Analysis
max time kernel: 0s
max time network: 153s
platform: linux_mipsel
resource: debian9-mipsel-en-20211208
submitted: 21-01-2022 23:04

Static task: static1
Behavioral task: behavioral1
Sample: da573b1d8eec8b4c87b85279192980e306ffed4c1147afc649598671a2e42250
Resource: debian9-mipsel-en-20211208
0 signatures
0 seconds
General
Target: da573b1d8eec8b4c87b85279192980e306ffed4c1147afc649598671a2e42250
Size: 173KB
MD5: cc8d2f4a88fc831aa70a75398386b854
SHA1: 197ef2f68cee1753d90cd49959e997002a2d5379
SHA256: da573b1d8eec8b4c87b85279192980e306ffed4c1147afc649598671a2e42250
SHA512: ed7fe58b08b8e6b722bde672a78aaf7ac008cb18c6aca628d7914886dfdf28227a529e75cfb6da59a62c932d9b24799b96524bce8dbdb8d587c2ed64b1a83dcf
Score: 7/10
Malware Config
Signatures
Modifies rc script (1 TTP, 1 IoC)
Adding/modifying system rc scripts is a common persistence mechanism.
IoC: /etc/rc.d/rc.local
Reads CPU attributes (1 TTP, 23 IoCs)
IoC: /sys/devices/system/cpu/online (read by pkill)
Reads runtime system information (64 IoCs)
Reads data from /proc virtual filesystem.
Processes
PID 325  ./da573b1d8eec8b4c87b85279192980e306ffed4c1147afc649598671a2e42250
  PID 329  /bin/sh  sh -c "pkill -9 mirai.* || busybox pkill -9 mirai.*"
    PID 330  /usr/bin/pkill  pkill -9 "mirai.*"
      - Reads CPU attributes
      - Reads runtime system information
    PID 335  /bin/busybox  busybox pkill -9 "mirai.*"
  PID 336  /bin/sh  sh -c "pkill -9 dlr.*mips || busybox pkill -9 dlr.*mips"
    PID 337  /usr/bin/pkill  pkill -9 "dlr.*mips"
      - Reads CPU attributes
      - Reads runtime system information
    PID 338  /bin/busybox  busybox pkill -9 "dlr.*mips"
  PID 339  /bin/sh  sh -c "pkill -9 mips64 || busybox pkill -9 mips64"
    PID 340  /usr/bin/pkill  pkill -9 mips64
      - Reads CPU attributes
      - Reads runtime system information
    PID 341  /bin/busybox  busybox pkill -9 mips64
  PID 342  /bin/sh  sh -c "pkill -9 mipsel || busybox pkill -9 mipsel"
    PID 343  /usr/bin/pkill  pkill -9 mipsel
      - Reads CPU attributes
      - Reads runtime system information
    PID 344  /bin/busybox  busybox pkill -9 mipsel
  PID 345  /bin/sh  sh -c "pkill -9 sh2eb || busybox pkill -9 sh2eb"
    PID 346  /usr/bin/pkill  pkill -9 sh2eb
      - Reads CPU attributes
      - Reads runtime system information
    PID 347  /bin/busybox  busybox pkill -9 sh2eb
  PID 348  /bin/sh  sh -c "pkill -9 sh2elf || busybox pkill -9 sh2elf"
    PID 349  /usr/bin/pkill  pkill -9 sh2elf
      - Reads CPU attributes
      - Reads runtime system information
    PID 350  /bin/busybox  busybox pkill -9 sh2elf
  PID 351  /bin/sh  sh -c "pkill -9 sh4 || busybox pkill -9 sh4"
    PID 352  /usr/bin/pkill  pkill -9 sh4
      - Reads CPU attributes
      - Reads runtime system information
    PID 353  /bin/busybox  busybox pkill -9 sh4
  PID 354  /bin/sh  sh -c "pkill -9 x86 || busybox pkill -9 x86"
    PID 355  /usr/bin/pkill  pkill -9 x86
      - Reads CPU attributes
      - Reads runtime system information
    PID 356  /bin/busybox  busybox pkill -9 x86
  PID 357  /bin/sh  sh -c "pkill -9 arm || busybox pkill -9 arm"
    PID 358  /usr/bin/pkill  pkill -9 arm
      - Reads CPU attributes
      - Reads runtime system information
    PID 359  /bin/busybox  busybox pkill -9 arm
