2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6

Resubmissions

09-07-2021 14:36

210709-6lg5mtvdax 9

09-07-2021 14:30

210709-y4bheb71f6 8

09-07-2021 14:27

210709-akqez2tkz2 8

Analysis

max time kernel
20040s
max time network
61s
platform
linux_mips
resource
debian9-mipsbe
submitted
09-07-2021 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6.elf
Size

129KB
MD5

fbe51695e97a45dc61967dc3241a37dc
SHA1

1ed14334b5b71783cd6ec14b8a704fe48e600cf0
SHA256

2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6
SHA512

c35eab56ba59beb2ec2b362e4d1aae734fadc2d9db1d720439337dcade13ec9c7b68da9d03821efc7277abaf9bace342ff35593373e04c67327d5f7db460ad8a

Score

9^/10

Malware Config

Signatures

Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

description	ioc
/sbin/watchdog	/sbin/watchdog
/bin/watchdog	/bin/watchdog

Modifies hosts file 1 IoCs

Adds to hosts file used for mapping hosts to IP addresses.

description	ioc
/etc/hosts	/etc/hosts

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery

T1049

description	ioc	Process
/proc/net/tcp	/proc/net/tcp	2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6.elf

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

System Network Configuration Discovery

T1016

description	ioc
/proc/net/route	/proc/net/route

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc	Process
/proc/net/raw	/proc/net/raw	2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6.elf
/proc/net/route	/proc/net/route	Process not Found
/proc/net/tcp	/proc/net/tcp	2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6.elf

Reads runtime system information 1 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/self/exe	/proc/self/exe	2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6.elf

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc
/tmp/2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6.elf	/tmp/2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6.elf

./2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6.elf
./2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6.elf
1⤵
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
PID:332

/bin/sh
sh -c "killall -9 telnetd utelnetd scfgmgr"
1⤵
PID:335

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads