020f1fa6072108c79ed6f553f4f8b08e157bf17f9c260a76353300230fed09f0

General

Target

.i
Size

83KB
MD5

5377e8f2ebdb280216c37a6195da9d6c
SHA1

b54c705193b7963a0d40699a91cdb34fedecbe88
SHA256

020f1fa6072108c79ed6f553f4f8b08e157bf17f9c260a76353300230fed09f0
SHA512

65e5aec56ddde56f245a20f88553d2f76bd7dd8e1940e9d49637d51a868fe73003b8a95fffeb9481110579f6ee4790fc9af1668d435930d4c01b116490908eed
SSDEEP

1536:yYI0ARqw1qAEW67UIWi7M8gmfmJo0WgswnD6Efyq8PxlRkp2K3/J1V+uBNu:yYI0ARqw1qAEv7UIFM8oJorFquyjkRks

Score

9^/10

discovery

Malware Config

Signatures

Contacts a large (2281) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Changes its process name 2 IoCs

Processes:

iptablesiptables

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	telnetd	338	iptables
Changes the process name, possibly in an attempt to hide itself	telnetd	364	iptables

Deletes itself 2 IoCs

Processes:

iptablesiptables

pid process

338 iptables
364 iptables
Executes dropped EXE 1 IoCs

Processes:

iptables

ioc pid process

/tmp/atk 364 iptables
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

.i

description ioc process

File opened for modification /dev/watchdog .i
File opened for modification /dev/misc/watchdog .i
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

description ioc

File opened for reading /proc/net/tcp
Enumerates running processes
Discovers information about currently running processes on the system
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.

System Network Configuration Discovery
T1016

Processes:

description ioc

File opened for reading /proc/net/route
Reads system network configuration 1 TTPs 3 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

description ioc

File opened for reading /proc/net/route
File opened for reading /proc/net/tcp
File opened for reading /proc/net/tcp6

pid	process
338	iptables
364	iptables

ioc	pid	process
/tmp/atk	364	iptables

description	ioc	process
File opened for modification	/dev/watchdog	.i
File opened for modification	/dev/misc/watchdog	.i

description	ioc
File opened for reading	/proc/net/tcp

description	ioc
File opened for reading	/proc/net/route

description	ioc
File opened for reading	/proc/net/route
File opened for reading	/proc/net/tcp
File opened for reading	/proc/net/tcp6

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc
File opened for reading	/proc/22/cmdline
File opened for reading	/proc/14/cmdline
File opened for reading	/proc/294/cmdline
File opened for reading	/proc/260/cmdline
File opened for reading	/proc/82/cmdline
File opened for reading	/proc/23/cmdline
File opened for reading	/proc/227/cmdline
File opened for reading	/proc/225/cmdline
File opened for reading	/proc/18/cmdline
File opened for reading	/proc/1/fd
File opened for reading	/proc/224/cmdline
File opened for reading	/proc/139/fd
File opened for reading	/proc/4/cmdline
File opened for reading	/proc/338/cmdline
File opened for reading	/proc/294/fd
File opened for reading	/proc/286/fd
File opened for reading	/proc/253/cmdline
File opened for reading	/proc/216/fd
File opened for reading	/proc/77/cmdline
File opened for reading	/proc/15/cmdline
File opened for reading	/proc/8/cmdline
File opened for reading	/proc/13/cmdline
File opened for reading	/proc/303/fd
File opened for reading	/proc/253/fd
File opened for reading	/proc/72/cmdline
File opened for reading	/proc/19/cmdline
File opened for reading	/proc/338/fd
File opened for reading	/proc/227/fd
File opened for reading	/proc/224/fd
File opened for reading	/proc/234/cmdline
File opened for reading	/proc/74/cmdline
File opened for reading	/proc/70/cmdline
File opened for reading	/proc/5/cmdline
File opened for reading	/proc/11/cmdline
File opened for reading	/proc/156/fd
File opened for reading	/proc/115/cmdline
File opened for reading	/proc/76/cmdline
File opened for reading	/proc/37/cmdline
File opened for reading	/proc/12/cmdline
File opened for reading	/proc/302/cmdline
File opened for reading	/proc/254/fd
File opened for reading	/proc/156/cmdline
File opened for reading	/proc/16/cmdline
File opened for reading	/proc/302/fd
File opened for reading	/proc/260/fd
File opened for reading	/proc/71/cmdline
File opened for reading	/proc/7/cmdline
File opened for reading	/proc/3/cmdline
File opened for reading	/proc/75/cmdline
File opened for reading	/proc/73/cmdline
File opened for reading	/proc/17/cmdline
File opened for reading	/proc/9/cmdline
File opened for reading	/proc/10/cmdline
File opened for reading	/proc/330/fd
File opened for reading	/proc/303/cmdline
File opened for reading	/proc/105/cmdline
File opened for reading	/proc/36/cmdline
File opened for reading	/proc/216/cmdline
File opened for reading	/proc/78/cmdline
File opened for reading	/proc/333/cmdline
File opened for reading	/proc/330/cmdline
File opened for reading	/proc/286/cmdline
File opened for reading	/proc/254/cmdline
File opened for reading	/proc/331/cmdline

