Behavioral Report

max time kernel11976s
max time network176s
platformlinux_mips
resourcedebian9-mipsbe-en-20211208
submitted25-04-2022 23:36

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

Mozi.mwtrblbac

Filesize

132KB

Completed

26-04-2022 08:03

Task

behavioral1

Score

10^/10

MD5

59ce0baba11893f90527fc951ac69912

SHA1

5857a7dd621c4c3ebb0b5a3bec915d409f70d39f

SHA256

4293c1d8574dc87c58360d6bac3daa182f64f7785c9d41da5e0741d2b1817fc7

SHA512

c5b12797b477e5e5964a78766bb40b1c0d9fdfb8eef1f9aee3df451e3441a40c61d325bf400ba51048811b68e1c70a95f15e4166b7a65a4eca0c624864328647

discovery persistence suricata

Discovery

suricata: ET MALWARE Mirai Variant User-Agent (Outbound)

Description

suricata: ET MALWARE Mirai Variant User-Agent (Outbound)

Tags

suricata
Contacts a large (8861) amount of remote hosts

Description

This may indicate a network scan to discover remotely running services.

Tags

discovery

TTPs

Network Service Scanning
Modifies the Watchdog daemon

Description

Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

TTPs
Writes file to system bin folder

TTPs

Reported IOCs

description ioc

/sbin/watchdog /sbin/watchdog
/bin/watchdog /bin/watchdog
Modifies hosts file

Description

Adds to hosts file used for mapping hosts to IP addresses.

Reported IOCs

description ioc

/etc/hosts /etc/hosts
Writes DNS configuration

Description

Writes data to DNS resolver config file.

TTPs

Reported IOCs

description ioc

/etc/resolv.conf /etc/resolv.conf
Enumerates active TCP sockets
Mozi.mwtrblbac

Description

Gets active TCP sockets from /proc virtual filesystem.

TTPs

System Network Connections Discovery

Reported IOCs

description ioc process

/proc/net/tcp /proc/net/tcp Mozi.mwtrblbac
Modifies init.d

Description

Adds/modifies system service, likely for persistence.

Tags

persistence

TTPs

Reported IOCs

description ioc

/etc/init.d/S95baby.sh /etc/init.d/S95baby.sh
Reads system routing table

Description

Gets active network interfaces from /proc virtual filesystem.

TTPs

System Network Configuration Discovery

Reported IOCs

description ioc

/proc/net/route /proc/net/route
Creates a large amount of network flows

Description

This may indicate a network scan to discover remotely running services.

Tags

discovery

TTPs

Network Service Scanning
Looks up external IP address via web service

Description

Uses a legitimate IP lookup service to find the infected system's external IP.

Reported IOCs

flow ioc

8745 ipinfo.io
Reads system network configuration
Mozi.mwtrblbac

Description

Uses contents of /proc filesystem to enumerate network settings.

TTPs

System Network Configuration Discovery

Reported IOCs

description ioc process

/proc/net/tcp /proc/net/tcp Mozi.mwtrblbac
/proc/net/raw /proc/net/raw Mozi.mwtrblbac
/proc/net/route /proc/net/route
Reads runtime system information
Mozi.mwtrblbac

Description

Reads data from /proc virtual filesystem.

Reported IOCs

description ioc

/proc/mounts /proc/mounts
/proc/self/exe /proc/self/exe Mozi.mwtrblbac
Writes file to tmp directory

Description

Malware often drops required files in the /tmp directory.

Reported IOCs

description ioc

/tmp/Mozi.mwtrblbac /tmp/Mozi.mwtrblbac

description	ioc
/sbin/watchdog	/sbin/watchdog
/bin/watchdog	/bin/watchdog

description	ioc
/etc/hosts	/etc/hosts

description	ioc
/etc/resolv.conf	/etc/resolv.conf

description	ioc	process
/proc/net/tcp	/proc/net/tcp	Mozi.mwtrblbac

description	ioc
/etc/init.d/S95baby.sh	/etc/init.d/S95baby.sh

description	ioc
/proc/net/route	/proc/net/route

flow	ioc
8745	ipinfo.io

description	ioc	process
/proc/net/tcp	/proc/net/tcp	Mozi.mwtrblbac
/proc/net/raw	/proc/net/raw	Mozi.mwtrblbac
/proc/net/route	/proc/net/route

description	ioc
/proc/mounts	/proc/mounts
/proc/self/exe	/proc/self/exe	Mozi.mwtrblbac

description	ioc
/tmp/Mozi.mwtrblbac	/tmp/Mozi.mwtrblbac

./Mozi.mwtrblbac

./Mozi.mwtrblbac

Enumerates active TCP sockets
Reads system network configuration
Reads runtime system information

PID:320

/bin/sh

sh -c "killall -9 telnetd utelnetd scfgmgr"

PID:323

/bin/sh

sh -c "iptables -I INPUT -p tcp --destination-port 55093 -j ACCEPT"

PID:334

/sbin/iptables

iptables -I INPUT -p tcp --destination-port 55093 -j ACCEPT

PID:335

/bin/sh

sh -c "iptables -I OUTPUT -p tcp --source-port 55093 -j ACCEPT"

PID:340

/sbin/iptables

iptables -I OUTPUT -p tcp --source-port 55093 -j ACCEPT

PID:341

/bin/sh

sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 55093 -j ACCEPT"

PID:342

/sbin/iptables

iptables -I PREROUTING -t nat -p tcp --destination-port 55093 -j ACCEPT

PID:343

/bin/sh

sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 55093 -j ACCEPT"

PID:351

/sbin/iptables

iptables -I POSTROUTING -t nat -p tcp --source-port 55093 -j ACCEPT

PID:352

/bin/sh

sh -c "iptables -I INPUT -p tcp --dport 55093 -j ACCEPT"

PID:353

/sbin/iptables

iptables -I INPUT -p tcp --dport 55093 -j ACCEPT

PID:354

/bin/sh

sh -c "iptables -I OUTPUT -p tcp --sport 55093 -j ACCEPT"

PID:355

/sbin/iptables

iptables -I OUTPUT -p tcp --sport 55093 -j ACCEPT

PID:356

/bin/sh

sh -c "iptables -I INPUT -p tcp --destination-port 22 -j DROP"

PID:357

/sbin/iptables

iptables -I INPUT -p tcp --destination-port 22 -j DROP

PID:358

/bin/sh

sh -c "iptables -I PREROUTING -t nat -p tcp --dport 55093 -j ACCEPT"

PID:359

/sbin/iptables

iptables -I PREROUTING -t nat -p tcp --dport 55093 -j ACCEPT

PID:360

/bin/sh

sh -c "iptables -I INPUT -p tcp --destination-port 23 -j DROP"

PID:361

/sbin/iptables

iptables -I INPUT -p tcp --destination-port 23 -j DROP

PID:362

/bin/sh

sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 55093 -j ACCEPT"

PID:363

/sbin/iptables

iptables -I POSTROUTING -t nat -p tcp --sport 55093 -j ACCEPT

PID:364

/bin/sh

sh -c "iptables -I INPUT -p tcp --destination-port 2323 -j DROP"

PID:365

/sbin/iptables

iptables -I INPUT -p tcp --destination-port 2323 -j DROP

PID:366

/bin/sh

sh -c "iptables -I OUTPUT -p tcp --source-port 22 -j DROP"

PID:367

/sbin/iptables

iptables -I OUTPUT -p tcp --source-port 22 -j DROP

PID:368

/bin/sh

sh -c "iptables -I OUTPUT -p tcp --source-port 23 -j DROP"

PID:369

/sbin/iptables

iptables -I OUTPUT -p tcp --source-port 23 -j DROP

PID:370

/bin/sh

sh -c "iptables -I OUTPUT -p tcp --source-port 2323 -j DROP"

PID:371

/sbin/iptables

iptables -I OUTPUT -p tcp --source-port 2323 -j DROP

PID:372

/bin/sh

sh -c "iptables -I INPUT -p tcp --dport 22 -j DROP"

PID:373

/sbin/iptables

iptables -I INPUT -p tcp --dport 22 -j DROP

PID:374

/bin/sh

sh -c "iptables -I INPUT -p tcp --dport 23 -j DROP"

PID:375

/sbin/iptables

iptables -I INPUT -p tcp --dport 23 -j DROP

PID:376

/bin/sh

sh -c "iptables -I INPUT -p tcp --dport 2323 -j DROP"

PID:377

/sbin/iptables

iptables -I INPUT -p tcp --dport 2323 -j DROP

PID:378

/bin/sh

sh -c "iptables -I OUTPUT -p tcp --sport 22 -j DROP"

PID:379

/sbin/iptables

iptables -I OUTPUT -p tcp --sport 22 -j DROP

PID:380

/bin/sh

sh -c "iptables -I OUTPUT -p tcp --sport 23 -j DROP"

PID:381

/sbin/iptables

iptables -I OUTPUT -p tcp --sport 23 -j DROP

PID:382

/bin/sh

sh -c "iptables -I OUTPUT -p tcp --sport 2323 -j DROP"

PID:383

/sbin/iptables

iptables -I OUTPUT -p tcp --sport 2323 -j DROP

PID:384

/bin/sh

sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"

PID:385

/sbin/iptables

iptables -I INPUT -p tcp --destination-port 58000 -j DROP

PID:386

/bin/sh

sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"

PID:387

/sbin/iptables

iptables -I OUTPUT -p tcp --source-port 58000 -j DROP

PID:388

/bin/sh

sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"

PID:389

/sbin/iptables

iptables -I INPUT -p tcp --dport 58000 -j DROP

PID:390

/bin/sh

sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"

PID:391

/sbin/iptables

iptables -I OUTPUT -p tcp --sport 58000 -j DROP

PID:392

/bin/sh

sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""

PID:393

/bin/sh

sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""

PID:394

/bin/sh

sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"

PID:395

/sbin/iptables

iptables -I INPUT -p tcp --destination-port 35000 -j DROP

PID:396

/bin/sh

sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"

PID:397

/sbin/iptables

iptables -I INPUT -p tcp --destination-port 50023 -j DROP

PID:398

/bin/sh

sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"

PID:399

/sbin/iptables

iptables -I OUTPUT -p tcp --source-port 50023 -j DROP

PID:400

/bin/sh

sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"

PID:401

/sbin/iptables

iptables -I OUTPUT -p tcp --source-port 35000 -j DROP

PID:402

/bin/sh

sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"

PID:403

/sbin/iptables

iptables -I INPUT -p tcp --destination-port 7547 -j DROP

PID:404

/bin/sh

sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"

PID:405

/sbin/iptables

iptables -I OUTPUT -p tcp --source-port 7547 -j DROP

PID:406

/bin/sh

sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"

PID:407

/sbin/iptables

iptables -I INPUT -p tcp --dport 35000 -j DROP

PID:408

/bin/sh

sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"

PID:409

/sbin/iptables

iptables -I INPUT -p tcp --dport 50023 -j DROP

PID:410

/bin/sh

sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"

PID:411

/sbin/iptables

iptables -I OUTPUT -p tcp --sport 50023 -j DROP

PID:412

/bin/sh

sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"

PID:413

/sbin/iptables

iptables -I OUTPUT -p tcp --sport 35000 -j DROP

PID:414

/bin/sh

sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"

PID:415

/sbin/iptables

iptables -I INPUT -p tcp --dport 7547 -j DROP

PID:416

/bin/sh

sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"

PID:417

/sbin/iptables

iptables -I OUTPUT -p tcp --sport 7547 -j DROP

PID:418

/bin/sh

sh -c "iptables -I INPUT -p udp --destination-port 1027 -j ACCEPT"

PID:419

/sbin/iptables

iptables -I INPUT -p udp --destination-port 1027 -j ACCEPT

PID:420

/bin/sh

sh -c "iptables -I OUTPUT -p udp --source-port 1027 -j ACCEPT"

PID:421

/sbin/iptables

iptables -I OUTPUT -p udp --source-port 1027 -j ACCEPT

PID:422

/bin/sh

sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 1027 -j ACCEPT"

PID:423

/sbin/iptables

iptables -I PREROUTING -t nat -p udp --destination-port 1027 -j ACCEPT

PID:424

/bin/sh

sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 1027 -j ACCEPT"

PID:425

/sbin/iptables

iptables -I POSTROUTING -t nat -p udp --source-port 1027 -j ACCEPT

PID:426

/bin/sh

sh -c "iptables -I INPUT -p udp --dport 1027 -j ACCEPT"

PID:427

/sbin/iptables

iptables -I INPUT -p udp --dport 1027 -j ACCEPT

PID:428

/bin/sh

sh -c "iptables -I OUTPUT -p udp --sport 1027 -j ACCEPT"

PID:429

/sbin/iptables

iptables -I OUTPUT -p udp --sport 1027 -j ACCEPT

PID:430

/bin/sh

sh -c "iptables -I PREROUTING -t nat -p udp --dport 1027 -j ACCEPT"

PID:431

/sbin/iptables

iptables -I PREROUTING -t nat -p udp --dport 1027 -j ACCEPT

PID:432

/bin/sh

sh -c "iptables -I POSTROUTING -t nat -p udp --sport 1027 -j ACCEPT"

PID:433

/sbin/iptables

iptables -I POSTROUTING -t nat -p udp --sport 1027 -j ACCEPT

PID:434

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

Filter: none

Description

Tags

Description

Tags

TTPs

Description

TTPs

TTPs

Reported IOCs

Description

Reported IOCs

Description

TTPs

Reported IOCs

Description

TTPs

Reported IOCs

Description

Tags

TTPs

Reported IOCs

Description

TTPs

Reported IOCs

Description

Tags

TTPs

Description

Reported IOCs

Description

TTPs

Reported IOCs

Description

Reported IOCs

Description

Reported IOCs

Title