7b27e3245908a506cf3372e4134d1dd77c0d42e0afe815bd6e50dadec1f2fd6b

Analysis

max time kernel
11415s
max time network
150s
platform
debian-9_mips
resource
debian9-mipsbe-20221111-en
resource tags

arch:mipsimage:debian9-mipsbe-20221111-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
23-03-2023 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nigga.mips.elf
Size

78KB
MD5

586eeca30194a598139d07f830ca475c
SHA1

78c364a6948655497dccb33fb92ae3d494a5d0da
SHA256

7b27e3245908a506cf3372e4134d1dd77c0d42e0afe815bd6e50dadec1f2fd6b
SHA512

c96a3d6bb90029ee0364186e90c09f0e8dec0193a0ea674f9fc8c01cd0a340b14e703b1ee4886fb755bbfae3d51368ca1bb86ec3ff48a62536375776eb34ae3f
SSDEEP

768:SVf6jVtas68qOwV8InABA9rGizHvifit3N2ePqmljwQniGqW8mK/vtDvxuRVJycv:JFOH1G8a9CRqW8v/ZsBeVPogxYB

Score

9^/10

discovery

Malware Config

Signatures

Contacts a large (35575) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

description	ioc
/sbin/watchdog	/sbin/watchdog
/bin/watchdog	/bin/watchdog

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/23/cmdline	/proc/23/cmdline	Process not Found
/proc/73/cmdline	/proc/73/cmdline	Process not Found
/proc/82/cmdline	/proc/82/cmdline	Process not Found
/proc/137/cmdline	/proc/137/cmdline	Process not Found
/proc/339/cmdline	/proc/339/cmdline	Process not Found
/proc/	/proc/	Process not Found
/proc/7/cmdline	/proc/7/cmdline	Process not Found
/proc/70/cmdline	/proc/70/cmdline	Process not Found
/proc/260/cmdline	/proc/260/cmdline	Process not Found
/proc/341/cmdline	/proc/341/cmdline	Process not Found
/proc/12/cmdline	/proc/12/cmdline	Process not Found
/proc/14/cmdline	/proc/14/cmdline	Process not Found
/proc/78/cmdline	/proc/78/cmdline	Process not Found
/proc/156/cmdline	/proc/156/cmdline	Process not Found
/proc/331/cmdline	/proc/331/cmdline	Process not Found
/proc/8/cmdline	/proc/8/cmdline	Process not Found
/proc/10/cmdline	/proc/10/cmdline	Process not Found
/proc/340/cmdline	/proc/340/cmdline	Process not Found
/proc/11/cmdline	/proc/11/cmdline	Process not Found
/proc/15/cmdline	/proc/15/cmdline	Process not Found
/proc/5/cmdline	/proc/5/cmdline	Process not Found
/proc/71/cmdline	/proc/71/cmdline	Process not Found
/proc/105/cmdline	/proc/105/cmdline	Process not Found
/proc/115/cmdline	/proc/115/cmdline	Process not Found
/proc/17/cmdline	/proc/17/cmdline	Process not Found
/proc/21/cmdline	/proc/21/cmdline	Process not Found
/proc/22/cmdline	/proc/22/cmdline	Process not Found
/proc/144/cmdline	/proc/144/cmdline	Process not Found
/proc/296/cmdline	/proc/296/cmdline	Process not Found
/proc/6/cmdline	/proc/6/cmdline	Process not Found
/proc/9/cmdline	/proc/9/cmdline	Process not Found
/proc/37/cmdline	/proc/37/cmdline	Process not Found
/proc/214/cmdline	/proc/214/cmdline	Process not Found
/proc/225/cmdline	/proc/225/cmdline	Process not Found
/proc/229/cmdline	/proc/229/cmdline	Process not Found
/proc/286/cmdline	/proc/286/cmdline	Process not Found
/proc/314/cmdline	/proc/314/cmdline	Process not Found
/proc/1/cmdline	/proc/1/cmdline	Process not Found
/proc/13/cmdline	/proc/13/cmdline	Process not Found
/proc/20/cmdline	/proc/20/cmdline	Process not Found
/proc/4/cmdline	/proc/4/cmdline	Process not Found
/proc/19/cmdline	/proc/19/cmdline	Process not Found
/proc/75/cmdline	/proc/75/cmdline	Process not Found
/proc/76/cmdline	/proc/76/cmdline	Process not Found
/proc/116/cmdline	/proc/116/cmdline	Process not Found
/proc/230/cmdline	/proc/230/cmdline	Process not Found
/proc/313/cmdline	/proc/313/cmdline	Process not Found
/proc/2/cmdline	/proc/2/cmdline	Process not Found
/proc/74/cmdline	/proc/74/cmdline	Process not Found
/proc/24/cmdline	/proc/24/cmdline	Process not Found
/proc/36/cmdline	/proc/36/cmdline	Process not Found
/proc/72/cmdline	/proc/72/cmdline	Process not Found
/proc/302/cmdline	/proc/302/cmdline	Process not Found
/proc/filesystems	/proc/filesystems	mkdir
/proc/16/cmdline	/proc/16/cmdline	Process not Found
/proc/264/cmdline	/proc/264/cmdline	Process not Found
/proc/337/cmdline	/proc/337/cmdline	Process not Found
/proc/77/cmdline	/proc/77/cmdline	Process not Found
/proc/79/cmdline	/proc/79/cmdline	Process not Found
/proc/227/cmdline	/proc/227/cmdline	Process not Found
/proc/261/cmdline	/proc/261/cmdline	Process not Found
/proc/329/cmdline	/proc/329/cmdline	Process not Found
/proc/3/cmdline	/proc/3/cmdline	Process not Found
/proc/18/cmdline	/proc/18/cmdline	Process not Found

/tmp/nigga.mips.elf
/tmp/nigga.mips.elf
1⤵
PID:331

/bin/sh
sh -c "rm -rf bin/systemd && mkdir zxcr9999; >bin/systemd && mv /tmp/nigga.mips.elf bin/systemd; chmod 777 bin/systemd"
1⤵
PID:332
- /bin/rm
  rm -rf bin/systemd
  2⤵
  PID:333
- /bin/mkdir
  mkdir zxcr9999
  2⤵
  - Reads runtime system information
  PID:334
- /bin/chmod
  chmod 777 bin/systemd
  2⤵
  PID:335

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads