Analysis
max time kernel
0s -
max time network
120s -
platform
linux_mips -
resource
debian9-mipsbe-en-20211208 -
submitted
14-03-2022 05:55
Static task
static1
Behavioral task
behavioral1
Sample
4aa80ec9c4af1849fb3f0c82cf82c99b
Resource
debian9-mipsbe-en-20211208
General
Target
4aa80ec9c4af1849fb3f0c82cf82c99b
Size
156KB
MD5
4aa80ec9c4af1849fb3f0c82cf82c99b
SHA1
0a2ad5795cbafb1f2962c27ce0fe657704d146ee
SHA256
4817893f8e724cbc5186e17f46d316223b7683dcbc9643e364b5913f8d2a9197
SHA512
6d51053d173efcbfed3b89294e1f8c17c90795054ce4f7c5fcb18c12bbcbed8cb31f27b5ef354aeb9909d3beb03a1797b94c6f9ac32dfd5b1697f52ceccd5356
Malware Config
Signatures
suricata: ET MALWARE ELF/Muhstik Botnet CnC Activity
suricata: ET MALWARE ELF/Muhstik Botnet CnC Activity
Writes file to system bin folder 1 TTPs 3 IoCs
Processes:
description | ioc
/bin/crontab | /bin/crontab
/bin/nvram | /bin/nvram
/bin/uname | /bin/uname
Modifies rc script 1 TTPs 1 IoCs
Adding/modifying system rc scripts is a common persistence mechanism.
Processes:
description | ioc | process
/etc/rc.local | /etc/rc.local | 4aa80ec9c4af1849fb3f0c82cf82c99b
Write file to user bin folder 1 TTPs 2 IoCs
Processes:
description | ioc
/usr/bin/crontab | /usr/bin/crontab
/usr/sbin/nvram | /usr/sbin/nvram
Reads runtime system information 20 IoCs
Reads data from the /proc virtual filesystem.
Processes:
description | ioc | process
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | cp
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | cp
/proc/filesystems | /proc/filesystems | cp
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | cp
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
Writes file to tmp directory 5 IoCs
Malware often drops required files in the /tmp directory.
Processes:
description | ioc | process
/tmp/.bawtz | /tmp/.bawtz | 4aa80ec9c4af1849fb3f0c82cf82c99b
/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b | /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b | cp
/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b | /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b | cp
/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b | /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b | cp
/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b | /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b | cp
Processes
./4aa80ec9c4af1849fb3f0c82cf82c99b — ./4aa80ec9c4af1849fb3f0c82cf82c99b 1⤵
- Modifies rc script
- Writes file to tmp directory
PID:332
-
/bin/sh — sh -c "pidof -x strace > /dev/null" 1⤵ PID:333
-
/bin/pidof — pidof -x strace 2⤵ PID:334
-
/bin/sh — sh -c "pidof -x tcpdump > /dev/null" 1⤵ PID:335
-
/bin/pidof — pidof -x tcpdump 2⤵ PID:336
-
/bin/sh — sh -c "cat /etc/inittab | grep -v \"/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b\" > /etc/inittab2" 1⤵ PID:343
-
/bin/cat — cat /etc/inittab 2⤵ PID:346
-
/bin/grep — grep -v /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b 2⤵ PID:347
-
/bin/sh — sh -c "crontab -r" 1⤵ PID:344
-
/usr/bin/crontab — crontab -r 2⤵
- Reads runtime system information
PID:349
-
/bin/sh — sh -c "crontab -l | grep /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b > /dev/null 2>&1 &\") | crontab -" 1⤵ PID:345
-
/bin/grep — grep /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b 2⤵ PID:350
-
/usr/bin/crontab — crontab -l 2⤵
