020f1fa6072108c79ed6f553f4f8b08e157bf17f9c260a76353300230fed09f0

Analysis

max time kernel
150s
max time network
153s
platform
linux_mips
resource
debian9-mipsbe-en-20211208
resource tags

arch:mipsimage:debian9-mipsbe-en-20211208kernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
30/06/2023, 12:53 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.i
Size

83KB
MD5

5377e8f2ebdb280216c37a6195da9d6c
SHA1

b54c705193b7963a0d40699a91cdb34fedecbe88
SHA256

020f1fa6072108c79ed6f553f4f8b08e157bf17f9c260a76353300230fed09f0
SHA512

65e5aec56ddde56f245a20f88553d2f76bd7dd8e1940e9d49637d51a868fe73003b8a95fffeb9481110579f6ee4790fc9af1668d435930d4c01b116490908eed
SSDEEP

1536:yYI0ARqw1qAEW67UIWi7M8gmfmJo0WgswnD6Efyq8PxlRkp2K3/J1V+uBNu:yYI0ARqw1qAEv7UIFM8oJorFquyjkRks

Score

7^/10

Malware Config

Signatures

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	telnetd	337	iptables

Deletes itself 1 IoCs

pid	Process
337	iptables

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	.i
File opened for modification	/dev/misc/watchdog	.i

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery

T1049

description	ioc
File opened for reading	/proc/net/tcp

Enumerates running processes
Discovers information about currently running processes on the system

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

System Network Configuration Discovery

T1016

description	ioc
File opened for reading	/proc/net/route

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc
File opened for reading	/proc/net/route
File opened for reading	/proc/net/tcp
File opened for reading	/proc/net/tcp6

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc
File opened for reading	/proc/78/cmdline
File opened for reading	/proc/19/cmdline
File opened for reading	/proc/1/fd
File opened for reading	/proc/14/cmdline
File opened for reading	/proc/3/cmdline
File opened for reading	/proc/253/cmdline
File opened for reading	/proc/224/fd
File opened for reading	/proc/115/cmdline
File opened for reading	/proc/144/cmdline
File opened for reading	/proc/114/cmdline
File opened for reading	/proc/37/cmdline
File opened for reading	/proc/15/cmdline
File opened for reading	/proc/333/cmdline
File opened for reading	/proc/331/cmdline
File opened for reading	/proc/227/fd
File opened for reading	/proc/337/fd
File opened for reading	/proc/6/cmdline
File opened for reading	/proc/227/cmdline
File opened for reading	/proc/75/cmdline
File opened for reading	/proc/73/cmdline
File opened for reading	/proc/294/cmdline
File opened for reading	/proc/286/fd
File opened for reading	/proc/254/cmdline
File opened for reading	/proc/13/cmdline
File opened for reading	/proc/330/fd
File opened for reading	/proc/224/cmdline
File opened for reading	/proc/21/cmdline
File opened for reading	/proc/302/fd
File opened for reading	/proc/260/cmdline
File opened for reading	/proc/156/fd
File opened for reading	/proc/4/cmdline
File opened for reading	/proc/334/cmdline
File opened for reading	/proc/74/cmdline
File opened for reading	/proc/12/cmdline
File opened for reading	/proc/216/fd
File opened for reading	/proc/76/cmdline
File opened for reading	/proc/8/cmdline
File opened for reading	/proc/234/cmdline
File opened for reading	/proc/225/cmdline
File opened for reading	/proc/71/cmdline
File opened for reading	/proc/10/cmdline
File opened for reading	/proc/289/cmdline
File opened for reading	/proc/289/fd
File opened for reading	/proc/286/cmdline
File opened for reading	/proc/260/fd
File opened for reading	/proc/156/cmdline
File opened for reading	/proc/70/cmdline
File opened for reading	/proc/139/fd
File opened for reading	/proc/17/cmdline
File opened for reading	/proc/11/cmdline
File opened for reading	/proc/5/cmdline
File opened for reading	/proc/337/cmdline
File opened for reading	/proc/294/fd
File opened for reading	/proc/216/cmdline
File opened for reading	/proc/16/cmdline
File opened for reading	/proc/225/fd
File opened for reading	/proc/79/cmdline
File opened for reading	/proc/72/cmdline
File opened for reading	/proc/20/cmdline
File opened for reading	/proc/18/cmdline
File opened for reading	/proc/7/cmdline
File opened for reading	/proc/303/fd
File opened for reading	/proc/105/cmdline
File opened for reading	/proc/77/cmdline

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc
File opened for modification	/tmp/fifo

/tmp/.i
/tmp/.i
1⤵
- Modifies Watchdog functionality
PID:335

/bin/sh
sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"
1⤵
PID:338
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 23 -j DROP
  2⤵
  - Changes its process name
  - Deletes itself
  PID:340

/bin/sh
sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
1⤵
PID:348
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 7547 -j DROP
  2⤵
  PID:349

/bin/sh
sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
1⤵
PID:350
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 5555 -j DROP
  2⤵
  PID:351

/bin/sh
sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"
1⤵
PID:352
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 5358 -j DROP
  2⤵
  PID:353

/bin/sh
sh -c "iptables -D INPUT -j CWMP_CR"
1⤵
PID:354
- /sbin/iptables
  iptables -D INPUT -j CWMP_CR
  2⤵
  PID:355

/bin/sh
sh -c "iptables -X CWMP_CR"
1⤵
PID:356
- /sbin/iptables
  iptables -X CWMP_CR
  2⤵
  PID:357

/bin/sh
sh -c "iptables -I INPUT -p udp --dport 52907 -j ACCEPT"
1⤵
PID:358
- /sbin/iptables
  iptables -I INPUT -p udp --dport 52907 -j ACCEPT
  2⤵
  PID:359

Network

DNS

pool.ntp.org

Remote address:

1.1.1.1:53

Request

pool.ntp.org

IN A

Response

pool.ntp.org

IN A

158.101.221.122

pool.ntp.org

IN A

40.119.148.38

pool.ntp.org

IN A

162.159.200.1

pool.ntp.org

IN A

154.51.12.220
DNS

router.utorrent.com

Remote address:

1.1.1.1:53

Request

router.utorrent.com

IN A

Response

router.utorrent.com

IN A

82.221.103.244
DNS

router.bittorrent.com

Remote address:

1.1.1.1:53

Request

router.bittorrent.com

IN A

Response

router.bittorrent.com

IN A

67.215.246.10
DNS

router.utorrent.com

Remote address:

1.1.1.1:53

Request

router.utorrent.com

IN A

Response

router.utorrent.com

IN A

82.221.103.244
DNS

router.bittorrent.com

Remote address:

1.1.1.1:53

Request

router.bittorrent.com

IN A

Response

router.bittorrent.com

IN A

67.215.246.10
DNS

router.utorrent.com

Remote address:

1.1.1.1:53

Request

router.utorrent.com

IN A

Response

router.utorrent.com

IN A

82.221.103.244
DNS

router.bittorrent.com

Remote address:

1.1.1.1:53

Request

router.bittorrent.com

IN A

Response

router.bittorrent.com

IN A

67.215.246.10

No results found

1.1.1.1:53

pool.ntp.org

dns

58 B
122 B
1
1

DNS Request

pool.ntp.org

DNS Response

158.101.221.122

40.119.148.38

162.159.200.1

154.51.12.220
1.1.1.1:53

router.utorrent.com

dns

65 B
81 B
1
1

DNS Request

router.utorrent.com

DNS Response

82.221.103.244
82.221.103.244:6881

router.utorrent.com

285 B
3
1.1.1.1:53

router.bittorrent.com

dns

67 B
83 B
1
1

DNS Request

router.bittorrent.com

DNS Response

67.215.246.10
67.215.246.10:6881

router.bittorrent.com

550 B
1.3kB
5
5
223.176.51.3:17490

497 B
1.1kB
4
4
27.59.197.1:11439

324 B
3
177.229.228.209:41407

497 B
1.1kB
4
4
209.17.76.36:14705

357 B
762 B
3
3
92.52.240.211:15809

285 B
3
95.90.189.125:47257

321 B
543 B
3
3
181.137.213.22:42601

488 B
1.1kB
4
4
115.164.184.82:4979

695 B
920 B
4
4
27.61.128.190:11807

452 B
870 B
4
4
115.164.84.205:46604

321 B
543 B
3
3
181.44.240.138:52300

452 B
870 B
4
4
1.1.1.1:53

router.utorrent.com

dns

65 B
81 B
1
1

DNS Request

router.utorrent.com

DNS Response

82.221.103.244
1.1.1.1:53

router.bittorrent.com

dns

67 B
83 B
1
1

DNS Request

router.bittorrent.com

DNS Response

67.215.246.10
117.215.255.253:8081

285 B
172 B
3
2
188.253.229.191:31246

285 B
3
109.196.75.182:1055

190 B
216 B
2
2
201.171.139.196:43898

458 B
4
109.207.121.239:61404

134 B
345 B
1
1
172.101.206.46:30811

134 B
1
222.114.60.15:41205

134 B
340 B
1
1
62.210.201.111:55217

134 B
340 B
1
1
217.11.74.88:11090

134 B
340 B
1
1
5.137.172.74:6881

134 B
1
119.196.214.43:40683

134 B
340 B
1
1
46.232.211.163:64799

134 B
340 B
1
1
1.241.234.134:62168

134 B
1
171.221.142.52:14382

268 B
2
49.170.3.26:7867

285 B
3
95.211.19.3:28011

402 B
579 B
3
3
95.32.239.176:49001

134 B
336 B
1
1
123.48.139.118:24421

134 B
326 B
1
1
77.161.238.243:6881

134 B
340 B
1
1
176.120.237.123:6881

134 B
340 B
1
1
203.40.132.59:51413

134 B
313 B
1
1
186.91.2.21:1048

134 B
340 B
1
1
100.14.139.40:32800

134 B
347 B
1
1
60.147.244.32:37863

134 B
347 B
1
1
5.3.67.160:51413

134 B
1
112.171.204.43:7665

134 B
358 B
1
1
89.191.106.45:17843

116 B
2
81.43.222.31:51413

134 B
313 B
1
1
92.244.236.209:1808

134 B
347 B
1
1
86.172.137.127:46541

134 B
573 B
1
1
95.106.140.76:49001

134 B
746 B
1
1
72.133.169.119:50098

134 B
1
177.67.12.68:55990

116 B
2
109.254.67.165:1035

134 B
1
196.150.160.184:9869

134 B
1
106.208.102.111:62552

134 B
1
1.1.1.1:53

router.utorrent.com

dns

65 B
81 B
1
1

DNS Request

router.utorrent.com

DNS Response

82.221.103.244
1.1.1.1:53

router.bittorrent.com

dns

67 B
83 B
1
1

DNS Request

router.bittorrent.com

DNS Response

67.215.246.10
49.86.40.191:6890

95 B
108 B
1
1
175.199.102.157:40823

134 B
340 B
1
1
94.62.190.0:51225

268 B
670 B
2
2
49.204.128.34:26012

268 B
2
124.80.139.153:41085

134 B
1
109.177.41.11:53726

95 B
108 B
1
1
104.254.92.42:54907

134 B
1
103.214.20.157:61971

134 B
1
45.177.77.82:52246

116 B
2
194.208.88.105:64950

116 B
2