General
Target: Mozi.mwtrblbac
Filesize: 132KB
Completed: 26-04-2022 08:03
Task: behavioral1
Score: 10/10
MD5: 59ce0baba11893f90527fc951ac69912
SHA1: 5857a7dd621c4c3ebb0b5a3bec915d409f70d39f
SHA256: 4293c1d8574dc87c58360d6bac3daa182f64f7785c9d41da5e0741d2b1817fc7
SHA512: c5b12797b477e5e5964a78766bb40b1c0d9fdfb8eef1f9aee3df451e3441a40c61d325bf400ba51048811b68e1c70a95f15e4166b7a65a4eca0c624864328647

Malware Config
Signatures 14

Discovery
  • suricata: ET MALWARE Mirai Variant User-Agent (Outbound)

    Description

    suricata: ET MALWARE Mirai Variant User-Agent (Outbound)

  • Contacts a large number (8861) of remote hosts

    Description

    This may indicate a network scan to discover remotely running services.

    TTPs

    Network Service Scanning
  • Modifies the Watchdog daemon

    Description

    Malware such as Mirai modifies the watchdog daemon to prevent it from restarting an infected system.

  • Writes file to system bin folder

    Reported IOCs

    description | ioc
    /sbin/watchdog | /sbin/watchdog
    /bin/watchdog | /bin/watchdog
  • Modifies hosts file

    Description

    Adds entries to the hosts file, which maps hostnames to IP addresses.

    Reported IOCs

    description | ioc
    /etc/hosts | /etc/hosts
  • Writes DNS configuration

    Description

    Writes data to the DNS resolver configuration file.

    Reported IOCs

    description | ioc
    /etc/resolv.conf | /etc/resolv.conf
  • Enumerates active TCP sockets
    Process: Mozi.mwtrblbac

    Description

    Reads the list of active TCP sockets from the /proc virtual filesystem.

    TTPs

    System Network Connections Discovery

    Reported IOCs

    description | ioc | process
    /proc/net/tcp | /proc/net/tcp | Mozi.mwtrblbac
  • Modifies init.d

    Description

    Adds or modifies a system service, likely for persistence.

    Reported IOCs

    description | ioc
    /etc/init.d/S95baby.sh | /etc/init.d/S95baby.sh
  • Reads system routing table

    Description

    Reads the kernel routing table from the /proc virtual filesystem.

    TTPs

    System Network Configuration Discovery

    Reported IOCs

    description | ioc
    /proc/net/route | /proc/net/route
  • Creates a large amount of network flows

    Description

    This may indicate a network scan to discover remotely running services.

    TTPs

    Network Service Scanning
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    8745 | ipinfo.io
  • Reads system network configuration
    Process: Mozi.mwtrblbac

    Description

    Uses the contents of the /proc filesystem to enumerate network settings.

    TTPs

    System Network Configuration Discovery

    Reported IOCs

    description | ioc | process
    /proc/net/tcp | /proc/net/tcp | Mozi.mwtrblbac
    /proc/net/raw | /proc/net/raw | Mozi.mwtrblbac
    /proc/net/route | /proc/net/route | 
  • Reads runtime system information
    Process: Mozi.mwtrblbac

    Description

    Reads data from the /proc virtual filesystem.

    Reported IOCs

    description | ioc | process
    /proc/mounts | /proc/mounts | 
    /proc/self/exe | /proc/self/exe | Mozi.mwtrblbac
  • Writes file to tmp directory

    Description

    Malware often drops required files in the /tmp directory.

    Reported IOCs

    description | ioc
    /tmp/Mozi.mwtrblbac | /tmp/Mozi.mwtrblbac
Processes 92
  • ./Mozi.mwtrblbac
    ./Mozi.mwtrblbac
    Enumerates active TCP sockets
    Reads system network configuration
    Reads runtime system information
    PID:320
  • /bin/sh
    sh -c "killall -9 telnetd utelnetd scfgmgr"
    PID:323
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 55093 -j ACCEPT"
    PID:334
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 55093 -j ACCEPT
      PID:335
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 55093 -j ACCEPT"
    PID:340
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 55093 -j ACCEPT
      PID:341
  • /bin/sh
    sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 55093 -j ACCEPT"
    PID:342
    • /sbin/iptables
      iptables -I PREROUTING -t nat -p tcp --destination-port 55093 -j ACCEPT
      PID:343
  • /bin/sh
    sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 55093 -j ACCEPT"
    PID:351
    • /sbin/iptables
      iptables -I POSTROUTING -t nat -p tcp --source-port 55093 -j ACCEPT
      PID:352
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --dport 55093 -j ACCEPT"
    PID:353
    • /sbin/iptables
      iptables -I INPUT -p tcp --dport 55093 -j ACCEPT
      PID:354
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --sport 55093 -j ACCEPT"
    PID:355
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --sport 55093 -j ACCEPT
      PID:356
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 22 -j DROP"
    PID:357
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 22 -j DROP
      PID:358
  • /bin/sh
    sh -c "iptables -I PREROUTING -t nat -p tcp --dport 55093 -j ACCEPT"
    PID:359
    • /sbin/iptables
      iptables -I PREROUTING -t nat -p tcp --dport 55093 -j ACCEPT
      PID:360
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 23 -j DROP"
    PID:361
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 23 -j DROP
      PID:362
  • /bin/sh
    sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 55093 -j ACCEPT"
    PID:363
    • /sbin/iptables
      iptables -I POSTROUTING -t nat -p tcp --sport 55093 -j ACCEPT
      PID:364
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 2323 -j DROP"
    PID:365
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 2323 -j DROP
      PID:366
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 22 -j DROP"
    PID:367
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 22 -j DROP
      PID:368
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 23 -j DROP"
    PID:369
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 23 -j DROP
      PID:370
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 2323 -j DROP"
    PID:371
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
      PID:372
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --dport 22 -j DROP"
    PID:373
    • /sbin/iptables
      iptables -I INPUT -p tcp --dport 22 -j DROP
      PID:374
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --dport 23 -j DROP"
    PID:375
    • /sbin/iptables
      iptables -I INPUT -p tcp --dport 23 -j DROP
      PID:376
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --dport 2323 -j DROP"
    PID:377
    • /sbin/iptables
      iptables -I INPUT -p tcp --dport 2323 -j DROP
      PID:378
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --sport 22 -j DROP"
    PID:379
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --sport 22 -j DROP
      PID:380
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --sport 23 -j DROP"
    PID:381
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --sport 23 -j DROP
      PID:382
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --sport 2323 -j DROP"
    PID:383
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --sport 2323 -j DROP
      PID:384
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"
    PID:385
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 58000 -j DROP
      PID:386
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"
    PID:387
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
      PID:388
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"
    PID:389
    • /sbin/iptables
      iptables -I INPUT -p tcp --dport 58000 -j DROP
      PID:390
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"
    PID:391
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --sport 58000 -j DROP
      PID:392
  • /bin/sh
    sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""
    PID:393
  • /bin/sh
    sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""
    PID:394
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"
    PID:395
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 35000 -j DROP
      PID:396
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"
    PID:397
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 50023 -j DROP
      PID:398
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"
    PID:399
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
      PID:400
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"
    PID:401
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
      PID:402
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"
    PID:403
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 7547 -j DROP
      PID:404
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"
    PID:405
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
      PID:406
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"
    PID:407
    • /sbin/iptables
      iptables -I INPUT -p tcp --dport 35000 -j DROP
      PID:408
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"
    PID:409
    • /sbin/iptables
      iptables -I INPUT -p tcp --dport 50023 -j DROP
      PID:410
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"
    PID:411
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --sport 50023 -j DROP
      PID:412
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"
    PID:413
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --sport 35000 -j DROP
      PID:414
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"
    PID:415
    • /sbin/iptables
      iptables -I INPUT -p tcp --dport 7547 -j DROP
      PID:416
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"
    PID:417
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --sport 7547 -j DROP
      PID:418
  • /bin/sh
    sh -c "iptables -I INPUT -p udp --destination-port 1027 -j ACCEPT"
    PID:419
    • /sbin/iptables
      iptables -I INPUT -p udp --destination-port 1027 -j ACCEPT
      PID:420
  • /bin/sh
    sh -c "iptables -I OUTPUT -p udp --source-port 1027 -j ACCEPT"
    PID:421
    • /sbin/iptables
      iptables -I OUTPUT -p udp --source-port 1027 -j ACCEPT
      PID:422
  • /bin/sh
    sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 1027 -j ACCEPT"
    PID:423
    • /sbin/iptables
      iptables -I PREROUTING -t nat -p udp --destination-port 1027 -j ACCEPT
      PID:424
  • /bin/sh
    sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 1027 -j ACCEPT"
    PID:425
    • /sbin/iptables
      iptables -I POSTROUTING -t nat -p udp --source-port 1027 -j ACCEPT
      PID:426
  • /bin/sh
    sh -c "iptables -I INPUT -p udp --dport 1027 -j ACCEPT"
    PID:427
    • /sbin/iptables
      iptables -I INPUT -p udp --dport 1027 -j ACCEPT
      PID:428
  • /bin/sh
    sh -c "iptables -I OUTPUT -p udp --sport 1027 -j ACCEPT"
    PID:429
    • /sbin/iptables
      iptables -I OUTPUT -p udp --sport 1027 -j ACCEPT
      PID:430
  • /bin/sh
    sh -c "iptables -I PREROUTING -t nat -p udp --dport 1027 -j ACCEPT"
    PID:431
    • /sbin/iptables
      iptables -I PREROUTING -t nat -p udp --dport 1027 -j ACCEPT
      PID:432
  • /bin/sh
    sh -c "iptables -I POSTROUTING -t nat -p udp --sport 1027 -j ACCEPT"
    PID:433
    • /sbin/iptables
      iptables -I POSTROUTING -t nat -p udp --sport 1027 -j ACCEPT
      PID:434
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation