47e597e46c1d35ca2eef4ed14f1c666b582d01c9a419f33b87d4a0c6a91c8ac5

Analysis

max time kernel
7238s
max time network
127s
platform
debian-9_armhf
resource
debian9-armhf-20221111-en
resource tags

arch:armhfimage:debian9-armhf-20221111-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
03-02-2023 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
Size

78KB
MD5

9b6c3518a91d23ed77504b5416bfb5b3
SHA1

0a2d170abbf5031566377b01431e3b82d342630a
SHA256

a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
SHA512

b2b08d5d5e6c6708d88b793e9340a780d47b5dce61e0a3026b4cdea8a9e4cbf9824037255e4ea4a40fee5bce956485232376d4677ce72ccb6c7f00badd09956e
SSDEEP

1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL

Score

9^/10

Malware Config

Signatures

Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562
Modifies hosts file 1 IoCs
Adds to hosts file used for mapping hosts to IP addresses.

Processes:

description ioc

/etc/hosts /etc/hosts
Writes DNS configuration 1 TTPs 1 IoCs
Writes data to DNS resolver config file.

Dynamic Resolution
T1568

Processes:

description ioc

/etc/resolv.conf /etc/resolv.conf
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

description ioc

/proc/net/tcp /proc/net/tcp
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.

System Network Configuration Discovery
T1016

Processes:

a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3

description ioc process

/proc/net/route /proc/net/route a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3

description	ioc
/etc/hosts	/etc/hosts

description	ioc
/etc/resolv.conf	/etc/resolv.conf

description	ioc
/proc/net/tcp	/proc/net/tcp

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

Processes:

a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3

description	ioc	process
/proc/net/route	/proc/net/route	a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
/proc/net/tcp	/proc/net/tcp
/proc/net/tcp6	/proc/net/tcp6

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc
/proc/327/cmdline	/proc/327/cmdline
/proc/292/cmdline	/proc/292/cmdline
/proc/134/cmdline	/proc/134/cmdline
/proc/20/cmdline	/proc/20/cmdline
/proc/17/cmdline	/proc/17/cmdline
/proc/370/fd	/proc/370/fd
/proc/362/fd	/proc/362/fd
/proc/24/cmdline	/proc/24/cmdline
/proc/22/cmdline	/proc/22/cmdline
/proc/2/cmdline	/proc/2/cmdline
/proc/278/fd	/proc/278/fd
/proc/74/cmdline	/proc/74/cmdline
/proc/1/cmdline	/proc/1/cmdline
/proc/141/cmdline	/proc/141/cmdline
/proc/10/cmdline	/proc/10/cmdline
/proc/162/fd	/proc/162/fd
/proc/42/cmdline	/proc/42/cmdline
/proc/25/cmdline	/proc/25/cmdline
/proc/7/cmdline	/proc/7/cmdline
/proc/367/cmdline	/proc/367/cmdline
/proc/327/fd	/proc/327/fd
/proc/325/fd	/proc/325/fd
/proc/278/cmdline	/proc/278/cmdline
/proc/241/cmdline	/proc/241/cmdline
/proc/15/cmdline	/proc/15/cmdline
/proc/370/cmdline	/proc/370/cmdline
/proc/328/cmdline	/proc/328/cmdline
/proc/323/cmdline	/proc/323/cmdline
/proc/217/cmdline	/proc/217/cmdline
/proc/14/cmdline	/proc/14/cmdline
/proc/8/cmdline	/proc/8/cmdline
/proc/18/cmdline	/proc/18/cmdline
/proc/9/cmdline	/proc/9/cmdline
/proc/285/fd	/proc/285/fd
/proc/136/cmdline	/proc/136/cmdline
/proc/241/fd	/proc/241/fd
/proc/5/cmdline	/proc/5/cmdline
/proc/328/fd	/proc/328/fd
/proc/285/cmdline	/proc/285/cmdline
/proc/145/cmdline	/proc/145/cmdline
/proc/96/cmdline	/proc/96/cmdline
/proc/1/fd	/proc/1/fd
/proc/292/fd	/proc/292/fd
/proc/162/cmdline	/proc/162/cmdline
/proc/243/fd	/proc/243/fd
/proc/28/cmdline	/proc/28/cmdline
/proc/16/cmdline	/proc/16/cmdline
/proc/325/cmdline	/proc/325/cmdline
/proc/277/cmdline	/proc/277/cmdline
/proc/245/fd	/proc/245/fd
/proc/201/cmdline	/proc/201/cmdline
/proc/106/cmdline	/proc/106/cmdline
/proc/43/cmdline	/proc/43/cmdline
/proc/41/cmdline	/proc/41/cmdline
/proc/29/cmdline	/proc/29/cmdline
/proc/323/fd	/proc/323/fd
/proc/277/fd	/proc/277/fd
/proc/23/cmdline	/proc/23/cmdline
/proc/21/cmdline	/proc/21/cmdline
/proc/26/cmdline	/proc/26/cmdline
/proc/4/cmdline	/proc/4/cmdline
/proc/141/fd	/proc/141/fd
/proc/103/cmdline	/proc/103/cmdline
/proc/19/cmdline	/proc/19/cmdline

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

Processes:

description	ioc
/tmp/a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3	/tmp/a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
/tmp/ftpupdate.sh	/tmp/ftpupdate.sh
/tmp/ftpupload.sh	/tmp/ftpupload.sh

/tmp/a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
/tmp/a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
1⤵
- Reads system routing table
- Reads system network configuration
PID:369

/bin/sh
/bin/sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"
1⤵
PID:375

/sbin/iptables
iptables -A INPUT -p tcp --destination-port 23 -j DROP
2⤵
PID:376

/bin/sh
/bin/sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
1⤵
PID:381

/sbin/iptables
iptables -A INPUT -p tcp --destination-port 7547 -j DROP
2⤵
PID:382

/bin/sh
/bin/sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
1⤵
PID:383

/sbin/iptables
iptables -A INPUT -p tcp --destination-port 5555 -j DROP
2⤵
PID:384

/bin/sh
/bin/sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"
1⤵
PID:385

/sbin/iptables
iptables -A INPUT -p tcp --destination-port 5358 -j DROP
2⤵
PID:386

/bin/sh
/bin/sh -c "iptables -D INPUT -j CWMP_CR"
1⤵
PID:387

/sbin/iptables
iptables -D INPUT -j CWMP_CR
2⤵
PID:388

/bin/sh
/bin/sh -c "iptables -X CWMP_CR"
1⤵
PID:389

/sbin/iptables
iptables -X CWMP_CR
2⤵
PID:390

/bin/sh
/bin/sh -c "iptables -I INPUT -p udp --dport 25557 -j ACCEPT"
1⤵
PID:391

/sbin/iptables
iptables -I INPUT -p udp --dport 25557 -j ACCEPT
2⤵
PID:392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Network Connections Discovery

T1049

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Exfiltration

Command and Control

Dynamic Resolution

T1568

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads