Analysis
-
max time kernel
150s -
max time network
151s -
platform
debian-9_mips -
resource
debian9-mipsbe-20221125-en -
resource tags
arch:mipsimage:debian9-mipsbe-20221125-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem -
submitted
30-06-2023 12:54
Static task
static1
Behavioral task
behavioral1
Sample
.i
Resource
debian9-mipsbe-20221125-en
General
-
Target
.i
-
Size
83KB
-
MD5
5377e8f2ebdb280216c37a6195da9d6c
-
SHA1
b54c705193b7963a0d40699a91cdb34fedecbe88
-
SHA256
020f1fa6072108c79ed6f553f4f8b08e157bf17f9c260a76353300230fed09f0
-
SHA512
65e5aec56ddde56f245a20f88553d2f76bd7dd8e1940e9d49637d51a868fe73003b8a95fffeb9481110579f6ee4790fc9af1668d435930d4c01b116490908eed
-
SSDEEP
1536:yYI0ARqw1qAEW67UIWi7M8gmfmJo0WgswnD6Efyq8PxlRkp2K3/J1V+uBNu:yYI0ARqw1qAEv7UIFM8oJorFquyjkRks
Malware Config
Signatures
-
Changes its process name 1 IoCs
Processes:
iptablesdescription ioc pid process Changes the process name, possibly in an attempt to hide itself telnetd 332 iptables -
Deletes itself 1 IoCs
Processes:
iptablespid process 332 iptables -
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
Processes:
.idescription ioc process File opened for modification /dev/watchdog .i File opened for modification /dev/misc/watchdog .i -
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
Processes:
description ioc File opened for reading /proc/net/tcp -
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.
Processes:
description ioc File opened for reading /proc/net/route -
Reads system network configuration 1 TTPs 3 IoCs
Uses contents of /proc filesystem to enumerate network settings.
Processes:
description ioc File opened for reading /proc/net/route File opened for reading /proc/net/tcp File opened for reading /proc/net/tcp6 -
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
Processes:
description ioc File opened for reading /proc/5/cmdline File opened for reading /proc/325/fd File opened for reading /proc/309/cmdline File opened for reading /proc/71/cmdline File opened for reading /proc/3/cmdline File opened for reading /proc/296/cmdline File opened for reading /proc/24/cmdline File opened for reading /proc/259/cmdline File opened for reading /proc/36/cmdline File opened for reading /proc/14/cmdline File opened for reading /proc/12/cmdline File opened for reading /proc/1/cmdline File opened for reading /proc/256/cmdline File opened for reading /proc/227/cmdline File opened for reading /proc/9/cmdline File opened for reading /proc/6/cmdline File opened for reading /proc/255/cmdline File opened for reading /proc/18/cmdline File opened for reading /proc/10/cmdline File opened for reading /proc/153/cmdline File opened for reading /proc/141/fd File opened for reading /proc/21/cmdline File opened for reading /proc/20/cmdline File opened for reading /proc/325/cmdline File opened for reading /proc/276/cmdline File opened for reading /proc/225/cmdline File opened for reading /proc/222/fd File opened for reading /proc/7/cmdline File opened for reading /proc/1/fd File opened for reading /proc/209/cmdline File opened for reading /proc/81/cmdline File opened for reading /proc/79/cmdline File opened for reading /proc/8/cmdline File opened for reading /proc/301/fd File opened for reading /proc/225/fd File opened for reading /proc/105/cmdline File opened for reading /proc/228/fd File opened for reading /proc/77/cmdline File opened for reading /proc/17/cmdline File opened for reading /proc/328/cmdline File opened for reading /proc/309/fd File opened for reading /proc/296/fd File opened for reading /proc/255/fd File opened for reading /proc/69/cmdline File opened for reading /proc/23/cmdline File opened for reading /proc/4/cmdline File opened for reading /proc/2/cmdline File opened for reading /proc/332/fd File opened for reading /proc/301/cmdline File opened for reading /proc/158/fd File opened for reading /proc/115/cmdline File opened for reading /proc/276/fd File opened for reading /proc/146/cmdline File opened for reading /proc/76/cmdline File opened for reading /proc/82/cmdline File opened for reading /proc/19/cmdline File opened for reading /proc/332/cmdline File opened for reading /proc/308/fd File opened for reading /proc/256/fd File opened for reading /proc/209/fd File opened for reading /proc/68/cmdline File opened for reading /proc/13/cmdline File opened for reading /proc/228/cmdline File opened for reading /proc/158/cmdline -
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes:
description ioc File opened for modification /tmp/fifo
Processes
-
/tmp/.i/tmp/.i1⤵
- Modifies Watchdog functionality
PID:330
-
/bin/shsh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"1⤵PID:334
-
/sbin/iptablesiptables -A INPUT -p tcp --destination-port 23 -j DROP2⤵
- Changes its process name
- Deletes itself
PID:337
-
-
/bin/shsh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"1⤵PID:342
-
/sbin/iptablesiptables -A INPUT -p tcp --destination-port 7547 -j DROP2⤵PID:343
-
-
/bin/shsh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"1⤵PID:344
-
/sbin/iptablesiptables -A INPUT -p tcp --destination-port 5555 -j DROP2⤵PID:345
-
-
/bin/shsh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"1⤵PID:346
-
/sbin/iptablesiptables -A INPUT -p tcp --destination-port 5358 -j DROP2⤵PID:347
-
-
/bin/shsh -c "iptables -D INPUT -j CWMP_CR"1⤵PID:348
-
/sbin/iptablesiptables -D INPUT -j CWMP_CR2⤵PID:349
-
-
/bin/shsh -c "iptables -X CWMP_CR"1⤵PID:350
-
/sbin/iptablesiptables -X CWMP_CR2⤵PID:351
-
-
/bin/shsh -c "iptables -I INPUT -p udp --dport 59170 -j ACCEPT"1⤵PID:352
-
/sbin/iptablesiptables -I INPUT -p udp --dport 59170 -j ACCEPT2⤵PID:353
-