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

Processes:

description	ioc
File opened for modification	/tmp/fifo
File opened for modification	/tmp/.p/atk.mipseb
File opened for modification	/tmp/atk
File opened for modification	/tmp/.p/.i.mipseb

/tmp/.i
/tmp/.i
1⤵
- Modifies Watchdog functionality
PID:335

/bin/sh
sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"
1⤵
PID:339
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 23 -j DROP
  2⤵
  - Changes its process name
  - Deletes itself
  PID:341

/bin/sh
sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
1⤵
PID:349
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 7547 -j DROP
  2⤵
  PID:350

/bin/sh
sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
1⤵
PID:351
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 5555 -j DROP
  2⤵
  PID:352

/bin/sh
sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"
1⤵
PID:353
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 5358 -j DROP
  2⤵
  PID:354

/bin/sh
sh -c "iptables -D INPUT -j CWMP_CR"
1⤵
PID:355
- /sbin/iptables
  iptables -D INPUT -j CWMP_CR
  2⤵
  PID:356

/bin/sh
sh -c "iptables -X CWMP_CR"
1⤵
PID:357
- /sbin/iptables
  iptables -X CWMP_CR
  2⤵
  PID:358

/bin/sh
sh -c "iptables -I INPUT -p udp --dport 52907 -j ACCEPT"
1⤵
PID:359
- /sbin/iptables
  iptables -I INPUT -p udp --dport 52907 -j ACCEPT
  2⤵
  PID:360

/tmp/atk
./atk
1⤵
PID:364
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --dport 14460 -j ACCEPT"
  2⤵
  PID:365
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 14460 -j ACCEPT
    3⤵
    - Changes its process name
    - Deletes itself
    - Executes dropped EXE
    PID:366
- /bin/sh
  sh -c "iptables -I INPUT -p udp --dport 14460 -j ACCEPT"
  2⤵
  PID:367
- - /sbin/iptables
    iptables -I INPUT -p udp --dport 14460 -j ACCEPT
    3⤵
    PID:368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Network Service Scanning

1

T1046

System Network Configuration Discovery

2

T1016

System Network Connections Discovery

1

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/atk

Filesize
53KB

MD5
d563e13e0d5efd97b3fce8c4e0f7a09a

SHA1
2bac28b2795b97600ae6ef5439bb133094eef890

SHA256
8844c1bcaa217ebbf73e9ded76d7813e4a84937f8d384bf344678a026f67fb42

SHA512
8f1e795de6bc0ebc8e6e20a2f2456d64ad9933f485b0dbbac9525dfd02f379e60e7bf1e76fb88e0e810187eab2840b83deb36205e512ad1edb59df277f0c4bd1

Download Submit
memory/335-1-0x00400000-0x0047a6c0-memory.dmp

Download
memory/364-2-0x00400000-0x0046ae90-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads