Analysis
- max time kernel: 1246s
- max time network: 157s
- platform: debian-9_mips
- resource: debian9-mipsbe-20221111-en
- resource tags: arch:mips image:debian9-mipsbe-20221111-en kernel:4.9.0-13-4kc-malta locale:en-us os:debian-9-mips system
- submitted: 25-11-2022 19:35
Static task
- static1

Behavioral task
- behavioral1
  Sample: cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea
  Resource: ubuntu1804-amd64-en-20211208
- behavioral2
  Sample: cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea
  Resource: debian9-armhf-en-20211208
- behavioral3
  Sample: cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea
  Resource: debian9-mipsbe-20221111-en
- behavioral4
  Sample: cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea
  Resource: debian9-mipsel-en-20211208
General
- Target: cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea
- Size: 1KB
- MD5: 3b2586fd81c0ca699acfa342ca7e248f
- SHA1: 25d0f7abafe4e229c1aeaed0137988628263f63d
- SHA256: cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea
- SHA512: eb969364b7b884a2038180d2b6511db1eca0abff69147f63750347d3b9dc0ec37689939927f398e86acdb74e630fe7a071462e739cc502d8e26b2b3f3c37086d
Malware Config
Signatures
- Reads CPU attributes (1 TTP, 3 IoCs)
  Processes:
  description | ioc | process
  /sys/devices/system/cpu/online | /sys/devices/system/cpu/online | ps
  /sys/devices/system/cpu/online | /sys/devices/system/cpu/online | ps
  /sys/devices/system/cpu/online | /sys/devices/system/cpu/online | ps
- Reads runtime system information (64 IoCs)
  Reads data from /proc virtual filesystem.
  Processes:
  description | ioc | process
  /proc/330/task | /proc/330/task | ps
  /proc/433/status | /proc/433/status | ps
  /proc/298/task | /proc/298/task | ps
  /proc/340/cmdline | /proc/340/cmdline | ps
  /proc/24/task | /proc/24/task | ps
  /proc/228/status | /proc/228/status | ps
  /proc/333/task/333/stat | /proc/333/task/333/stat | ps
  /proc/2/cmdline | /proc/2/cmdline | ps
  /proc/5/status | /proc/5/status | ps
  /proc/330/task/330/cmdline | /proc/330/task/330/cmdline | ps
  /proc/7/task/7/stat | /proc/7/task/7/stat | ps
  /proc/23/task | /proc/23/task | ps
  /proc/332/cmdline | /proc/332/cmdline | ps
  /proc/15/task/15/status | /proc/15/task/15/status | ps
  /proc/4/task | /proc/4/task | ps
  /proc/330/status | /proc/330/status | ps
  /proc/9/task/9/status | /proc/9/task/9/status | ps
  /proc/11/task/11/status | /proc/11/task/11/status | ps
  /proc/264/task | /proc/264/task | ps
  /proc/74/status | /proc/74/status | ps
  /proc/24/task/24/cmdline | /proc/24/task/24/cmdline | ps
  /proc/8/stat | /proc/8/stat | ps
  /proc/340/task/340/status | /proc/340/task/340/status | ps
  /proc/258/cmdline | /proc/258/cmdline | ps
  /proc/289/task/289/stat | /proc/289/task/289/stat | ps
  /proc/79/stat | /proc/79/stat | ps
  /proc/339/stat | /proc/339/stat | ps
  /proc/228/task/228/stat | /proc/228/task/228/stat | ps
  /proc/19/status | /proc/19/status | ps
  /proc/72/task/72/stat | /proc/72/task/72/stat | ps
  /proc/3/cmdline | /proc/3/cmdline | ps
  /proc/115/task/115/cmdline | /proc/115/task/115/cmdline | ps
  /proc/11/task/11/status | /proc/11/task/11/status | ps
  /proc/115/status | /proc/115/status | ps
  /proc/76/cmdline | /proc/76/cmdline | ps
  /proc/82/status | /proc/82/status | ps
  /proc/16/stat | /proc/16/stat | ps
  /proc/uptime | /proc/uptime | ps
  /proc/69/task/69/status | /proc/69/task/69/status | ps
  /proc/3/task/3/stat | /proc/3/task/3/stat | ps
  /proc/76/task | /proc/76/task | ps
  /proc/265/task/265/status | /proc/265/task/265/status | ps
  /proc/105/task/105/status | /proc/105/task/105/status | ps
  /proc/155/task/155/status | /proc/155/task/155/status | ps
  /proc/115/stat | /proc/115/stat | ps
  /proc/10/task/10/stat | /proc/10/task/10/stat | ps
  /proc/74/task/74/cmdline | /proc/74/task/74/cmdline | ps
  /proc/224/task/224/cmdline | /proc/224/task/224/cmdline | ps
  /proc/225/stat | /proc/225/stat | ps
  /proc/225/task/238/cmdline | /proc/225/task/238/cmdline | ps
  /proc/75/cmdline | /proc/75/cmdline | ps
  /proc/105/cmdline | /proc/105/cmdline | ps
  /proc/260/task | /proc/260/task | ps
  /proc/289/status | /proc/289/status | ps
  /proc/2/task/2/stat | /proc/2/task/2/stat | ps
  /proc/4/task/4/stat | /proc/4/task/4/stat | ps
  /proc/68/status | /proc/68/status | ps
  /proc/306/task/306/cmdline | /proc/306/task/306/cmdline | ps
  /proc/10/stat | /proc/10/stat | ps
  /proc/8/cmdline | /proc/8/cmdline | ps
  /proc/75/task/75/cmdline | /proc/75/task/75/cmdline | ps
  /proc/1/task/1/status | /proc/1/task/1/status | ps
  /proc/18/status | /proc/18/status | ps
  /proc/16/task/16/status | /proc/16/task/16/status | ps
- Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory.
  Processes:
  description | ioc | process
  /tmp/cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea | /tmp/cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea | cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea
Processes
(each entry: path, command line, PID; indentation follows the nesting level of the report)

- /tmp/cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea  cmdline: /tmp/cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea  PID: 332
    signatures: Writes file to tmp directory
  - /bin/date  cmdline: date  PID: 337
  - /usr/bin/expr  cmdline: expr 0  PID: 344
  - /usr/bin/killall  cmdline: /usr/bin/killall -9 xDown.sh  PID: 345
  - /apps/www/htdocs/nm/xDown.sh  cmdline: /apps/www/htdocs/nm/xDown.sh  PID: 346
  - /bin/sleep  cmdline: sleep 60  PID: 347
  - /bin/date  cmdline: date  PID: 348
  - /usr/bin/expr  cmdline: expr 0  PID: 355
  - /usr/bin/killall  cmdline: /usr/bin/killall -9 xDown.sh  PID: 356
  - /apps/www/htdocs/nm/xDown.sh  cmdline: /apps/www/htdocs/nm/xDown.sh  PID: 357
  - /bin/sleep  cmdline: sleep 60  PID: 358
  - /bin/date  cmdline: date  PID: 429
  - /usr/bin/expr  cmdline: expr 0  PID: 436
  - /usr/bin/killall  cmdline: /usr/bin/killall -9 xDown.sh  PID: 437
  - /apps/www/htdocs/nm/xDown.sh  cmdline: /apps/www/htdocs/nm/xDown.sh  PID: 438
- /bin/ps  cmdline: ps wuxm  PID: 339
    signatures: Reads CPU attributes; Reads runtime system information
- /bin/grep  cmdline: grep -v grep  PID: 341
- /bin/grep  cmdline: grep xDown.sh  PID: 340
- /bin/grep  cmdline: grep -v defunct  PID: 342
- /usr/bin/wc  cmdline: wc -l  PID: 343
- /bin/ps  cmdline: ps wuxm  PID: 350
    signatures: Reads CPU attributes; Reads runtime system information
- /bin/grep  cmdline: grep xDown.sh  PID: 351
- /bin/grep  cmdline: grep -v grep  PID: 352
- /bin/grep  cmdline: grep -v defunct  PID: 353
- /usr/bin/wc  cmdline: wc -l  PID: 354
- /bin/ps  cmdline: ps wuxm  PID: 431
    signatures: Reads CPU attributes; Reads runtime system information
- /bin/grep  cmdline: grep -v grep  PID: 433
- /bin/grep  cmdline: grep xDown.sh  PID: 432
- /bin/grep  cmdline: grep -v defunct  PID: 434
- /usr/bin/wc  cmdline: wc -l  PID: 435