Analysis
-
max time kernel
8255s -
max time network
190s -
platform
linux_armhf -
resource
debian9-armhf-en-20211208 -
submitted
14-03-2022 05:56
Static task
static1
Behavioral task
behavioral1
Sample
0abc01de8962867957bca89f6bd4c10e
Resource
debian9-armhf-en-20211208
General
-
Target
0abc01de8962867957bca89f6bd4c10e
-
Size
1.6MB
-
MD5
0abc01de8962867957bca89f6bd4c10e
-
SHA1
a7b49698f0562b887d1c5b96272b50e9e13cba80
-
SHA256
46389c117c5f41b60e10f965b3674b3b77189b504b0aeb5c2da67adf55a7129f
-
SHA512
508fec5f009bfe080ce31b510c21cbe22caa83a4b82c44786f08c53ac04e290d10c0efe4f71ac88b33946e6c7fec2665fbc221adf08af5e428f8c1df17777318
Malware Config
Signatures
-
suricata: ET MALWARE ELF/Muhstik Botnet CnC Activity
suricata: ET MALWARE ELF/Muhstik Botnet CnC Activity
-
Writes file to system bin folder 1 TTPs 3 IoCs
Processes:
description | ioc
/bin/crontab | /bin/crontab
/bin/nvram | /bin/nvram
/bin/uname | /bin/uname
-
Writes DNS configuration 1 TTPs 1 IoCs
Writes data to DNS resolver config file.
-
Modifies rc script 1 TTPs 1 IoCs
Adding or modifying system rc scripts (here /etc/rc.local, per the IoC below) is a common persistence mechanism. The process tree shows this is only one of several persistence paths: the sample also appends a `0:2345:respawn:<dropped copy>` entry to /etc/inittab and a `* * * * *` crontab entry for each copy it drops, then runs `touch -acmr /bin/ls /etc/inittab` so the modified inittab inherits /bin/ls's timestamps — mtime-based triage of /etc will not surface the change.
Processes:
description | ioc | process
/etc/rc.local | /etc/rc.local | 0abc01de8962867957bca89f6bd4c10e
-
Write file to user bin folder 1 TTPs 2 IoCs
Processes:
description | ioc
/usr/bin/crontab | /usr/bin/crontab
/usr/sbin/nvram | /usr/sbin/nvram
-
Reads runtime system information 20 IoCs
Reads data from /proc virtual filesystem.
Processes:
description | ioc | process
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | cp
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | cp
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | cp
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | cp
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
-
Writes file to tmp directory 5 IoCs
Malware often drops required files in the /tmp directory. In this run the sample's copies are not confined to /tmp: the process tree shows `cp -f` of the /tmp copy into /dev/shm, /var/tmp, /var/lock and /var/run, each followed by its own crontab and /etc/inittab entry, so remediation has to remove every copy and every launcher, not just the /tmp dropper.
Processes:
description | ioc | process
/tmp/0abc01de8962867957bca89f6bd4c10e | /tmp/0abc01de8962867957bca89f6bd4c10e | cp
/tmp/.bawtz | /tmp/.bawtz | 0abc01de8962867957bca89f6bd4c10e
/tmp/0abc01de8962867957bca89f6bd4c10e | /tmp/0abc01de8962867957bca89f6bd4c10e | cp
/tmp/0abc01de8962867957bca89f6bd4c10e | /tmp/0abc01de8962867957bca89f6bd4c10e | cp
/tmp/0abc01de8962867957bca89f6bd4c10e | /tmp/0abc01de8962867957bca89f6bd4c10e | cp
Processes
-
./0abc01de8962867957bca89f6bd4c10e./0abc01de8962867957bca89f6bd4c10e1⤵
- Modifies rc script
- Writes file to tmp directory
PID:358 -
/bin/shsh -c "pidof -x strace > /dev/null"2⤵PID:359
-
/bin/pidofpidof -x strace3⤵PID:360
-
/bin/shsh -c "pidof -x tcpdump > /dev/null"2⤵PID:361
-
/bin/pidofpidof -x tcpdump3⤵PID:366
-
/bin/shsh -c "cat /etc/inittab | grep -v \"/tmp/0abc01de8962867957bca89f6bd4c10e\" > /etc/inittab2"2⤵PID:371
-
/bin/catcat /etc/inittab3⤵PID:374
-
