Analysis
-
max time kernel
5025s -
max time network
154s -
platform
linux_mips -
resource
debian9-mipsbe-en-20211208 -
submitted
04-02-2022 21:10
Static task
static1
Behavioral task
behavioral1
Sample
Mozi.m
Resource
debian9-mipsbe-en-20211208
General
-
Target
Mozi.m
-
Size
106KB
-
MD5
4dde761681684d7edad4e5e1ffdb940b
-
SHA1
2327be693bc11a618c380d7d3abc2382d870d48b
-
SHA256
d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8
-
SHA512
91a61c719128f263f9f95736d55895954cc468c74ff469ee061d35ec382c50b9165e9a5427dc46a835dac6ae0e6e1f9819632475f68b98a907b53196bd4eb02a
Malware Config
Signatures
-
suricata: ET MALWARE JAWS Webserver Unauthenticated Shell Command Execution
suricata: ET MALWARE JAWS Webserver Unauthenticated Shell Command Execution
-
suricata: ET MALWARE Mirai Variant User-Agent (Outbound)
suricata: ET MALWARE Mirai Variant User-Agent (Outbound)
-
Modifies the Watchdog daemon ⋅ 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.
-
Writes file to system bin folder ⋅ 1 TTPs 2 IoCs
-
Modifies hosts file ⋅ 1 IoCs
Adds to hosts file used for mapping hosts to IP addresses.
Processes:
description ioc /etc/hosts /etc/hosts -
Writes DNS configuration ⋅ 1 TTPs 1 IoCs
Writes data to DNS resolver config file.
-
Enumerates active TCP sockets ⋅ 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
-
Reads system routing table ⋅ 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.
Processes:
description ioc /proc/net/route /proc/net/route -
Reads system network configuration ⋅ 1 TTPs 3 IoCs
Uses contents of /proc filesystem to enumerate network settings.
Processes:
description ioc /proc/net/raw /proc/net/raw /proc/net/tcp /proc/net/tcp /proc/net/route /proc/net/route -
Writes file to tmp directory ⋅ 2 IoCs
Malware often drops required files in the /tmp directory.
Processes:
description ioc /tmp/Mozi.m /tmp/Mozi.m /tmp/config /tmp/config
Processes
-
./Mozi.m./Mozi.m
-
/bin/shsh -c "iptables -I INPUT -p tcp --destination-port 22 -j DROP"
-
/sbin/iptablesiptables -I INPUT -p tcp --destination-port 22 -j DROP
-
/bin/shsh -c "iptables -I INPUT -p tcp --destination-port 23 -j DROP"
-
/sbin/iptablesiptables -I INPUT -p tcp --destination-port 23 -j DROP
-
/bin/shsh -c "iptables -I INPUT -p tcp --destination-port 60907 -j ACCEPT"
-
/sbin/iptablesiptables -I INPUT -p tcp --destination-port 60907 -j ACCEPT
-
/bin/shsh -c "iptables -I INPUT -p tcp --destination-port 2323 -j DROP"
-
/sbin/iptablesiptables -I INPUT -p tcp --destination-port 2323 -j DROP
-
/bin/shsh -c "iptables -I OUTPUT -p tcp --source-port 22 -j DROP"
-
/sbin/iptablesiptables -I OUTPUT -p tcp --source-port 22 -j DROP
-
/bin/shsh -c "iptables -I OUTPUT -p tcp --source-port 23 -j DROP"
-
/sbin/iptablesiptables -I OUTPUT -p tcp --source-port 23 -j DROP
-
/bin/shsh -c "iptables -I OUTPUT -p tcp --source-port 2323 -j DROP"
-
/sbin/iptablesiptables -I OUTPUT -p tcp --source-port 2323 -j DROP
-
/bin/shsh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"
-
/sbin/iptablesiptables -I INPUT -p tcp --destination-port 58000 -j DROP
-
/bin/shsh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"
-
/sbin/iptablesiptables -I OUTPUT -p tcp --source-port 58000 -j DROP
-
/bin/shsh -c "iptables -I OUTPUT -p tcp --source-port 60907 -j ACCEPT"
-
/sbin/iptablesiptables -I OUTPUT -p tcp --source-port 60907 -j ACCEPT
-
/bin/shsh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""
-
/bin/shsh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""
-
/bin/shsh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 60907 -j ACCEPT"
-
/sbin/iptablesiptables -I PREROUTING -t nat -p tcp --destination-port 60907 -j ACCEPT
-
/bin/shsh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"
-
/sbin/iptablesiptables -I INPUT -p tcp --destination-port 35000 -j DROP
-
/bin/shsh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 60907 -j ACCEPT"
-
/sbin/iptablesiptables -I POSTROUTING -t nat -p tcp --source-port 60907 -j ACCEPT
-
/bin/shsh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"
-
/sbin/iptablesiptables -I INPUT -p tcp --destination-port 50023 -j DROP
-
/bin/shsh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"
-
/sbin/iptablesiptables -I OUTPUT -p tcp --source-port 50023 -j DROP
-
/bin/shsh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"
-
/sbin/iptablesiptables -I OUTPUT -p tcp --source-port 35000 -j DROP
-
/bin/shsh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"
-
/sbin/iptablesiptables -I INPUT -p tcp --destination-port 7547 -j DROP
-
/bin/shsh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"
-
/sbin/iptablesiptables -I OUTPUT -p tcp --source-port 7547 -j DROP
-
/bin/shsh -c "iptables -I INPUT -p udp --destination-port 12724 -j ACCEPT"
-
/sbin/iptablesiptables -I INPUT -p udp --destination-port 12724 -j ACCEPT
-
/bin/shsh -c "iptables -I OUTPUT -p udp --source-port 12724 -j ACCEPT"
-
/sbin/iptablesiptables -I OUTPUT -p udp --source-port 12724 -j ACCEPT
-
/bin/shsh -c "iptables -I PREROUTING -t nat -p udp --destination-port 12724 -j ACCEPT"
-
/sbin/iptablesiptables -I PREROUTING -t nat -p udp --destination-port 12724 -j ACCEPT
-
/bin/shsh -c "iptables -I POSTROUTING -t nat -p udp --source-port 12724 -j ACCEPT"
-
/sbin/iptablesiptables -I POSTROUTING -t nat -p udp --source-port 12724 -j ACCEPT
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation