8ec222368d75e7deb89848d4d9e44fa3119a20bdcbbb119a896f91b271b2e7a3

Analysis

max time kernel
0s
max time network
58s
platform
linux_mips
resource
debian9-mipsbe-en-20211208
resource tags

arch:mipsimage:debian9-mipsbe-en-20211208kernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
27/02/2023, 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[M].elf
Size

415KB
MD5

e3d9d55db7878ca7cc4af6189e589b8e
SHA1

8ef878c33c1cba59abcac56acae32b94af5cafaf
SHA256

8ec222368d75e7deb89848d4d9e44fa3119a20bdcbbb119a896f91b271b2e7a3
SHA512

0ea2c96d07e8badf29f1f9a3506c099234c888f09761d4b90ab597cb9d729b267e4f226fca1053dac8a1b06dabc17ed29cc0d9ce0d5668403ff7034e00faf826
SSDEEP

6144:ivao2zK0unP2Wu5eyQIl41NzyMRmls68nZqLdDILvzsr3G1:O2zNQPVs+5mls68n8LdDILvzsr3G1

Score

9^/10

persistence

Malware Config

Signatures

Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Writes file to system bin folder 1 TTPs 4 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
/bin/login	/bin/login	Process not Found
/sbin/dhclient	/sbin/dhclient	Process not Found
/bin/bash	/bin/bash	Process not Found
/bin/watchdog	/bin/watchdog	[M].elf

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery

T1049

description	ioc
/proc/net/tcp	/proc/net/tcp

Modifies rc script 1 TTPs 1 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
/etc/rc.d/rc.local	/etc/rc.d/rc.local	[M].elf

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

description	ioc
/usr/sbin/rsyslogd	/usr/sbin/rsyslogd
/usr/sbin/sshd	/usr/sbin/sshd
/usr/sbin/agent	/usr/sbin/agent
/usr/sbin/cron	/usr/sbin/cron
/usr/bin/dbus-daemon	/usr/bin/dbus-daemon

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc
/proc/net/tcp	/proc/net/tcp

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/24/cmdline	/proc/24/cmdline	[M].elf
/proc/139/cmdline	/proc/139/cmdline	[M].elf
/proc/216/cmdline	/proc/216/cmdline	[M].elf
/proc/105/maps	/proc/105/maps	Process not Found
/proc/286/maps	/proc/286/maps	Process not Found
/proc/334/maps	/proc/334/maps	Process not Found
/proc/253/maps	/proc/253/maps	Process not Found
/proc/15/cmdline	/proc/15/cmdline	[M].elf
/proc/20/cmdline	/proc/20/cmdline	[M].elf
/proc/6/cmdline	/proc/6/cmdline	Process not Found
/proc/12/maps	/proc/12/maps	Process not Found
/proc/24/maps	/proc/24/maps	Process not Found
/proc/115/maps	/proc/115/maps	Process not Found
/proc/139/maps	/proc/139/maps	Process not Found
/proc/253/cmdline	/proc/253/cmdline	Process not Found
/proc/303/cmdline	/proc/303/cmdline	Process not Found
/proc/332/cmdline	/proc/332/cmdline	Process not Found
/proc/74/cmdline	/proc/74/cmdline	[M].elf
/proc/11/maps	/proc/11/maps	Process not Found
/proc/19/cmdline	/proc/19/cmdline	Process not Found
/proc/36/cmdline	/proc/36/cmdline	Process not Found
/proc/254/maps	/proc/254/maps	Process not Found
/proc/4/cmdline	/proc/4/cmdline	Process not Found
/proc/9/maps	/proc/9/maps	Process not Found
/proc/329/cmdline	/proc/329/cmdline	[M].elf
/proc/78/maps	/proc/78/maps	Process not Found
/proc/234/maps	/proc/234/maps	Process not Found
/proc/19/cmdline	/proc/19/cmdline	[M].elf
/proc/37/cmdline	/proc/37/cmdline	[M].elf
/proc/289/cmdline	/proc/289/cmdline	[M].elf
/proc/74/maps	/proc/74/maps	Process not Found
/proc/79/maps	/proc/79/maps	Process not Found
/proc/302/cmdline	/proc/302/cmdline	Process not Found
/proc/23/maps	/proc/23/maps	Process not Found
/proc/75/cmdline	/proc/75/cmdline	Process not Found
/proc/334/cmdline	/proc/334/cmdline	Process not Found
/proc/23/cmdline	/proc/23/cmdline	Process not Found
/proc/156/maps	/proc/156/maps	Process not Found
/proc/156/cmdline	/proc/156/cmdline	Process not Found
/proc/227/cmdline	/proc/227/cmdline	Process not Found
/proc/260/maps	/proc/260/maps	Process not Found
/proc/294/maps	/proc/294/maps	Process not Found
/proc/329/maps	/proc/329/maps	Process not Found
/proc/260/cmdline	/proc/260/cmdline	Process not Found
/proc/3/maps	/proc/3/maps	Process not Found
/proc/253/cmdline	/proc/253/cmdline	[M].elf
/proc/294/cmdline	/proc/294/cmdline	[M].elf
/proc/302/cmdline	/proc/302/cmdline	[M].elf
/proc/303/cmdline	/proc/303/cmdline	[M].elf
/proc/21/maps	/proc/21/maps	Process not Found
/proc/105/cmdline	/proc/105/cmdline	Process not Found
/proc/329/cmdline	/proc/329/cmdline	Process not Found
/proc/336/maps	/proc/336/maps	Process not Found
/proc/self/cmdline	/proc/self/cmdline	Process not Found
/proc/227/cmdline	/proc/227/cmdline	[M].elf
/proc/13/cmdline	/proc/13/cmdline	Process not Found
/proc/260/cmdline	/proc/260/cmdline	[M].elf
/proc/14/cmdline	/proc/14/cmdline	Process not Found
/proc/19/maps	/proc/19/maps	Process not Found
/proc/78/cmdline	/proc/78/cmdline	Process not Found
/proc/1/cmdline	/proc/1/cmdline	[M].elf
/proc/82/maps	/proc/82/maps	Process not Found
/proc/17/cmdline	/proc/17/cmdline	[M].elf
/proc/254/cmdline	/proc/254/cmdline	[M].elf