Analysis

  • max time kernel
    0s
  • max time network
    121s
  • platform
    linux_mipsel
  • resource
    debian9-mipsel-en-20211208
  • submitted
    14-03-2022 01:55

General

  • Target

    97717ad2ff60ac257a5f66634fe06544

  • Size

    156KB

  • MD5

    97717ad2ff60ac257a5f66634fe06544

  • SHA1

    9845039ea2423177944fb7666595002891ca28e3

  • SHA256

    95d1fca8bea30d9629fdf05e6ba0fc6195eb0a86f99ea021b17cb8823db9d78b

  • SHA512

    1535c1402cce5805feff0373ad74de39d5fd5012ff4c400a1e82074fa9967cdc50e58876ad9f9a2352fcb340e77735abd2f5f3f5fa5dcde254f6abd326577f6e

Score
9/10

Malware Config

Signatures

  • Writes file to system bin folder 1 TTPs 3 IoCs
  • Modifies hosts file 1 IoCs

    Adds to hosts file used for mapping hosts to IP addresses.

  • Writes DNS configuration 1 TTPs 1 IoCs

    Writes data to DNS resolver config file.

  • Modifies rc script 1 TTPs 1 IoCs

    Adding/modifying system rc scripts is a common persistence mechanism.

  • Write file to user bin folder 1 TTPs 2 IoCs
  • Reads runtime system information 20 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 5 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • ./97717ad2ff60ac257a5f66634fe06544
    ./97717ad2ff60ac257a5f66634fe06544
    1⤵
    • Modifies rc script
    • Writes file to tmp directory
    PID:325
  • /bin/sh
    sh -c "pidof -x strace > /dev/null"
    1⤵
    PID:326
      • /bin/pidof
        pidof -x strace
        2⤵
        PID:327
  • /bin/sh
    sh -c "pidof -x tcpdump > /dev/null"
    1⤵
    PID:328
      • /bin/pidof
        pidof -x tcpdump
        2⤵
        PID:330
  • /bin/sh
    sh -c "cat /etc/inittab | grep -v \"/tmp/97717ad2ff60ac257a5f66634fe06544\" > /etc/inittab2"
    1⤵
    PID:336
      • /bin/cat
        cat /etc/inittab
        2⤵
        PID:339
      • /bin/grep
        grep -v /tmp/97717ad2ff60ac257a5f66634fe06544
        2⤵
        PID:342
  • /bin/sh
    sh -c "crontab -r"
    1⤵
    PID:337
      • /usr/bin/crontab
        crontab -r
        2⤵
        • Reads runtime system information
        PID:340
  • /bin/sh
    sh -c "crontab -l | grep /tmp/97717ad2ff60ac257a5f66634fe06544 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /tmp/97717ad2ff60ac257a5f66634fe06544 > /dev/null 2>&1 &\") | crontab -"
    1⤵
    PID:338
      • /usr/bin/crontab
        crontab -l
        2⤵
        • Reads runtime system information
        PID:341
      • /bin/grep
        grep /tmp/97717ad2ff60ac257a5f66634fe06544
        2⤵
        PID:343
      • /bin/grep
        grep -v "no cron"
        2⤵
        PID:344
      • /usr/bin/crontab
        crontab -
        2⤵
        • Reads runtime system information
        PID:347
  • /bin/sh
    sh -c "echo \"0:2345:respawn:/tmp/97717ad2ff60ac257a5f66634fe06544\" >> /etc/inittab2"
    1⤵
    PID:345
  • /usr/bin/crontab
    crontab -l
    1⤵
    • Reads runtime system information
    PID:348
  • /bin/sh
    sh -c "cat /etc/inittab2 > /etc/inittab"
    1⤵
    PID:349
      • /bin/cat
        cat /etc/inittab2
        2⤵
        PID:350
  • /bin/sh
    sh -c "rm -rf /etc/inittab2"
    1⤵
    PID:351
      • /bin/rm
        rm -rf /etc/inittab2
        2⤵
        PID:352
  • /bin/sh
    sh -c "touch -acmr /bin/ls /etc/inittab"
    1⤵
    PID:353
      • /usr/bin/touch
        touch -acmr /bin/ls /etc/inittab
        2⤵
        PID:354
  • /bin/sh
    sh -c "cp -f /tmp/97717ad2ff60ac257a5f66634fe06544 /dev/shm/97717ad2ff60ac257a5f66634fe06544"
    1⤵
    PID:357
      • /bin/cp
        cp -f /tmp/97717ad2ff60ac257a5f66634fe06544 /dev/shm/97717ad2ff60ac257a5f66634fe06544
        2⤵
        • Reads runtime system information
        • Writes file to tmp directory
        PID:360
  • /bin/sh
    sh -c "/bin/uname -n"
    1⤵
    PID:358
      • /bin/uname
        /bin/uname -n
        2⤵
        PID:359
  • /bin/sh
    sh -c "cat /etc/inittab | grep -v \"/dev/shm/97717ad2ff60ac257a5f66634fe06544\" > /etc/inittab2"
    1⤵
    PID:362
      • /bin/cat
        cat /etc/inittab
        2⤵
        PID:364
      • /bin/grep
        grep -v /dev/shm/97717ad2ff60ac257a5f66634fe06544
        2⤵
        PID:365
  • /bin/sh
    sh -c "crontab -l | grep /dev/shm/97717ad2ff60ac257a5f66634fe06544 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /dev/shm/97717ad2ff60ac257a5f66634fe06544 > /dev/null 2>&1 &\") | crontab -"
    1⤵
    PID:363
      • /usr/bin/crontab
        crontab -l
        2⤵
        • Reads runtime system information
        PID:366
      • /bin/grep
        grep /dev/shm/97717ad2ff60ac257a5f66634fe06544
        2⤵
        PID:367
      • /bin/grep
        grep -v "no cron"
        2⤵
        PID:368
      • /usr/bin/crontab
        crontab -
        2⤵
        • Reads runtime system information
        PID:371
  • /bin/sh
    sh -c "echo \"0:2345:respawn:/dev/shm/97717ad2ff60ac257a5f66634fe06544\" >> /etc/inittab2"
    1⤵
    PID:369
  • /usr/bin/crontab
    crontab -l
    1⤵
    • Reads runtime system information
    PID:372
  • /bin/sh
    sh -c "cat /etc/inittab2 > /etc/inittab"
    1⤵
    PID:373
      • /bin/cat
        cat /etc/inittab2
        2⤵
        PID:374
  • /bin/sh
    sh -c "rm -rf /etc/inittab2"
    1⤵
    PID:375
      • /bin/rm
        rm -rf /etc/inittab2
        2⤵
        PID:376
  • /bin/sh
    sh -c "touch -acmr /bin/ls /etc/inittab"
    1⤵
    PID:377
      • /usr/bin/touch
        touch -acmr /bin/ls /etc/inittab
        2⤵
        PID:378
  • /bin/sh
    sh -c "cp -f /tmp/97717ad2ff60ac257a5f66634fe06544 /var/tmp/97717ad2ff60ac257a5f66634fe06544"
    1⤵
    PID:379
      • /bin/cp
        cp -f /tmp/97717ad2ff60ac257a5f66634fe06544 /var/tmp/97717ad2ff60ac257a5f66634fe06544
        2⤵
        • Reads runtime system information
        • Writes file to tmp directory
        PID:380
  • /bin/sh
    sh -c "cat /etc/inittab | grep -v \"/var/tmp/97717ad2ff60ac257a5f66634fe06544\" > /etc/inittab2"
    1⤵
    PID:382
      • /bin/grep
        grep -v /var/tmp/97717ad2ff60ac257a5f66634fe06544
        2⤵
        PID:386
      • /bin/cat
        cat /etc/inittab
        2⤵
        PID:384
  • /bin/sh
    sh -c "crontab -l | grep /var/tmp/97717ad2ff60ac257a5f66634fe06544 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/tmp/97717ad2ff60ac257a5f66634fe06544 > /dev/null 2>&1 &\") | crontab -"
    1⤵
    PID:383
      • /bin/grep
        grep -v "no cron"
        2⤵
        PID:388
      • /usr/bin/crontab
        crontab -l
        2⤵
        • Reads runtime system information
        PID:385
      • /bin/grep
        grep /var/tmp/97717ad2ff60ac257a5f66634fe06544
        2⤵
        PID:387
      • /usr/bin/crontab
        crontab -
        2⤵
        • Reads runtime system information
        PID:391
  • /bin/sh
    sh -c "echo \"0:2345:respawn:/var/tmp/97717ad2ff60ac257a5f66634fe06544\" >> /etc/inittab2"
    1⤵
    PID:389
  • /usr/bin/crontab
    crontab -l
    1⤵
    • Reads runtime system information
    PID:392
  • /bin/sh
    sh -c "cat /etc/inittab2 > /etc/inittab"
    1⤵
    PID:393
      • /bin/cat
        cat /etc/inittab2
        2⤵
        PID:394
  • /bin/sh
    sh -c "rm -rf /etc/inittab2"
    1⤵
    PID:395
      • /bin/rm
        rm -rf /etc/inittab2
        2⤵
        PID:396
  • /bin/sh
    sh -c "touch -acmr /bin/ls /etc/inittab"
    1⤵
    PID:397
      • /usr/bin/touch
        touch -acmr /bin/ls /etc/inittab
        2⤵
        PID:398
  • /bin/sh
    sh -c "cp -f /tmp/97717ad2ff60ac257a5f66634fe06544 /var/lock/97717ad2ff60ac257a5f66634fe06544"
    1⤵
    PID:399
      • /bin/cp
        cp -f /tmp/97717ad2ff60ac257a5f66634fe06544 /var/lock/97717ad2ff60ac257a5f66634fe06544
        2⤵
        • Reads runtime system information
        • Writes file to tmp directory
        PID:400
  • /bin/sh
    sh -c "cat /etc/inittab | grep -v \"/var/lock/97717ad2ff60ac257a5f66634fe06544\" > /etc/inittab2"
    1⤵
    PID:402
      • /bin/grep
        grep -v /var/lock/97717ad2ff60ac257a5f66634fe06544
        2⤵
        PID:406
      • /bin/cat
        cat /etc/inittab
        2⤵
        PID:404
  • /bin/sh
    sh -c "crontab -l | grep /var/lock/97717ad2ff60ac257a5f66634fe06544 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/lock/97717ad2ff60ac257a5f66634fe06544 > /dev/null 2>&1 &\") | crontab -"
    1⤵
    PID:403
      • /bin/grep
        grep -v "no cron"
        2⤵
        PID:408
      • /bin/grep
        grep /var/lock/97717ad2ff60ac257a5f66634fe06544
        2⤵
        PID:407
      • /usr/bin/crontab
        crontab -l
        2⤵
        • Reads runtime system information
        PID:405
      • /usr/bin/crontab
        crontab -
        2⤵
        • Reads runtime system information
        PID:411
  • /bin/sh
    sh -c "echo \"0:2345:respawn:/var/lock/97717ad2ff60ac257a5f66634fe06544\" >> /etc/inittab2"
    1⤵
    PID:409
  • /usr/bin/crontab
    crontab -l
    1⤵
    • Reads runtime system information
    PID:412
  • /bin/sh
    sh -c "cat /etc/inittab2 > /etc/inittab"
    1⤵
    PID:413
      • /bin/cat
        cat /etc/inittab2
        2⤵
