Analysis

  • max time kernel: 0s
  • max time network: 153s
  • platform: linux_mipsel
  • resource: debian9-mipsel-en-20211208
  • submitted: 21-01-2022 23:04

General

  • Target: da573b1d8eec8b4c87b85279192980e306ffed4c1147afc649598671a2e42250
  • Size: 173KB
  • MD5: cc8d2f4a88fc831aa70a75398386b854
  • SHA1: 197ef2f68cee1753d90cd49959e997002a2d5379
  • SHA256: da573b1d8eec8b4c87b85279192980e306ffed4c1147afc649598671a2e42250
  • SHA512: ed7fe58b08b8e6b722bde672a78aaf7ac008cb18c6aca628d7914886dfdf28227a529e75cfb6da59a62c932d9b24799b96524bce8dbdb8d587c2ed64b1a83dcf

Score
7/10

Malware Config

Signatures

  • Modifies rc script 1 TTPs 1 IoCs

    Adding/modifying system rc scripts is a common persistence mechanism.

  • Reads CPU attributes 1 TTPs 23 IoCs
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • ./da573b1d8eec8b4c87b85279192980e306ffed4c1147afc649598671a2e42250
    ./da573b1d8eec8b4c87b85279192980e306ffed4c1147afc649598671a2e42250
    PID:325
    • /bin/sh
      sh -c "pkill -9 mirai.* || busybox pkill -9 mirai.*"
      PID:329
      • /usr/bin/pkill
        pkill -9 "mirai.*"
        • Reads CPU attributes
        • Reads runtime system information
        PID:330
      • /bin/busybox
        busybox pkill -9 "mirai.*"
        PID:335
    • /bin/sh
      sh -c "pkill -9 dlr.*mips || busybox pkill -9 dlr.*mips"
      PID:336
      • /usr/bin/pkill
        pkill -9 "dlr.*mips"
        • Reads CPU attributes
        • Reads runtime system information
        PID:337
      • /bin/busybox
        busybox pkill -9 "dlr.*mips"
        PID:338
    • /bin/sh
      sh -c "pkill -9 mips64 || busybox pkill -9 mips64"
      PID:339
      • /usr/bin/pkill
        pkill -9 mips64
        • Reads CPU attributes
        • Reads runtime system information
        PID:340
      • /bin/busybox
        busybox pkill -9 mips64
        PID:341
    • /bin/sh
      sh -c "pkill -9 mipsel || busybox pkill -9 mipsel"
      PID:342
      • /usr/bin/pkill
        pkill -9 mipsel
        • Reads CPU attributes
        • Reads runtime system information
        PID:343
      • /bin/busybox
        busybox pkill -9 mipsel
        PID:344
    • /bin/sh
      sh -c "pkill -9 sh2eb || busybox pkill -9 sh2eb"
      PID:345
      • /usr/bin/pkill
        pkill -9 sh2eb
        • Reads CPU attributes
        • Reads runtime system information
        PID:346
      • /bin/busybox
        busybox pkill -9 sh2eb
        PID:347
    • /bin/sh
      sh -c "pkill -9 sh2elf || busybox pkill -9 sh2elf"
      PID:348
      • /usr/bin/pkill
        pkill -9 sh2elf
        • Reads CPU attributes
        • Reads runtime system information
        PID:349
      • /bin/busybox
        busybox pkill -9 sh2elf
        PID:350
    • /bin/sh
      sh -c "pkill -9 sh4 || busybox pkill -9 sh4"
      PID:351
      • /usr/bin/pkill
        pkill -9 sh4
        • Reads CPU attributes
        • Reads runtime system information
        PID:352
      • /bin/busybox
        busybox pkill -9 sh4
        PID:353
    • /bin/sh
      sh -c "pkill -9 x86 || busybox pkill -9 x86"
      PID:354
      • /usr/bin/pkill
        pkill -9 x86
        • Reads CPU attributes
        • Reads runtime system information
        PID:355
      • /bin/busybox
        busybox pkill -9 x86
        PID:356
    • /bin/sh
      sh -c "pkill -9 arm || busybox pkill -9 arm"
      PID:357
      • /usr/bin/pkill
        pkill -9 arm
        • Reads CPU attributes
        • Reads runtime system information
        PID:358
      • /bin/busybox
        busybox pkill -9 arm
        PID:359
    • /bin/sh
      sh -c "pkill -9 armv5 || busybox pkill -9 armv5"
      PID:360
      • /usr/bin/pkill
        pkill -9 armv5
        • Reads CPU attributes
        • Reads runtime system information
        PID:361
      • /bin/busybox
        busybox pkill -9 armv5
        PID:362
    • /bin/sh
      sh -c "pkill -9 armv4tl || busybox pkill -9 armv4tl"
      PID:363
      • /usr/bin/pkill
        pkill -9 armv4tl
        • Reads CPU attributes
        • Reads runtime system information
        PID:364
      • /bin/busybox
        busybox pkill -9 armv4tl
        PID:365
    • /bin/sh
      sh -c "pkill -9 armv4 || busybox pkill -9 armv4"
      PID:366
      • /usr/bin/pkill
        pkill -9 armv4
        • Reads CPU attributes
        • Reads runtime system information
        PID:367
      • /bin/busybox
        busybox pkill -9 armv4
        PID:368
    • /bin/sh
      sh -c "pkill -9 armv6 || busybox pkill -9 armv6"
      PID:369
      • /usr/bin/pkill
        pkill -9 armv6
        • Reads CPU attributes
        • Reads runtime system information
        PID:370
      • /bin/busybox
        busybox pkill -9 armv6
        PID:371
    • /bin/sh
      sh -c "pkill -9 i686 || busybox pkill -9 i686"
      PID:372
      • /usr/bin/pkill
        pkill -9 i686
        • Reads CPU attributes
        PID:373
      • /bin/busybox
        busybox pkill -9 i686
        PID:374
    • /bin/sh
      sh -c "pkill -9 powerpc || busybox pkill -9 powerpc"
      PID:375
      • /usr/bin/pkill
        pkill -9 powerpc
        • Reads CPU attributes
        • Reads runtime system information
        PID:376
      • /bin/busybox
        busybox pkill -9 powerpc
        PID:377
    • /bin/sh
      sh -c "pkill -9 powerpc440fp || busybox pkill -9 powerpc440fp"
      PID:378
      • /usr/bin/pkill
        pkill -9 powerpc440fp
        • Reads CPU attributes
        • Reads runtime system information
        PID:379
      • /bin/busybox
        busybox pkill -9 powerpc440fp
        PID:380
    • /bin/sh
      sh -c "pkill -9 i586 || busybox pkill -9 i586"
      PID:381
      • /usr/bin/pkill
        pkill -9 i586
        • Reads CPU attributes
        • Reads runtime system information
        PID:382
      • /bin/busybox
        busybox pkill -9 i586
        PID:383
    • /bin/sh
      sh -c "pkill -9 m68k || busybox pkill -9 m68k"
      PID:384
      • /usr/bin/pkill
        pkill -9 m68k
        • Reads CPU attributes
        • Reads runtime system information
        PID:385
      • /bin/busybox
        busybox pkill -9 m68k
        PID:386
    • /bin/sh
      sh -c "pkill -9 sparc || busybox pkill -9 sparc"
      PID:387
      • /usr/bin/pkill
        pkill -9 sparc
        • Reads CPU attributes
        • Reads runtime system information
        PID:388
      • /bin/busybox
        busybox pkill -9 sparc
        PID:389
    • /bin/sh
      sh -c "pkill -9 x86_64 || busybox pkill -9 x86_64"
      PID:390
      • /usr/bin/pkill
        pkill -9 x86_64
        • Reads CPU attributes
        • Reads runtime system information
        PID:391
      • /bin/busybox
        busybox pkill -9 x86_64
        PID:392
    • /bin/sh
      sh -c "pkill -9 jackmy* || busybox pkill -9 jackmy*"
      PID:393
      • /usr/bin/pkill
        pkill -9 "jackmy*"
        • Reads CPU attributes
        • Reads runtime system information
        PID:394
      • /bin/busybox
        busybox pkill -9 "jackmy*"
        PID:395
    • /bin/sh
      sh -c "pkill -9 hackmy* || busybox pkill -9 hackmy*"
      PID:396
      • /usr/bin/pkill
        pkill -9 "hackmy*"
        • Reads CPU attributes
        • Reads runtime system information
        PID:397
      • /bin/busybox
        busybox pkill -9 "hackmy*"
        PID:398
    • /bin/sh
      sh -c "pkill -9 b1 || busybox pkill -9 b1"
      PID:399
      • /usr/bin/pkill
        pkill -9 b1
        • Reads CPU attributes
        • Reads runtime system information
        PID:400

Network

MITRE ATT&CK Enterprise v6