General
Target

mozi.mxlbwttdk

Filesize

132KB

Completed

26-04-2022 08:11

Task

behavioral1

Score

10/10

MD5

59ce0baba11893f90527fc951ac69912

SHA1

5857a7dd621c4c3ebb0b5a3bec915d409f70d39f

SHA256

4293c1d8574dc87c58360d6bac3daa182f64f7785c9d41da5e0741d2b1817fc7

SHA512

c5b12797b477e5e5964a78766bb40b1c0d9fdfb8eef1f9aee3df451e3441a40c61d325bf400ba51048811b68e1c70a95f15e4166b7a65a4eca0c624864328647

Malware Config

Signatures 14

Discovery
  • suricata: ET MALWARE Mirai Variant User-Agent (Outbound)

    Description

    suricata: ET MALWARE Mirai Variant User-Agent (Outbound)

  • Contacts a large number (14674) of remote hosts

    Description

    This may indicate a network scan to discover remotely running services.

    TTPs

    Network Service Scanning
  • Modifies the Watchdog daemon

    Description

    Malware such as Mirai modifies the watchdog to prevent it from restarting an infected system.

  • Writes file to system bin folder

    Reported IOCs

    description        ioc
    /sbin/watchdog     /sbin/watchdog
    /bin/watchdog      /bin/watchdog
  • Modifies hosts file

    Description

    Adds to hosts file used for mapping hosts to IP addresses.

    Reported IOCs

    description        ioc
    /etc/hosts         /etc/hosts
  • Writes DNS configuration

    Description

    Writes data to DNS resolver config file.

    Reported IOCs

    description        ioc
    /etc/resolv.conf   /etc/resolv.conf
  • Enumerates active TCP sockets
    mozi.mxlbwttdk

    Description

    Gets active TCP sockets from /proc virtual filesystem.

    TTPs

    System Network Connections Discovery

    Reported IOCs

    description        ioc                process
    /proc/net/tcp      /proc/net/tcp      mozi.mxlbwttdk
  • Modifies init.d

    Description

    Adds/modifies system service, likely for persistence.

    Reported IOCs

    description               ioc
    /etc/init.d/S95baby.sh    /etc/init.d/S95baby.sh
  • Reads system routing table

    Description

    Gets active network interfaces from /proc virtual filesystem.

    TTPs

    System Network Configuration Discovery

    Reported IOCs

    description        ioc
    /proc/net/route    /proc/net/route
  • Creates a large amount of network flows

    Description

    This may indicate a network scan to discover remotely running services.

    TTPs

    Network Service Scanning
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow     ioc
    8584     ipinfo.io
    8587     ipinfo.io
  • Reads system network configuration
    mozi.mxlbwttdk

    Description

    Uses contents of /proc filesystem to enumerate network settings.

    TTPs

    System Network Configuration Discovery

    Reported IOCs

    description        ioc                process
    /proc/net/tcp      /proc/net/tcp      mozi.mxlbwttdk
    /proc/net/raw      /proc/net/raw      mozi.mxlbwttdk
    /proc/net/route    /proc/net/route
  • Reads runtime system information
    mozi.mxlbwttdk

    Description

    Reads data from /proc virtual filesystem.

    Reported IOCs

    description        ioc                process
    /proc/self/exe     /proc/self/exe     mozi.mxlbwttdk
    /proc/mounts       /proc/mounts
  • Writes file to tmp directory

    Description

    Malware often drops required files in the /tmp directory.

