19ddd93024d0cf74acf046476e138a66a1b851da4fb49911794f731f39fa2c1b | Triage

Sharing

General

Target

Mozi.a
Size

300KB
Sample

210727-72yannh6ns
MD5

0dbb1190017d9959933b36b05e49a1c2
SHA1

01c185f26dd219f3a44630087500f912cecd94ef
SHA256

19ddd93024d0cf74acf046476e138a66a1b851da4fb49911794f731f39fa2c1b
SHA512

338e14ae743afe86d3f0b4e8fd5122419690953312b19cd88fa925be74944af2a4356c8a9067ae9486651c5be43a7e74c94f0194540fb588d5355e3574a70e06

Score

9^/10

linux

Malware Config

Targets

- Target
  
  Mozi.a
- Size
  
  300KB
- MD5
  
  0dbb1190017d9959933b36b05e49a1c2
- SHA1
  
  01c185f26dd219f3a44630087500f912cecd94ef
- SHA256
  
  19ddd93024d0cf74acf046476e138a66a1b851da4fb49911794f731f39fa2c1b
- SHA512
  
  338e14ae743afe86d3f0b4e8fd5122419690953312b19cd88fa925be74944af2a4356c8a9067ae9486651c5be43a7e74c94f0194540fb588d5355e3574a70e06
Score

9^/10
- Modifies the Watchdog daemon
  Malware like Mirai modify the Watchdog to prevent it restarting an infected system.
- Writes file to system bin folder
- Enumerates active TCP sockets
  Gets active TCP sockets from /proc virtual filesystem.
- Reads system routing table
  Gets active network interfaces from /proc virtual filesystem.
- Reads system network configuration
  Uses contents of /proc filesystem to enumerate network settings.
- Reads runtime system information
  Reads data from /proc virtual filesystem.
- Writes file to tmp directory
  Malware often drops required files in the /tmp directory.
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hijack Execution Flow

Privilege Escalation

Hijack Execution Flow

Defense Evasion

Impair Defenses

Hijack Execution Flow

Credential Access

Discovery

System Network Connections Discovery

System Network Configuration Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3