Analysis

  • max time kernel
    120s
  • max time network
    150s
  • platform
    linux_mips
  • resource
    debian9-mipsbe-en-20211208
  • resource tags

    arch:mipsimage:debian9-mipsbe-en-20211208kernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
  • submitted
    30-06-2023 12:54

General

  • Target

    .i

  • Size

    83KB

  • MD5

    5377e8f2ebdb280216c37a6195da9d6c

  • SHA1

    b54c705193b7963a0d40699a91cdb34fedecbe88

  • SHA256

    020f1fa6072108c79ed6f553f4f8b08e157bf17f9c260a76353300230fed09f0

  • SHA512

    65e5aec56ddde56f245a20f88553d2f76bd7dd8e1940e9d49637d51a868fe73003b8a95fffeb9481110579f6ee4790fc9af1668d435930d4c01b116490908eed

  • SSDEEP

    1536:yYI0ARqw1qAEW67UIWi7M8gmfmJo0WgswnD6Efyq8PxlRkp2K3/J1V+uBNu:yYI0ARqw1qAEv7UIFM8oJorFquyjkRks

Score
9/10

Malware Config

Signatures

  • Contacts a large (2281) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Changes its process name 2 IoCs
  • Deletes itself 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads system routing table 1 TTPs 1 IoCs

    Gets active network interfaces from /proc virtual filesystem.

  • Reads system network configuration 1 TTPs 3 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 4 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/.i
    /tmp/.i
    1⤵
    • Modifies Watchdog functionality
    PID:335
  • /bin/sh
    sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"
    1⤵
      PID:339
      • /sbin/iptables
        iptables -A INPUT -p tcp --destination-port 23 -j DROP
        2⤵
        • Changes its process name
        • Deletes itself
        PID:341
    • /bin/sh
      sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
      1⤵
        PID:349
        • /sbin/iptables
          iptables -A INPUT -p tcp --destination-port 7547 -j DROP
          2⤵
            PID:350
        • /bin/sh
          sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
          1⤵
            PID:351
            • /sbin/iptables
              iptables -A INPUT -p tcp --destination-port 5555 -j DROP
              2⤵
                PID:352
            • /bin/sh
              sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"
              1⤵
                PID:353
                • /sbin/iptables
                  iptables -A INPUT -p tcp --destination-port 5358 -j DROP
                  2⤵
                    PID:354
                • /bin/sh
                  sh -c "iptables -D INPUT -j CWMP_CR"
                  1⤵
                    PID:355
                    • /sbin/iptables
                      iptables -D INPUT -j CWMP_CR
                      2⤵
                        PID:356
                    • /bin/sh
                      sh -c "iptables -X CWMP_CR"
                      1⤵
                        PID:357
                        • /sbin/iptables
                          iptables -X CWMP_CR
                          2⤵
                            PID:358
                        • /bin/sh
                          sh -c "iptables -I INPUT -p udp --dport 52907 -j ACCEPT"
                          1⤵
                            PID:359
                            • /sbin/iptables
                              iptables -I INPUT -p udp --dport 52907 -j ACCEPT
                              2⤵
                                PID:360
                            • /tmp/atk
                              ./atk
                              1⤵
                                PID:364
                                • /bin/sh
                                  sh -c "iptables -I INPUT -p tcp --dport 14460 -j ACCEPT"
                                  2⤵
                                    PID:365
                                    • /sbin/iptables
                                      iptables -I INPUT -p tcp --dport 14460 -j ACCEPT
                                      3⤵
                                      • Changes its process name
                                      • Deletes itself
                                      • Executes dropped EXE
                                      PID:366
                                  • /bin/sh
                                    sh -c "iptables -I INPUT -p udp --dport 14460 -j ACCEPT"
                                    2⤵
                                      PID:367
                                      • /sbin/iptables
                                        iptables -I INPUT -p udp --dport 14460 -j ACCEPT
                                        3⤵
                                          PID:368

                                    Network

                                    MITRE ATT&CK Matrix ATT&CK v6

                                    Defense Evasion

                                    Impair Defenses

                                    1
                                    T1562

                                    Discovery

                                    Network Service Scanning

                                    1
                                    T1046

                                    System Network Connections Discovery

                                    1
                                    T1049

                                    System Network Configuration Discovery

                                    2
                                    T1016

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • /tmp/atk
                                      Filesize

                                      53KB

                                      MD5

                                      d563e13e0d5efd97b3fce8c4e0f7a09a

                                      SHA1

                                      2bac28b2795b97600ae6ef5439bb133094eef890

                                      SHA256

                                      8844c1bcaa217ebbf73e9ded76d7813e4a84937f8d384bf344678a026f67fb42

                                      SHA512

                                      8f1e795de6bc0ebc8e6e20a2f2456d64ad9933f485b0dbbac9525dfd02f379e60e7bf1e76fb88e0e810187eab2840b83deb36205e512ad1edb59df277f0c4bd1

                                    • memory/335-1-0x00400000-0x0047a6c0-memory.dmp
                                    • memory/364-2-0x00400000-0x0046ae90-memory.dmp