  PID 360  /bin/sh  sh -c "pkill -9 armv5 || busybox pkill -9 armv5"
    PID 361  /usr/bin/pkill  pkill -9 armv5
      - Reads CPU attributes
      - Reads runtime system information
    PID 362  /bin/busybox  busybox pkill -9 armv5
  PID 363  /bin/sh  sh -c "pkill -9 armv4tl || busybox pkill -9 armv4tl"
    PID 364  /usr/bin/pkill  pkill -9 armv4tl
      - Reads CPU attributes
      - Reads runtime system information
    PID 365  /bin/busybox  busybox pkill -9 armv4tl
  PID 366  /bin/sh  sh -c "pkill -9 armv4 || busybox pkill -9 armv4"
    PID 367  /usr/bin/pkill  pkill -9 armv4
      - Reads CPU attributes
      - Reads runtime system information
    PID 368  /bin/busybox  busybox pkill -9 armv4
  PID 369  /bin/sh  sh -c "pkill -9 armv6 || busybox pkill -9 armv6"
    PID 370  /usr/bin/pkill  pkill -9 armv6
      - Reads CPU attributes
      - Reads runtime system information
    PID 371  /bin/busybox  busybox pkill -9 armv6
  PID 372  /bin/sh  sh -c "pkill -9 i686 || busybox pkill -9 i686"
    PID 373  /usr/bin/pkill  pkill -9 i686
      - Reads CPU attributes
    PID 374  /bin/busybox  busybox pkill -9 i686
  PID 375  /bin/sh  sh -c "pkill -9 powerpc || busybox pkill -9 powerpc"
    PID 376  /usr/bin/pkill  pkill -9 powerpc
      - Reads CPU attributes
      - Reads runtime system information
    PID 377  /bin/busybox  busybox pkill -9 powerpc
  PID 378  /bin/sh  sh -c "pkill -9 powerpc440fp || busybox pkill -9 powerpc440fp"
    PID 379  /usr/bin/pkill  pkill -9 powerpc440fp
      - Reads CPU attributes
      - Reads runtime system information
    PID 380  /bin/busybox  busybox pkill -9 powerpc440fp
  PID 381  /bin/sh  sh -c "pkill -9 i586 || busybox pkill -9 i586"
    PID 382  /usr/bin/pkill  pkill -9 i586
      - Reads CPU attributes
      - Reads runtime system information
    PID 383  /bin/busybox  busybox pkill -9 i586
  PID 384  /bin/sh  sh -c "pkill -9 m68k || busybox pkill -9 m68k"
    PID 385  /usr/bin/pkill  pkill -9 m68k
      - Reads CPU attributes
      - Reads runtime system information
    PID 386  /bin/busybox  busybox pkill -9 m68k
  PID 387  /bin/sh  sh -c "pkill -9 sparc || busybox pkill -9 sparc"
    PID 388  /usr/bin/pkill  pkill -9 sparc
      - Reads CPU attributes
      - Reads runtime system information
    PID 389  /bin/busybox  busybox pkill -9 sparc
  PID 390  /bin/sh  sh -c "pkill -9 x86_64 || busybox pkill -9 x86_64"
    PID 391  /usr/bin/pkill  pkill -9 x86_64
      - Reads CPU attributes
      - Reads runtime system information
    PID 392  /bin/busybox  busybox pkill -9 x86_64
  PID 393  /bin/sh  sh -c "pkill -9 jackmy* || busybox pkill -9 jackmy*"
    PID 394  /usr/bin/pkill  pkill -9 "jackmy*"
      - Reads CPU attributes
      - Reads runtime system information
    PID 395  /bin/busybox  busybox pkill -9 "jackmy*"
  PID 396  /bin/sh  sh -c "pkill -9 hackmy* || busybox pkill -9 hackmy*"
    PID 397  /usr/bin/pkill  pkill -9 "hackmy*"
      - Reads CPU attributes
      - Reads runtime system information
    PID 398  /bin/busybox  busybox pkill -9 "hackmy*"
  PID 399  /bin/sh  sh -c "pkill -9 b1 || busybox pkill -9 b1"
    PID 400  /usr/bin/pkill  pkill -9 b1
      - Reads CPU attributes
      - Reads runtime system information