47e597e46c1d35ca2eef4ed14f1c666b582d01c9a419f33b87d4a0c6a91c8ac5

General

Target

a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
Size

78KB
MD5

9b6c3518a91d23ed77504b5416bfb5b3
SHA1

0a2d170abbf5031566377b01431e3b82d342630a
SHA256

a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
SHA512

b2b08d5d5e6c6708d88b793e9340a780d47b5dce61e0a3026b4cdea8a9e4cbf9824037255e4ea4a40fee5bce956485232376d4677ce72ccb6c7f00badd09956e
SSDEEP

1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL

Score

9^/10

Malware Config

Signatures

Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562
Modifies hosts file 1 IoCs
Adds to hosts file used for mapping hosts to IP addresses.

Processes:

description ioc

/etc/hosts /etc/hosts
Writes DNS configuration 1 TTPs 1 IoCs
Writes data to DNS resolver config file.

Dynamic Resolution
T1568

Processes:

description ioc

/etc/resolv.conf /etc/resolv.conf
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

description ioc

/proc/net/tcp /proc/net/tcp
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.

System Network Configuration Discovery
T1016

Processes:

a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3

description ioc process

/proc/net/route /proc/net/route a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3

description	ioc
/etc/hosts	/etc/hosts

description	ioc
/etc/resolv.conf	/etc/resolv.conf

description	ioc
/proc/net/tcp	/proc/net/tcp

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

Processes:

a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3

description	ioc	process
/proc/net/route	/proc/net/route	a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
/proc/net/tcp	/proc/net/tcp
/proc/net/tcp6	/proc/net/tcp6

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc
/proc/327/cmdline	/proc/327/cmdline
/proc/292/cmdline	/proc/292/cmdline
/proc/134/cmdline	/proc/134/cmdline
/proc/20/cmdline	/proc/20/cmdline
/proc/17/cmdline	/proc/17/cmdline
/proc/370/fd	/proc/370/fd
/proc/362/fd	/proc/362/fd
/proc/24/cmdline	/proc/24/cmdline
/proc/22/cmdline	/proc/22/cmdline
/proc/2/cmdline	/proc/2/cmdline
/proc/278/fd	/proc/278/fd
/proc/74/cmdline	/proc/74/cmdline
/proc/1/cmdline	/proc/1/cmdline
/proc/141/cmdline	/proc/141/cmdline
/proc/10/cmdline	/proc/10/cmdline
/proc/162/fd	/proc/162/fd
/proc/42/cmdline	/proc/42/cmdline
/proc/25/cmdline	/proc/25/cmdline
/proc/7/cmdline	/proc/7/cmdline
/proc/367/cmdline	/proc/367/cmdline
/proc/327/fd	/proc/327/fd
/proc/325/fd	/proc/325/fd
/proc/278/cmdline	/proc/278/cmdline
/proc/241/cmdline	/proc/241/cmdline
/proc/15/cmdline	/proc/15/cmdline
/proc/370/cmdline	/proc/370/cmdline
/proc/328/cmdline	/proc/328/cmdline
/proc/323/cmdline	/proc/323/cmdline
/proc/217/cmdline	/proc/217/cmdline
/proc/14/cmdline	/proc/14/cmdline
/proc/8/cmdline	/proc/8/cmdline
/proc/18/cmdline	/proc/18/cmdline
/proc/9/cmdline	/proc/9/cmdline
/proc/285/fd	/proc/285/fd
/proc/136/cmdline	/proc/136/cmdline
/proc/241/fd	/proc/241/fd
/proc/5/cmdline	/proc/5/cmdline
/proc/328/fd	/proc/328/fd
/proc/285/cmdline	/proc/285/cmdline
/proc/145/cmdline	/proc/145/cmdline
/proc/96/cmdline	/proc/96/cmdline
/proc/1/fd	/proc/1/fd
/proc/292/fd	/proc/292/fd
/proc/162/cmdline	/proc/162/cmdline
/proc/243/fd	/proc/243/fd
/proc/28/cmdline	/proc/28/cmdline
/proc/16/cmdline	/proc/16/cmdline
/proc/325/cmdline	/proc/325/cmdline
/proc/277/cmdline	/proc/277/cmdline
/proc/245/fd	/proc/245/fd
/proc/201/cmdline	/proc/201/cmdline
/proc/106/cmdline	/proc/106/cmdline
/proc/43/cmdline	/proc/43/cmdline
/proc/41/cmdline	/proc/41/cmdline
/proc/29/cmdline	/proc/29/cmdline
/proc/323/fd	/proc/323/fd
/proc/277/fd	/proc/277/fd
/proc/23/cmdline	/proc/23/cmdline
/proc/21/cmdline	/proc/21/cmdline
/proc/26/cmdline	/proc/26/cmdline
/proc/4/cmdline	/proc/4/cmdline
/proc/141/fd	/proc/141/fd
/proc/103/cmdline	/proc/103/cmdline
/proc/19/cmdline	/proc/19/cmdline

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

Processes:

description	ioc
/tmp/a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3	/tmp/a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
/tmp/ftpupdate.sh	/tmp/ftpupdate.sh
/tmp/ftpupload.sh	/tmp/ftpupload.sh

/tmp/a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
/tmp/a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
1⤵
- Reads system routing table
- Reads system network configuration
PID:369

/bin/sh
/bin/sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"
1⤵
PID:375
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 23 -j DROP
  2⤵
  PID:376

/bin/sh
/bin/sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
1⤵
PID:381
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 7547 -j DROP
  2⤵
  PID:382

/bin/sh
/bin/sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
1⤵
PID:383
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 5555 -j DROP
  2⤵
  PID:384

/bin/sh
/bin/sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"
1⤵
PID:385
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 5358 -j DROP
  2⤵
  PID:386

/bin/sh
/bin/sh -c "iptables -D INPUT -j CWMP_CR"
1⤵
PID:387
- /sbin/iptables
  iptables -D INPUT -j CWMP_CR
  2⤵
  PID:388

/bin/sh
/bin/sh -c "iptables -X CWMP_CR"
1⤵
PID:389
- /sbin/iptables
  iptables -X CWMP_CR
  2⤵
  PID:390

/bin/sh
/bin/sh -c "iptables -I INPUT -p udp --dport 25557 -j ACCEPT"
1⤵
PID:391
- /sbin/iptables
  iptables -I INPUT -p udp --dport 25557 -j ACCEPT
  2⤵
  PID:392