Analysis
max time kernel: 152s
max time network: 159s
platform: linux_armhf
resource: debian9-armhf-en-20211208
resource tags: arch:armhf, image:debian9-armhf-en-20211208, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 30-06-2023 12:00
Static task: static1
Behavioral task: behavioral1
Sample: .i
Resource: debian9-armhf-en-20211208
General
Target: .i
Size: 78KB
MD5: 9b6c3518a91d23ed77504b5416bfb5b3
SHA1: 0a2d170abbf5031566377b01431e3b82d342630a
SHA256: a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
SHA512: b2b08d5d5e6c6708d88b793e9340a780d47b5dce61e0a3026b4cdea8a9e4cbf9824037255e4ea4a40fee5bce956485232376d4677ce72ccb6c7f00badd09956e
SSDEEP: 1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL
Malware Config
Signatures
Contacts a large (2728) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Changes its process name (2 IoCs)
  Processes:
    description                                                      ioc      pid  process
    Changes the process name, possibly in an attempt to hide itself  telnetd  360  sh
    Changes the process name, possibly in an attempt to hide itself  telnetd  468  sh

Deletes itself (2 IoCs)
  Processes:
    pid  process
    360  sh
    468  sh

Executes dropped EXE (1 IoCs)
  Processes:
    ioc       pid  process
    /tmp/atk  468  sh

Modifies Watchdog functionality (1 TTPs, 2 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  Processes:
    description                   ioc                 process
    File opened for modification  /dev/misc/watchdog  .i
    File opened for modification  /dev/watchdog       .i

Enumerates active TCP sockets (1 TTPs, 1 IoCs)
  Gets active TCP sockets from /proc virtual filesystem.
  Processes:
    description              ioc
    File opened for reading  /proc/net/tcp

Enumerates running processes
  Discovers information about currently running processes on the system.

Reads system routing table (1 TTPs, 1 IoCs)
  Gets active network interfaces from /proc virtual filesystem.
  Processes:
    description              ioc              process
    File opened for reading  /proc/net/route  .i

Reads system network configuration (1 TTPs, 3 IoCs)
  Uses contents of /proc filesystem to enumerate network settings.
  Processes:
    description              ioc              process
    File opened for reading  /proc/net/route  .i
    File opened for reading  /proc/net/tcp
    File opened for reading  /proc/net/tcp6

Reads runtime system information (64 IoCs)
  Reads data from /proc virtual filesystem.
Writes file to tmp directory (4 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes:
    description                   ioc
    File opened for modification  /tmp/.p/.i.arm7
    File opened for modification  /tmp/.p/atk.arm7
    File opened for modification  /tmp/atk
    File opened for modification  /tmp/fifo
Processes
(process path: command line, PID; indentation shows the parent/child relationship)

/tmp/.i: /tmp/.i  PID:359
  - Modifies Watchdog functionality
  - Reads system routing table
  - Reads system network configuration

/bin/sh: /bin/sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"  PID:364
  - Changes its process name
  - Deletes itself
    /sbin/iptables: iptables -A INPUT -p tcp --destination-port 23 -j DROP  PID:365

/bin/sh: /bin/sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"  PID:370
    /sbin/iptables: iptables -A INPUT -p tcp --destination-port 7547 -j DROP  PID:371

/bin/sh: /bin/sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"  PID:372
    /sbin/iptables: iptables -A INPUT -p tcp --destination-port 5555 -j DROP  PID:373

/bin/sh: /bin/sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"  PID:374
    /sbin/iptables: iptables -A INPUT -p tcp --destination-port 5358 -j DROP  PID:375

/bin/sh: /bin/sh -c "iptables -D INPUT -j CWMP_CR"  PID:376
    /sbin/iptables: iptables -D INPUT -j CWMP_CR  PID:377

/bin/sh: /bin/sh -c "iptables -X CWMP_CR"  PID:378
    /sbin/iptables: iptables -X CWMP_CR  PID:379

/bin/sh: /bin/sh -c "iptables -I INPUT -p udp --dport 36918 -j ACCEPT"  PID:380
    /sbin/iptables: iptables -I INPUT -p udp --dport 36918 -j ACCEPT  PID:381

/tmp/atk: ./atk  PID:468
    /bin/sh: /bin/sh -c "iptables -I INPUT -p tcp --dport 27635 -j ACCEPT"  PID:469
      - Changes its process name
      - Deletes itself
      - Executes dropped EXE
        /sbin/iptables: iptables -I INPUT -p tcp --dport 27635 -j ACCEPT  PID:471
    /bin/sh: /bin/sh -c "iptables -I INPUT -p udp --dport 27635 -j ACCEPT"  PID:474
        /sbin/iptables: iptables -I INPUT -p udp --dport 27635 -j ACCEPT  PID:476
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 53KB
MD5: fc65dc3f6706f09b0568d86ee83b0e6b
SHA1: 3285cbc991ab5964817df8e4773d6774bb889bd4
SHA256: 48aa1cdc3c454e2c12248405a49e24f74630caeaa9a11148b99f6f0a50dbcfea
SHA512: bb6ddc18ac0d085332bbbc214e729153cf7c2fdf89c0fe1b8dfe1a8b4623f14b2ecaf7eb61cc3f42c76aadd2f726526d165a726fdc1cee5a6bed3fd2117450dc