Analysis

  • max time kernel: 5025s
  • max time network: 154s
  • platform: linux_mips
  • resource: debian9-mipsbe-en-20211208
  • submitted: 04-02-2022 21:10

General

  • Target: Mozi.m
  • Size: 106KB
  • Sample: 220204-z1afeafdcm
  • MD5: 4dde761681684d7edad4e5e1ffdb940b
  • SHA1: 2327be693bc11a618c380d7d3abc2382d870d48b
  • SHA256: d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8
  • SHA512: 91a61c719128f263f9f95736d55895954cc468c74ff469ee061d35ec382c50b9165e9a5427dc46a835dac6ae0e6e1f9819632475f68b98a907b53196bd4eb02a

Score
10/10

Malware Config

Signatures 11

  • suricata: ET MALWARE JAWS Webserver Unauthenticated Shell Command Execution

  • suricata: ET MALWARE Mirai Variant User-Agent (Outbound)

  • Modifies the Watchdog daemon ⋅ 1 TTPs

    Malware like Mirai modifies the Watchdog daemon to prevent it from restarting an infected system.

  • Writes file to system bin folder ⋅ 1 TTPs 2 IoCs
  • Modifies hosts file ⋅ 1 IoCs

    Adds entries to the hosts file, which maps hostnames to IP addresses.

  • Writes DNS configuration ⋅ 1 TTPs 1 IoCs

    Writes data to DNS resolver config file.

  • Enumerates active TCP sockets ⋅ 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Modifies init.d ⋅ 1 TTPs 1 IoCs

    Adds/modifies system service, likely for persistence.

  • Reads system routing table ⋅ 1 TTPs 1 IoCs

    Gets active network interfaces from /proc virtual filesystem.

  • Reads system network configuration ⋅ 1 TTPs 3 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Writes file to tmp directory ⋅ 2 IoCs

    Malware often drops required files in the /tmp directory.

Processes 47

  • ./Mozi.m
    ./Mozi.m
    PID:331
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 22 -j DROP"
    PID:339
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 22 -j DROP
      PID:340
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 23 -j DROP"
    PID:349
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 23 -j DROP
      PID:351
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 60907 -j ACCEPT"
    PID:350
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 60907 -j ACCEPT
      PID:352
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 2323 -j DROP"
    PID:353
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 2323 -j DROP
      PID:354
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 22 -j DROP"
    PID:355
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 22 -j DROP
      PID:356
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 23 -j DROP"
    PID:357
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 23 -j DROP
      PID:358
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 2323 -j DROP"
    PID:359
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
      PID:360
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"
    PID:361
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 58000 -j DROP
      PID:362
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"
    PID:363
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
      PID:364
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 60907 -j ACCEPT"
    PID:365
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 60907 -j ACCEPT
      PID:366
  • /bin/sh
    sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""
    PID:367
  • /bin/sh
    sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""
    PID:368
  • /bin/sh
    sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 60907 -j ACCEPT"
    PID:369
    • /sbin/iptables
      iptables -I PREROUTING -t nat -p tcp --destination-port 60907 -j ACCEPT
      PID:371
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"
    PID:370
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 35000 -j DROP
      PID:372
  • /bin/sh
    sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 60907 -j ACCEPT"
    PID:381
    • /sbin/iptables
      iptables -I POSTROUTING -t nat -p tcp --source-port 60907 -j ACCEPT
      PID:382
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"
    PID:383
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 50023 -j DROP
      PID:384
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"
    PID:385
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
      PID:386
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"
    PID:387
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
      PID:388
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"
    PID:389
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 7547 -j DROP
      PID:390
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"
    PID:391
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
      PID:392
  • /bin/sh
    sh -c "iptables -I INPUT -p udp --destination-port 12724 -j ACCEPT"
    PID:393
    • /sbin/iptables
      iptables -I INPUT -p udp --destination-port 12724 -j ACCEPT
      PID:394
  • /bin/sh
    sh -c "iptables -I OUTPUT -p udp --source-port 12724 -j ACCEPT"
    PID:395
    • /sbin/iptables
      iptables -I OUTPUT -p udp --source-port 12724 -j ACCEPT
      PID:396
  • /bin/sh
    sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 12724 -j ACCEPT"
    PID:397
    • /sbin/iptables
      iptables -I PREROUTING -t nat -p udp --destination-port 12724 -j ACCEPT
      PID:398
  • /bin/sh
    sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 12724 -j ACCEPT"
    PID:399
    • /sbin/iptables
      iptables -I POSTROUTING -t nat -p udp --source-port 12724 -j ACCEPT
      PID:400

Network

MITRE ATT&CK Matrix

Tactic columns (no technique cells were recovered from the page): Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
