Resubmissions
09-07-2021 14:36
210709-6lg5mtvdax 909-07-2021 14:30
210709-y4bheb71f6 809-07-2021 14:27
210709-akqez2tkz2 8Analysis
-
max time kernel
20040s -
max time network
61s -
platform
linux_mips -
resource
debian9-mipsbe -
submitted
09-07-2021 14:36
General
-
Target
2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6.elf
-
Size
129KB
-
MD5
fbe51695e97a45dc61967dc3241a37dc
-
SHA1
1ed14334b5b71783cd6ec14b8a704fe48e600cf0
-
SHA256
2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6
-
SHA512
c35eab56ba59beb2ec2b362e4d1aae734fadc2d9db1d720439337dcade13ec9c7b68da9d03821efc7277abaf9bace342ff35593373e04c67327d5f7db460ad8a
Malware Config
Signatures
-
Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.
-
Writes file to system bin folder 1 TTPs 2 IoCs
-
Modifies hosts file 1 IoCs
Adds to hosts file used for mapping hosts to IP addresses.
-
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
-
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.
-
Reads system network configuration 1 TTPs 3 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
Reads runtime system information 1 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
./2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6.elf./2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6.elf1⤵
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
-
/bin/shsh -c "killall -9 telnetd utelnetd scfgmgr"1⤵