        PID:414
  • /bin/sh
    sh -c "rm -rf /etc/inittab2"
    1⤵
    PID:415
      • /bin/rm
        rm -rf /etc/inittab2
        2⤵
        PID:416
  • /bin/sh
    sh -c "touch -acmr /bin/ls /etc/inittab"
    1⤵
    PID:417
      • /usr/bin/touch
        touch -acmr /bin/ls /etc/inittab
        2⤵
        PID:418
  • /bin/sh
    sh -c "cp -f /tmp/97717ad2ff60ac257a5f66634fe06544 /var/run/97717ad2ff60ac257a5f66634fe06544"
    1⤵
    PID:419
      • /bin/cp
        cp -f /tmp/97717ad2ff60ac257a5f66634fe06544 /var/run/97717ad2ff60ac257a5f66634fe06544
        2⤵
        • Reads runtime system information
        • Writes file to tmp directory
        PID:420
  • /bin/sh
    sh -c "cat /etc/inittab | grep -v \"/var/run/97717ad2ff60ac257a5f66634fe06544\" > /etc/inittab2"
    1⤵
    PID:422
      • /bin/cat
        cat /etc/inittab
        2⤵
        PID:424
      • /bin/grep
        grep -v /var/run/97717ad2ff60ac257a5f66634fe06544
        2⤵
        PID:425
  • /bin/sh
    sh -c "crontab -l | grep /var/run/97717ad2ff60ac257a5f66634fe06544 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/run/97717ad2ff60ac257a5f66634fe06544 > /dev/null 2>&1 &\") | crontab -"
    1⤵
    PID:423
      • /usr/bin/crontab
        crontab -l
        2⤵
                                                                                                                                            • Reads runtime system information
                                                                                                                                            PID:426
                                                                                                                                          • /bin/grep
                                                                                                                                            grep /var/run/97717ad2ff60ac257a5f66634fe06544
                                                                                                                                            2⤵
                                                                                                                                              PID:427
                                                                                                                                            • /bin/grep
                                                                                                                                              grep -v "no cron"
                                                                                                                                              2⤵
                                                                                                                                                PID:428
                                                                                                                                              • /usr/bin/crontab
                                                                                                                                                crontab -
                                                                                                                                                2⤵
                                                                                                                                                • Reads runtime system information
                                                                                                                                                PID:432
                                                                                                                                            • /bin/sh
                                                                                                                                              sh -c "echo \"0:2345:respawn:/var/run/97717ad2ff60ac257a5f66634fe06544\" >> /etc/inittab2"
                                                                                                                                              1⤵
                                                                                                                                                PID:429
                                                                                                                                              • /bin/sh
