Analysis
-
max time kernel
0s -
max time network
46s -
platform
linux_mipsel -
resource
debian9-mipsel-en-20211208 -
resource tags
arch:mipselimage:debian9-mipsel-en-20211208kernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem -
submitted
27-02-2023 11:33
Behavioral task
behavioral1
Sample
[MS].elf
Resource
debian9-mipsel-en-20211208
debian-9-mipsel
7 signatures
150 seconds
General
-
Target
[MS].elf
-
Size
415KB
-
MD5
134022ec8a791d12ffeaab4a78262ef1
-
SHA1
c5e64df54b1d71f94e9835423ff89e2c75537fd5
-
SHA256
8c8a257bc47aff1b1629adb0709ded9d4e73016c24015623acc24c966b7535f6
-
SHA512
4e301336610b35d531936c9ce057f681b6bbc5c9d0dda448aa2ced4976f2c68563dc0e221e660a428e9cfd757f8e124666b83a9ea54092d972f1cbc3d9e06ff1
-
SSDEEP
12288:i18prykKI3s4/t2mws68n8LdDILvzsr3G1:i1yrykL3z/cmws68n8LdDILvzsr3G1
Score
9/10
Malware Config
Signatures
-
Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.
-
Writes file to system bin folder 1 TTPs 4 IoCs
description ioc Process /bin/login /bin/login Process not Found /sbin/dhclient /sbin/dhclient Process not Found /bin/bash /bin/bash Process not Found /bin/watchdog /bin/watchdog [MS].elf -
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
description ioc /proc/net/tcp /proc/net/tcp -
Modifies rc script 1 TTPs 1 IoCs
Adding/modifying system rc scripts is a common persistence mechanism.
description ioc Process /etc/rc.d/rc.local /etc/rc.d/rc.local [MS].elf -
Write file to user bin folder 1 TTPs 5 IoCs
description ioc /usr/sbin/agent /usr/sbin/agent /usr/sbin/cron /usr/sbin/cron /usr/sbin/rsyslogd /usr/sbin/rsyslogd /usr/sbin/sshd /usr/sbin/sshd /usr/bin/dbus-daemon /usr/bin/dbus-daemon -
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
description ioc /proc/net/tcp /proc/net/tcp -
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
description ioc Process /proc/1/cmdline /proc/1/cmdline [MS].elf /proc/36/cmdline /proc/36/cmdline [MS].elf /proc/81/cmdline /proc/81/cmdline [MS].elf /proc/3/cmdline /proc/3/cmdline Process not Found /proc/10/maps /proc/10/maps Process not Found /proc/312/maps /proc/312/maps Process not Found /proc/23/cmdline /proc/23/cmdline [MS].elf /proc/74/cmdline /proc/74/cmdline [MS].elf /proc/83/cmdline /proc/83/cmdline [MS].elf /proc/227/cmdline /proc/227/cmdline [MS].elf /proc/20/cmdline /proc/20/cmdline Process not Found /proc/37/cmdline /proc/37/cmdline Process not Found /proc/72/cmdline /proc/72/cmdline Process not Found /proc/83/maps /proc/83/maps Process not Found /proc/139/cmdline /proc/139/cmdline Process not Found /proc/10/cmdline /proc/10/cmdline [MS].elf /proc/13/cmdline /proc/13/cmdline [MS].elf /proc/17/cmdline /proc/17/cmdline [MS].elf /proc/311/cmdline /proc/311/cmdline [MS].elf /proc/17/cmdline /proc/17/cmdline Process not Found /proc/18/maps /proc/18/maps Process not Found /proc/115/maps /proc/115/maps Process not Found /proc/335/cmdline /proc/335/cmdline Process not Found /proc/16/cmdline /proc/16/cmdline [MS].elf /proc/260/cmdline /proc/260/cmdline [MS].elf /proc/8/cmdline /proc/8/cmdline Process not Found /proc/18/cmdline /proc/18/cmdline Process not Found /proc/69/cmdline /proc/69/cmdline Process not Found /proc/332/maps /proc/332/maps Process not Found /proc/37/cmdline /proc/37/cmdline [MS].elf /proc/73/cmdline /proc/73/cmdline [MS].elf /proc/242/cmdline /proc/242/cmdline [MS].elf /proc/21/maps /proc/21/maps Process not Found /proc/214/maps /proc/214/maps Process not Found /proc/260/cmdline /proc/260/cmdline Process not Found /proc/281/maps /proc/281/maps Process not Found /proc/312/cmdline /proc/312/cmdline Process not Found /proc/4/maps /proc/4/maps Process not Found /proc/7/cmdline /proc/7/cmdline Process not Found /proc/14/cmdline /proc/14/cmdline Process not Found /proc/116/maps /proc/116/maps Process not Found /proc/329/maps /proc/329/maps Process not Found /proc/22/cmdline /proc/22/cmdline [MS].elf /proc/71/cmdline /proc/71/cmdline [MS].elf /proc/69/maps /proc/69/maps Process not Found /proc/146/cmdline /proc/146/cmdline Process not Found /proc/216/cmdline /proc/216/cmdline Process not Found /proc/264/maps /proc/264/maps Process not Found /proc/5/maps /proc/5/maps Process not Found /proc/7/maps /proc/7/maps Process not Found /proc/312/cmdline /proc/312/cmdline [MS].elf /proc/16/cmdline /proc/16/cmdline Process not Found /proc/20/maps /proc/20/maps Process not Found /proc/23/maps /proc/23/maps Process not Found /proc/76/cmdline /proc/76/cmdline Process not Found /proc/115/cmdline /proc/115/cmdline Process not Found /proc/9/cmdline /proc/9/cmdline [MS].elf /proc/24/cmdline /proc/24/cmdline [MS].elf /proc/241/cmdline /proc/241/cmdline [MS].elf /proc/83/cmdline /proc/83/cmdline Process not Found /proc/299/cmdline /proc/299/cmdline Process not Found /proc/302/maps /proc/302/maps Process not Found /proc/20/cmdline /proc/20/cmdline [MS].elf /proc/70/cmdline /proc/70/cmdline [MS].elf