Behavioral Report

General

Target

Mozi.m
Size

106KB
MD5

4dde761681684d7edad4e5e1ffdb940b
SHA1

2327be693bc11a618c380d7d3abc2382d870d48b
SHA256

d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8
SHA512

91a61c719128f263f9f95736d55895954cc468c74ff469ee061d35ec382c50b9165e9a5427dc46a835dac6ae0e6e1f9819632475f68b98a907b53196bd4eb02a

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE JAWS Webserver Unauthenticated Shell Command Execution
suricata: ET MALWARE JAWS Webserver Unauthenticated Shell Command Execution
suricata
suricata: ET MALWARE Mirai Variant User-Agent (Outbound)
suricata: ET MALWARE Mirai Variant User-Agent (Outbound)
suricata
Modifies the Watchdog daemon ⋅ 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

TTPs:
Writes file to system bin folder ⋅ 1 TTPs 2 IoCs

TTPs:

Processes:

description ioc

/sbin/watchdog /sbin/watchdog
/bin/watchdog /bin/watchdog
Modifies hosts file ⋅ 1 IoCs
Adds to hosts file used for mapping hosts to IP addresses.

Processes:

description ioc

/etc/hosts /etc/hosts
Writes DNS configuration ⋅ 1 TTPs 1 IoCs
Writes data to DNS resolver config file.

TTPs:

Processes:

description ioc

/etc/resolv.conf /etc/resolv.conf
Enumerates active TCP sockets ⋅ 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

TTPs:

System Network Connections Discovery

Processes:

description ioc

/proc/net/tcp /proc/net/tcp
Modifies init.d ⋅ 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

TTPs:

Processes:

description ioc

/etc/init.d/S95baby.sh /etc/init.d/S95baby.sh
Reads system routing table ⋅ 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.

TTPs:

System Network Configuration Discovery

Processes:

description ioc

/proc/net/route /proc/net/route
Reads system network configuration ⋅ 1 TTPs 3 IoCs
Uses contents of /proc filesystem to enumerate network settings.

TTPs:

System Network Configuration Discovery

Processes:

description ioc

/proc/net/raw /proc/net/raw
/proc/net/tcp /proc/net/tcp
/proc/net/route /proc/net/route
Writes file to tmp directory ⋅ 2 IoCs
Malware often drops required files in the /tmp directory.

Processes:

description ioc

/tmp/Mozi.m /tmp/Mozi.m
/tmp/config /tmp/config

description	ioc
/sbin/watchdog	/sbin/watchdog
/bin/watchdog	/bin/watchdog

description	ioc
/etc/hosts	/etc/hosts

description	ioc
/etc/resolv.conf	/etc/resolv.conf

description	ioc
/proc/net/tcp	/proc/net/tcp

description	ioc
/etc/init.d/S95baby.sh	/etc/init.d/S95baby.sh

description	ioc
/proc/net/route	/proc/net/route

description	ioc
/proc/net/raw	/proc/net/raw
/proc/net/tcp	/proc/net/tcp
/proc/net/route	/proc/net/route

description	ioc
/tmp/Mozi.m	/tmp/Mozi.m
/tmp/config	/tmp/config

./Mozi.m

./Mozi.m

PID:331

/bin/sh

sh -c "iptables -I INPUT -p tcp --destination-port 22 -j DROP"

PID:339

/sbin/iptables

iptables -I INPUT -p tcp --destination-port 22 -j DROP

PID:340

/bin/sh

sh -c "iptables -I INPUT -p tcp --destination-port 23 -j DROP"

PID:349

/sbin/iptables

iptables -I INPUT -p tcp --destination-port 23 -j DROP

PID:351

/bin/sh

sh -c "iptables -I INPUT -p tcp --destination-port 60907 -j ACCEPT"

PID:350

/sbin/iptables

iptables -I INPUT -p tcp --destination-port 60907 -j ACCEPT

PID:352

/bin/sh

sh -c "iptables -I INPUT -p tcp --destination-port 2323 -j DROP"

PID:353

/sbin/iptables

iptables -I INPUT -p tcp --destination-port 2323 -j DROP

PID:354

/bin/sh

sh -c "iptables -I OUTPUT -p tcp --source-port 22 -j DROP"

PID:355

/sbin/iptables

iptables -I OUTPUT -p tcp --source-port 22 -j DROP

PID:356

/bin/sh

sh -c "iptables -I OUTPUT -p tcp --source-port 23 -j DROP"

PID:357

/sbin/iptables

iptables -I OUTPUT -p tcp --source-port 23 -j DROP

PID:358

/bin/sh

sh -c "iptables -I OUTPUT -p tcp --source-port 2323 -j DROP"

PID:359

/sbin/iptables

iptables -I OUTPUT -p tcp --source-port 2323 -j DROP

PID:360

/bin/sh

sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"

PID:361

/sbin/iptables

iptables -I INPUT -p tcp --destination-port 58000 -j DROP

PID:362

/bin/sh

sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"

PID:363

/sbin/iptables

iptables -I OUTPUT -p tcp --source-port 58000 -j DROP

PID:364

/bin/sh

sh -c "iptables -I OUTPUT -p tcp --source-port 60907 -j ACCEPT"

PID:365

/sbin/iptables

iptables -I OUTPUT -p tcp --source-port 60907 -j ACCEPT

PID:366

/bin/sh

sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""

PID:367

/bin/sh

sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""

PID:368

/bin/sh

sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 60907 -j ACCEPT"

PID:369

/sbin/iptables

iptables -I PREROUTING -t nat -p tcp --destination-port 60907 -j ACCEPT

PID:371

/bin/sh

sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"

PID:370

/sbin/iptables

iptables -I INPUT -p tcp --destination-port 35000 -j DROP

PID:372

/bin/sh

sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 60907 -j ACCEPT"

PID:381

/sbin/iptables

iptables -I POSTROUTING -t nat -p tcp --source-port 60907 -j ACCEPT

PID:382

/bin/sh

sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"

PID:383

/sbin/iptables

iptables -I INPUT -p tcp --destination-port 50023 -j DROP

PID:384

/bin/sh

sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"

PID:385

/sbin/iptables

iptables -I OUTPUT -p tcp --source-port 50023 -j DROP

PID:386

/bin/sh

sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"

PID:387

/sbin/iptables

iptables -I OUTPUT -p tcp --source-port 35000 -j DROP

PID:388

/bin/sh

sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"

PID:389

/sbin/iptables

iptables -I INPUT -p tcp --destination-port 7547 -j DROP

PID:390

/bin/sh

sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"

PID:391

/sbin/iptables

iptables -I OUTPUT -p tcp --source-port 7547 -j DROP

PID:392

/bin/sh

sh -c "iptables -I INPUT -p udp --destination-port 12724 -j ACCEPT"

PID:393

/sbin/iptables

iptables -I INPUT -p udp --destination-port 12724 -j ACCEPT

PID:394

/bin/sh

sh -c "iptables -I OUTPUT -p udp --source-port 12724 -j ACCEPT"

PID:395

/sbin/iptables

iptables -I OUTPUT -p udp --source-port 12724 -j ACCEPT

PID:396

/bin/sh

sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 12724 -j ACCEPT"

PID:397

/sbin/iptables

iptables -I PREROUTING -t nat -p udp --destination-port 12724 -j ACCEPT

PID:398

/bin/sh

sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 12724 -j ACCEPT"

PID:399

/sbin/iptables

iptables -I POSTROUTING -t nat -p udp --source-port 12724 -j ACCEPT

PID:400

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Downloads