Analysis
max time kernel: 30453s
max time network: 124s
platform: linux_armhf
resource: debian9-armhf-en-20211208
resource tags: arch:armhf, image:debian9-armhf-en-20211208, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 25-11-2022 19:35
Static task: static1

Behavioral task: behavioral1
  Sample: cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea
  Resource: ubuntu1804-amd64-en-20211208

Behavioral task: behavioral2
  Sample: cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea
  Resource: debian9-armhf-en-20211208

Behavioral task: behavioral3
  Sample: cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea
  Resource: debian9-mipsbe-20221111-en

Behavioral task: behavioral4
  Sample: cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea
  Resource: debian9-mipsel-en-20211208
General
Target: cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea
Size: 1KB
MD5: 3b2586fd81c0ca699acfa342ca7e248f
SHA1: 25d0f7abafe4e229c1aeaed0137988628263f63d
SHA256: cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea
SHA512: eb969364b7b884a2038180d2b6511db1eca0abff69147f63750347d3b9dc0ec37689939927f398e86acdb74e630fe7a071462e739cc502d8e26b2b3f3c37086d
Malware Config
Signatures
Reads CPU attributes (1 TTP, 3 IoCs)
Processes:
  description                     ioc                             process
  /sys/devices/system/cpu/online  /sys/devices/system/cpu/online  ps
  /sys/devices/system/cpu/online  /sys/devices/system/cpu/online  ps
  /sys/devices/system/cpu/online  /sys/devices/system/cpu/online  ps
Reads runtime system information (64 IoCs)
Reads data from /proc virtual filesystem.
Processes:
  description                   ioc                           process
  /proc/12/task                 /proc/12/task                 ps
  /proc/13/stat                 /proc/13/stat                 ps
  /proc/20/task/20/status       /proc/20/task/20/status       ps
  /proc/381/status              /proc/381/status              ps
  /proc/4/cmdline               /proc/4/cmdline               ps
  /proc/244/task/244/stat       /proc/244/task/244/stat       ps
  /proc/151/task/151/status     /proc/151/task/151/status     ps
  /proc/272/status              /proc/272/status              ps
  /proc/348/status              /proc/348/status              ps
  /proc/353/status              /proc/353/status              ps
  /proc/1/task/1/status         /proc/1/task/1/status         ps
  /proc/14/stat                 /proc/14/stat                 ps
  /proc/15/stat                 /proc/15/stat                 ps
  /proc/tty/drivers             /proc/tty/drivers             ps
  /proc/405/task/405/status     /proc/405/task/405/status     ps
  /proc/432/status              /proc/432/status              ps
  /proc/359/status              /proc/359/status              ps
  /proc/3/task/3/stat           /proc/3/task/3/stat           ps
  /proc/103/cmdline             /proc/103/cmdline             ps
  /proc/231/task/240/stat       /proc/231/task/240/stat       ps
  /proc/310/task                /proc/310/task                ps
  /proc/2/task/2/stat           /proc/2/task/2/stat           ps
  /proc/3/task                  /proc/3/task                  ps
  /proc/17/cmdline              /proc/17/cmdline              ps
  /proc/106/stat                /proc/106/stat                ps
  /proc/103/stat                /proc/103/stat                ps
  /proc/234/stat                /proc/234/stat                ps
  /proc/435/status              /proc/435/status              ps
  /proc/19/task/19/status       /proc/19/task/19/status       ps
  /proc/351/task/351/status     /proc/351/task/351/status     ps
  /proc/360/task/360/cmdline    /proc/360/task/360/cmdline    ps
  /proc/13/stat                 /proc/13/stat                 ps
  /proc/309/task/309/status     /proc/309/task/309/status     ps
  /proc/348/task/348/stat       /proc/348/task/348/stat       ps
  /proc/2/cmdline               /proc/2/cmdline               ps
  /proc/6/task                  /proc/6/task                  ps
  /proc/218/status              /proc/218/status              ps
  /proc/353/task/354/cmdline    /proc/353/task/354/cmdline    ps
  /proc/9/task/9/cmdline        /proc/9/task/9/cmdline        ps
  /proc/15/cmdline              /proc/15/cmdline              ps
  /proc/25/cmdline              /proc/25/cmdline              ps
  /proc/105/task/105/cmdline    /proc/105/task/105/cmdline    ps
  /proc/41/task/41/cmdline      /proc/41/task/41/cmdline      ps
  /proc/353/task/353/stat       /proc/353/task/353/stat       ps
  /proc/362/task                /proc/362/task                ps
  /proc/16/task/16/cmdline      /proc/16/task/16/cmdline      ps
  /proc/105/task                /proc/105/task                ps
  /proc/103/status              /proc/103/status              ps
  /proc/11/task/11/stat         /proc/11/task/11/stat         ps
  /proc/41/task/41/status       /proc/41/task/41/status       ps
  /proc/1/task/1/status         /proc/1/task/1/status         ps
  /proc/1/task/1/stat           /proc/1/task/1/stat           ps
  /proc/106/task                /proc/106/task                ps
  /proc/310/status              /proc/310/status              ps
  /proc/stat                    /proc/stat                    ps
  /proc/16/task/16/stat         /proc/16/task/16/stat         ps
  /proc/20/cmdline              /proc/20/cmdline              ps
  /proc/9/status                /proc/9/status                ps
  /proc/305/task/305/cmdline    /proc/305/task/305/cmdline    ps
  /proc/380/stat                /proc/380/stat                ps
  /proc/18/stat                 /proc/18/stat                 ps
  /proc/353/task/354/status     /proc/353/task/354/status     ps
  /proc/13/status               /proc/13/status               ps
  /proc/310/status              /proc/310/status              ps
Writes file to tmp directory (1 IoC)
Malware often drops required files in the /tmp directory.
Processes:
  description: /tmp/cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea
  ioc:         /tmp/cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea
  process:     cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea
Processes
(each entry: path, cmdline, PID; indented entries are children of the entry above)

/tmp/cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea  cmdline: /tmp/cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea  PID: 351
  signatures: Writes file to tmp directory
    /bin/date  cmdline: date  PID: 352
    /usr/bin/expr  cmdline: expr 0  PID: 363
    /usr/bin/killall  cmdline: /usr/bin/killall -9 xDown.sh  PID: 364
    /apps/www/htdocs/nm/xDown.sh  cmdline: /apps/www/htdocs/nm/xDown.sh  PID: 365
    /bin/sleep  cmdline: sleep 60  PID: 366
    /bin/date  cmdline: date  PID: 379
    /usr/bin/expr  cmdline: expr 0  PID: 386
    /usr/bin/killall  cmdline: /usr/bin/killall -9 xDown.sh  PID: 387
    /apps/www/htdocs/nm/xDown.sh  cmdline: /apps/www/htdocs/nm/xDown.sh  PID: 388
    /bin/sleep  cmdline: sleep 60  PID: 389
    /bin/date  cmdline: date  PID: 428
    /usr/bin/expr  cmdline: expr 0  PID: 439
    /usr/bin/killall  cmdline: /usr/bin/killall -9 xDown.sh  PID: 441
    /apps/www/htdocs/nm/xDown.sh  cmdline: /apps/www/htdocs/nm/xDown.sh  PID: 443

/bin/ps  cmdline: ps wuxm  PID: 358
  signatures: Reads CPU attributes; Reads runtime system information
/bin/grep  cmdline: grep xDown.sh  PID: 359
/bin/grep  cmdline: grep -v grep  PID: 360
/bin/grep  cmdline: grep -v defunct  PID: 361
/usr/bin/wc  cmdline: wc -l  PID: 362

/bin/ps  cmdline: ps wuxm  PID: 381
  signatures: Reads CPU attributes; Reads runtime system information
/bin/grep  cmdline: grep xDown.sh  PID: 382
/bin/grep  cmdline: grep -v grep  PID: 383
/bin/grep  cmdline: grep -v defunct  PID: 384
/usr/bin/wc  cmdline: wc -l  PID: 385

/bin/ps  cmdline: ps wuxm  PID: 432
  signatures: Reads CPU attributes; Reads runtime system information
/bin/grep  cmdline: grep xDown.sh  PID: 433
/bin/grep  cmdline: grep -v grep  PID: 434
/bin/grep  cmdline: grep -v defunct  PID: 435
/usr/bin/wc  cmdline: wc -l  PID: 436