- Reads runtime system information
PID:348 -
/bin/grep — grep -v "no cron" 2⤵ PID:351
-
/usr/bin/crontab — crontab - 2⤵
- Reads runtime system information
PID:354
-
/bin/sh — sh -c "echo \"0:2345:respawn:/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b\" >> /etc/inittab2" 1⤵ PID:352
-
/usr/bin/crontab — crontab -l 1⤵
- Reads runtime system information
PID:355
-
/bin/sh — sh -c "cat /etc/inittab2 > /etc/inittab" 1⤵ PID:356
-
/bin/cat — cat /etc/inittab2 2⤵ PID:357
-
/bin/sh — sh -c "rm -rf /etc/inittab2" 1⤵ PID:358
-
/bin/rm — rm -rf /etc/inittab2 2⤵ PID:359
-
/bin/sh — sh -c "touch -acmr /bin/ls /etc/inittab" 1⤵ PID:360
-
/usr/bin/touch — touch -acmr /bin/ls /etc/inittab 2⤵ PID:361
-
/bin/sh — sh -c "cp -f /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /dev/shm/4aa80ec9c4af1849fb3f0c82cf82c99b" 1⤵ PID:364
-
/bin/cp — cp -f /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /dev/shm/4aa80ec9c4af1849fb3f0c82cf82c99b 2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:367
-
/bin/sh — sh -c "/bin/uname -n" 1⤵ PID:365
-
/bin/uname — /bin/uname -n 2⤵ PID:366
-
/bin/shsh -c "cat /etc/inittab | grep -v \"/dev/shm/4aa80ec9c4af1849fb3f0c82cf82c99b\" > /etc/inittab2"1⤵PID:369
-
/bin/catcat /etc/inittab2⤵PID:371
-
/bin/grepgrep -v /dev/shm/4aa80ec9c4af1849fb3f0c82cf82c99b2⤵PID:372
-
/bin/shsh -c "crontab -l | grep /dev/shm/4aa80ec9c4af1849fb3f0c82cf82c99b | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /dev/shm/4aa80ec9c4af1849fb3f0c82cf82c99b > /dev/null 2>&1 &\") | crontab -"1⤵PID:370
-
/usr/bin/crontabcrontab -l2⤵
- Reads runtime system information
PID:373 -
/bin/grepgrep /dev/shm/4aa80ec9c4af1849fb3f0c82cf82c99b2⤵PID:374
-
/bin/grepgrep -v "no cron"2⤵PID:375
-
/usr/bin/crontabcrontab -2⤵
- Reads runtime system information
PID:378
-
/bin/shsh -c "echo \"0:2345:respawn:/dev/shm/4aa80ec9c4af1849fb3f0c82cf82c99b\" >> /etc/inittab2"1⤵PID:376
-
/usr/bin/crontabcrontab -l1⤵
- Reads runtime system information
PID:379
-
/bin/shsh -c "cat /etc/inittab2 > /etc/inittab"1⤵PID:380
-
/bin/catcat /etc/inittab22⤵PID:381
-
/bin/shsh -c "rm -rf /etc/inittab2"1⤵PID:382
-
/bin/rmrm -rf /etc/inittab22⤵PID:383
-
/bin/shsh -c "touch -acmr /bin/ls /etc/inittab"1⤵PID:384
-
/usr/bin/touchtouch -acmr /bin/ls /etc/inittab2⤵PID:385
-
/bin/shsh -c "cp -f /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /var/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b"1⤵PID:386
-
/bin/cpcp -f /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /var/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:387
-
/bin/shsh -c "cat /etc/inittab | grep -v \"/var/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b\" > /etc/inittab2"1⤵PID:389
-
/bin/catcat /etc/inittab2⤵PID:391
-
/bin/grepgrep -v /var/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b2⤵PID:392
-
/bin/shsh -c "crontab -l | grep /var/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b > /dev/null 2>&1 &\") | crontab -"1⤵PID:390
-
/bin/grepgrep /var/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b2⤵PID:394
-
/bin/grepgrep -v "no cron"2⤵PID:395
-
/usr/bin/crontabcrontab -l2⤵
- Reads runtime system information
PID:393 -
/usr/bin/crontabcrontab -2⤵
- Reads runtime system information
PID:398
-
/bin/shsh -c "echo \"0:2345:respawn:/var/tmp/4aa80ec9c4af1849fb3f0c82cf82c99b\" >> /etc/inittab2"1⤵PID:396
-
/usr/bin/crontabcrontab -l1⤵
- Reads runtime system information
PID:399
-
/bin/shsh -c "cat /etc/inittab2 > /etc/inittab"1⤵PID:400
-
/bin/catcat /etc/inittab22⤵PID:401
-
/bin/shsh -c "rm -rf /etc/inittab2"1⤵PID:402
-
/bin/rmrm -rf /etc/inittab22⤵PID:403
-
/bin/shsh -c "touch -acmr /bin/ls /etc/inittab"1⤵PID:404
-
/usr/bin/touchtouch -acmr /bin/ls /etc/inittab2⤵PID:405
-
/bin/shsh -c "cp -f /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /var/lock/4aa80ec9c4af1849fb3f0c82cf82c99b"1⤵PID:406
-
/bin/cpcp -f /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /var/lock/4aa80ec9c4af1849fb3f0c82cf82c99b2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:407
-
/bin/shsh -c "cat /etc/inittab | grep -v \"/var/lock/4aa80ec9c4af1849fb3f0c82cf82c99b\" > /etc/inittab2"1⤵PID:409
-
/bin/grepgrep -v /var/lock/4aa80ec9c4af1849fb3f0c82cf82c99b2⤵PID:412
-
/bin/catcat /etc/inittab2⤵PID:411
-
/bin/shsh -c "crontab -l | grep /var/lock/4aa80ec9c4af1849fb3f0c82cf82c99b | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/lock/4aa80ec9c4af1849fb3f0c82cf82c99b > /dev/null 2>&1 &\") | crontab -"1⤵PID:410
-
/bin/grepgrep /var/lock/4aa80ec9c4af1849fb3f0c82cf82c99b2⤵PID:414
-
/bin/grepgrep -v "no cron"2⤵PID:415
-
/usr/bin/crontabcrontab -l2⤵
- Reads runtime system information
PID:413 -
/usr/bin/crontabcrontab -2⤵
- Reads runtime system information
PID:418
-
/bin/shsh -c "echo \"0:2345:respawn:/var/lock/4aa80ec9c4af1849fb3f0c82cf82c99b\" >> /etc/inittab2"1⤵PID:416
-
/usr/bin/crontabcrontab -l1⤵
- Reads runtime system information
PID:419
-
/bin/shsh -c "cat /etc/inittab2 > /etc/inittab"1⤵PID:420
-
/bin/catcat /etc/inittab22⤵PID:421
-
/bin/shsh -c "rm -rf /etc/inittab2"1⤵PID:422
-
/bin/rmrm -rf /etc/inittab22⤵PID:423
-
/bin/shsh -c "touch -acmr /bin/ls /etc/inittab"1⤵PID:424
-
/usr/bin/touchtouch -acmr /bin/ls /etc/inittab2⤵PID:425
-
/bin/shsh -c "cp -f /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /var/run/4aa80ec9c4af1849fb3f0c82cf82c99b"1⤵PID:426
-
/bin/cpcp -f /tmp/4aa80ec9c4af1849fb3f0c82cf82c99b /var/run/4aa80ec9c4af1849fb3f0c82cf82c99b2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:427
-
/bin/shsh -c "cat /etc/inittab | grep -v \"/var/run/4aa80ec9c4af1849fb3f0c82cf82c99b\" > /etc/inittab2"1⤵PID:429
-
/bin/catcat /etc/inittab2⤵PID:431
-
/bin/grepgrep -v /var/run/4aa80ec9c4af1849fb3f0c82cf82c99b2⤵PID:433
-
/bin/shsh -c "crontab -l | grep /var/run/4aa80ec9c4af1849fb3f0c82cf82c99b | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/run/4aa80ec9c4af1849fb3f0c82cf82c99b > /dev/null 2>&1 &\") | crontab -"1⤵PID:430
-
/bin/grepgrep -v "no cron"2⤵PID:435
-
/bin/grepgrep /var/run/4aa80ec9c4af1849fb3f0c82cf82c99b2⤵PID:434
-
/usr/bin/crontabcrontab -l2⤵
- Reads runtime system information
PID:432 -
/usr/bin/crontabcrontab -2⤵
- Reads runtime system information
PID:438
-
/bin/shsh -c "echo \"0:2345:respawn:/var/run/4aa80ec9c4af1849fb3f0c82cf82c99b\" >> /etc/inittab2"1⤵PID:436
-
/usr/bin/crontabcrontab -l1⤵
- Reads runtime system information
PID:439
-
/bin/shsh -c "cat /etc/inittab2 > /etc/inittab"1⤵PID:440
-
/bin/catcat /etc/inittab22⤵PID:441
-
/bin/shsh -c "rm -rf /etc/inittab2"1⤵PID:442
-
/bin/rmrm -rf /etc/inittab22⤵PID:443
-
/bin/shsh -c "touch -acmr /bin/ls /etc/inittab"1⤵PID:444
-
/usr/bin/touchtouch -acmr /bin/ls /etc/inittab2⤵PID:445