Analysis
max time kernel: 0s
max time network: 124s
platform: linux_armhf
resource: debian9-armhf-en-20211208
resource tags: arch:armhf, image:debian9-armhf-en-20211208, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 25-11-2022 19:35
Static task: static1
Behavioral task behavioral1: sample 6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e, resource ubuntu1804-amd64-en-20211208
Behavioral task behavioral2: sample 6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e, resource debian9-armhf-en-20211208
Behavioral task behavioral3: sample 6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e, resource debian9-mipsbe-en-20211208
Behavioral task behavioral4: sample 6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e, resource debian9-mipsel-20221111-en
General
Target: 6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e
Size: 1KB
MD5: 6acfc27bf16bf39d7cd6618fc2b57137
SHA1: 3a3759c509e8ca578c504f162d2e1ee336193f3c
SHA256: 6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e
SHA512: 4d4ce060047d41364fd0a7a4c6e615af6657c46347abafe6e93bf8363dfa2648185c229699525397938c77ca4b802893cbffe39b572f534ddb5f7b9402f34bda
Malware Config
Signatures
Modifies rc script (1 TTP, 1 IoC)
Adding/modifying system rc scripts is a common persistence mechanism.
Processes: grep
ioc              process
/etc/rc.local    grep
The captured IoC is the read side of the check: grep -c for the dropped script's path in /etc/rc.local (PID 388 in the process list). Any append to the file would be done by the script's own shell through a redirection and so would not show up as a separate process in this report.
Reads CPU attributes (1 TTP, 2 IoCs)
Processes: ps, ps
ioc                               process
/sys/devices/system/cpu/online    ps
/sys/devices/system/cpu/online    ps
Both reads belong to the two ps aux invocations (PIDs 370 and 375 in the process list) and are the reads ps makes on startup to learn the CPU count; the sample itself does not open this path.
Reads runtime system information (64 IoCs)
Reads data from /proc virtual filesystem.
Processes: ps, ps, mkdir, cp
All but two rows are the two ps aux invocations walking /proc/<pid>/{cmdline,stat,status} plus /proc/stat; the remaining two are mkdir and cp each reading /proc/filesystems.
ioc                  process
/proc/104/cmdline    ps
/proc/320/stat       ps
/proc/17/cmdline     ps
/proc/208/status     ps
/proc/322/stat       ps
/proc/370/stat       ps
/proc/370/cmdline    ps
/proc/2/status       ps
/proc/278/cmdline    ps
/proc/106/status     ps
/proc/320/cmdline    ps
/proc/363/status     ps
/proc/28/status      ps
/proc/42/cmdline     ps
/proc/362/cmdline    ps
/proc/320/status     ps
/proc/360/cmdline    ps
/proc/15/stat        ps
/proc/269/cmdline    ps
/proc/360/stat       ps
/proc/131/cmdline    ps
/proc/161/stat       ps
/proc/13/cmdline     ps
/proc/23/stat        ps
/proc/226/stat       ps
/proc/226/cmdline    ps
/proc/13/status      ps
/proc/226/status     ps
/proc/369/status     ps
/proc/27/cmdline     ps
/proc/323/stat       ps
/proc/278/status     ps
/proc/363/stat       ps
/proc/stat           ps
/proc/8/stat         ps
/proc/12/status      ps
/proc/95/stat        ps
/proc/135/status     ps
/proc/226/stat       ps
/proc/29/cmdline     ps
/proc/375/stat       ps
/proc/filesystems    mkdir
/proc/41/status      ps
/proc/139/status     ps
/proc/145/cmdline    ps
/proc/2/cmdline      ps
/proc/7/status       ps
/proc/27/stat        ps
/proc/27/status      ps
/proc/29/cmdline     ps
/proc/226/cmdline    ps
/proc/363/cmdline    ps
/proc/10/stat        ps
/proc/95/status      ps
/proc/287/status     ps
/proc/3/status       ps
/proc/14/cmdline     ps
/proc/236/cmdline    ps
/proc/17/stat        ps
/proc/24/cmdline     ps
/proc/322/status     ps
/proc/filesystems    cp
/proc/7/stat         ps
/proc/25/stat        ps
Writes file to tmp directory (1 IoC)
Malware often drops required files in the /tmp directory.
Processes: 6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e
ioc                                                                          process
/tmp/6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e    6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e
The flagged path is the sample's own location, from which the sandbox ran it. The files it actually stages out of /tmp (combinebmp.sh, xDown.sh, xDown_mon.sh) appear only as cp sources in the process list; their creation in /tmp is not captured as a write in this report.
Processes
Each entry is image, command line, PID; indentation reproduces the parent/child depth the report assigned, and signatures triggered by that process follow it.

/tmp/6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e  /tmp/6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e  (PID 363)
    Signatures: Writes file to tmp directory
    /bin/cp  cp -f /tmp/combinebmp.sh /apps/bzw/bin/kit/  (PID 366)
    /bin/rm  rm -rf /apps/www/htdocs/nm/xDown.sh  (PID 379)
    /bin/rm  rm -rf /apps/www/htdocs/nm/xDown_mon.sh  (PID 380)
    /bin/mkdir  mkdir -p /apps/www/htdocs/nm  (PID 381)
        Signatures: Reads runtime system information
    /bin/cp  cp -f /tmp/xDown.sh /apps/www/htdocs/nm  (PID 383)
        Signatures: Reads runtime system information
    /bin/cp  cp -f /tmp/xDown_mon.sh /apps/www/htdocs/nm  (PID 385)
    /bin/chmod  chmod +x /apps/www/htdocs/nm/xDown.sh  (PID 386)
    /bin/chmod  chmod +x /apps/www/htdocs/nm/xDown_mon.sh  (PID 387)
    /bin/grep  grep -c /apps/www/htdocs/nm/xDown_mon.sh /etc/rc.local  (PID 388)
        Signatures: Modifies rc script
    /apps/www/htdocs/nm/xDown_mon.sh  /apps/www/htdocs/nm/xDown_mon.sh  (PID 389)
/bin/ps  ps aux  (PID 370)
    Signatures: Reads CPU attributes, Reads runtime system information
/bin/grep  grep xDown_mon.sh  (PID 371)
/bin/grep  grep -v grep  (PID 372)
/usr/bin/awk  awk "{print \$2}"  (PID 373)
/bin/ps  ps aux  (PID 375)
    Signatures: Reads CPU attributes, Reads runtime system information
/bin/grep  grep xDown.sh  (PID 376)
/bin/grep  grep -v grep  (PID 377)
/usr/bin/awk  awk "{print \$2}"  (PID 378)

PIDs 370 to 378 form two pipelines, ps aux | grep <name> | grep -v grep | awk '{print $2}', which print the PIDs of any already running xDown_mon.sh and xDown.sh. The report lists them at the top level rather than under PID 363, and by PID order they ran between the first cp (366) and the rm calls (379, 380), i.e. before the old copies of the scripts were removed and replaced. The sequence that follows is a plain staging routine: remove old copies, recreate the directory under the web root, copy the two scripts from /tmp, mark them executable, test /etc/rc.local for a reference to the monitor script, then launch it.
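The two behaviours the report flags, staging scripts from /tmp into a web root and checking /etc/rc.local for the dropped script, are straightforward to hunt for on a host. The script below is an added example written for this page; it is not part of the Triage report or of the sample. Its fixture (the rc.local content, the nm directory and the xDown_mon.sh/xDown.sh names) is constructed to mirror the process list above, and the roots it searches for are assumptions a responder would tune to the environment.

```shell
#!/bin/sh
# Added example for this page (not from the sandbox report or the sample).
# Two offline checks for the behaviours flagged above:
#   rc_local_hits FILE ROOT...  lines of an rc.local-style file that reference a
#                               path under any ROOT (comment-only lines skipped);
#                               returns 1 when nothing is found, 2 if unreadable
#   staged_scripts DIR          executable *.sh files under DIR, the layout the
#                               sample produced with cp -f ... then chmod +x
# make_fixture DIR builds a constructed fixture so the checks can be exercised
# without touching the real system; the paths in it are assumptions, not data
# captured from the sample.

rc_local_hits() {
    rc_file=$1; shift
    [ -r "$rc_file" ] || return 2
    hits=
    for root in "$@"; do
        # -F: match the root literally; the trailing slash keeps /tmp from
        # matching /tmpfs. -n prefixes the line number for the report.
        h=$(grep -nF -- "$root/" "$rc_file" | grep -v '^[0-9]*:[[:space:]]*#' || :)
        if [ -n "$h" ]; then
            hits="$hits$h
"
        fi
    done
    [ -n "$hits" ] || return 1
    printf '%s' "$hits"
}

staged_scripts() {
    dir=$1
    [ -d "$dir" ] || return 2
    # -perm -100: owner-executable bit set (octal form, portable across finds).
    find "$dir" -type f -name '*.sh' -perm -100 | sort
}

make_fixture() {
    dir=$1
    mkdir -p "$dir/nm"
    # Constructed rc.local: one real start line plus a comment that mentions
    # /tmp and must not be reported as a hit.
    cat > "$dir/rc.local" <<'EOF'
#!/bin/sh -e
# rc.local
# a comment mentioning /tmp/ignored.sh must not count as a hit
/apps/www/htdocs/nm/xDown_mon.sh &
exit 0
EOF
    printf '#!/bin/sh\n' > "$dir/nm/xDown_mon.sh"
    printf '#!/bin/sh\n' > "$dir/nm/xDown.sh"
    chmod 755 "$dir/nm/xDown_mon.sh"   # staged and made executable
    chmod 644 "$dir/nm/xDown.sh"       # staged but not chmod +x'd
}

# Run both checks against the fixture and print the findings.
demo() {
    t=$(mktemp -d)
    make_fixture "$t"
    echo "rc.local lines pointing into /tmp or the web root:"
    rc_local_hits "$t/rc.local" /tmp /apps/www/htdocs || echo "(none)"
    echo "executable scripts staged under the web root:"
    staged_scripts "$t/nm"
    rm -rf "$t"
}

case "${1-}" in demo) demo ;; esac
```

Run `sh hunt.sh demo` to see it against the fixture; on a live host call the functions directly, e.g. `rc_local_hits /etc/rc.local /tmp /var/tmp /dev/shm /apps/www/htdocs` and `staged_scripts /apps/www/htdocs`. A hit is a lead, not a verdict: legitimate rc.local entries do reference scripts, so compare any finding with the file's change time and with the chmod/cp activity in shell history or audit logs.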