Analysis

  • max time kernel
    0s
  • max time network
    120s
  • platform
    linux_mips
  • resource
    debian9-mipsbe-en-20211208
  • submitted
    14-03-2022 05:55

General

  • Target

    4aa80ec9c4af1849fb3f0c82cf82c99b

  • Size

    156KB

  • MD5

    4aa80ec9c4af1849fb3f0c82cf82c99b

  • SHA1

    0a2ad5795cbafb1f2962c27ce0fe657704d146ee

  • SHA256

    4817893f8e724cbc5186e17f46d316223b7683dcbc9643e364b5913f8d2a9197

  • SHA512

    6d51053d173efcbfed3b89294e1f8c17c90795054ce4f7c5fcb18c12bbcbed8cb31f27b5ef354aeb9909d3beb03a1797b94c6f9ac32dfd5b1697f52ceccd5356

Score
10/10

Malware Config

Signatures

  • suricata: ET MALWARE ELF/Muhstik Botnet CnC Activity

  • Writes file to system bin folder 1 TTPs 3 IoCs
  • Modifies rc script 1 TTPs 1 IoCs

    Adding/modifying system rc scripts is a common persistence mechanism.

  • Write file to user bin folder 1 TTPs 2 IoCs
  • Reads runtime system information 20 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 5 IoCs

    Malware often drops required files in the /tmp directory.
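
The checks below are an added example, not part of the sandbox report or the sample's own code. They look for the three on-disk traces the process tree in this report leaves behind: an inittab `respawn` entry whose program lives in one of the staging directories the sample copies itself into (/tmp, /dev/shm, /var/tmp, /var/lock, /var/run), an every-minute crontab line pointing at the same directories, and the timestomp performed by `touch -acmr /bin/ls /etc/inittab`, which leaves /etc/inittab with an mtime identical to /bin/ls. The inittab and crontab contents and the /bin/ls stand-in are constructed here (they are not captured from the sandbox) so the script runs stand-alone; on a live host you would run the same functions against /etc/inittab, the saved output of `crontab -l` for root and every other user, and the real /bin/ls.

```shell
#!/bin/sh
# Added example (not from the sandbox report or the sample): host checks for
# the persistence artefacts left by the process tree in this report.
#   1. /etc/inittab "respawn" entries whose program lives in a staging dir
#   2. every-minute crontab lines pointing at the same staging dirs
#   3. the timestomp from `touch -acmr /bin/ls /etc/inittab`, which leaves
#      /etc/inittab with an mtime identical to /bin/ls
# Everything under "Constructed sample data" is made up for a stand-alone run.

# Staging directories the sample copies itself into (all taken from the report).
SUSPECT_DIRS='/tmp /dev/shm /var/tmp /var/lock /var/run'

# Turn the list into an ERE alternation: /tmp|/dev/shm|/var/tmp|/var/lock|/var/run
suspect_re() {
    echo "$SUSPECT_DIRS" | sed 's/ /|/g'
}

# Print inittab lines with action "respawn" whose process path starts with a
# staging dir. Exit status is grep's: 0 when at least one line matched.
# Usage: inittab_respawn_hits /etc/inittab
inittab_respawn_hits() {
    grep -E "^[^:#]*:[^:]*:respawn:($(suspect_re))/" "$1"
}

# Print crontab lines that run every minute ("* * * * *") from a staging dir.
# Usage: crontab -l > /root/root.cron && cron_minute_hits /root/root.cron
cron_minute_hits() {
    grep -E "^[*] [*] [*] [*] [*] +($(suspect_re))/" "$1"
}

# Exit 0 when FILE and REF have exactly the same mtime. `touch -r` copies the
# reference's timestamp verbatim, so /etc/inittab matching /bin/ls exactly is
# the tell. -nt/-ot are test(1) extensions supported by dash, bash, ksh and
# busybox sh (they are not in POSIX).
# Usage: same_mtime /etc/inittab /bin/ls
same_mtime() {
    [ ! "$1" -nt "$2" ] && [ ! "$1" -ot "$2" ]
}

# --- Constructed sample data (not captured from the sandbox) -----------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
INITTAB="$WORK/inittab"   # stands in for /etc/inittab
CRONTAB="$WORK/crontab"   # stands in for the output of `crontab -l`
REF="$WORK/ls"            # stands in for /bin/ls

cat > "$INITTAB" <<'EOF'
# /etc/inittab: init(8) configuration.
id:2:initdefault:
1:2345:respawn:/sbin/getty 38400 tty1
0:2345:respawn:/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b
0:2345:respawn:/dev/shm/4aa80ec9c4af1849fb3f0c82cf82c99b
EOF

cat > "$CRONTAB" <<'EOF'
0 3 * * * /usr/bin/apt-get update
* * * * * /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b > /dev/null 2>&1 &
* * * * * /var/run/4aa80ec9c4af1849fb3f0c82cf82c99b > /dev/null 2>&1 &
EOF

# Reproduce the timestomp: give the /bin/ls stand-in an old timestamp, then
# copy it onto the inittab stand-in with the exact flags the sample uses.
touch -t 201812050000 "$REF"
touch -acmr "$REF" "$INITTAB"

# --- Run the checks ----------------------------------------------------------
INITTAB_HITS=$(inittab_respawn_hits "$INITTAB" | wc -l | tr -d ' ')
CRON_HITS=$(cron_minute_hits "$CRONTAB" | wc -l | tr -d ' ')
if same_mtime "$INITTAB" "$REF"; then TIMESTOMPED=yes; else TIMESTOMPED=no; fi

echo "inittab respawn entries in staging dirs:   $INITTAB_HITS"
echo "every-minute cron entries in staging dirs: $CRON_HITS"
echo "inittab mtime identical to /bin/ls stand-in (timestomp): $TIMESTOMPED"
```

Two caveats when using this on a real host. An exact mtime match between /etc/inittab and /bin/ls is corroborating evidence, not proof on its own: both files can share a timestamp on a freshly built image. And the inittab `respawn` line only does anything on an init that reads /etc/inittab (sysvinit, BusyBox init); systemd ignores the file, so on such hosts the every-minute cron entry is the persistence that actually fires and the one to hunt first.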

Processes

  • ./4aa80ec9c4af1849fb3f0c82cf82c99b
    ./4aa80ec9c4af1849fb3f0c82cf82c99b
    1⤵
    • Modifies rc script
    • Writes file to tmp directory
    PID:332
  • /bin/sh
    sh -c "pidof -x strace > /dev/null"
    1⤵
    PID:333
    • /bin/pidof
      pidof -x strace
      2⤵
      PID:334
  • /bin/sh
    sh -c "pidof -x tcpdump > /dev/null"
    1⤵
    PID:335
    • /bin/pidof
      pidof -x tcpdump
      2⤵
      PID:336
  • /bin/sh
    sh -c "cat /etc/inittab | grep -v \"/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b\" > /etc/inittab2"
    1⤵
    PID:343
    • /bin/cat
      cat /etc/inittab
      2⤵
      PID:346
    • /bin/grep
      grep -v /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b
      2⤵
      PID:347
  • /bin/sh
    sh -c "crontab -r"
    1⤵
    PID:344
    • /usr/bin/crontab
      crontab -r
      2⤵
      • Reads runtime system information
      PID:349
  • /bin/sh
    sh -c "crontab -l | grep /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b > /dev/null 2>&1 &\") | crontab -"
    1⤵
    PID:345
    • /bin/grep
      grep /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b
      2⤵
      PID:350
    • /usr/bin/crontab
      crontab -l
      2⤵
      • Reads runtime system information
      PID:348
    • /bin/grep
      grep -v "no cron"
      2⤵
      PID:351
    • /usr/bin/crontab
      crontab -
      2⤵
      • Reads runtime system information
      PID:354
  • /bin/sh
    sh -c "echo \"0:2345:respawn:/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b\" >> /etc/inittab2"
    1⤵
    PID:352
  • /usr/bin/crontab
    crontab -l
    1⤵
    • Reads runtime system information
    PID:355
  • /bin/sh
    sh -c "cat /etc/inittab2 > /etc/inittab"
    1⤵
    PID:356
    • /bin/cat
      cat /etc/inittab2
      2⤵
      PID:357
  • /bin/sh
    sh -c "rm -rf /etc/inittab2"
    1⤵
    PID:358
    • /bin/rm
      rm -rf /etc/inittab2
      2⤵
      PID:359
  • /bin/sh
    sh -c "touch -acmr /bin/ls /etc/inittab"
    1⤵
    PID:360
    • /usr/bin/touch
      touch -acmr /bin/ls /etc/inittab
      2⤵
      PID:361
  • /bin/sh
    sh -c "cp -f /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /dev/shm/4aa80ec9c4af1849fb3f0c82cf82c99b"
    1⤵
    PID:364
    • /bin/cp
      cp -f /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /dev/shm/4aa80ec9c4af1849fb3f0c82cf82c99b
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:367
  • /bin/sh
    sh -c "/bin/uname -n"
    1⤵
    PID:365
    • /bin/uname
      /bin/uname -n
      2⤵
      PID:366
  • /bin/sh
    sh -c "cat /etc/inittab | grep -v \"/dev/shm/4aa80ec9c4af1849fb3f0c82cf82c99b\" > /etc/inittab2"
    1⤵
    PID:369
    • /bin/cat
      cat /etc/inittab
      2⤵
      PID:371
    • /bin/grep
      grep -v /dev/shm/4aa80ec9c4af1849fb3f0c82cf82c99b
      2⤵
      PID:372
  • /bin/sh
    sh -c "crontab -l | grep /dev/shm/4aa80ec9c4af1849fb3f0c82cf82c99b | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /dev/shm/4aa80ec9c4af1849fb3f0c82cf82c99b > /dev/null 2>&1 &\") | crontab -"
    1⤵
    PID:370
    • /usr/bin/crontab
      crontab -l
      2⤵
      • Reads runtime system information
      PID:373
    • /bin/grep
      grep /dev/shm/4aa80ec9c4af1849fb3f0c82cf82c99b
      2⤵
      PID:374
    • /bin/grep
      grep -v "no cron"
      2⤵
      PID:375
    • /usr/bin/crontab
      crontab -
      2⤵
      • Reads runtime system information
      PID:378
  • /bin/sh
    sh -c "echo \"0:2345:respawn:/dev/shm/4aa80ec9c4af1849fb3f0c82cf82c99b\" >> /etc/inittab2"
    1⤵
    PID:376
  • /usr/bin/crontab
    crontab -l
    1⤵
    • Reads runtime system information
    PID:379
  • /bin/sh
    sh -c "cat /etc/inittab2 > /etc/inittab"
    1⤵
    PID:380
    • /bin/cat
      cat /etc/inittab2
      2⤵
      PID:381
  • /bin/sh
    sh -c "rm -rf /etc/inittab2"
    1⤵
    PID:382
    • /bin/rm
      rm -rf /etc/inittab2
      2⤵
      PID:383
  • /bin/sh
    sh -c "touch -acmr /bin/ls /etc/inittab"
    1⤵
    PID:384
    • /usr/bin/touch
      touch -acmr /bin/ls /etc/inittab
      2⤵
      PID:385
  • /bin/sh
    sh -c "cp -f /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /var/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b"
    1⤵
    PID:386
    • /bin/cp
      cp -f /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /var/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:387
  • /bin/sh
    sh -c "cat /etc/inittab | grep -v \"/var/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b\" > /etc/inittab2"
    1⤵
    PID:389
    • /bin/cat
      cat /etc/inittab
      2⤵
      PID:391
    • /bin/grep
      grep -v /var/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b
      2⤵
      PID:392
  • /bin/sh
    sh -c "crontab -l | grep /var/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b > /dev/null 2>&1 &\") | crontab -"
    1⤵
    PID:390
    • /bin/grep
      grep /var/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b
      2⤵
      PID:394
    • /bin/grep
      grep -v "no cron"
      2⤵
      PID:395
    • /usr/bin/crontab
      crontab -l
      2⤵
      • Reads runtime system information
      PID:393
    • /usr/bin/crontab
      crontab -
      2⤵
      • Reads runtime system information
      PID:398
  • /bin/sh
    sh -c "echo \"0:2345:respawn:/var/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b\" >> /etc/inittab2"
    1⤵
    PID:396
  • /usr/bin/crontab
    crontab -l
    1⤵
    • Reads runtime system information
    PID:399
  • /bin/sh
    sh -c "cat /etc/inittab2 > /etc/inittab"
    1⤵
    PID:400
    • /bin/cat
      cat /etc/inittab2
      2⤵
      PID:401
  • /bin/sh
    sh -c "rm -rf /etc/inittab2"
    1⤵
    PID:402
    • /bin/rm
      rm -rf /etc/inittab2
      2⤵
      PID:403
  • /bin/sh
    sh -c "touch -acmr /bin/ls /etc/inittab"
    1⤵
    PID:404
    • /usr/bin/touch
      touch -acmr /bin/ls /etc/inittab
      2⤵
      PID:405
  • /bin/sh
    sh -c "cp -f /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /var/lock/4aa80ec9c4af1849fb3f0c82cf82c99b"
    1⤵
    PID:406
    • /bin/cp
      cp -f /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /var/lock/4aa80ec9c4af1849fb3f0c82cf82c99b
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:407
  • /bin/sh
    sh -c "cat /etc/inittab | grep -v \"/var/lock/4aa80ec9c4af1849fb3f0c82cf82c99b\" > /etc/inittab2"
    1⤵
    PID:409
    • /bin/grep
      grep -v /var/lock/4aa80ec9c4af1849fb3f0c82cf82c99b
      2⤵
      PID:412
    • /bin/cat
      cat /etc/inittab
      2⤵
      PID:411
  • /bin/sh
    sh -c "crontab -l | grep /var/lock/4aa80ec9c4af1849fb3f0c82cf82c99b | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/lock/4aa80ec9c4af1849fb3f0c82cf82c99b > /dev/null 2>&1 &\") | crontab -"
    1⤵
    PID:410
    • /bin/grep
      grep /var/lock/4aa80ec9c4af1849fb3f0c82cf82c99b
      2⤵
      PID:414
    • /bin/grep
      grep -v "no cron"
      2⤵
      PID:415
    • /usr/bin/crontab
      crontab -l
      2⤵
      • Reads runtime system information
      PID:413
    • /usr/bin/crontab
      crontab -
      2⤵
      • Reads runtime system information
      PID:418
  • /bin/sh
    sh -c "echo \"0:2345:respawn:/var/lock/4aa80ec9c4af1849fb3f0c82cf82c99b\" >> /etc/inittab2"
    1⤵
    PID:416
  • /usr/bin/crontab
    crontab -l
    1⤵
    • Reads runtime system information
    PID:419
  • /bin/sh
    sh -c "cat /etc/inittab2 > /etc/inittab"
    1⤵
    PID:420
    • /bin/cat
      cat /etc/inittab2
      2⤵
      PID:421
  • /bin/sh
    sh -c "rm -rf /etc/inittab2"
    1⤵
    PID:422
    • /bin/rm
      rm -rf /etc/inittab2
      2⤵
      PID:423
  • /bin/sh
    sh -c "touch -acmr /bin/ls /etc/inittab"
    1⤵
    PID:424
    • /usr/bin/touch
      touch -acmr /bin/ls /etc/inittab
      2⤵
      PID:425
  • /bin/sh
    sh -c "cp -f /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /var/run/4aa80ec9c4af1849fb3f0c82cf82c99b"
    1⤵
    PID:426
    • /bin/cp
      cp -f /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /var/run/4aa80ec9c4af1849fb3f0c82cf82c99b
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:427
  • /bin/sh
    sh -c "cat /etc/inittab | grep -v \"/var/run/4aa80ec9c4af1849fb3f0c82cf82c99b\" > /etc/inittab2"
    1⤵
    PID:429
    • /bin/cat
      cat /etc/inittab
      2⤵
      PID:431
    • /bin/grep
      grep -v /var/run/4aa80ec9c4af1849fb3f0c82cf82c99b
      2⤵
      PID:433
  • /bin/sh
    sh -c "crontab -l | grep /var/run/4aa80ec9c4af1849fb3f0c82cf82c99b | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/run/4aa80ec9c4af1849fb3f0c82cf82c99b > /dev/null 2>&1 &\") | crontab -"
    1⤵
    PID:430
    • /bin/grep
      grep -v "no cron"
      2⤵
                                                                                                                                              PID:435
                                                                                                                                            • /bin/grep
                                                                                                                                              grep /var/run/4aa80ec9c4af1849fb3f0c82cf82c99b
                                                                                                                                              2⤵
                                                                                                                                                PID:434
                                                                                                                                              • /usr/bin/crontab
                                                                                                                                                crontab -l
                                                                                                                                                2⤵
                                                                                                                                                • Reads runtime system information
                                                                                                                                                PID:432
                                                                                                                                              • /usr/bin/crontab
                                                                                                                                                crontab -
                                                                                                                                                2⤵
                                                                                                                                                • Reads runtime system information
                                                                                                                                                PID:438
                                                                                                                                            • /bin/sh
                                                                                                                                              sh -c "echo \"0:2345:respawn:/var/run/4aa80ec9c4af1849fb3f0c82cf82c99b\" >> /etc/inittab2"
                                                                                                                                              1⤵
                                                                                                                                                PID:436
                                                                                                                                              • /usr/bin/crontab
                                                                                                                                                crontab -l
                                                                                                                                                1⤵
                                                                                                                                                • Reads runtime system information
                                                                                                                                                PID:439
                                                                                                                                              • /bin/sh
                                                                                                                                                sh -c "cat /etc/inittab2 > /etc/inittab"
                                                                                                                                                1⤵
                                                                                                                                                  PID:440
                                                                                                                                                  • /bin/cat
                                                                                                                                                    cat /etc/inittab2
                                                                                                                                                    2⤵
                                                                                                                                                      PID:441
                                                                                                                                                  • /bin/sh
                                                                                                                                                    sh -c "rm -rf /etc/inittab2"
                                                                                                                                                    1⤵
                                                                                                                                                      PID:442
                                                                                                                                                      • /bin/rm
                                                                                                                                                        rm -rf /etc/inittab2
                                                                                                                                                        2⤵
                                                                                                                                                          PID:443
                                                                                                                                                      • /bin/sh
                                                                                                                                                        sh -c "touch -acmr /bin/ls /etc/inittab"
                                                                                                                                                        1⤵
                                                                                                                                                          PID:444
                                                                                                                                                          • /usr/bin/touch
                                                                                                                                                            touch -acmr /bin/ls /etc/inittab
                                                                                                                                                            2⤵
                                                                                                                                                              PID:445