General

  • Target

    ded36b111f815e57e2658bd881beaf247be1fea999902456df83840100f5ae65

  • Size

    131KB

  • Sample

    220905-deyp8acda3

  • MD5

    9f8311898543761a53bc9163b4d46d4b

  • SHA1

    a57af9c6a2e9c90b1bc23de281a26395a6710fd0

  • SHA256

    a38ab39ebede2f2ef533a0bd11c928bc7cf398339ffc15b1f1533ba1d5310b99

  • SHA512

    68a3dea6f448b6135dc1d8e911323a793afc6d47db3fb3a67a64a0c39689c5973bc5ba7a77fb3e94b4e2246021464b5513145034d7d02eed6a31b564c6a08083

  • SSDEEP

    3072:iSx/0SYVWKgZe9tZEehI8/8sYBboQASNyYQQv:Bx/0hwbs93hv/NYBFNyVQv

Malware Config

Targets

    • Target

      ded36b111f815e57e2658bd881beaf247be1fea999902456df83840100f5ae65

    • Size

      134KB

    • MD5

      6b0fb88c187a6dbf48017f66f262edab

    • SHA1

      c27a02fbe6525becc24193041359a9adce663f24

    • SHA256

      ded36b111f815e57e2658bd881beaf247be1fea999902456df83840100f5ae65

    • SHA512

      1aae2f3a544e5145747b5f2dfc68957a11d9d14c9229c977dbb954e3f361974c9530ac152fd288e3cec973d9e6660a6f0d185b656647cd7a1e258b8bcf0448a1

    • SSDEEP

      3072:phNlHuBafLeBtfCzpta8xlBIOdVo3/4sxLJ10xioX:p3lOYoaja8xzx/0wsxzSi6

    • Contacts a large (10950) number of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Modifies the Watchdog daemon

      Malware such as Mirai modifies the Watchdog daemon to prevent it from restarting an infected system.

    • Writes file to system bin folder

    • Modifies hosts file

      Adds entries to the hosts file, which maps hostnames to IP addresses.

    • Writes DNS configuration

      Writes data to the DNS resolver config file.

    • Enumerates active TCP sockets

      Gets active TCP sockets from the /proc virtual filesystem.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Reads system routing table

      Gets active network interfaces from the /proc virtual filesystem.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Reads system network configuration

      Uses the contents of the /proc filesystem to enumerate network settings.

    • Reads runtime system information

      Reads data from the /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

MITRE ATT&CK Enterprise v6

Tasks