Analysis
-
max time kernel
151s -
max time network
154s -
platform
debian-9_armhf -
resource
debian9-armhf-20221125-en -
resource tags
arch:armhfimage:debian9-armhf-20221125-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
30-06-2023 12:08
Static task
static1
Behavioral task
behavioral1
Sample
.i
Resource
debian9-armhf-20221125-en
General
-
Target
.i
-
Size
78KB
-
MD5
9b6c3518a91d23ed77504b5416bfb5b3
-
SHA1
0a2d170abbf5031566377b01431e3b82d342630a
-
SHA256
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
-
SHA512
b2b08d5d5e6c6708d88b793e9340a780d47b5dce61e0a3026b4cdea8a9e4cbf9824037255e4ea4a40fee5bce956485232376d4677ce72ccb6c7f00badd09956e
-
SSDEEP
1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL
Malware Config
Signatures
-
Contacts a large (7440) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Changes its process name 2 IoCs
Processes:
shshdescription ioc pid process Changes the process name, possibly in an attempt to hide itself telnetd 369 sh Changes the process name, possibly in an attempt to hide itself telnetd 512 sh -
Deletes itself 2 IoCs
Processes:
shshpid process 369 sh 512 sh -
Executes dropped EXE 1 IoCs
Processes:
shioc pid process /tmp/atk 512 sh -
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
Processes:
.idescription ioc process File opened for modification /dev/watchdog .i File opened for modification /dev/misc/watchdog .i -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
Processes:
description ioc File opened for reading /proc/net/tcp -
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.
Processes:
.idescription ioc process File opened for reading /proc/net/route .i -
Reads system network configuration 1 TTPs 3 IoCs
Uses contents of /proc filesystem to enumerate network settings.
Processes:
.idescription ioc File opened for reading /proc/net/tcp6 File opened for reading /proc/net/route .i File opened for reading /proc/net/tcp -
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
Processes:
description ioc File opened for reading /proc/367/cmdline File opened for reading /proc/290/cmdline File opened for reading /proc/285/fd File opened for reading /proc/224/cmdline File opened for reading /proc/224/fd File opened for reading /proc/106/cmdline File opened for reading /proc/11/cmdline File opened for reading /proc/10/cmdline File opened for reading /proc/5/cmdline File opened for reading /proc/18/cmdline File opened for reading /proc/15/cmdline File opened for reading /proc/369/cmdline File opened for reading /proc/282/fd File opened for reading /proc/242/fd File opened for reading /proc/139/cmdline File opened for reading /proc/73/cmdline File opened for reading /proc/24/cmdline File opened for reading /proc/19/cmdline File opened for reading /proc/303/cmdline File opened for reading /proc/243/cmdline File opened for reading /proc/157/cmdline File opened for reading /proc/157/fd File opened for reading /proc/94/cmdline File opened for reading /proc/23/cmdline File opened for reading /proc/4/cmdline File opened for reading /proc/1/cmdline File opened for reading /proc/369/fd File opened for reading /proc/363/fd File opened for reading /proc/320/cmdline File opened for reading /proc/244/cmdline File opened for reading /proc/42/cmdline File opened for reading /proc/41/cmdline File opened for reading /proc/361/fd File opened for reading /proc/243/fd File opened for reading /proc/105/cmdline File opened for reading /proc/7/cmdline File opened for reading /proc/318/cmdline File opened for reading /proc/291/fd File opened for reading /proc/16/cmdline File opened for reading /proc/9/cmdline File opened for reading /proc/244/fd File opened for reading /proc/137/cmdline File opened for reading /proc/8/cmdline File opened for reading /proc/323/fd File opened for reading /proc/285/cmdline File opened for reading /proc/25/cmdline File opened for reading /proc/1/fd File opened for reading /proc/370/fd File opened for reading /proc/364/cmdline File opened for reading /proc/322/fd File opened for reading /proc/28/cmdline File opened for reading /proc/27/cmdline File opened for reading /proc/20/cmdline File opened for reading /proc/370/cmdline File opened for reading /proc/255/fd File opened for reading /proc/139/fd File opened for reading /proc/132/cmdline File opened for reading /proc/13/cmdline File opened for reading /proc/3/cmdline File opened for reading /proc/322/cmdline File opened for reading /proc/318/fd File opened for reading /proc/282/cmdline File opened for reading /proc/255/cmdline File opened for reading /proc/103/cmdline -
Writes file to tmp directory 4 IoCs
Malware often drops required files in the /tmp directory.
Processes:
description ioc File opened for modification /tmp/fifo File opened for modification /tmp/.p/.i.arm7 File opened for modification /tmp/.p/atk.arm7 File opened for modification /tmp/atk
Processes
-
/tmp/.i/tmp/.i1⤵
- Modifies Watchdog functionality
- Reads system routing table
- Reads system network configuration
PID:368
-
/bin/sh/bin/sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"1⤵
- Changes its process name
- Deletes itself
PID:374 -
/sbin/iptablesiptables -A INPUT -p tcp --destination-port 23 -j DROP2⤵PID:375
-
-
/bin/sh/bin/sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"1⤵PID:380
-
/sbin/iptablesiptables -A INPUT -p tcp --destination-port 7547 -j DROP2⤵PID:381
-
-
/bin/sh/bin/sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"1⤵PID:382
-
/sbin/iptablesiptables -A INPUT -p tcp --destination-port 5555 -j DROP2⤵PID:383
-
-
/bin/sh/bin/sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"1⤵PID:384
-
/sbin/iptablesiptables -A INPUT -p tcp --destination-port 5358 -j DROP2⤵PID:385
-
-
/bin/sh/bin/sh -c "iptables -D INPUT -j CWMP_CR"1⤵PID:386
-
/sbin/iptablesiptables -D INPUT -j CWMP_CR2⤵PID:387
-
-
/bin/sh/bin/sh -c "iptables -X CWMP_CR"1⤵PID:388
-
/sbin/iptablesiptables -X CWMP_CR2⤵PID:389
-
-
/bin/sh/bin/sh -c "iptables -I INPUT -p udp --dport 57418 -j ACCEPT"1⤵PID:390
-
/sbin/iptablesiptables -I INPUT -p udp --dport 57418 -j ACCEPT2⤵PID:391
-
-
/tmp/atk./atk1⤵PID:512
-
/bin/sh/bin/sh -c "iptables -I INPUT -p tcp --dport 35275 -j ACCEPT"2⤵
- Changes its process name
- Deletes itself
- Executes dropped EXE
PID:513 -
/sbin/iptablesiptables -I INPUT -p tcp --dport 35275 -j ACCEPT3⤵PID:514
-
-
-
/bin/sh/bin/sh -c "iptables -I INPUT -p udp --dport 35275 -j ACCEPT"2⤵PID:515
-
/sbin/iptablesiptables -I INPUT -p udp --dport 35275 -j ACCEPT3⤵PID:516
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
53KB
MD5fc65dc3f6706f09b0568d86ee83b0e6b
SHA13285cbc991ab5964817df8e4773d6774bb889bd4
SHA25648aa1cdc3c454e2c12248405a49e24f74630caeaa9a11148b99f6f0a50dbcfea
SHA512bb6ddc18ac0d085332bbbc214e729153cf7c2fdf89c0fe1b8dfe1a8b4623f14b2ecaf7eb61cc3f42c76aadd2f726526d165a726fdc1cee5a6bed3fd2117450dc