a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3

General

Target

.i
Size

78KB
MD5

9b6c3518a91d23ed77504b5416bfb5b3
SHA1

0a2d170abbf5031566377b01431e3b82d342630a
SHA256

a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
SHA512

b2b08d5d5e6c6708d88b793e9340a780d47b5dce61e0a3026b4cdea8a9e4cbf9824037255e4ea4a40fee5bce956485232376d4677ce72ccb6c7f00badd09956e
SSDEEP

1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL

Score

7^/10

Malware Config

Signatures

Changes its process name 1 IoCs

Processes:

sh

description ioc pid process

Changes the process name, possibly in an attempt to hide itself telnetd 356 sh
Deletes itself 1 IoCs

Processes:

sh

pid process

356 sh
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

.i

description ioc process

File opened for modification /dev/watchdog .i
File opened for modification /dev/misc/watchdog .i
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

description ioc

File opened for reading /proc/net/tcp
Enumerates running processes
Discovers information about currently running processes on the system
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.

System Network Configuration Discovery
T1016

Processes:

.i

description ioc process

File opened for reading /proc/net/route .i
Reads system network configuration 1 TTPs 3 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

.i

description ioc process

File opened for reading /proc/net/route .i
File opened for reading /proc/net/tcp
File opened for reading /proc/net/tcp6

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	telnetd	356	sh

pid	process
356	sh

description	ioc	process
File opened for modification	/dev/watchdog	.i
File opened for modification	/dev/misc/watchdog	.i

description	ioc
File opened for reading	/proc/net/tcp

description	ioc	process
File opened for reading	/proc/net/route	.i

description	ioc	process
File opened for reading	/proc/net/route	.i
File opened for reading	/proc/net/tcp
File opened for reading	/proc/net/tcp6

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc
File opened for reading	/proc/356/fd
File opened for reading	/proc/310/cmdline
File opened for reading	/proc/162/fd
File opened for reading	/proc/105/cmdline
File opened for reading	/proc/43/cmdline
File opened for reading	/proc/7/cmdline
File opened for reading	/proc/5/cmdline
File opened for reading	/proc/1/fd
File opened for reading	/proc/244/cmdline
File opened for reading	/proc/234/fd
File opened for reading	/proc/73/cmdline
File opened for reading	/proc/26/cmdline
File opened for reading	/proc/25/cmdline
File opened for reading	/proc/21/cmdline
File opened for reading	/proc/17/cmdline
File opened for reading	/proc/14/cmdline
File opened for reading	/proc/9/cmdline
File opened for reading	/proc/233/cmdline
File opened for reading	/proc/6/cmdline
File opened for reading	/proc/348/fd
File opened for reading	/proc/275/fd
File opened for reading	/proc/231/cmdline
File opened for reading	/proc/42/cmdline
File opened for reading	/proc/41/cmdline
File opened for reading	/proc/22/cmdline
File opened for reading	/proc/354/cmdline
File opened for reading	/proc/272/fd
File opened for reading	/proc/218/cmdline
File opened for reading	/proc/145/cmdline
File opened for reading	/proc/8/cmdline
File opened for reading	/proc/276/fd
File opened for reading	/proc/29/cmdline
File opened for reading	/proc/27/cmdline
File opened for reading	/proc/357/fd
File opened for reading	/proc/309/fd
File opened for reading	/proc/275/cmdline
File opened for reading	/proc/151/cmdline
File opened for reading	/proc/106/cmdline
File opened for reading	/proc/18/cmdline
File opened for reading	/proc/272/cmdline
File opened for reading	/proc/231/fd
File opened for reading	/proc/129/cmdline
File opened for reading	/proc/19/cmdline
File opened for reading	/proc/4/cmdline
File opened for reading	/proc/309/cmdline
File opened for reading	/proc/305/cmdline
File opened for reading	/proc/244/fd
File opened for reading	/proc/3/cmdline
File opened for reading	/proc/356/cmdline
File opened for reading	/proc/351/cmdline
File opened for reading	/proc/307/fd
File opened for reading	/proc/276/cmdline
File opened for reading	/proc/234/cmdline
File opened for reading	/proc/162/cmdline
File opened for reading	/proc/137/fd
File opened for reading	/proc/1/cmdline
File opened for reading	/proc/350/fd
File opened for reading	/proc/305/fd
File opened for reading	/proc/233/fd
File opened for reading	/proc/20/cmdline
File opened for reading	/proc/353/cmdline
File opened for reading	/proc/282/fd
File opened for reading	/proc/137/cmdline
File opened for reading	/proc/103/cmdline

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

description ioc

File opened for modification /tmp/fifo

description	ioc
File opened for modification	/tmp/fifo

/tmp/.i
/tmp/.i
1⤵
- Modifies Watchdog functionality
- Reads system routing table
- Reads system network configuration
PID:355

/bin/sh
/bin/sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"
1⤵
- Changes its process name
- Deletes itself
PID:360
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 23 -j DROP
  2⤵
  PID:361

/bin/sh
/bin/sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
1⤵
PID:367
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 7547 -j DROP
  2⤵
  PID:368

/bin/sh
/bin/sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
1⤵
PID:369
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 5555 -j DROP
  2⤵
  PID:370

/bin/sh
/bin/sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"
1⤵
PID:371
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 5358 -j DROP
  2⤵
  PID:372

/bin/sh
/bin/sh -c "iptables -D INPUT -j CWMP_CR"
1⤵
PID:373
- /sbin/iptables
  iptables -D INPUT -j CWMP_CR
  2⤵
  PID:374

/bin/sh
/bin/sh -c "iptables -X CWMP_CR"
1⤵
PID:375
- /sbin/iptables
  iptables -X CWMP_CR
  2⤵
  PID:376

/bin/sh
/bin/sh -c "iptables -I INPUT -p udp --dport 1076 -j ACCEPT"
1⤵
PID:377
- /sbin/iptables
  iptables -I INPUT -p udp --dport 1076 -j ACCEPT
  2⤵
  PID:378

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

System Network Configuration Discovery

2

T1016

System Network Connections Discovery

1

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/355-1-0x00010000-0x000506fc-memory.dmp

Download

Analysis

Sharing