General
Target: Mozi.aevlsmato
Size: 300KB
Sample: 220425-2fk3hsfda3
MD5: 1af4de72c3ecf9b8b42f585232da79ff
SHA1: c7329de7741529b10c49a0aae595fdbf6ed59374
SHA256: ad23d3c3a70c722f36f005a0660fe2dbf6385fc6da6c799d0feb81599dd7e341
SHA512: cd39848f0070de6e70af095bb7a424e6cb61e82050abc48381b3f580ddaca696658975f26c1871c6e5dc1fc69b2a8a5fbffa97f4d4b7c729aa2f92893dd60f37
Static task: static1
Behavioral task: behavioral1
Sample: Mozi.aevlsmato
Resource: debian9-mipsbe-en-20211208 (big-endian MIPS, the architecture this ELF was built for)
Malware Config
Targets
Target: Mozi.aevlsmato
Size: 300KB
MD5: 1af4de72c3ecf9b8b42f585232da79ff
SHA1: c7329de7741529b10c49a0aae595fdbf6ed59374
SHA256: ad23d3c3a70c722f36f005a0660fe2dbf6385fc6da6c799d0feb81599dd7e341
SHA512: cd39848f0070de6e70af095bb7a424e6cb61e82050abc48381b3f580ddaca696658975f26c1871c6e5dc1fc69b2a8a5fbffa97f4d4b7c729aa2f92893dd60f37
Score: 9/10

- Contacts a large (11717) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
- Modifies the Watchdog daemon
  Malware such as Mirai opens the watchdog device and disables it so that a device the bot has left hung or overloaded is not rebooted, since a reboot would clear a memory-only infection.
- Writes file to system bin folder
- Modifies hosts file
  Adds entries to the hosts file used for mapping host names to IP addresses.
- Writes DNS configuration
  Writes data to the DNS resolver config file.
- Enumerates active TCP sockets
  Gets active TCP sockets from the /proc virtual filesystem.
- Reads system routing table
  Gets the kernel routing table (routes, gateways and interfaces) from the /proc virtual filesystem.
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Reads system network configuration
  Uses contents of the /proc filesystem to enumerate network settings.
- Reads runtime system information
  Reads data from the /proc virtual filesystem.
- Writes file to tmp directory
  Malware often drops required files in the /tmp directory.
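The "Enumerates active TCP sockets" and "Reads system routing table" signatures above both come down to reading /proc/net/tcp and /proc/net/route, and the same two files are what a responder reads on a suspect device to confirm the scanning behaviour the report flags. The following is an added example, not code from the sandbox or from the Mozi sample: it parses both files offline from constructed excerpts and flags scan-like behaviour (many half-open SYN_SENT connections to one remote port across distinct targets). The sample contents, the threshold value and the helper names are assumptions made for the example. Note the byte-order caveat: the kernel prints the 32-bit address in host order, so the hex reads byte-reversed on x86 but in natural order on a big-endian target such as the mipsbe image used here.

```python
"""Parse /proc/net/tcp and /proc/net/route offline and flag scan-like activity.

Added example for this report, not part of the sandbox or the sample.
All input below is constructed; the threshold and helper names are assumptions.
"""
import socket
import struct
from collections import Counter

# TCP state codes as printed in the "st" column of /proc/net/tcp.
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
    0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
    0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING",
}


def hex_to_ip(hex_ip, big_endian=False):
    """Convert the 8-hex-digit address the kernel prints into dotted form.

    The value is printed in host byte order: byte-reversed on little-endian
    x86/ARM, natural order on a big-endian host (e.g. the mipsbe sandbox image).
    """
    fmt = ">I" if big_endian else "<I"
    return socket.inet_ntoa(struct.pack(fmt, int(hex_ip, 16)))


def decode_addr(field, big_endian=False):
    """Turn 'HEXIP:HEXPORT' into (dotted_ip, port)."""
    ip_hex, port_hex = field.split(":")
    return hex_to_ip(ip_hex, big_endian), int(port_hex, 16)


def parse_proc_net_tcp(text, big_endian=False):
    """Return one dict per socket line of /proc/net/tcp (header skipped)."""
    sockets = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 4:
            continue
        sockets.append({
            "local": decode_addr(parts[1], big_endian),
            "remote": decode_addr(parts[2], big_endian),
            "state": TCP_STATES.get(int(parts[3], 16), parts[3]),
        })
    return sockets


def parse_proc_net_route(text, big_endian=False):
    """Return (iface, destination, gateway, netmask) per /proc/net/route line."""
    routes = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 8:
            continue
        routes.append((parts[0], hex_to_ip(parts[1], big_endian),
                       hex_to_ip(parts[2], big_endian), hex_to_ip(parts[7], big_endian)))
    return routes


def syn_sent_by_port(sockets):
    """Count half-open outbound connections per remote port."""
    return Counter(s["remote"][1] for s in sockets if s["state"] == "SYN_SENT")


def looks_like_scan(sockets, threshold=3):
    """True if one remote port has >= threshold distinct SYN_SENT targets.

    A worm probing telnet/SSH shows up as a spike on 23/2323/22 fanned out
    across many remote IPs; a single slow server would repeat the same IP.
    """
    targets = {}
    for s in sockets:
        if s["state"] == "SYN_SENT":
            targets.setdefault(s["remote"][1], set()).add(s["remote"][0])
    return any(len(ips) >= threshold for ips in targets.values())


# Constructed /proc/net/tcp excerpt (little-endian layout): an SSH listener,
# one established loopback session, and four half-open SYNs to port 23.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:8E4C 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 10002 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:C001 04030201:0017 02 00000001:00000000 01:00000010 00000001     0        0 10003 1 0000000000000000 20 4 30 10 -1
   3: 0F02000A:C002 08070605:0017 02 00000001:00000000 01:00000010 00000001     0        0 10004 1 0000000000000000 20 4 30 10 -1
   4: 0F02000A:C003 0C0B0A09:0017 02 00000001:00000000 01:00000010 00000001     0        0 10005 1 0000000000000000 20 4 30 10 -1
   5: 0F02000A:C004 100F0E0D:0017 02 00000001:00000000 01:00000010 00000001     0        0 10006 1 0000000000000000 20 4 30 10 -1
"""

# Constructed /proc/net/route excerpt: default route via 10.0.2.2, plus the LAN.
SAMPLE_ROUTE = """\
Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT
eth0\t00000000\t0202000A\t0003\t0\t0\t0\t00000000\t0\t0\t0
eth0\t0002000A\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0
"""

if __name__ == "__main__":
    socks = parse_proc_net_tcp(SAMPLE_TCP)
    print("SYN_SENT per remote port:", dict(syn_sent_by_port(socks)))
    print("scan-like:", looks_like_scan(socks))
    for r in parse_proc_net_route(SAMPLE_ROUTE):
        print("route:", r)
```

On a live box, replace the constructed strings with `open("/proc/net/tcp").read()` and `open("/proc/net/route").read()`, and pass `big_endian=True` when reading files captured from a big-endian device (or a sandbox image like the one above); a forensic copy of /proc/net/tcp taken from a MIPS router and parsed with x86 assumptions yields reversed, meaningless addresses.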