General

  • Target

    Mozi.mittotond

  • Size

    134KB

  • Sample

    220425-221ebsgcf7

  • MD5

    d3d6614282509be0a15a5bc01ab8b5ae

  • SHA1

    a3bed9ce0585954fc02e6f20ed68ef6800fce9cd

  • SHA256

    459e454e45f08c917dec9342b7c6a586dbe9edfa4bb942dcd4766ecb446fbd1a

  • SHA512

    bc4568e60e6f4833ab619eeeb50a47d54213621d830ce58414602c12dc3cbd01b94603467787672f5caf372f74f727516b2e31e8b332a582df1c98dae7889252

Malware Config

Targets

    • Target

      Mozi.mittotond

    • Size

      134KB

    • MD5

      d3d6614282509be0a15a5bc01ab8b5ae

    • SHA1

      a3bed9ce0585954fc02e6f20ed68ef6800fce9cd

    • SHA256

      459e454e45f08c917dec9342b7c6a586dbe9edfa4bb942dcd4766ecb446fbd1a

    • SHA512

      bc4568e60e6f4833ab619eeeb50a47d54213621d830ce58414602c12dc3cbd01b94603467787672f5caf372f74f727516b2e31e8b332a582df1c98dae7889252

    • Contacts a large (17310) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Modifies the Watchdog daemon

      Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

    • Writes file to system bin folder

    • Modifies hosts file

      Adds to hosts file used for mapping hosts to IP addresses.

    • Writes DNS configuration

      Writes data to DNS resolver config file.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Reads system routing table

      Gets active network interfaces from /proc virtual filesystem.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Reads system network configuration

      Uses contents of /proc filesystem to enumerate network settings.

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

MITRE ATT&CK Enterprise v6

Tasks