General
Target

Mozi.mzhednqwh

Filesize

132KB

Completed

26-04-2022 08:33

Task

behavioral1

Score
10/10
MD5

59ce0baba11893f90527fc951ac69912

SHA1

5857a7dd621c4c3ebb0b5a3bec915d409f70d39f

SHA256

4293c1d8574dc87c58360d6bac3daa182f64f7785c9d41da5e0741d2b1817fc7

SHA512

c5b12797b477e5e5964a78766bb40b1c0d9fdfb8eef1f9aee3df451e3441a40c61d325bf400ba51048811b68e1c70a95f15e4166b7a65a4eca0c624864328647

Malware Config
Signatures (16)


Discovery
  • suricata: ET MALWARE JAWS Webserver Unauthenticated Shell Command Execution

  • suricata: ET MALWARE Mirai Variant User-Agent (Outbound)

  • suricata: ET MALWARE Mozi Botnet DHT Config Sent

  • Contacts a large (14139) amount of remote hosts

    Description

    This may indicate a network scan to discover remotely running services.

    TTPs

    Network Service Scanning
  • Modifies the Watchdog daemon

    Description

    Malware such as Mirai modifies the watchdog daemon to prevent it from restarting an infected system.

  • Writes file to system bin folder

    Reported IOCs

    description      ioc
    /sbin/watchdog   /sbin/watchdog
    /bin/watchdog    /bin/watchdog
  • Modifies hosts file

    Description

    Adds entries to the hosts file, which maps hostnames to IP addresses.

    Reported IOCs

    description   ioc
    /etc/hosts    /etc/hosts
  • Writes DNS configuration

    Description

    Writes data to the DNS resolver configuration file.

    Reported IOCs

    description        ioc
    /etc/resolv.conf   /etc/resolv.conf
  • Enumerates active TCP sockets (process: Mozi.mzhednqwh)

    Description

    Gets active TCP sockets from the /proc virtual filesystem.

    TTPs

    System Network Connections Discovery

    Reported IOCs

    description     ioc             process
    /proc/net/tcp   /proc/net/tcp   Mozi.mzhednqwh
  • Modifies init.d

    Description

    Adds or modifies a system service, likely for persistence.

    Reported IOCs

    description              ioc
    /etc/init.d/S95baby.sh   /etc/init.d/S95baby.sh
  • Reads system routing table

    Description

    Gets active network interfaces from the /proc virtual filesystem.

    TTPs

    System Network Configuration Discovery

    Reported IOCs

    description       ioc
    /proc/net/route   /proc/net/route
  • Creates a large amount of network flows

    Description

    This may indicate a network scan to discover remotely running services.

    TTPs

    Network Service Scanning
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow   ioc
    9466   ipinfo.io
    9468   ipinfo.io
  • Reads system network configuration (process: Mozi.mzhednqwh)

    Description

    Uses the contents of the /proc filesystem to enumerate network settings.

    TTPs

    System Network Configuration Discovery

    Reported IOCs

    description       ioc               process
    /proc/net/tcp     /proc/net/tcp     Mozi.mzhednqwh
    /proc/net/raw     /proc/net/raw     Mozi.mzhednqwh
    /proc/net/route   /proc/net/route
  • Reads runtime system information (process: Mozi.mzhednqwh)

    Description

    Reads data from the /proc virtual filesystem.

    Reported IOCs

    description      ioc              process
    /proc/self/exe   /proc/self/exe   Mozi.mzhednqwh
    /proc/mounts     /proc/mounts
  • Writes file to tmp directory

    Description

    Malware often drops required files in the /tmp directory.

    Reported IOCs

    description           ioc
    /tmp/Mozi.mzhednqwh   /tmp/Mozi.mzhednqwh
Processes (92)
  • ./Mozi.mzhednqwh
    ./Mozi.mzhednqwh
    Enumerates active TCP sockets
    Reads system network configuration
    Reads runtime system information
    PID:324
  • /bin/sh
    sh -c "killall -9 telnetd utelnetd scfgmgr"
    PID:327
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 42149 -j ACCEPT"
    PID:338
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 42149 -j ACCEPT
      PID:339
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 42149 -j ACCEPT"
    PID:344
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 42149 -j ACCEPT
      PID:345
  • /bin/sh
    sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 42149 -j ACCEPT"
    PID:346
    • /sbin/iptables
      iptables -I PREROUTING -t nat -p tcp --destination-port 42149 -j ACCEPT
      PID:347
  • /bin/sh
    sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 42149 -j ACCEPT"
    PID:354
    • /sbin/iptables
      iptables -I POSTROUTING -t nat -p tcp --source-port 42149 -j ACCEPT
      PID:355
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --dport 42149 -j ACCEPT"
    PID:356
    • /sbin/iptables
      iptables -I INPUT -p tcp --dport 42149 -j ACCEPT
      PID:357
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --sport 42149 -j ACCEPT"
    PID:358
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --sport 42149 -j ACCEPT
      PID:359
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 22 -j DROP"
    PID:360
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 22 -j DROP
      PID:362
  • /bin/sh
    sh -c "iptables -I PREROUTING -t nat -p tcp --dport 42149 -j ACCEPT"
    PID:361
    • /sbin/iptables
      iptables -I PREROUTING -t nat -p tcp --dport 42149 -j ACCEPT
      PID:363
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 23 -j DROP"
    PID:364
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 23 -j DROP
      PID:365
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 2323 -j DROP"
    PID:366
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 2323 -j DROP
      PID:367
  • /bin/sh
    sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 42149 -j ACCEPT"
    PID:368
    • /sbin/iptables
      iptables -I POSTROUTING -t nat -p tcp --sport 42149 -j ACCEPT
      PID:370
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 22 -j DROP"
    PID:369
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 22 -j DROP
      PID:371
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 23 -j DROP"
    PID:372
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 23 -j DROP
      PID:373
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 2323 -j DROP"
    PID:374
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
      PID:375
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --dport 22 -j DROP"
    PID:376
    • /sbin/iptables
      iptables -I INPUT -p tcp --dport 22 -j DROP
      PID:377
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --dport 23 -j DROP"
    PID:378
    • /sbin/iptables
      iptables -I INPUT -p tcp --dport 23 -j DROP
      PID:379
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --dport 2323 -j DROP"
    PID:380
    • /sbin/iptables
      iptables -I INPUT -p tcp --dport 2323 -j DROP
      PID:381
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --sport 22 -j DROP"
    PID:382
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --sport 22 -j DROP
      PID:383
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --sport 23 -j DROP"
    PID:384
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --sport 23 -j DROP
      PID:385
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --sport 2323 -j DROP"
    PID:386
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --sport 2323 -j DROP
      PID:387
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"
    PID:388
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 58000 -j DROP
      PID:389
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"
    PID:390
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
      PID:391
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"
    PID:392
    • /sbin/iptables
      iptables -I INPUT -p tcp --dport 58000 -j DROP
      PID:393
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"
    PID:394
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --sport 58000 -j DROP
      PID:395
  • /bin/sh
    sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""
    PID:396
  • /bin/sh
    sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""
    PID:397
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"
    PID:398
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 35000 -j DROP
      PID:399
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"
    PID:400
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 50023 -j DROP
      PID:401
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"
    PID:402
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
      PID:403
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"
    PID:404
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
      PID:405
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"
    PID:406
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 7547 -j DROP
      PID:407
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"
    PID:408
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
      PID:409
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"
    PID:410
    • /sbin/iptables
      iptables -I INPUT -p tcp --dport 35000 -j DROP
      PID:411
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"
    PID:412
    • /sbin/iptables
      iptables -I INPUT -p tcp --dport 50023 -j DROP
      PID:413
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"
    PID:414
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --sport 50023 -j DROP
      PID:415
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"
    PID:416
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --sport 35000 -j DROP
      PID:417
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"
    PID:418
    • /sbin/iptables
      iptables -I INPUT -p tcp --dport 7547 -j DROP
      PID:419
  • /bin/sh
    sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"
    PID:420
    • /sbin/iptables
      iptables -I OUTPUT -p tcp --sport 7547 -j DROP
      PID:421
  • /bin/sh
    sh -c "iptables -I INPUT -p udp --destination-port 59273 -j ACCEPT"
    PID:422
    • /sbin/iptables
      iptables -I INPUT -p udp --destination-port 59273 -j ACCEPT
      PID:423
  • /bin/sh
    sh -c "iptables -I OUTPUT -p udp --source-port 59273 -j ACCEPT"
    PID:424
    • /sbin/iptables
      iptables -I OUTPUT -p udp --source-port 59273 -j ACCEPT
      PID:425
  • /bin/sh
    sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 59273 -j ACCEPT"
    PID:426
    • /sbin/iptables
      iptables -I PREROUTING -t nat -p udp --destination-port 59273 -j ACCEPT
      PID:427
  • /bin/sh
    sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 59273 -j ACCEPT"
    PID:428
    • /sbin/iptables
      iptables -I POSTROUTING -t nat -p udp --source-port 59273 -j ACCEPT
      PID:429
  • /bin/sh
    sh -c "iptables -I INPUT -p udp --dport 59273 -j ACCEPT"
    PID:430
    • /sbin/iptables
      iptables -I INPUT -p udp --dport 59273 -j ACCEPT
      PID:431
  • /bin/sh
    sh -c "iptables -I OUTPUT -p udp --sport 59273 -j ACCEPT"
    PID:432
    • /sbin/iptables
      iptables -I OUTPUT -p udp --sport 59273 -j ACCEPT
      PID:433
  • /bin/sh
    sh -c "iptables -I PREROUTING -t nat -p udp --dport 59273 -j ACCEPT"
    PID:434
    • /sbin/iptables
      iptables -I PREROUTING -t nat -p udp --dport 59273 -j ACCEPT
      PID:435
  • /bin/sh
    sh -c "iptables -I POSTROUTING -t nat -p udp --sport 59273 -j ACCEPT"
    PID:436
    • /sbin/iptables
      iptables -I POSTROUTING -t nat -p udp --sport 59273 -j ACCEPT
      PID:437