f7113577b5a2b5bb4bb27d8ba723cbbf638ec572de5d21d4e65c2c3e3ac9fd3b

Analysis

max time kernel
8919s
max time network
124s
platform
debian-9_mipsel
resource
debian9-mipsel-20221111-en
resource tags

arch:mipselimage:debian9-mipsel-20221111-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
22-02-2023 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[MS]
Size

415KB
MD5

7e7f8052cc34a6e6318d8b3dd396b4f7
SHA1

049b8ea8b94e5cf49d5631df73406263df0c3f06
SHA256

f7113577b5a2b5bb4bb27d8ba723cbbf638ec572de5d21d4e65c2c3e3ac9fd3b
SHA512

b28b9c1799adfe06c32a27c0ddc2caac0c1c1ff6ae98058daddd2567b6904fbd456683de048ac74e2da89088011281d9adc30902145932b520a5e4c85640748e
SSDEEP

6144:KXR1XbA69flWQIDK+rcjExHC3f9Vmws68nZqLdDILvzsr3G6:KB1s69flMKsQVmws68n8LdDILvzsr3G6

Score

9^/10

persistence

Malware Config

Signatures

Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Writes file to system bin folder 1 TTPs 4 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
/bin/login	/bin/login	Process not Found
/sbin/dhclient	/sbin/dhclient	Process not Found
/bin/bash	/bin/bash	Process not Found
/bin/watchdog	/bin/watchdog	[MS]

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery

T1049

description	ioc
/proc/net/tcp	/proc/net/tcp

Modifies rc script 1 TTPs 1 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
/etc/rc.d/rc.local	/etc/rc.d/rc.local	[MS]

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

description	ioc
/usr/sbin/cron	/usr/sbin/cron
/usr/sbin/rsyslogd	/usr/sbin/rsyslogd
/usr/bin/dbus-daemon	/usr/bin/dbus-daemon
/usr/sbin/agent	/usr/sbin/agent
/usr/sbin/sshd	/usr/sbin/sshd

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc
/proc/net/tcp	/proc/net/tcp

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/1/cmdline	/proc/1/cmdline	[MS]
/proc/14/cmdline	/proc/14/cmdline	[MS]
/proc/165/cmdline	/proc/165/cmdline	[MS]
/proc/287/cmdline	/proc/287/cmdline	[MS]
/proc/6/cmdline	/proc/6/cmdline	Process not Found
/proc/15/maps	/proc/15/maps	Process not Found
/proc/24/cmdline	/proc/24/cmdline	Process not Found
/proc/74/cmdline	/proc/74/cmdline	Process not Found
/proc/115/maps	/proc/115/maps	Process not Found
/proc/37/maps	/proc/37/maps	Process not Found
/proc/81/maps	/proc/81/maps	Process not Found
/proc/215/cmdline	/proc/215/cmdline	Process not Found
/proc/7/cmdline	/proc/7/cmdline	[MS]
/proc/24/cmdline	/proc/24/cmdline	[MS]
/proc/81/cmdline	/proc/81/cmdline	[MS]
/proc/5/maps	/proc/5/maps	Process not Found
/proc/105/cmdline	/proc/105/cmdline	[MS]
/proc/333/cmdline	/proc/333/cmdline	[MS]
/proc/140/maps	/proc/140/maps	Process not Found
/proc/165/cmdline	/proc/165/cmdline	Process not Found
/proc/244/cmdline	/proc/244/cmdline	Process not Found
/proc/245/cmdline	/proc/245/cmdline	Process not Found
/proc/245/cmdline	/proc/245/cmdline	[MS]
/proc/307/cmdline	/proc/307/cmdline	[MS]
/proc/	/proc/	[MS]
/proc/72/cmdline	/proc/72/cmdline	[MS]
/proc/7/maps	/proc/7/maps	Process not Found
/proc/36/maps	/proc/36/maps	Process not Found
/proc/15/cmdline	/proc/15/cmdline	[MS]
/proc/36/cmdline	/proc/36/cmdline	[MS]
/proc/12/maps	/proc/12/maps	Process not Found
/proc/215/cmdline	/proc/215/cmdline	[MS]
/proc/24/maps	/proc/24/maps	Process not Found
/proc/71/maps	/proc/71/maps	Process not Found
/proc/105/maps	/proc/105/maps	Process not Found
/proc/229/cmdline	/proc/229/cmdline	Process not Found
/proc/306/cmdline	/proc/306/cmdline	Process not Found
/proc/8/cmdline	/proc/8/cmdline	[MS]
/proc/73/cmdline	/proc/73/cmdline	[MS]
/proc/22/cmdline	/proc/22/cmdline	Process not Found
/proc/82/maps	/proc/82/maps	Process not Found
/proc/157/maps	/proc/157/maps	Process not Found
/proc/229/maps	/proc/229/maps	Process not Found
/proc/332/cmdline	/proc/332/cmdline	Process not Found
/proc/12/cmdline	/proc/12/cmdline	[MS]
/proc/17/cmdline	/proc/17/cmdline	[MS]
/proc/74/cmdline	/proc/74/cmdline	[MS]
/proc/4/maps	/proc/4/maps	Process not Found
/proc/12/cmdline	/proc/12/cmdline	Process not Found
/proc/13/cmdline	/proc/13/cmdline	Process not Found
/proc/229/cmdline	/proc/229/cmdline	[MS]
/proc/231/cmdline	/proc/231/cmdline	[MS]
/proc/20/maps	/proc/20/maps	Process not Found
/proc/296/cmdline	/proc/296/cmdline	[MS]
/proc/70/maps	/proc/70/maps	Process not Found
/proc/74/maps	/proc/74/maps	Process not Found
/proc/115/cmdline	/proc/115/cmdline	Process not Found
/proc/330/maps	/proc/330/maps	Process not Found
/proc/19/cmdline	/proc/19/cmdline	[MS]
/proc/self/cmdline	/proc/self/cmdline	Process not Found
/proc/140/cmdline	/proc/140/cmdline	[MS]
/proc/72/cmdline	/proc/72/cmdline	Process not Found
/proc/260/maps	/proc/260/maps	Process not Found
/proc/4/cmdline	/proc/4/cmdline	[MS]