Analysis
max time kernel: 0s
max time network: 126s
platform: debian-9_mipsel
resource: debian9-mipsel-20221111-en
resource tags: arch:mipsel, image:debian9-mipsel-20221111-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 25-11-2022 19:35
Static task
static1
Behavioral task
behavioral1
Sample
6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e
Resource
ubuntu1804-amd64-en-20211208
Behavioral task
behavioral2
Sample
6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e
Resource
debian9-armhf-en-20211208
Behavioral task
behavioral3
Sample
6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e
Resource
debian9-mipsbe-en-20211208
Behavioral task
behavioral4
Sample
6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e
Resource
debian9-mipsel-20221111-en
General
Target: 6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e
Size: 1KB
MD5: 6acfc27bf16bf39d7cd6618fc2b57137
SHA1: 3a3759c509e8ca578c504f162d2e1ee336193f3c
SHA256: 6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e
SHA512: 4d4ce060047d41364fd0a7a4c6e615af6657c46347abafe6e93bf8363dfa2648185c229699525397938c77ca4b802893cbffe39b572f534ddb5f7b9402f34bda
Malware Config
Signatures
Modifies rc script (1 TTPs, 1 IoCs)
Adding/modifying system rc scripts is a common persistence mechanism.
Processes: grep
description / ioc | process
/etc/rc.local | grep

Reads CPU attributes (1 TTPs, 2 IoCs)
Processes: ps, ps
description / ioc | process
/sys/devices/system/cpu/online | ps
/sys/devices/system/cpu/online | ps

Reads runtime system information (64 IoCs)
Reads data from /proc virtual filesystem.
Processes: ps, ps, cp
description / ioc | process
/proc/338/cmdline | ps
/proc/347/status | ps
/proc/157/status | ps
/proc/143/status | ps
/proc/36/cmdline | ps
/proc/19/status | ps
/proc/21/stat | ps
/proc/260/status | ps
/proc/292/stat | ps
/proc/334/cmdline | ps
/proc/7/cmdline | ps
/proc/17/stat | ps
/proc/19/cmdline | ps
/proc/1/stat | ps
/proc/146/stat | ps
/proc/24/cmdline | ps
/proc/1/status | ps
/proc/235/status | ps
/proc/sys/kernel/osrelease | ps
/proc/75/stat | ps
/proc/331/status | ps
/proc/self/stat | ps
/proc/6/stat | ps
/proc/6/status | ps
/proc/75/cmdline | ps
/proc/115/stat | ps
/proc/2/stat | ps
/proc/meminfo | ps
/proc/20/stat | ps
/proc/81/status | ps
/proc/15/status | ps
/proc/21/cmdline | ps
/proc/74/stat | ps
/proc/116/stat | ps
/proc/345/stat | ps
/proc/329/cmdline | ps
/proc/81/stat | ps
/proc/116/status | ps
/proc/234/cmdline | ps
/proc/7/status | ps
/proc/9/cmdline | ps
/proc/263/cmdline | ps
/proc/filesystems | cp
/proc/2/status | ps
/proc/336/status | ps
/proc/23/stat | ps
/proc/157/status | ps
/proc/284/stat | ps
/proc/14/cmdline | ps
/proc/69/cmdline | ps
/proc/74/stat | ps
/proc/75/cmdline | ps
/proc/263/status | ps
/proc/339/stat | ps
/proc/343/stat | ps
/proc/18/status | ps
/proc/7/status | ps
/proc/10/status | ps
/proc/36/stat | ps
/proc/filesystems | ps
/proc/105/cmdline | ps
/proc/227/status | ps
/proc/69/status | ps
/proc/79/stat | ps

Writes file to tmp directory (1 IoCs)
Malware often drops required files in the /tmp directory.
Processes: 6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e
description / ioc | process
/tmp/6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e | 6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e
Processes
(each entry is image path: command line; indentation shows the parent/child depth reported by the sandbox)
- /tmp/6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e: /tmp/6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e
  - Writes file to tmp directory
  - /bin/cp: cp -f /tmp/combinebmp.sh /apps/bzw/bin/kit/
  - /bin/rm: rm -rf /apps/www/htdocs/nm/xDown.sh
  - /bin/rm: rm -rf /apps/www/htdocs/nm/xDown_mon.sh
  - /bin/mkdir: mkdir -p /apps/www/htdocs/nm
  - /bin/cp: cp -f /tmp/xDown.sh /apps/www/htdocs/nm
  - /bin/cp: cp -f /tmp/xDown_mon.sh /apps/www/htdocs/nm
    - Reads runtime system information
  - /bin/chmod: chmod +x /apps/www/htdocs/nm/xDown.sh
  - /bin/chmod: chmod +x /apps/www/htdocs/nm/xDown_mon.sh
  - /bin/grep: grep -c /apps/www/htdocs/nm/xDown_mon.sh /etc/rc.local
    - Modifies rc script
  - /apps/www/htdocs/nm/xDown_mon.sh: /apps/www/htdocs/nm/xDown_mon.sh
- /bin/ps: ps aux
  - Reads CPU attributes
  - Reads runtime system information
- /bin/grep: grep xDown_mon.sh
- /bin/grep: grep -v grep
- /usr/bin/awk: awk "{print \$2}"
- /bin/ps: ps aux
  - Reads CPU attributes
  - Reads runtime system information
- /bin/grep: grep -v grep
- /bin/grep: grep xDown.sh
- /usr/bin/awk: awk "{print \$2}"