59b10e76d708320ee2a62fa62d811416f48fe3bd97149dcf8acf256940efcb54

Analysis

max time kernel
20445s
max time network
221s
platform
linux_armhf
resource
debian9-armhf-en-20211208
resource tags

arch:armhfimage:debian9-armhf-en-20211208kernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
02-08-2022 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

arm
Size

4.6MB
MD5

ab9781119e7ce3ecc064441b85453885
SHA1

a93c147609fd3527808dd06760f40464de60d804
SHA256

59b10e76d708320ee2a62fa62d811416f48fe3bd97149dcf8acf256940efcb54
SHA512

f92c9d373bdcd3b07fa4832682cf5b493d7296c8c50a308bf77bc1aa63059284abcd802a423d15f215af01ac3ffd80aa1acf0105740fec26cd319e9186ae6e77

Score

9^/10

persistence

Malware Config

Signatures

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
/bin/README_FOR_DECRYPT.txtt	/bin/README_FOR_DECRYPT.txtt	arm
/sbin/README_FOR_DECRYPT.txtt	/sbin/README_FOR_DECRYPT.txtt	arm

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
/etc/init.d/System.sh	/etc/init.d/System.sh	arm

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
/usr/local/sbin/7z	/usr/local/sbin/7z	arm
/usr/bin/README_FOR_DECRYPT.txtt	/usr/bin/README_FOR_DECRYPT.txtt	Process not Found
/usr/local/bin/README_FOR_DECRYPT.txtt	/usr/local/bin/README_FOR_DECRYPT.txtt	Process not Found
/usr/local/sbin/README_FOR_DECRYPT.txtt	/usr/local/sbin/README_FOR_DECRYPT.txtt	Process not Found
/usr/sbin/README_FOR_DECRYPT.txtt	/usr/sbin/README_FOR_DECRYPT.txtt	Process not Found

Reads CPU attributes 1 TTPs 7 IoCs

System Information Discovery

T1082

description	ioc
/sys/devices/system/cpu/cpu0/hotplug	/sys/devices/system/cpu/cpu0/hotplug
/sys/devices/system/cpu/cpu0/power	/sys/devices/system/cpu/cpu0/power
/sys/devices/system/cpu/cpu0/topology	/sys/devices/system/cpu/cpu0/topology
/sys/devices/system/cpu/cpufreq	/sys/devices/system/cpu/cpufreq
/sys/devices/system/cpu/hotplug	/sys/devices/system/cpu/hotplug
/sys/devices/system/cpu/power	/sys/devices/system/cpu/power
/sys/devices/system/cpu/cpu0	/sys/devices/system/cpu/cpu0

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/363/task/375/attr	/proc/363/task/375/attr	Process not Found
/proc/226/net	/proc/226/net	Process not Found
/proc/14/task/14/fd	/proc/14/task/14/fd	arm
/proc/24/task	/proc/24/task	Process not Found
/proc/269/ns	/proc/269/ns	Process not Found
/proc/4/ns	/proc/4/ns	Process not Found
/proc/13/task	/proc/13/task	arm
/proc/135/task/135	/proc/135/task/135	arm
/proc/17/task/17/ns	/proc/17/task/17/ns	arm
/proc/21/task/21/fd	/proc/21/task/21/fd	arm
/proc/26/ns	/proc/26/ns	Process not Found
/proc/sys/kernel/usermodehelper	/proc/sys/kernel/usermodehelper	Process not Found
/proc/106/net	/proc/106/net	Process not Found
/proc/17/ns	/proc/17/ns	arm
/proc/278/net	/proc/278/net	arm
/proc/320	/proc/320	Process not Found
/proc/4/task/4/fdinfo	/proc/4/task/4/fdinfo	Process not Found
/proc/42/task/42/fdinfo	/proc/42/task/42/fdinfo	Process not Found
/proc/11/fd	/proc/11/fd	Process not Found
/proc/363/task/370/fd	/proc/363/task/370/fd	Process not Found
/proc/42/map_files	/proc/42/map_files	Process not Found
/proc/238/net/netfilter	/proc/238/net/netfilter	Process not Found
/proc/287/task/287/net	/proc/287/task/287/net	arm
/proc/316/fdinfo	/proc/316/fdinfo	Process not Found
/proc/322/task/322/ns	/proc/322/task/322/ns	Process not Found
/proc/363/task	/proc/363/task	Process not Found
/proc/363/task/371/net/dev_snmp6	/proc/363/task/371/net/dev_snmp6	Process not Found
/proc/42/net/stat	/proc/42/net/stat	Process not Found
/proc/104/task/104/net	/proc/104/task/104/net	Process not Found
/proc/18	/proc/18	arm
/proc/3/ns	/proc/3/ns	Process not Found
/proc/9/task/9/fdinfo	/proc/9/task/9/fdinfo	Process not Found
/proc/15/attr	/proc/15/attr	arm
/proc/27/task/27/net	/proc/27/task/27/net	Process not Found
/proc/42/task/42/attr	/proc/42/task/42/attr	Process not Found
/proc/fs/nfsd	/proc/fs/nfsd	Process not Found
/proc/20/task	/proc/20/task	arm
/proc/10/fd	/proc/10/fd	Process not Found
/proc/13/task/13/ns	/proc/13/task/13/ns	arm
/proc/16/task/16/fdinfo	/proc/16/task/16/fdinfo	arm
/proc/322/attr	/proc/322/attr	Process not Found
/proc/7/task/7/net/dev_snmp6	/proc/7/task/7/net/dev_snmp6	Process not Found
/proc/1/task	/proc/1/task	Process not Found
/proc/29	/proc/29	Process not Found
/proc/29/task/29/attr	/proc/29/task/29/attr	Process not Found
/proc/41/attr	/proc/41/attr	Process not Found
/proc/74/net/netfilter	/proc/74/net/netfilter	Process not Found
/proc/sys	/proc/sys	Process not Found
/proc/238/map_files	/proc/238/map_files	Process not Found
/proc/15/net/netfilter	/proc/15/net/netfilter	arm
/proc/17/task/17/net/dev_snmp6	/proc/17/task/17/net/dev_snmp6	arm
/proc/18/task/18/attr	/proc/18/task/18/attr	arm
/proc/22/net	/proc/22/net	arm
/proc/236/task	/proc/236/task	Process not Found
/proc/287/fd	/proc/287/fd	arm
/proc/359/task/359/net/dev_snmp6	/proc/359/task/359/net/dev_snmp6	Process not Found
/proc/139/ns	/proc/139/ns	arm
/proc/8/net/dev_snmp6	/proc/8/net/dev_snmp6	Process not Found
/proc/365	/proc/365	Process not Found
/proc/3/net/stat	/proc/3/net/stat	Process not Found
/proc/359/task/359/net/netfilter	/proc/359/task/359/net/netfilter	Process not Found
/proc/363/task/364/net	/proc/363/task/364/net	Process not Found
/proc/74/ns	/proc/74/ns	Process not Found
/proc/21/task/21/fdinfo	/proc/21/task/21/fdinfo	arm

Writes file to tmp directory 8 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/.XIM-unix	/tmp/.XIM-unix	Process not Found
/tmp/.font-unix	/tmp/.font-unix	Process not Found
/tmp/systemd-private-f713a8858f794794838d8fb5c40c5a28-systemd-timesyncd.service-hh8mJD	/tmp/systemd-private-f713a8858f794794838d8fb5c40c5a28-systemd-timesyncd.service-hh8mJD	Process not Found
/tmp/systemd-private-f713a8858f794794838d8fb5c40c5a28-systemd-timesyncd.service-hh8mJD/tmp	/tmp/systemd-private-f713a8858f794794838d8fb5c40c5a28-systemd-timesyncd.service-hh8mJD/tmp	Process not Found
/tmp/arm.pid	/tmp/arm.pid	arm
/tmp/.ICE-unix	/tmp/.ICE-unix	Process not Found
/tmp/.Test-unix	/tmp/.Test-unix	Process not Found
/tmp/.X11-unix	/tmp/.X11-unix	Process not Found

/tmp/arm
/tmp/arm
1⤵
- Writes file to system bin folder
- Modifies init.d
- Write file to user bin folder
- Enumerates kernel/hardware configuration
- Reads runtime system information
- Writes file to tmp directory
PID:363

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

description	ioc	Process
/sys/devices/virtual/vc/vcsa/power	/sys/devices/virtual/vc/vcsa/power	Process not Found
/sys/kernel/debug/tracing/events/ext4/ext4_direct_IO_enter	/sys/kernel/debug/tracing/events/ext4/ext4_direct_IO_enter	arm
/sys/kernel/debug/tracing/events/syscalls/sys_enter_getpid	/sys/kernel/debug/tracing/events/syscalls/sys_enter_getpid	arm
/sys/module/virtio_blk/notes	/sys/module/virtio_blk/notes	Process not Found
/sys/kernel/debug/tracing/events/fib/fib_table_lookup_nh	/sys/kernel/debug/tracing/events/fib/fib_table_lookup_nh	Process not Found
/sys/kernel/debug/tracing/events/syscalls/sys_enter_mlockall	/sys/kernel/debug/tracing/events/syscalls/sys_enter_mlockall	arm
/sys/module/sysrq	/sys/module/sysrq	Process not Found
/sys/kernel/debug/tracing/events/jbd2/jbd2_run_stats	/sys/kernel/debug/tracing/events/jbd2/jbd2_run_stats	Process not Found
/sys/kernel/debug/tracing/events/syscalls/sys_exit_setxattr	/sys/kernel/debug/tracing/events/syscalls/sys_exit_setxattr	Process not Found
/sys/bus/platform/drivers/imx-sdma	/sys/bus/platform/drivers/imx-sdma	Process not Found
/sys/devices/platform/a003c00.virtio_mmio/virtio0/block/vda/vda2/holders	/sys/devices/platform/a003c00.virtio_mmio/virtio0/block/vda/vda2/holders	Process not Found
/sys/fs/cgroup/devices/system.slice/systemd-timesyncd.service	/sys/fs/cgroup/devices/system.slice/systemd-timesyncd.service	arm
/sys/bus/pci/drivers	/sys/bus/pci/drivers	arm
/sys/kernel/debug/tracing/events/writeback/writeback_single_inode	/sys/kernel/debug/tracing/events/writeback/writeback_single_inode	Process not Found
/sys/kernel/debug/tracing/events/syscalls/sys_exit_fchownat	/sys/kernel/debug/tracing/events/syscalls/sys_exit_fchownat	arm
/sys/kernel/debug/tracing/events/v4l2/v4l2_qbuf	/sys/kernel/debug/tracing/events/v4l2/v4l2_qbuf	Process not Found
/sys/module/crc16/holders	/sys/module/crc16/holders	Process not Found
/sys/devices/virtual/tty/tty62/power	/sys/devices/virtual/tty/tty62/power	Process not Found
/sys/kernel/debug/tracing/events/compaction/mm_compaction_finished	/sys/kernel/debug/tracing/events/compaction/mm_compaction_finished	arm
/sys/kernel/debug/tracing/events/ext4/ext4_discard_preallocations	/sys/kernel/debug/tracing/events/ext4/ext4_discard_preallocations	arm
/sys/devices/platform/platform@c000000/power	/sys/devices/platform/platform@c000000/power	Process not Found
/sys/kernel/debug/tracing/events/syscalls/sys_enter_removexattr	/sys/kernel/debug/tracing/events/syscalls/sys_enter_removexattr	arm
/sys/kernel/irq/42	/sys/kernel/irq/42	Process not Found
/sys/kernel/debug/tracing/events/syscalls/sys_enter_ustat	/sys/kernel/debug/tracing/events/syscalls/sys_enter_ustat	arm
/sys/module/ecb/notes	/sys/module/ecb/notes	Process not Found
/sys/devices/tracepoint/power	/sys/devices/tracepoint/power	Process not Found
/sys/fs/cgroup/devices/system.slice/dev-mqueue.mount	/sys/fs/cgroup/devices/system.slice/dev-mqueue.mount	arm
/sys/kernel/debug/tracing/events/ext4/ext4_es_find_delayed_extent_range_enter	/sys/kernel/debug/tracing/events/ext4/ext4_es_find_delayed_extent_range_enter	arm
/sys/bus/platform/drivers/sunxi-rtc	/sys/bus/platform/drivers/sunxi-rtc	Process not Found
/sys/class/i2c-adapter	/sys/class/i2c-adapter	Process not Found
/sys/kernel/debug/tracing/events/ext4/ext4_get_implied_cluster_alloc_exit	/sys/kernel/debug/tracing/events/ext4/ext4_get_implied_cluster_alloc_exit	arm
/sys/kernel/debug/tracing/events/syscalls/sys_exit_setrlimit	/sys/kernel/debug/tracing/events/syscalls/sys_exit_setrlimit	Process not Found
/sys/module/virtio_mmio/drivers	/sys/module/virtio_mmio/drivers	Process not Found
/sys/kernel/debug/tracing/events/cgroup/cgroup_attach_task	/sys/kernel/debug/tracing/events/cgroup/cgroup_attach_task	arm
/sys/kernel/debug/tracing/events/cgroup/cgroup_remount	/sys/kernel/debug/tracing/events/cgroup/cgroup_remount	arm
/sys/kernel/debug/tracing/events/syscalls/sys_exit_io_setup	/sys/kernel/debug/tracing/events/syscalls/sys_exit_io_setup	Process not Found
/sys/kernel/debug/tracing/events/syscalls/sys_exit_setfsgid16	/sys/kernel/debug/tracing/events/syscalls/sys_exit_setfsgid16	Process not Found
/sys/kernel/debug/tracing/events/syscalls/sys_exit_tkill	/sys/kernel/debug/tracing/events/syscalls/sys_exit_tkill	Process not Found
/sys/kernel/debug/tracing/events/syscalls/sys_enter_fchdir	/sys/kernel/debug/tracing/events/syscalls/sys_enter_fchdir	Process not Found
/sys/kernel/debug/tracing/events/syscalls/sys_enter_setregid16	/sys/kernel/debug/tracing/events/syscalls/sys_enter_setregid16	arm
/sys/kernel/debug/tracing/events/syscalls/sys_exit_chmod	/sys/kernel/debug/tracing/events/syscalls/sys_exit_chmod	arm
/sys/kernel/debug/tracing/events/syscalls/sys_exit_eventfd2	/sys/kernel/debug/tracing/events/syscalls/sys_exit_eventfd2	arm
/sys/kernel/debug/tracing/events/syscalls/sys_exit_mknod	/sys/kernel/debug/tracing/events/syscalls/sys_exit_mknod	Process not Found
/sys/fs/cgroup/devices/system.slice/dev-vda5.swap	/sys/fs/cgroup/devices/system.slice/dev-vda5.swap	arm
/sys/fs/cgroup/pids/system.slice/systemd-random-seed.service	/sys/fs/cgroup/pids/system.slice/systemd-random-seed.service	arm
/sys/kernel/debug/tracing/events/syscalls/sys_enter_faccessat	/sys/kernel/debug/tracing/events/syscalls/sys_enter_faccessat	Process not Found
/sys/kernel/debug/tracing/events/syscalls/sys_exit_sched_setparam	/sys/kernel/debug/tracing/events/syscalls/sys_exit_sched_setparam	Process not Found
/sys/kernel/debug/tracing/events/timer/itimer_expire	/sys/kernel/debug/tracing/events/timer/itimer_expire	Process not Found
/sys/module/spidev	/sys/module/spidev	Process not Found
/sys/bus/sunxi-rsb/devices	/sys/bus/sunxi-rsb/devices	Process not Found
/sys/devices/platform/serial8250/tty/ttyS3/power	/sys/devices/platform/serial8250/tty/ttyS3/power	Process not Found
/sys/kernel/debug/tracing/events/ext4/ext4_mballoc_discard	/sys/kernel/debug/tracing/events/ext4/ext4_mballoc_discard	arm
/sys/devices/virtual/tty/tty40/power	/sys/devices/virtual/tty/tty40/power	Process not Found
/sys/kernel/debug/tracing/events/huge_memory/mm_collapse_huge_page	/sys/kernel/debug/tracing/events/huge_memory/mm_collapse_huge_page	Process not Found
/sys/kernel/debug/tracing/events/syscalls/sys_enter_pwritev	/sys/kernel/debug/tracing/events/syscalls/sys_enter_pwritev	arm
/sys/kernel/debug/tracing/events/syscalls/sys_exit_sched_getattr	/sys/kernel/debug/tracing/events/syscalls/sys_exit_sched_getattr	Process not Found
/sys/devices/platform/a001800.virtio_mmio	/sys/devices/platform/a001800.virtio_mmio	Process not Found
/sys/kernel/debug/tracing/events/clk/clk_set_rate	/sys/kernel/debug/tracing/events/clk/clk_set_rate	arm
/sys/kernel/debug/tracing/events/power/pm_qos_update_request_timeout	/sys/kernel/debug/tracing/events/power/pm_qos_update_request_timeout	Process not Found
/sys/kernel/debug/tracing/events/syscalls/sys_exit_pwritev2	/sys/kernel/debug/tracing/events/syscalls/sys_exit_pwritev2	Process not Found
/sys/kernel/debug/tracing/events/syscalls/sys_enter_mkdirat	/sys/kernel/debug/tracing/events/syscalls/sys_enter_mkdirat	arm
/sys/kernel/debug/tracing/events/syscalls/sys_enter_newuname	/sys/kernel/debug/tracing/events/syscalls/sys_enter_newuname	arm
/sys/bus/i2c/drivers/twl	/sys/bus/i2c/drivers/twl	arm
/sys/bus/platform/drivers/as3722-regulator	/sys/bus/platform/drivers/as3722-regulator	Process not Found

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads