Analysis
-
max time kernel
3517s -
max time network
147s -
platform
linux_mips -
resource
debian9-mipsbe -
submitted
30-12-2020 08:40
Static task
static1
Behavioral task
behavioral1
Sample
HEUR.Backdoor.Linux.Hajime.b.5377e8f2ebdb280216c37a6195da9d6c
Resource
debian9-mipsbe
General
-
Target
HEUR.Backdoor.Linux.Hajime.b.5377e8f2ebdb280216c37a6195da9d6c
-
Size
83KB
-
MD5
5377e8f2ebdb280216c37a6195da9d6c
-
SHA1
b54c705193b7963a0d40699a91cdb34fedecbe88
-
SHA256
020f1fa6072108c79ed6f553f4f8b08e157bf17f9c260a76353300230fed09f0
-
SHA512
65e5aec56ddde56f245a20f88553d2f76bd7dd8e1940e9d49637d51a868fe73003b8a95fffeb9481110579f6ee4790fc9af1668d435930d4c01b116490908eed
Malware Config
Signatures
-
Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.
-
Modifies hosts file 1 IoCs
Adds to hosts file used for mapping hosts to IP addresses.
Processes:
description ioc /etc/hosts /etc/hosts -
Writes DNS configuration 1 TTPs 1 IoCs
Writes data to DNS resolver config file.
-
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
-
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.
Processes:
description ioc /proc/net/route /proc/net/route -
Reads system network configuration 1 TTPs 3 IoCs
Uses contents of /proc filesystem to enumerate network settings.
Processes:
description ioc /proc/net/route /proc/net/route /proc/net/tcp /proc/net/tcp /proc/net/tcp6 /proc/net/tcp6 -
Reads runtime system information 78 IoCs
Reads data from /proc virtual filesystem.
Processes:
description ioc /proc/326/cmdline /proc/326/cmdline /proc/313/cmdline /proc/313/cmdline /proc/297/cmdline /proc/297/cmdline /proc/157/fd /proc/157/fd /proc/140/fd /proc/140/fd /proc/116/cmdline /proc/116/cmdline /proc/21/cmdline /proc/21/cmdline /proc/254/cmdline /proc/254/cmdline /proc/231/cmdline /proc/231/cmdline /proc/218/cmdline /proc/218/cmdline /proc/260/cmdline /proc/260/cmdline /proc/37/cmdline /proc/37/cmdline /proc/11/cmdline /proc/11/cmdline /proc/8/cmdline /proc/8/cmdline /proc/330/cmdline /proc/330/cmdline /proc/313/fd /proc/313/fd /proc/300/cmdline /proc/300/cmdline /proc/71/cmdline /proc/71/cmdline /proc/23/cmdline /proc/23/cmdline /proc/297/fd /proc/297/fd /proc/228/fd /proc/228/fd /proc/82/cmdline /proc/82/cmdline /proc/20/cmdline /proc/20/cmdline /proc/283/fd /proc/283/fd /proc/226/fd /proc/226/fd /proc/115/cmdline /proc/115/cmdline /proc/78/cmdline /proc/78/cmdline /proc/72/cmdline /proc/72/cmdline /proc/70/cmdline /proc/70/cmdline /proc/17/cmdline /proc/17/cmdline /proc/12/cmdline /proc/12/cmdline /proc/2/cmdline /proc/2/cmdline /proc/260/fd /proc/260/fd /proc/147/cmdline /proc/147/cmdline /proc/228/cmdline /proc/228/cmdline /proc/105/cmdline /proc/105/cmdline /proc/22/cmdline /proc/22/cmdline /proc/19/cmdline /proc/19/cmdline /proc/18/cmdline /proc/18/cmdline /proc/15/cmdline /proc/15/cmdline /proc/9/cmdline /proc/9/cmdline /proc/7/cmdline /proc/7/cmdline /proc/255/fd /proc/255/fd /proc/230/cmdline /proc/230/cmdline /proc/69/cmdline /proc/69/cmdline /proc/314/fd /proc/314/fd /proc/157/cmdline /proc/157/cmdline /proc/140/cmdline /proc/140/cmdline /proc/14/cmdline /proc/14/cmdline /proc/300/fd /proc/300/fd /proc/231/fd /proc/231/fd /proc/77/cmdline /proc/77/cmdline /proc/74/cmdline /proc/74/cmdline /proc/24/cmdline /proc/24/cmdline /proc/4/cmdline /proc/4/cmdline /proc/1/fd /proc/1/fd /proc/80/cmdline /proc/80/cmdline /proc/76/cmdline /proc/76/cmdline /proc/10/cmdline /proc/10/cmdline /proc/3/cmdline /proc/3/cmdline /proc/1/cmdline /proc/1/cmdline /proc/314/cmdline /proc/314/cmdline /proc/255/cmdline /proc/255/cmdline /proc/254/fd /proc/254/fd /proc/218/fd /proc/218/fd /proc/6/cmdline /proc/6/cmdline /proc/287/fd /proc/287/fd /proc/165/cmdline /proc/165/cmdline /proc/67/cmdline /proc/67/cmdline /proc/16/cmdline /proc/16/cmdline /proc/283/cmdline /proc/283/cmdline /proc/230/fd /proc/230/fd /proc/13/cmdline /proc/13/cmdline /proc/330/fd /proc/330/fd /proc/287/cmdline /proc/287/cmdline /proc/226/cmdline /proc/226/cmdline /proc/36/cmdline /proc/36/cmdline /proc/5/cmdline /proc/5/cmdline -
Writes file to tmp directory 2 IoCs
Malware often drops required files in the /tmp directory.
Processes:
description ioc /tmp/ftpupdate.sh /tmp/ftpupdate.sh /tmp/ftpupload.sh /tmp/ftpupload.sh
Processes
-
./HEUR.Backdoor.Linux.Hajime.b.5377e8f2ebdb280216c37a6195da9d6c./HEUR.Backdoor.Linux.Hajime.b.5377e8f2ebdb280216c37a6195da9d6c1⤵PID:328
-
/bin/shsh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"1⤵PID:331
-
/sbin/iptablesiptables -A INPUT -p tcp --destination-port 23 -j DROP2⤵PID:332
-
-
/bin/shsh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"1⤵PID:338
-
/sbin/iptablesiptables -A INPUT -p tcp --destination-port 7547 -j DROP2⤵PID:341
-
-
/bin/shsh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"1⤵PID:342
-
/sbin/iptablesiptables -A INPUT -p tcp --destination-port 5555 -j DROP2⤵PID:343
-
-
/bin/shsh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"1⤵PID:344
-
/sbin/iptablesiptables -A INPUT -p tcp --destination-port 5358 -j DROP2⤵PID:345
-
-
/bin/shsh -c "iptables -D INPUT -j CWMP_CR"1⤵PID:346
-
/sbin/iptablesiptables -D INPUT -j CWMP_CR2⤵PID:347
-
-
/bin/shsh -c "iptables -X CWMP_CR"1⤵PID:348
-
/sbin/iptablesiptables -X CWMP_CR2⤵PID:349
-
-
/bin/shsh -c "iptables -I INPUT -p udp --dport 61391 -j ACCEPT"1⤵PID:350
-
/sbin/iptablesiptables -I INPUT -p udp --dport 61391 -j ACCEPT2⤵PID:351
-