Analysis
max time kernel: 30452s
max time network: 121s
platform: linux_mipsel
resource: debian9-mipsel-en-20211208
resource tags: arch:mipsel, image:debian9-mipsel-en-20211208, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 25-11-2022 19:35

Static task: static1

Behavioral task: behavioral1
Sample: cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea
Resource: ubuntu1804-amd64-en-20211208

Behavioral task: behavioral2
Sample: cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea
Resource: debian9-armhf-en-20211208

Behavioral task: behavioral3
Sample: cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea
Resource: debian9-mipsbe-20221111-en

Behavioral task: behavioral4
Sample: cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea
Resource: debian9-mipsel-en-20211208
General
Target: cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea
Size: 1KB
MD5: 3b2586fd81c0ca699acfa342ca7e248f
SHA1: 25d0f7abafe4e229c1aeaed0137988628263f63d
SHA256: cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea
SHA512: eb969364b7b884a2038180d2b6511db1eca0abff69147f63750347d3b9dc0ec37689939927f398e86acdb74e630fe7a071462e739cc502d8e26b2b3f3c37086d
Malware Config
Signatures
-
Reads CPU attributes (1 TTP, 3 IoCs)
Processes:
  description                      ioc                              process
  /sys/devices/system/cpu/online   /sys/devices/system/cpu/online   ps
  /sys/devices/system/cpu/online   /sys/devices/system/cpu/online   ps
  /sys/devices/system/cpu/online   /sys/devices/system/cpu/online   ps
Reads runtime system information (64 IoCs)
Reads data from the /proc virtual filesystem.
Writes file to tmp directory (1 IoC)
Malware often drops required files in the /tmp directory.
Processes:
  description: /tmp/cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea
  ioc: /tmp/cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea
  process: cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea
Processes (path, command line, PID; indentation shows process depth; triggered signatures in brackets)
- /tmp/cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea (cmdline: /tmp/cf79606eae2e092774cd526aab8792b57ad36b6ab85cd7522cf04f57289b8dea) PID:328 [Writes file to tmp directory]
  - /bin/date (cmdline: date) PID:330
  - /usr/bin/expr (cmdline: expr 0) PID:340
  - /usr/bin/killall (cmdline: /usr/bin/killall -9 xDown.sh) PID:341
  - /apps/www/htdocs/nm/xDown.sh (cmdline: /apps/www/htdocs/nm/xDown.sh) PID:342
  - /bin/sleep (cmdline: sleep 60) PID:343
  - /bin/date (cmdline: date) PID:344
  - /usr/bin/expr (cmdline: expr 0) PID:351
  - /usr/bin/killall (cmdline: /usr/bin/killall -9 xDown.sh) PID:352
  - /apps/www/htdocs/nm/xDown.sh (cmdline: /apps/www/htdocs/nm/xDown.sh) PID:353
  - /bin/sleep (cmdline: sleep 60) PID:354
  - /bin/date (cmdline: date) PID:381
  - /usr/bin/expr (cmdline: expr 0) PID:388
  - /usr/bin/killall (cmdline: /usr/bin/killall -9 xDown.sh) PID:389
  - /apps/www/htdocs/nm/xDown.sh (cmdline: /apps/www/htdocs/nm/xDown.sh) PID:390
- /bin/ps (cmdline: ps wuxm) PID:335 [Reads CPU attributes; Reads runtime system information]
- /bin/grep (cmdline: grep -v grep) PID:337
- /bin/grep (cmdline: grep xDown.sh) PID:336
- /bin/grep (cmdline: grep -v defunct) PID:338
- /usr/bin/wc (cmdline: wc -l) PID:339
- /bin/ps (cmdline: ps wuxm) PID:346 [Reads CPU attributes; Reads runtime system information]
- /bin/grep (cmdline: grep xDown.sh) PID:347
- /bin/grep (cmdline: grep -v defunct) PID:349
- /bin/grep (cmdline: grep -v grep) PID:348
- /usr/bin/wc (cmdline: wc -l) PID:350
- /bin/ps (cmdline: ps wuxm) PID:383 [Reads CPU attributes; Reads runtime system information]
- /bin/grep (cmdline: grep -v grep) PID:385
- /bin/grep (cmdline: grep xDown.sh) PID:384
- /bin/grep (cmdline: grep -v defunct) PID:386
- /usr/bin/wc (cmdline: wc -l) PID:387