General

  • Target

    Mips.elf

  • Size

    1MB

  • Sample

    221004-1h7hvscfd6

  • MD5

    ae5592bdb0464f06c88f665282991b82

  • SHA1

    be5bf9dfec7fae911666060f584b4ffd0b04185f

  • SHA256

    18a4352b2101b4fa81652d5fce34b08ed7def8bd40e413cebf991ede97692a02

  • SHA512

    4c57878362b342a0928c8ddcb3fccff79be1ee0164e4f16c2d5169d14ea8ce322ac37693f965e8584fa950d733b70fe3d084cce4cf3675d62104482404b870a0

  • SSDEEP

    49152:Um7vtBcWDjchCCpjy3WT/N7SExRtmbj2mEE5MBn:U67cWDoggmrExRtmbHEE2Bn

Malware Config

Targets

    • Target

      Mips.elf

    • Size

      1MB

    • MD5

      ae5592bdb0464f06c88f665282991b82

    • SHA1

      be5bf9dfec7fae911666060f584b4ffd0b04185f

    • SHA256

      18a4352b2101b4fa81652d5fce34b08ed7def8bd40e413cebf991ede97692a02

    • SHA512

      4c57878362b342a0928c8ddcb3fccff79be1ee0164e4f16c2d5169d14ea8ce322ac37693f965e8584fa950d733b70fe3d084cce4cf3675d62104482404b870a0

    • SSDEEP

      49152:Um7vtBcWDjchCCpjy3WT/N7SExRtmbj2mEE5MBn:U67cWDoggmrExRtmbHEE2Bn

    • StealthWorker

      StealthWorker is golang-based brute force malware.

    • Attempts to identify hypervisor via CPU configuration

      Checks CPU information for indicators that the system is a virtual machine.

    • Modifies hosts file

      Adds to hosts file used for mapping hosts to IP addresses.

    • Writes DNS configuration

      Writes data to DNS resolver config file.

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Discovery

          Execution

            Exfiltration

              Impact

                Initial Access

                  Lateral Movement

                    Persistence

                      Privilege Escalation

                        Tasks