    Reported IOCs

    description             ioc
    /tmp/mozi.mxlbwttdk     /tmp/mozi.mxlbwttdk
Processes 92
  • ./mozi.mxlbwttdk
    ./mozi.mxlbwttdk
    Enumerates active TCP sockets
    Reads system network configuration
    Reads runtime system information
    PID:320
  • /bin/sh
    sh -c "killall -9 telnetd utelnetd scfgmgr"
    PID:323
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 35217 -j ACCEPT"
    PID:333
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 35217 -j ACCEPT
      PID:334
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 35217 -j ACCEPT"
    PID:339
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 35217 -j ACCEPT
      PID:340
  • /bin/sh
    sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 35217 -j ACCEPT"
    PID:341
    • /sbin/iptables
      iptables -I PREROUTING -t nat -p tcp --destination-port 35217 -j ACCEPT
      PID:342
  • /bin/sh
    sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 35217 -j ACCEPT"
    PID:350
    • /sbin/iptables
      iptables -I POSTROUTING -t nat -p tcp --source-port 35217 -j ACCEPT
      PID:351
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --dport 35217 -j ACCEPT"
    PID:352
    • /sbin/iptables
      iptables -I INPUT -p tcp --dport 35217 -j ACCEPT
      PID:353
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --sport 35217 -j ACCEPT"
    PID:354
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --sport 35217 -j ACCEPT
      PID:355
  • /bin/sh
    sh -c "iptables -I PREROUTING -t nat -p tcp --dport 35217 -j ACCEPT"
    PID:356
    • /sbin/iptables
      iptables -I PREROUTING -t nat -p tcp --dport 35217 -j ACCEPT
      PID:357
  • /bin/sh
    sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 35217 -j ACCEPT"
    PID:358
    • /sbin/iptables
      iptables -I POSTROUTING -t nat -p tcp --sport 35217 -j ACCEPT
      PID:359
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 22 -j DROP"
    PID:360
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 22 -j DROP
      PID:361
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 23 -j DROP"
    PID:362
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 23 -j DROP
      PID:363
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 2323 -j DROP"
    PID:364
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 2323 -j DROP
      PID:365
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 22 -j DROP"
    PID:366
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 22 -j DROP
      PID:367
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 23 -j DROP"
    PID:368
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 23 -j DROP
      PID:369
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 2323 -j DROP"
    PID:370
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
      PID:371
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --dport 22 -j DROP"
    PID:372
    • /sbin/iptables
      iptables -I INPUT -p tcp --dport 22 -j DROP
      PID:373
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --dport 23 -j DROP"
    PID:374
    • /sbin/iptables
      iptables -I INPUT -p tcp --dport 23 -j DROP
      PID:375
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --dport 2323 -j DROP"
    PID:376
    • /sbin/iptables
      iptables -I INPUT -p tcp --dport 2323 -j DROP
      PID:377
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --sport 22 -j DROP"
    PID:378
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --sport 22 -j DROP
      PID:379
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --sport 23 -j DROP"
    PID:380
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --sport 23 -j DROP
      PID:381
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --sport 2323 -j DROP"
    PID:382
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --sport 2323 -j DROP
      PID:383
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"
    PID:384
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 58000 -j DROP
      PID:385
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"
    PID:386
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
      PID:387
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"
    PID:388
    • /sbin/iptables
      iptables -I INPUT -p tcp --dport 58000 -j DROP
      PID:389
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"
    PID:390
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --sport 58000 -j DROP
      PID:391
  • /bin/sh
    sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""
    PID:392
  • /bin/sh
    sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""
    PID:393
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"
    PID:394
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 35000 -j DROP
      PID:395
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"
    PID:396
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 50023 -j DROP
      PID:397
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"
    PID:398
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
      PID:399
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"
    PID:400
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
      PID:401
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"
    PID:402
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 7547 -j DROP
      PID:403
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"
    PID:404
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
      PID:405
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"
    PID:406
    • /sbin/iptables
      iptables -I INPUT -p tcp --dport 35000 -j DROP
      PID:407
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"
    PID:408
    • /sbin/iptables
      iptables -I INPUT -p tcp --dport 50023 -j DROP
      PID:409
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"
    PID:410
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --sport 50023 -j DROP
      PID:411
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"
    PID:412
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --sport 35000 -j DROP
      PID:413
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"
    PID:414
    • /sbin/iptables
      iptables -I INPUT -p tcp --dport 7547 -j DROP
      PID:415
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"
    PID:416
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --sport 7547 -j DROP
      PID:417
  • /bin/sh
    sh -c "iptables -I INPUT -p udp --destination-port 28339 -j ACCEPT"
    PID:419
    • /sbin/iptables
      iptables -I INPUT -p udp --destination-port 28339 -j ACCEPT
      PID:420
  • /bin/sh
    sh -c "iptables -I OUTPUT -p udp --source-port 28339 -j ACCEPT"
    PID:421
    • /sbin/iptables
      iptables -I OUTPUT -p udp --source-port 28339 -j ACCEPT
      PID:422
  • /bin/sh
    sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 28339 -j ACCEPT"
    PID:423
    • /sbin/iptables
      iptables -I PREROUTING -t nat -p udp --destination-port 28339 -j ACCEPT
      PID:424
  • /bin/sh
    sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 28339 -j ACCEPT"
    PID:425
    • /sbin/iptables
      iptables -I POSTROUTING -t nat -p udp --source-port 28339 -j ACCEPT
      PID:426
  • /bin/sh
    sh -c "iptables -I INPUT -p udp --dport 28339 -j ACCEPT"
    PID:427
    • /sbin/iptables
      iptables -I INPUT -p udp --dport 28339 -j ACCEPT
      PID:428
  • /bin/sh
    sh -c "iptables -I OUTPUT -p udp --sport 28339 -j ACCEPT"
    PID:429
    • /sbin/iptables
      iptables -I OUTPUT -p udp --sport 28339 -j ACCEPT
      PID:430
  • /bin/sh
    sh -c "iptables -I PREROUTING -t nat -p udp --dport 28339 -j ACCEPT"
    PID:431
    • /sbin/iptables
      iptables -I PREROUTING -t nat -p udp --dport 28339 -j ACCEPT
      PID:432
  • /bin/sh
    sh -c "iptables -I POSTROUTING -t nat -p udp --sport 28339 -j ACCEPT"
    PID:434
    • /sbin/iptables
      iptables -I POSTROUTING -t nat -p udp --sport 28339 -j ACCEPT
      PID:435
Network
MITRE ATT&CK Matrix

Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation