Analysis
-
max time kernel
150s -
max time network
152s -
platform
debian-9_armhf -
resource
debian9-armhf-20221125-en -
resource tags
arch:armhfimage:debian9-armhf-20221125-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
30-06-2023 11:54
Static task
static1
Behavioral task
behavioral1
Sample
.i
Resource
debian9-armhf-20221125-en
General
-
Target
.i
-
Size
78KB
-
MD5
9b6c3518a91d23ed77504b5416bfb5b3
-
SHA1
0a2d170abbf5031566377b01431e3b82d342630a
-
SHA256
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
-
SHA512
b2b08d5d5e6c6708d88b793e9340a780d47b5dce61e0a3026b4cdea8a9e4cbf9824037255e4ea4a40fee5bce956485232376d4677ce72ccb6c7f00badd09956e
-
SSDEEP
1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL
Malware Config
Signatures
-
Contacts a large (7505) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Changes its process name 2 IoCs
description ioc pid Process Changes the process name, possibly in an attempt to hide itself telnetd 354 sh Changes the process name, possibly in an attempt to hide itself telnetd 399 sh -
Deletes itself 2 IoCs
pid Process 354 sh 399 sh -
Executes dropped EXE 1 IoCs
ioc pid Process /tmp/atk 399 sh -
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description ioc Process File opened for modification /dev/misc/watchdog .i File opened for modification /dev/watchdog .i -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
description ioc File opened for reading /proc/net/tcp -
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.
description ioc Process File opened for reading /proc/net/route .i -
Reads system network configuration 1 TTPs 3 IoCs
Uses contents of /proc filesystem to enumerate network settings.
description ioc Process File opened for reading /proc/net/route .i File opened for reading /proc/net/tcp Process not Found File opened for reading /proc/net/tcp6 Process not Found -
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
description ioc File opened for reading /proc/145/cmdline File opened for reading /proc/134/cmdline File opened for reading /proc/25/cmdline File opened for reading /proc/273/fd File opened for reading /proc/345/fd File opened for reading /proc/279/fd File opened for reading /proc/19/cmdline File opened for reading /proc/17/cmdline File opened for reading /proc/354/fd File opened for reading /proc/307/fd File opened for reading /proc/227/cmdline File opened for reading /proc/107/cmdline File opened for reading /proc/74/cmdline File opened for reading /proc/3/cmdline File opened for reading /proc/307/cmdline File opened for reading /proc/164/cmdline File opened for reading /proc/164/fd File opened for reading /proc/140/fd File opened for reading /proc/13/cmdline File opened for reading /proc/273/cmdline File opened for reading /proc/347/cmdline File opened for reading /proc/302/fd File opened for reading /proc/270/cmdline File opened for reading /proc/269/fd File opened for reading /proc/229/cmdline File opened for reading /proc/229/fd File opened for reading /proc/95/cmdline File opened for reading /proc/348/cmdline File opened for reading /proc/11/cmdline File opened for reading /proc/1/cmdline File opened for reading /proc/14/cmdline File opened for reading /proc/270/fd File opened for reading /proc/132/cmdline File opened for reading /proc/22/cmdline File opened for reading /proc/12/cmdline File opened for reading /proc/5/cmdline File opened for reading /proc/354/cmdline File opened for reading /proc/269/cmdline File opened for reading /proc/207/fd File opened for reading /proc/27/cmdline File opened for reading /proc/6/cmdline File opened for reading /proc/1/fd File opened for reading /proc/351/cmdline File opened for reading /proc/20/cmdline File opened for reading /proc/10/cmdline File opened for reading /proc/9/cmdline File opened for reading /proc/8/cmdline File opened for reading /proc/304/cmdline File opened for reading /proc/29/cmdline File opened for reading /proc/239/fd File opened for reading /proc/106/cmdline File opened for reading /proc/279/cmdline File opened for reading /proc/226/cmdline File opened for reading /proc/226/fd File opened for reading /proc/43/cmdline File opened for reading /proc/15/cmdline File opened for reading /proc/347/fd File opened for reading /proc/306/cmdline File opened for reading /proc/41/cmdline File opened for reading /proc/18/cmdline File opened for reading /proc/4/cmdline File opened for reading /proc/2/cmdline File opened for reading /proc/302/cmdline File opened for reading /proc/304/fd -
Writes file to tmp directory 4 IoCs
Malware often drops required files in the /tmp directory.
description ioc File opened for modification /tmp/.p/.i.arm7 File opened for modification /tmp/fifo File opened for modification /tmp/.p/atk.arm7 File opened for modification /tmp/atk
Processes
-
/tmp/.i/tmp/.i1⤵
- Modifies Watchdog functionality
- Reads system routing table
- Reads system network configuration
PID:352
-
/bin/sh/bin/sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"1⤵
- Changes its process name
- Deletes itself
PID:359 -
/sbin/iptablesiptables -A INPUT -p tcp --destination-port 23 -j DROP2⤵PID:360
-
-
/bin/sh/bin/sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"1⤵PID:365
-
/sbin/iptablesiptables -A INPUT -p tcp --destination-port 7547 -j DROP2⤵PID:366
-
-
/bin/sh/bin/sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"1⤵PID:367
-
/sbin/iptablesiptables -A INPUT -p tcp --destination-port 5555 -j DROP2⤵PID:368
-
-
/bin/sh/bin/sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"1⤵PID:369
-
/sbin/iptablesiptables -A INPUT -p tcp --destination-port 5358 -j DROP2⤵PID:370
-
-
/bin/sh/bin/sh -c "iptables -D INPUT -j CWMP_CR"1⤵PID:371
-
/sbin/iptablesiptables -D INPUT -j CWMP_CR2⤵PID:372
-
-
/bin/sh/bin/sh -c "iptables -X CWMP_CR"1⤵PID:373
-
/sbin/iptablesiptables -X CWMP_CR2⤵PID:374
-
-
/bin/sh/bin/sh -c "iptables -I INPUT -p udp --dport 62673 -j ACCEPT"1⤵PID:375
-
/sbin/iptablesiptables -I INPUT -p udp --dport 62673 -j ACCEPT2⤵PID:376
-
-
/tmp/atk./atk1⤵PID:399
-
/bin/sh/bin/sh -c "iptables -I INPUT -p tcp --dport 33506 -j ACCEPT"2⤵
- Changes its process name
- Deletes itself
- Executes dropped EXE
PID:400 -
/sbin/iptablesiptables -I INPUT -p tcp --dport 33506 -j ACCEPT3⤵PID:401
-
-
-
/bin/sh/bin/sh -c "iptables -I INPUT -p udp --dport 33506 -j ACCEPT"2⤵PID:402
-
/sbin/iptablesiptables -I INPUT -p udp --dport 33506 -j ACCEPT3⤵PID:403
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
53KB
MD5fc65dc3f6706f09b0568d86ee83b0e6b
SHA13285cbc991ab5964817df8e4773d6774bb889bd4
SHA25648aa1cdc3c454e2c12248405a49e24f74630caeaa9a11148b99f6f0a50dbcfea
SHA512bb6ddc18ac0d085332bbbc214e729153cf7c2fdf89c0fe1b8dfe1a8b4623f14b2ecaf7eb61cc3f42c76aadd2f726526d165a726fdc1cee5a6bed3fd2117450dc