Overview

overview

10

Static

static

8

Mozi.m

linux_mips

10

Analysis

  • max time kernel
    5025s
  • max time network
    154s
  • platform
    linux_mips
  • resource
    debian9-mipsbe-en-20211208
  • submitted
    04-02-2022 21:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Mozi.m

  • Size

    106KB

  • MD5

    4dde761681684d7edad4e5e1ffdb940b

  • SHA1

    2327be693bc11a618c380d7d3abc2382d870d48b

  • SHA256

    d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8

  • SHA512

    91a61c719128f263f9f95736d55895954cc468c74ff469ee061d35ec382c50b9165e9a5427dc46a835dac6ae0e6e1f9819632475f68b98a907b53196bd4eb02a

Score
10/10
persistencesuricata

Malware Config

Signatures

  • suricata: ET MALWARE JAWS Webserver Unauthenticated Shell Command Execution

    suricata: ET MALWARE JAWS Webserver Unauthenticated Shell Command Execution

    suricata
  • suricata: ET MALWARE Mirai Variant User-Agent (Outbound)

    suricata: ET MALWARE Mirai Variant User-Agent (Outbound)

    suricata
  • Modifies the Watchdog daemon 1 TTPs

    Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

  • Writes file to system bin folder 1 TTPs 2 IoCs
  • Modifies hosts file 1 IoCs

    Adds to hosts file used for mapping hosts to IP addresses.

  • Writes DNS configuration 1 TTPs 1 IoCs

    Writes data to DNS resolver config file.

  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Modifies init.d 1 TTPs 1 IoCs

    Adds/modifies system service, likely for persistence.

    persistence
  • Reads system routing table 1 TTPs 1 IoCs

    Gets active network interfaces from /proc virtual filesystem.

  • Reads system network configuration 1 TTPs 3 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Writes file to tmp directory 2 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • ./Mozi.m
    ./Mozi.m
      PID:331
    • /bin/sh
      sh -c "iptables -I INPUT -p tcp --destination-port 22 -j DROP"
        PID:339
        • /sbin/iptables
          iptables -I INPUT -p tcp --destination-port 22 -j DROP
            PID:340
        • /bin/sh
          sh -c "iptables -I INPUT -p tcp --destination-port 23 -j DROP"
            PID:349
            • /sbin/iptables
              iptables -I INPUT -p tcp --destination-port 23 -j DROP
                PID:351
            • /bin/sh
              sh -c "iptables -I INPUT -p tcp --destination-port 60907 -j ACCEPT"
                PID:350
                • /sbin/iptables
                  iptables -I INPUT -p tcp --destination-port 60907 -j ACCEPT
                    PID:352
                • /bin/sh
                  sh -c "iptables -I INPUT -p tcp --destination-port 2323 -j DROP"
                    PID:353
                    • /sbin/iptables
                      iptables -I INPUT -p tcp --destination-port 2323 -j DROP
                        PID:354
                    • /bin/sh
                      sh -c "iptables -I OUTPUT -p tcp --source-port 22 -j DROP"
                        PID:355
                        • /sbin/iptables
                          iptables -I OUTPUT -p tcp --source-port 22 -j DROP
                            PID:356
                        • /bin/sh
                          sh -c "iptables -I OUTPUT -p tcp --source-port 23 -j DROP"
                            PID:357
                            • /sbin/iptables
                              iptables -I OUTPUT -p tcp --source-port 23 -j DROP
                                PID:358
                            • /bin/sh
                              sh -c "iptables -I OUTPUT -p tcp --source-port 2323 -j DROP"
                                PID:359
                                • /sbin/iptables
                                  iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
                                    PID:360
                                • /bin/sh
                                  sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"
                                    PID:361
                                    • /sbin/iptables
                                      iptables -I INPUT -p tcp --destination-port 58000 -j DROP
                                        PID:362
                                    • /bin/sh
                                      sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"
                                        PID:363
                                        • /sbin/iptables
                                          iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
                                            PID:364
                                        • /bin/sh
                                          sh -c "iptables -I OUTPUT -p tcp --source-port 60907 -j ACCEPT"
                                            PID:365
                                            • /sbin/iptables
                                              iptables -I OUTPUT -p tcp --source-port 60907 -j ACCEPT
                                                PID:366
                                            • /bin/sh
                                              sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""
                                                PID:367
                                              • /bin/sh
                                                sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""
                                                  PID:368
                                                • /bin/sh
                                                  sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 60907 -j ACCEPT"
                                                    PID:369
                                                    • /sbin/iptables
                                                      iptables -I PREROUTING -t nat -p tcp --destination-port 60907 -j ACCEPT
                                                        PID:371
                                                    • /bin/sh
                                                      sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"
                                                        PID:370
                                                        • /sbin/iptables
                                                          iptables -I INPUT -p tcp --destination-port 35000 -j DROP
                                                            PID:372
                                                        • /bin/sh
                                                          sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 60907 -j ACCEPT"
                                                            PID:381
                                                            • /sbin/iptables
                                                              iptables -I POSTROUTING -t nat -p tcp --source-port 60907 -j ACCEPT
                                                                PID:382
                                                            • /bin/sh
                                                              sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"
                                                                PID:383
                                                                • /sbin/iptables
                                                                  iptables -I INPUT -p tcp --destination-port 50023 -j DROP
                                                                    PID:384
                                                                • /bin/sh
                                                                  sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"
                                                                    PID:385
                                                                    • /sbin/iptables
                                                                      iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
                                                                        PID:386
                                                                    • /bin/sh
                                                                      sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"
                                                                        PID:387
                                                                        • /sbin/iptables
                                                                          iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
                                                                            PID:388
                                                                        • /bin/sh
                                                                          sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"
                                                                            PID:389
                                                                            • /sbin/iptables
                                                                              iptables -I INPUT -p tcp --destination-port 7547 -j DROP
                                                                                PID:390
                                                                            • /bin/sh
                                                                              sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"
                                                                                PID:391
                                                                                • /sbin/iptables
                                                                                  iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
                                                                                    PID:392
                                                                                • /bin/sh
                                                                                  sh -c "iptables -I INPUT -p udp --destination-port 12724 -j ACCEPT"
                                                                                    PID:393
                                                                                    • /sbin/iptables
                                                                                      iptables -I INPUT -p udp --destination-port 12724 -j ACCEPT
                                                                                        PID:394
                                                                                    • /bin/sh
                                                                                      sh -c "iptables -I OUTPUT -p udp --source-port 12724 -j ACCEPT"
                                                                                        PID:395
                                                                                        • /sbin/iptables
                                                                                          iptables -I OUTPUT -p udp --source-port 12724 -j ACCEPT
                                                                                            PID:396
                                                                                        • /bin/sh
                                                                                          sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 12724 -j ACCEPT"
                                                                                            PID:397
                                                                                            • /sbin/iptables
                                                                                              iptables -I PREROUTING -t nat -p udp --destination-port 12724 -j ACCEPT
                                                                                                PID:398
                                                                                            • /bin/sh
                                                                                              sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 12724 -j ACCEPT"
                                                                                                PID:399
                                                                                                • /sbin/iptables
                                                                                                  iptables -I POSTROUTING -t nat -p udp --source-port 12724 -j ACCEPT
                                                                                                    PID:400

                                                                                                Network

                                                                                                MITRE ATT&CK Matrix ATT&CK v6

                                                                                                Initial Access

                                                                                                Execution

                                                                                                Persistence

                                                                                                Hijack Execution Flow

                                                                                                1
                                                                                                T1574

                                                                                                Boot or Logon Autostart Execution

                                                                                                1
                                                                                                T1547

                                                                                                Privilege Escalation

                                                                                                Hijack Execution Flow

                                                                                                1
                                                                                                T1574

                                                                                                Boot or Logon Autostart Execution

                                                                                                1
                                                                                                T1547

                                                                                                Defense Evasion

                                                                                                Impair Defenses

                                                                                                1
                                                                                                T1562

                                                                                                Hijack Execution Flow

                                                                                                1
                                                                                                T1574

                                                                                                Credential Access

                                                                                                Discovery

                                                                                                System Network Connections Discovery

                                                                                                1
                                                                                                T1049

                                                                                                System Network Configuration Discovery

                                                                                                2
                                                                                                T1016

                                                                                                Lateral Movement

                                                                                                Collection

                                                                                                Exfiltration

                                                                                                Command and Control

                                                                                                Dynamic Resolution

                                                                                                1
                                                                                                T1568

                                                                                                Impact

                                                                                                Replay Monitor

                                                                                                00:00 00:00

                                                                                                Downloads