/bin/grepgrep -v /tmp/0abc01de8962867957bca89f6bd4c10e3⤵PID:376
-
/bin/shsh -c "echo \"0:2345:respawn:/tmp/0abc01de8962867957bca89f6bd4c10e\" >> /etc/inittab2"2⤵PID:378
-
/bin/shsh -c "cat /etc/inittab2 > /etc/inittab"2⤵PID:382
-
/bin/catcat /etc/inittab23⤵PID:383
-
/bin/shsh -c "rm -rf /etc/inittab2"2⤵PID:384
-
/bin/rmrm -rf /etc/inittab23⤵PID:385
-
/bin/shsh -c "touch -acmr /bin/ls /etc/inittab"2⤵PID:386
-
/usr/bin/touchtouch -acmr /bin/ls /etc/inittab3⤵PID:387
-
/bin/shsh -c "crontab -r"1⤵PID:369
-
/usr/bin/crontabcrontab -r2⤵
- Reads runtime system information
PID:372
-
/bin/shsh -c "crontab -l | grep /tmp/0abc01de8962867957bca89f6bd4c10e | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /tmp/0abc01de8962867957bca89f6bd4c10e > /dev/null 2>&1 &\") | crontab -"1⤵PID:370
-
/usr/bin/crontabcrontab -l2⤵
- Reads runtime system information
PID:373 -
/bin/grepgrep /tmp/0abc01de8962867957bca89f6bd4c10e2⤵PID:375
-
/bin/grepgrep -v "no cron"2⤵PID:377
-
/usr/bin/crontabcrontab -2⤵
- Reads runtime system information
PID:380
-
/usr/bin/crontabcrontab -l1⤵
- Reads runtime system information
PID:381
-
/bin/shsh -c "cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /dev/shm/0abc01de8962867957bca89f6bd4c10e"1⤵PID:390
-
/bin/cpcp -f /tmp/0abc01de8962867957bca89f6bd4c10e /dev/shm/0abc01de8962867957bca89f6bd4c10e2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:392
-
/bin/shsh -c "/bin/uname -n"1⤵PID:391
-
/bin/uname/bin/uname -n2⤵PID:393
-
/bin/shsh -c "crontab -l | grep /dev/shm/0abc01de8962867957bca89f6bd4c10e | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /dev/shm/0abc01de8962867957bca89f6bd4c10e > /dev/null 2>&1 &\") | crontab -"1⤵PID:396
-
/usr/bin/crontabcrontab -l2⤵
- Reads runtime system information
PID:398 -
/bin/grepgrep /dev/shm/0abc01de8962867957bca89f6bd4c10e2⤵PID:400
-
/bin/grepgrep -v "no cron"2⤵PID:401
-
/usr/bin/crontabcrontab -2⤵
- Reads runtime system information
PID:405
-
/bin/shsh -c "cat /etc/inittab | grep -v \"/dev/shm/0abc01de8962867957bca89f6bd4c10e\" > /etc/inittab2"1⤵PID:395
-
/bin/catcat /etc/inittab2⤵PID:397
-
/bin/grepgrep -v /dev/shm/0abc01de8962867957bca89f6bd4c10e2⤵PID:399
-
/bin/shsh -c "echo \"0:2345:respawn:/dev/shm/0abc01de8962867957bca89f6bd4c10e\" >> /etc/inittab2"1⤵PID:402
-
/usr/bin/crontabcrontab -l1⤵
- Reads runtime system information
PID:404
-
/bin/shsh -c "cat /etc/inittab2 > /etc/inittab"1⤵PID:406
-
/bin/catcat /etc/inittab22⤵PID:408
-
/bin/shsh -c "rm -rf /etc/inittab2"1⤵PID:410
-
/bin/rmrm -rf /etc/inittab22⤵PID:411
-
/bin/shsh -c "touch -acmr /bin/ls /etc/inittab"1⤵PID:412
-
/usr/bin/touchtouch -acmr /bin/ls /etc/inittab2⤵PID:413
-
/bin/shsh -c "cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /var/tmp/0abc01de8962867957bca89f6bd4c10e"1⤵PID:414
-
/bin/cpcp -f /tmp/0abc01de8962867957bca89f6bd4c10e /var/tmp/0abc01de8962867957bca89f6bd4c10e2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:415
-
/bin/shsh -c "cat /etc/inittab | grep -v \"/var/tmp/0abc01de8962867957bca89f6bd4c10e\" > /etc/inittab2"1⤵PID:417
-
/bin/catcat /etc/inittab2⤵PID:419
-
/bin/grepgrep -v /var/tmp/0abc01de8962867957bca89f6bd4c10e2⤵PID:420
-
/bin/shsh -c "crontab -l | grep /var/tmp/0abc01de8962867957bca89f6bd4c10e | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/tmp/0abc01de8962867957bca89f6bd4c10e > /dev/null 2>&1 &\") | crontab -"1⤵PID:418
-
/usr/bin/crontabcrontab -l2⤵
- Reads runtime system information
PID:421 -
/bin/grepgrep /var/tmp/0abc01de8962867957bca89f6bd4c10e2⤵PID:422
-
/bin/grepgrep -v "no cron"2⤵PID:423
-
/usr/bin/crontabcrontab -2⤵
- Reads runtime system information
PID:427
-
/bin/shsh -c "echo \"0:2345:respawn:/var/tmp/0abc01de8962867957bca89f6bd4c10e\" >> /etc/inittab2"1⤵PID:424
-
/bin/shsh -c "cat /etc/inittab2 > /etc/inittab"1⤵PID:425
-
/bin/catcat /etc/inittab22⤵PID:429
-
/usr/bin/crontabcrontab -l1⤵
- Reads runtime system information
PID:428
-
/bin/shsh -c "rm -rf /etc/inittab2"1⤵PID:430
-
/bin/rmrm -rf /etc/inittab22⤵PID:431
-
/bin/shsh -c "touch -acmr /bin/ls /etc/inittab"1⤵PID:432
-
/usr/bin/touchtouch -acmr /bin/ls /etc/inittab2⤵PID:433
-
/bin/shsh -c "cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /var/lock/0abc01de8962867957bca89f6bd4c10e"1⤵PID:434
-
/bin/cpcp -f /tmp/0abc01de8962867957bca89f6bd4c10e /var/lock/0abc01de8962867957bca89f6bd4c10e2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:435
-
/bin/shsh -c "crontab -l | grep /var/lock/0abc01de8962867957bca89f6bd4c10e | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/lock/0abc01de8962867957bca89f6bd4c10e > /dev/null 2>&1 &\") | crontab -"1⤵PID:438
-
/usr/bin/crontabcrontab -l2⤵
- Reads runtime system information
PID:440 -
/bin/grepgrep /var/lock/0abc01de8962867957bca89f6bd4c10e2⤵PID:442
-
/bin/grepgrep -v "no cron"2⤵PID:443
-
/usr/bin/crontabcrontab -2⤵
- Reads runtime system information
PID:446
-
/bin/shsh -c "cat /etc/inittab | grep -v \"/var/lock/0abc01de8962867957bca89f6bd4c10e\" > /etc/inittab2"1⤵PID:437
-
/bin/catcat /etc/inittab2⤵PID:439
-
/bin/grepgrep -v /var/lock/0abc01de8962867957bca89f6bd4c10e2⤵PID:441
-
/bin/shsh -c "echo \"0:2345:respawn:/var/lock/0abc01de8962867957bca89f6bd4c10e\" >> /etc/inittab2"1⤵PID:444
-
/usr/bin/crontabcrontab -l1⤵
- Reads runtime system information
PID:447
-
/bin/shsh -c "cat /etc/inittab2 > /etc/inittab"1⤵PID:448
-
/bin/catcat /etc/inittab22⤵PID:449
-
/bin/shsh -c "rm -rf /etc/inittab2"1⤵PID:450
-
/bin/rmrm -rf /etc/inittab22⤵PID:451
-
/bin/shsh -c "touch -acmr /bin/ls /etc/inittab"1⤵PID:452
-
/usr/bin/touchtouch -acmr /bin/ls /etc/inittab2⤵PID:453
-
/bin/shsh -c "cp -f /tmp/0abc01de8962867957bca89f6bd4c10e /var/run/0abc01de8962867957bca89f6bd4c10e"1⤵PID:454
-
/bin/cpcp -f /tmp/0abc01de8962867957bca89f6bd4c10e /var/run/0abc01de8962867957bca89f6bd4c10e2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:455
-
/bin/shsh -c "crontab -l | grep /var/run/0abc01de8962867957bca89f6bd4c10e | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/run/0abc01de8962867957bca89f6bd4c10e > /dev/null 2>&1 &\") | crontab -"1⤵PID:457
-
/usr/bin/crontabcrontab -l2⤵
- Reads runtime system information
PID:460 -
/bin/grepgrep /var/run/0abc01de8962867957bca89f6bd4c10e2⤵PID:462
-
/bin/grepgrep -v "no cron"2⤵PID:463
-
/usr/bin/crontabcrontab -2⤵
- Reads runtime system information
PID:466
-
/bin/shsh -c "cat /etc/inittab | grep -v \"/var/run/0abc01de8962867957bca89f6bd4c10e\" > /etc/inittab2"1⤵PID:458
-
/bin/catcat /etc/inittab2⤵PID:459
-
/bin/grepgrep -v /var/run/0abc01de8962867957bca89f6bd4c10e2⤵PID:461
-
/bin/shsh -c "echo \"0:2345:respawn:/var/run/0abc01de8962867957bca89f6bd4c10e\" >> /etc/inittab2"1⤵PID:465
-
/usr/bin/crontabcrontab -l1⤵
- Reads runtime system information
PID:467
-
/bin/shsh -c "cat /etc/inittab2 > /etc/inittab"1⤵PID:468
-
/bin/catcat /etc/inittab22⤵PID:469
-
/bin/shsh -c "rm -rf /etc/inittab2"1⤵PID:470
-
/bin/rmrm -rf /etc/inittab22⤵PID:471
-
/bin/shsh -c "touch -acmr /bin/ls /etc/inittab"1⤵PID:472
-
/usr/bin/touchtouch -acmr /bin/ls /etc/inittab2⤵PID:473