Overview

overview

10

Static

static

1

Pandora.sh

ubuntu-18.04-amd64

10

Pandora.sh

debian-9-armhf

10

Pandora.sh

debian-9-mips

10

Pandora.sh

debian-9-mipsel

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Pandora.sh

  • Size

    1KB

  • Sample

    230505-taf8dabd27

  • MD5

    2ee1634f94b542051d04f8d1faf225ff

  • SHA1

    5300cf1316226fad2d58cd03d942c13f40b7328f

  • SHA256

    da09e2e35ee13411a6ae582d331dd3dab910e94c686faccddf8c8d8bf5d842c8

  • SHA512

    65323f720e3e20b384d6490631d512e49521232e52dc956489a771652e9bf559b6f2c8c1a7607498868b3b617f6ab58042b99e59d1dd76d81efb79e8a0af6bd1

Score
10/10
mirailzrdbotnetdiscoverylinux

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Targets

    • Target

      Pandora.sh

    • Size

      1KB

    • MD5

      2ee1634f94b542051d04f8d1faf225ff

    • SHA1

      5300cf1316226fad2d58cd03d942c13f40b7328f

    • SHA256

      da09e2e35ee13411a6ae582d331dd3dab910e94c686faccddf8c8d8bf5d842c8

    • SHA512

      65323f720e3e20b384d6490631d512e49521232e52dc956489a771652e9bf559b6f2c8c1a7607498868b3b617f6ab58042b99e59d1dd76d81efb79e8a0af6bd1

    Score
    10/10
    mirailzrdbotnetdiscovery

    • Mirai

      Mirai is a prevalent Linux malware infecting exposed network devices.

      botnetmirai

    • Contacts a large (280633) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Contacts a large (580963) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Contacts a large (610734) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Contacts a large (658251) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Modifies the Watchdog daemon

      Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Executes dropped EXE

    • Reads system network configuration

      Uses contents of /proc filesystem to enumerate network settings.

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

1
T1562

Credential Access

Discovery

Network Service Scanning

5
T1046

System Network Connections Discovery

1
T1049

System Network Configuration Discovery

1
T1016

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks