Botnet Encyclopedia

A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network

Campaign Information

Name

Bins
active

First seen in Guardicore Centra

2017-01-07

Last seen in Guardicore Centra

2020-08-19

Bins is a family of DDoS attack campaigns. The malware they spread is a Mirai variant with functions such as UDP and TCP floods and IP spoofing. Some samples disguise themselves as the SSH daemon process (sshd) or as the lightweight SSH server Dropbear. The suffix of each malware file name states the architecture the binary was built for: mips, mipsel, sh4, x86, armv6l, i686, powerpc, i586, m68k, sparc, armv4l and armv5l.


Indicators of Compromise

Associated Files

Path / SHA-256 hash / Size

/tmp/bins.sh, /tmp/bins.sh.1, /tmp/bins.sh.2…

b791bce45d1bc7527dbd5e2ffa3799a1826482ddf9e46a176367934a5d9e7f5c

1.71 KB

/tmp/bins.sh

f88388a7250ab66c77d54834c0bd6422b7b761935b0a0c8aca88d2f2248be58d

1.21 KB

/tmp/ntpd

68fc6a9a86cb9dad4f8b812611d51649cff8c864b1a6bfaf2eaa6ef50880a115

284.85 KB

/tmp/sshd

cc01a6ec4605fb4522a0d0f0453ed8ac8641dcb5d78bfb8d500e458cb57c87aa

284.91 KB

/tmp/openssh

99edbe3b161582c011bcb1ef024e2f6aec8db859d414e91873abdf8552a1d415

204.11 KB

/tmp/bash

64b1c58a89b4b48176aa29494436f03f040cd0814e4d5893a19803f0678df397

263.50 KB

/tmp/bins.sh, /tmp/bins.sh.1, /tmp/bins.sh.2

6af204a19f98202ad91a60536b000cba924a1b768d77dedd4f88600e70f6d43c

1.59 KB

/tmp/Sunny.mips, /tmp/Sunny.mips.1

dcd57e03ebea53d07527bbf2c4f1cb32e4454c17525ca4aaafcb3a5278f7a966

150.14 KB

/tmp/Sunny.mpsl, /tmp/Sunny.mpsl.1

77a55842069af0f0e2c47e89090b33f88300b27d3d3770e5a674dbeeabfffc04

150.14 KB

/tmp/Sunny.arm6, /tmp/Sunny.arm6.1

d76d9ebc9b339c38abb2d65d361a07d3ee02a600f40826d8ad2a67d23e7d857f

139.39 KB

/tmp/Sunny.x86, /tmp/Sunny.x86.1

730f9e3ca8ef6c2c107af8fb51815ea1564653d0058ae19526ba7acbfbec28b9

108.32 KB

/tmp/Sunny.arm4, /tmp/Sunny.arm4.1

74b83fc4c4cc98a1242662c755b2935a766c424cae7335abcc7f25684a34fe2b

117.28 KB

/tmp/GHfjfgvj, /tmp/GHfjfgvj.1, /tmp/GHfjfgvj.1.1…

0f7a68f9ddd80072245c41f6f1af1710a429d2a99bc133304dfc83ebb149f49b

286.14 KB

/tmp/Sunny.sh4

3848bd45031b326b29161ad9af786fe1d69fea4aa934f374a665d2fa2c2ed1ce

104.89 KB

/tmp/Sunny.ppc

f324e83cc63b749f0430c964b07afd66d320287baf13f7142da1398e7e489adf

124.64 KB
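The hash list above is exact but brittle: the same dropper shows up under bins, Sunny, Thotty and other names, and every recompile changes the digest. The following Python sweep is an added example for this page (it is not Guardicore code) and combines the two checks a responder would actually run on a suspect host: an exact SHA-256 match against the hashes in the table, and a naming heuristic for the per-architecture payloads and the bins.sh dropper (including the .1, .2 copies wget leaves behind). The architecture suffixes and the daemon names used for disguise (sshd, ntpd, openssh, bash, Dropbear) are taken from this page; the function and variable names are this example's own.

```python
"""Sweep a directory for Bins/Mirai dropper artefacts.

Added example for this page, not Guardicore code. Two complementary checks:
  1. exact SHA-256 match against the hashes listed in the table above;
  2. naming heuristics for per-architecture payloads, the bins.sh dropper
     and ELF files disguised under system-daemon names in /tmp.
"""
import hashlib
import os
import re

# SHA-256 values copied from the Associated Files table on this page.
IOC_SHA256 = {
    "b791bce45d1bc7527dbd5e2ffa3799a1826482ddf9e46a176367934a5d9e7f5c",  # /tmp/bins.sh
    "f88388a7250ab66c77d54834c0bd6422b7b761935b0a0c8aca88d2f2248be58d",  # /tmp/bins.sh
    "68fc6a9a86cb9dad4f8b812611d51649cff8c864b1a6bfaf2eaa6ef50880a115",  # /tmp/ntpd
    "cc01a6ec4605fb4522a0d0f0453ed8ac8641dcb5d78bfb8d500e458cb57c87aa",  # /tmp/sshd
    "99edbe3b161582c011bcb1ef024e2f6aec8db859d414e91873abdf8552a1d415",  # /tmp/openssh
    "64b1c58a89b4b48176aa29494436f03f040cd0814e4d5893a19803f0678df397",  # /tmp/bash
    "6af204a19f98202ad91a60536b000cba924a1b768d77dedd4f88600e70f6d43c",  # /tmp/bins.sh
    "dcd57e03ebea53d07527bbf2c4f1cb32e4454c17525ca4aaafcb3a5278f7a966",  # Sunny.mips
    "77a55842069af0f0e2c47e89090b33f88300b27d3d3770e5a674dbeeabfffc04",  # Sunny.mpsl
    "d76d9ebc9b339c38abb2d65d361a07d3ee02a600f40826d8ad2a67d23e7d857f",  # Sunny.arm6
    "730f9e3ca8ef6c2c107af8fb51815ea1564653d0058ae19526ba7acbfbec28b9",  # Sunny.x86
    "74b83fc4c4cc98a1242662c755b2935a766c424cae7335abcc7f25684a34fe2b",  # Sunny.arm4
    "0f7a68f9ddd80072245c41f6f1af1710a429d2a99bc133304dfc83ebb149f49b",  # GHfjfgvj
    "3848bd45031b326b29161ad9af786fe1d69fea4aa934f374a665d2fa2c2ed1ce",  # Sunny.sh4
    "f324e83cc63b749f0430c964b07afd66d320287baf13f7142da1398e7e489adf",  # Sunny.ppc
}

# Architecture suffixes named on this page (description and file names).
ARCH_SUFFIXES = ("mips", "mipsel", "mpsl", "sh4", "x86", "i686", "i586",
                 "armv4l", "armv5l", "armv6l", "arm4", "arm6",
                 "powerpc", "ppc", "m68k", "sparc")
# <name>.<arch> optionally followed by wget's .1, .2 ... duplicate suffixes.
_ARCH_RE = re.compile(r"^[A-Za-z0-9_-]+\.(%s)(\.\d+)*$"
                      % "|".join(map(re.escape, ARCH_SUFFIXES)))
_DROPPER_RE = re.compile(r"^bins\.sh(\.\d+)*$")
# Daemon names the samples hide behind (from the description and the table).
_DISGUISE_NAMES = {"sshd", "ntpd", "openssh", "bash", "dropbear"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(name: str, data: bytes, extra_hashes=frozenset()):
    """Return the list of reasons a file is suspicious (empty if none)."""
    reasons = []
    digest = sha256_hex(data)
    if digest in IOC_SHA256 or digest in extra_hashes:
        reasons.append("sha256:%s" % digest)
    if _DROPPER_RE.match(name):
        reasons.append("dropper-name")
    if _ARCH_RE.match(name):
        reasons.append("arch-suffixed-payload")
    # An ELF binary sitting in /tmp under a daemon's name is the disguise
    # described above; legitimate daemons do not live there.
    if data[:4] == b"\x7fELF" and name in _DISGUISE_NAMES:
        reasons.append("elf-disguised-as-daemon")
    return reasons


def scan_files(files, extra_hashes=frozenset()):
    """files: mapping of file name -> content bytes. Returns {name: reasons}."""
    hits = {}
    for name, data in files.items():
        reasons = classify(name, data, extra_hashes)
        if reasons:
            hits[name] = reasons
    return hits


def scan_directory(root="/tmp", extra_hashes=frozenset()):
    """Read every regular file directly under root (whole file in memory,
    fine for /tmp-sized payloads) and run scan_files over them."""
    files = {}
    for entry in os.scandir(root):
        if entry.is_file(follow_symlinks=False):
            try:
                with open(entry.path, "rb") as fh:
                    files[entry.name] = fh.read()
            except OSError:
                continue  # unreadable or vanished: skip, do not abort the sweep
    return scan_files(files, extra_hashes)


if __name__ == "__main__":
    for name, why in sorted(scan_directory().items()):
        print("%s: %s" % (name, ", ".join(why)))
```

The heuristics deliberately fire on names alone, so a hit on arch-suffixed-payload or dropper-name is a lead to triage (pull the file, hash it, check who wrote it), not a confirmed infection; the SHA-256 matches are the only results that tie a file to this exact campaign.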

Attack Flow

Breached Services

Hadoop YARN

HTTP

SSH

Tags

Shell Commands

HTTP

SSH

Download and Execute

Outgoing Connection

Successful SSH Login

Download Operation

Download and Allow Execution

Download File

Incident Summary

A user logged in using SSH with the following credentials: root / **** – Authentication policy: White List

Successful SSH Login

A possibly malicious Download Operation was detected 2 times

Download Operation

Process /usr/bin/wget generated outgoing network traffic to: 107.174.241.143:80 2 times

Outgoing Connection

The file /tmp/bins.sh was downloaded and granted execution privileges

The file /tmp/Thotty.mips was downloaded and granted execution privileges

Download and Allow Execution

Process /usr/local/bin/dash generated outgoing network traffic to: 107.174.241.143:80 3 times

Outgoing Connection

/tmp/Thotty.mpsl was downloaded

Download File

The file /tmp/Thotty.mpsl was downloaded and granted execution privileges

The file /tmp/Thotty.sh4 was downloaded and granted execution privileges

Download and Allow Execution

Process /usr/bin/wget generated outgoing network traffic to: 107.174.241.143:80 2 times

Outgoing Connection

The file /tmp/Thotty.x86 was downloaded and executed 8 times

Download and Execute

The file /tmp/Thotty.arm6 was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/Thotty.i686 was downloaded and executed 29 times

Download and Execute

Process /usr/local/bin/dash generated outgoing network traffic to: 107.174.241.143:80

Outgoing Connection

The file /tmp/Thotty.ppc was downloaded and granted execution privileges

Process /usr/bin/wget generated outgoing network traffic to: 107.174.241.143:80

Outgoing Connection

The file /tmp/Thotty.i586 was downloaded and executed 21 times

Download and Execute

Process /usr/local/bin/dash generated outgoing network traffic to: 107.174.241.143:80

Outgoing Connection

The file /tmp/Thotty.m68k was downloaded and granted execution privileges

The file /tmp/Thotty.sparc was downloaded and granted execution privileges

Process /usr/bin/wget generated outgoing network traffic to: 107.174.241.143:80

Outgoing Connection

Connection was closed due to timeout
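The summary above is the classic Mirai dropper shape: one SSH login, then wget and the shell running bins.sh (dash) pull a binary per architecture from a single host, mark each executable and try to run it. On this sensor only the x86, i686 and i586 files actually executed; the mips, sh4, arm6, ppc, m68k and sparc files were staged but could not run on an x86 host. A detection that keys only on the binary that ran misses the stronger signal, which is one endpoint serving many architectures within seconds. The Python below is an added example for this page (not Guardicore code) that correlates such events into a chain and flags multi-architecture download sources. The event records are constructed to mirror the incident summary (same endpoint, processes and file names); the field names, the window length and the downloader process list are this example's assumptions, not the Centra schema.

```python
"""Correlate sensor events into a Mirai-style dropper chain.

Added example for this page, not Guardicore code. SAMPLE_EVENTS is
constructed to mirror the incident summary above; field names are this
example's own, not the sensor's schema.
"""
import os
import re
from collections import defaultdict

# Processes that perform the fetch in such droppers: wget/curl directly, or
# the shell interpreting bins.sh (dash here) that spawns them. Assumption.
DOWNLOADER_PROCS = {"wget", "curl", "dash", "sh", "bash", "busybox", "tftp"}

# Architecture suffixes named on this page.
ARCHS = {"mips", "mipsel", "mpsl", "sh4", "x86", "i686", "i586", "armv4l",
         "armv5l", "armv6l", "arm4", "arm6", "powerpc", "ppc", "m68k", "sparc"}
_ARCH_RE = re.compile(r"\.([A-Za-z0-9]+)(\.\d+)*$")

# Constructed events (t in seconds): login, fetches, files written to /tmp.
SAMPLE_EVENTS = [
    {"t": 0,   "type": "ssh_login",   "user": "root", "src": "203.0.113.10"},
    {"t": 2,   "type": "net_connect", "proc": "/usr/bin/wget",       "dst": "107.174.241.143:80"},
    {"t": 3,   "type": "file_write",  "path": "/tmp/bins.sh",        "exec_allowed": True,  "executed": 0},
    {"t": 5,   "type": "net_connect", "proc": "/usr/local/bin/dash", "dst": "107.174.241.143:80"},
    {"t": 6,   "type": "file_write",  "path": "/tmp/Thotty.mips",    "exec_allowed": True,  "executed": 0},
    {"t": 8,   "type": "file_write",  "path": "/tmp/Thotty.x86",     "exec_allowed": True,  "executed": 8},
    {"t": 9,   "type": "file_write",  "path": "/tmp/Thotty.i686",    "exec_allowed": True,  "executed": 29},
    {"t": 11,  "type": "file_write",  "path": "/tmp/Thotty.ppc",     "exec_allowed": True,  "executed": 0},
    {"t": 900, "type": "file_write",  "path": "/tmp/report.txt",     "exec_allowed": False, "executed": 0},
]


def arch_of(path):
    """Architecture suffix of a dropped file (ignoring wget's .1 copies), or None."""
    m = _ARCH_RE.search(os.path.basename(path))
    return m.group(1) if m and m.group(1) in ARCHS else None


def correlate(events, window_s=60):
    """Link each file written under /tmp to the most recent outbound
    connection by a download-capable process within window_s seconds."""
    last_fetch, user, chain = None, None, []
    for e in sorted(events, key=lambda ev: ev["t"]):
        if e["type"] == "ssh_login":
            user = e["user"]
        elif e["type"] == "net_connect" and os.path.basename(e["proc"]) in DOWNLOADER_PROCS:
            last_fetch = e
        elif e["type"] == "file_write" and e["path"].startswith("/tmp/"):
            if last_fetch is None or e["t"] - last_fetch["t"] > window_s:
                continue  # no recent fetch: not attributable to a download
            chain.append({
                "t": e["t"], "user": user,
                "c2": last_fetch["dst"], "downloader": last_fetch["proc"],
                "path": e["path"], "arch": arch_of(e["path"]),
                "exec_allowed": e["exec_allowed"], "executed": e["executed"],
            })
    return chain


def summarize(chain):
    """Per download source: files staged, architectures covered, files that ran."""
    by_c2 = defaultdict(lambda: {"files": [], "archs": set(), "executed": []})
    for item in chain:
        s = by_c2[item["c2"]]
        s["files"].append(item["path"])
        if item["arch"]:
            s["archs"].add(item["arch"])
        if item["executed"] > 0:
            s["executed"].append(item["path"])
    return {c2: {"files": s["files"], "archs": sorted(s["archs"]),
                 "executed": sorted(s["executed"])} for c2, s in by_c2.items()}


def multiarch_droppers(summary, min_archs=3):
    """Sources that served payloads for at least min_archs architectures:
    the dropper signature, visible even where only one binary could run."""
    return sorted(c2 for c2, s in summary.items() if len(s["archs"]) >= min_archs)


if __name__ == "__main__":
    summary = summarize(correlate(SAMPLE_EVENTS))
    for c2 in multiarch_droppers(summary):
        print(c2, summary[c2])
```

The window and the min_archs threshold are tuning knobs: a legitimate package install also writes executables shortly after an outbound fetch, but it does not drop the same program compiled for four or more CPU families into /tmp from one address.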