                                                                                                                                                sh -c "cat /etc/inittab2 > /etc/inittab"
                                                                                                                                                1⤵
                                                                                                                                                  PID:430
                                                                                                                                                  • /bin/cat
                                                                                                                                                    cat /etc/inittab2
                                                                                                                                                    2⤵
                                                                                                                                                      PID:434
                                                                                                                                                  • /usr/bin/crontab
                                                                                                                                                    crontab -l
                                                                                                                                                    1⤵
                                                                                                                                                    • Reads runtime system information
                                                                                                                                                    PID:433
                                                                                                                                                  • /bin/sh
                                                                                                                                                    sh -c "rm -rf /etc/inittab2"
                                                                                                                                                    1⤵
                                                                                                                                                      PID:435
                                                                                                                                                      • /bin/rm
                                                                                                                                                        rm -rf /etc/inittab2
                                                                                                                                                        2⤵
                                                                                                                                                          PID:436
                                                                                                                                                      • /bin/sh
                                                                                                                                                        sh -c "touch -acmr /bin/ls /etc/inittab"
                                                                                                                                                        1⤵
                                                                                                                                                          PID:437
                                                                                                                                                          • /usr/bin/touch
                                                                                                                                                            touch -acmr /bin/ls /etc/inittab
                                                                                                                                                            2⤵
                                                                                                                                                              PID:438