Analysis

  • max time kernel
    0s
  • max time network
    96s
  • platform
    linux_amd64
  • resource
    ubuntu1804-amd64-en-20211208
  • submitted
    21-01-2022 22:52

General

  • Target

    f4ff89b7994bda48548c58f6be117a547c3b38a91b62f4986c9377e6b37bef83

  • Size

    151KB

  • MD5

    83cf481c39ca88dbcf3a5fac359cc9a5

  • SHA1

    54c2519606316bc4b4106607a6cbad3c1b437cd8

  • SHA256

    f4ff89b7994bda48548c58f6be117a547c3b38a91b62f4986c9377e6b37bef83

  • SHA512

    54befac5b059a227aa5a28f4526854907d70f1f33cdb6b9a1b7a59d831583e3017ddbd8658e4dd28cbdd7f32250516c41a9d90b1f4b8c12f234595b54548c6b2

Score
7/10

Malware Config

Signatures

  • Modifies rc script 1 TTPs 1 IoCs

    Adding/modifying system rc scripts is a common persistence mechanism.

  • Reads CPU attributes 1 TTPs 29 IoCs
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • ./f4ff89b7994bda48548c58f6be117a547c3b38a91b62f4986c9377e6b37bef83
    ./f4ff89b7994bda48548c58f6be117a547c3b38a91b62f4986c9377e6b37bef83
    1⤵
      PID:581
    • /bin/sh
      sh -c "pkill -9 mirai.* || busybox pkill -9 mirai.*"
      1⤵
        PID:585
        • /usr/bin/pkill
          pkill -9 "mirai.*"
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:586
        • /bin/busybox
          busybox pkill -9 "mirai.*"
          2⤵
            PID:591
    • /bin/sh
      sh -c "pkill -9 dlr.*mips || busybox pkill -9 dlr.*mips"
      1⤵
        PID:592
        • /usr/bin/pkill
          pkill -9 "dlr.*mips"
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:593
        • /bin/busybox
          busybox pkill -9 "dlr.*mips"
          2⤵
            PID:594
    • /bin/sh
      sh -c "pkill -9 mips64 || busybox pkill -9 mips64"
      1⤵
        PID:595
        • /usr/bin/pkill
          pkill -9 mips64
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:596
        • /bin/busybox
          busybox pkill -9 mips64
          2⤵
            PID:597
    • /bin/sh
      sh -c "pkill -9 mipsel || busybox pkill -9 mipsel"
      1⤵
        PID:598
        • /usr/bin/pkill
          pkill -9 mipsel
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:599
        • /bin/busybox
          busybox pkill -9 mipsel
          2⤵
            PID:600
    • /bin/sh
      sh -c "pkill -9 sh2eb || busybox pkill -9 sh2eb"
      1⤵
        PID:601
        • /usr/bin/pkill
          pkill -9 sh2eb
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:602
        • /bin/busybox
          busybox pkill -9 sh2eb
          2⤵
            PID:603
    • /bin/sh
      sh -c "pkill -9 sh2elf || busybox pkill -9 sh2elf"
      1⤵
        PID:604
        • /usr/bin/pkill
          pkill -9 sh2elf
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:605
        • /bin/busybox
          busybox pkill -9 sh2elf
          2⤵
            PID:606
    • /bin/sh
      sh -c "pkill -9 sh4 || busybox pkill -9 sh4"
      1⤵
        PID:607
        • /usr/bin/pkill
          pkill -9 sh4
          2⤵
          • Reads CPU attributes
          PID:608
        • /bin/busybox
          busybox pkill -9 sh4
          2⤵
            PID:609
    • /bin/sh
      sh -c "pkill -9 x86 || busybox pkill -9 x86"
      1⤵
        PID:610
        • /usr/bin/pkill
          pkill -9 x86
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:611
        • /bin/busybox
          busybox pkill -9 x86
          2⤵
            PID:612
    • /bin/sh
      sh -c "pkill -9 arm || busybox pkill -9 arm"
      1⤵
        PID:613
        • /usr/bin/pkill
          pkill -9 arm
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:614
        • /bin/busybox
          busybox pkill -9 arm
          2⤵
            PID:615
    • /bin/sh
      sh -c "pkill -9 armv5 || busybox pkill -9 armv5"
      1⤵
        PID:616
        • /usr/bin/pkill
          pkill -9 armv5
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:617
        • /bin/busybox
          busybox pkill -9 armv5
          2⤵
            PID:618
    • /bin/sh
      sh -c "pkill -9 armv4tl || busybox pkill -9 armv4tl"
      1⤵
        PID:619
        • /usr/bin/pkill
          pkill -9 armv4tl
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:620
        • /bin/busybox
          busybox pkill -9 armv4tl
          2⤵
            PID:621
    • /bin/sh
      sh -c "pkill -9 armv4 || busybox pkill -9 armv4"
      1⤵
        PID:622
        • /usr/bin/pkill
          pkill -9 armv4
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:623
        • /bin/busybox
          busybox pkill -9 armv4
          2⤵
            PID:624
    • /bin/sh
      sh -c "pkill -9 armv6 || busybox pkill -9 armv6"
      1⤵
        PID:625
        • /usr/bin/pkill
          pkill -9 armv6
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:626
        • /bin/busybox
          busybox pkill -9 armv6
          2⤵
            PID:627
    • /bin/sh
      sh -c "pkill -9 i686 || busybox pkill -9 i686"
      1⤵
        PID:628
        • /usr/bin/pkill
          pkill -9 i686
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:629
        • /bin/busybox
          busybox pkill -9 i686
          2⤵
            PID:630
    • /bin/sh
      sh -c "pkill -9 powerpc || busybox pkill -9 powerpc"
      1⤵
        PID:631
        • /usr/bin/pkill
          pkill -9 powerpc
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:632
        • /bin/busybox
          busybox pkill -9 powerpc
          2⤵
            PID:633
    • /bin/sh
      sh -c "pkill -9 powerpc440fp || busybox pkill -9 powerpc440fp"
      1⤵
        PID:634
        • /usr/bin/pkill
          pkill -9 powerpc440fp
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:635
        • /bin/busybox
          busybox pkill -9 powerpc440fp
          2⤵
            PID:636
    • /bin/sh
      sh -c "pkill -9 i586 || busybox pkill -9 i586"
      1⤵
        PID:637
        • /usr/bin/pkill
          pkill -9 i586
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:638
        • /bin/busybox
          busybox pkill -9 i586
          2⤵
            PID:639
    • /bin/sh
      sh -c "pkill -9 m68k || busybox pkill -9 m68k"
      1⤵
        PID:640
        • /usr/bin/pkill
          pkill -9 m68k
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:641
        • /bin/busybox
          busybox pkill -9 m68k
          2⤵
            PID:642
    • /bin/sh
      sh -c "pkill -9 sparc || busybox pkill -9 sparc"
      1⤵
        PID:643
        • /usr/bin/pkill
          pkill -9 sparc
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:644
        • /bin/busybox
          busybox pkill -9 sparc
          2⤵
            PID:645
    • /bin/sh
      sh -c "pkill -9 x86_64 || busybox pkill -9 x86_64"
      1⤵
        PID:646
        • /usr/bin/pkill
          pkill -9 x86_64
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:647
        • /bin/busybox
          busybox pkill -9 x86_64
          2⤵
            PID:648
    • /bin/sh
      sh -c "pkill -9 jackmy* || busybox pkill -9 jackmy*"
      1⤵
        PID:649
        • /usr/bin/pkill
          pkill -9 "jackmy*"
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:650
        • /bin/busybox
          busybox pkill -9 "jackmy*"
          2⤵
            PID:651
    • /bin/sh
      sh -c "pkill -9 hackmy* || busybox pkill -9 hackmy*"
      1⤵
        PID:652
        • /usr/bin/pkill
          pkill -9 "hackmy*"
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:653
        • /bin/busybox
          busybox pkill -9 "hackmy*"
          2⤵
            PID:654
    • /bin/sh
      sh -c "pkill -9 b1 || busybox pkill -9 b1"
      1⤵
        PID:655
        • /usr/bin/pkill
          pkill -9 b1
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:656
        • /bin/busybox
          busybox pkill -9 b1
          2⤵
            PID:657
    • /bin/sh
      sh -c "pkill -9 b2 || busybox pkill -9 b2"
      1⤵
        PID:658
        • /usr/bin/pkill
          pkill -9 b2
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:659
        • /bin/busybox
          busybox pkill -9 b2
          2⤵
            PID:660
    • /bin/sh
      sh -c "pkill -9 b3 || busybox pkill -9 b3"
      1⤵
        PID:661
        • /usr/bin/pkill
          pkill -9 b3
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:662
        • /bin/busybox
          busybox pkill -9 b3
          2⤵
            PID:663
    • /bin/sh
      sh -c "pkill -9 b4 || busybox pkill -9 b4"
      1⤵
        PID:664
        • /usr/bin/pkill
          pkill -9 b4
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:665
        • /bin/busybox
          busybox pkill -9 b4
          2⤵
            PID:666
    • /bin/sh
      sh -c "pkill -9 b5 || busybox pkill -9 b5"
      1⤵
        PID:667
        • /usr/bin/pkill
          pkill -9 b5
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:668
        • /bin/busybox
          busybox pkill -9 b5
          2⤵
            PID:669
    • /bin/sh
      sh -c "pkill -9 b6 || busybox pkill -9 b6"
      1⤵
        PID:670
        • /usr/bin/pkill
          pkill -9 b6
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:671
        • /bin/busybox
          busybox pkill -9 b6
          2⤵
            PID:672
    • /bin/sh
      sh -c "pkill -9 b7 || busybox pkill -9 b7"
      1⤵
        PID:673
        • /usr/bin/pkill
          pkill -9 b7
          2⤵
          • Reads CPU attributes
          • Reads runtime system information
          PID:674

Network

MITRE ATT&CK Enterprise v6