Overview

overview

9

Static

static

1d982e5daf...debd30

linux_mipsel

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1d982e5daf65410e1c8315f7d0295325e728ff4970131f3b1aac4bc40bdebd30

  • Size

    146KB

  • Sample

    220521-xtkaxsfgfl

  • MD5

    0b98a88d66b5318b4768b66aa309abd7

  • SHA1

    37d026a9a5444828afe65ed7376b7eec0ea3e744

  • SHA256

    1d982e5daf65410e1c8315f7d0295325e728ff4970131f3b1aac4bc40bdebd30

  • SHA512

    45729317935fbd097a01d34200dcb70285b298a1adfe1b38ece5ecb67b5b12f07b94e924f5031852e8c3b721443e5c57bf0119c81ffb0783a876364dfe339f76

Score
9/10
antivmdiscoverylinuxpersistence

Malware Config

Targets

    • Target

      1d982e5daf65410e1c8315f7d0295325e728ff4970131f3b1aac4bc40bdebd30

    • Size

      146KB

    • MD5

      0b98a88d66b5318b4768b66aa309abd7

    • SHA1

      37d026a9a5444828afe65ed7376b7eec0ea3e744

    • SHA256

      1d982e5daf65410e1c8315f7d0295325e728ff4970131f3b1aac4bc40bdebd30

    • SHA512

      45729317935fbd097a01d34200dcb70285b298a1adfe1b38ece5ecb67b5b12f07b94e924f5031852e8c3b721443e5c57bf0119c81ffb0783a876364dfe339f76

    Score
    9/10
    antivmdiscoverypersistence

    • Attempts to identify hypervisor via CPU configuration

      Checks CPU information for indicators that the system is a virtual machine.

      antivm

    • Contacts a large (47348) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Modifies hosts file

      Adds to hosts file used for mapping hosts to IP addresses.

    • Writes DNS configuration

      Writes data to DNS resolver config file.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

      persistence

    • Reads system routing table

      Gets active network interfaces from /proc virtual filesystem.

    • Reads system network configuration

      Uses contents of /proc filesystem to enumerate network settings.

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

1
T1497

Network Service Scanning

2
T1046

System Network Connections Discovery

1
T1049

System Network Configuration Discovery

2
T1016

Lateral Movement

Collection

Exfiltration

Command and Control

Dynamic Resolution

1
T1568

Impact

Tasks