a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3

General

Target

.i
Size

78KB
MD5

9b6c3518a91d23ed77504b5416bfb5b3
SHA1

0a2d170abbf5031566377b01431e3b82d342630a
SHA256

a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
SHA512

b2b08d5d5e6c6708d88b793e9340a780d47b5dce61e0a3026b4cdea8a9e4cbf9824037255e4ea4a40fee5bce956485232376d4677ce72ccb6c7f00badd09956e
SSDEEP

1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL

Score

9^/10

discovery

Malware Config

Signatures

Contacts a large (4490) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Changes its process name 2 IoCs

Processes:

shsh

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	telnetd	355	sh
Changes the process name, possibly in an attempt to hide itself	telnetd	403	sh

Deletes itself 2 IoCs

Processes:

shsh

pid process

355 sh
403 sh
Executes dropped EXE 1 IoCs

Processes:

sh

ioc pid process

/tmp/atk 403 sh
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

.i

description ioc process

File opened for modification /dev/watchdog .i
File opened for modification /dev/misc/watchdog .i
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

description ioc

File opened for reading /proc/net/tcp
Enumerates running processes
Discovers information about currently running processes on the system
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.

System Network Configuration Discovery
T1016

Processes:

.i

description ioc process

File opened for reading /proc/net/route .i
Reads system network configuration 1 TTPs 3 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

.i

description ioc process

File opened for reading /proc/net/route .i
File opened for reading /proc/net/tcp
File opened for reading /proc/net/tcp6

pid	process
355	sh
403	sh

ioc	pid	process
/tmp/atk	403	sh

description	ioc	process
File opened for modification	/dev/watchdog	.i
File opened for modification	/dev/misc/watchdog	.i

description	ioc
File opened for reading	/proc/net/tcp

description	ioc	process
File opened for reading	/proc/net/route	.i

description	ioc	process
File opened for reading	/proc/net/route	.i
File opened for reading	/proc/net/tcp
File opened for reading	/proc/net/tcp6

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc
File opened for reading	/proc/1/cmdline
File opened for reading	/proc/273/fd
File opened for reading	/proc/43/cmdline
File opened for reading	/proc/8/cmdline
File opened for reading	/proc/3/cmdline
File opened for reading	/proc/306/cmdline
File opened for reading	/proc/131/cmdline
File opened for reading	/proc/349/cmdline
File opened for reading	/proc/4/cmdline
File opened for reading	/proc/275/fd
File opened for reading	/proc/272/cmdline
File opened for reading	/proc/232/cmdline
File opened for reading	/proc/167/fd
File opened for reading	/proc/106/cmdline
File opened for reading	/proc/75/cmdline
File opened for reading	/proc/350/cmdline
File opened for reading	/proc/306/fd
File opened for reading	/proc/14/cmdline
File opened for reading	/proc/10/cmdline
File opened for reading	/proc/303/fd
File opened for reading	/proc/134/cmdline
File opened for reading	/proc/18/cmdline
File opened for reading	/proc/352/cmdline
File opened for reading	/proc/348/fd
File opened for reading	/proc/353/cmdline
File opened for reading	/proc/22/cmdline
File opened for reading	/proc/42/cmdline
File opened for reading	/proc/243/fd
File opened for reading	/proc/131/fd
File opened for reading	/proc/213/fd
File opened for reading	/proc/166/cmdline
File opened for reading	/proc/141/cmdline
File opened for reading	/proc/41/cmdline
File opened for reading	/proc/23/cmdline
File opened for reading	/proc/7/cmdline
File opened for reading	/proc/286/fd
File opened for reading	/proc/213/cmdline
File opened for reading	/proc/1/fd
File opened for reading	/proc/228/fd
File opened for reading	/proc/25/cmdline
File opened for reading	/proc/11/cmdline
File opened for reading	/proc/355/fd
File opened for reading	/proc/275/cmdline
File opened for reading	/proc/309/fd
File opened for reading	/proc/308/cmdline
File opened for reading	/proc/109/cmdline
File opened for reading	/proc/96/cmdline
File opened for reading	/proc/29/cmdline
File opened for reading	/proc/27/cmdline
File opened for reading	/proc/355/cmdline
File opened for reading	/proc/309/cmdline
File opened for reading	/proc/26/cmdline
File opened for reading	/proc/19/cmdline
File opened for reading	/proc/145/cmdline
File opened for reading	/proc/20/cmdline
File opened for reading	/proc/15/cmdline
File opened for reading	/proc/303/cmdline
File opened for reading	/proc/272/fd
File opened for reading	/proc/229/cmdline
File opened for reading	/proc/16/cmdline
File opened for reading	/proc/9/cmdline
File opened for reading	/proc/6/cmdline
File opened for reading	/proc/349/fd
File opened for reading	/proc/286/cmdline

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

Processes:

description	ioc
File opened for modification	/tmp/.p/.i.arm7
File opened for modification	/tmp/fifo
File opened for modification	/tmp/.p/atk.arm7
File opened for modification	/tmp/atk

/tmp/.i
/tmp/.i
1⤵
- Modifies Watchdog functionality
- Reads system routing table
- Reads system network configuration
PID:354

/bin/sh
/bin/sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"
1⤵
- Changes its process name
- Deletes itself
PID:359
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 23 -j DROP
  2⤵
  PID:360

/bin/sh
/bin/sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
1⤵
PID:365
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 7547 -j DROP
  2⤵
  PID:366

/bin/sh
/bin/sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
1⤵
PID:367
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 5555 -j DROP
  2⤵
  PID:368

/bin/sh
/bin/sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"
1⤵
PID:369
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 5358 -j DROP
  2⤵
  PID:370

/bin/sh
/bin/sh -c "iptables -D INPUT -j CWMP_CR"
1⤵
PID:371
- /sbin/iptables
  iptables -D INPUT -j CWMP_CR
  2⤵
  PID:372

/bin/sh
/bin/sh -c "iptables -X CWMP_CR"
1⤵
PID:373
- /sbin/iptables
  iptables -X CWMP_CR
  2⤵
  PID:374

/bin/sh
/bin/sh -c "iptables -I INPUT -p udp --dport 33517 -j ACCEPT"
1⤵
PID:375
- /sbin/iptables
  iptables -I INPUT -p udp --dport 33517 -j ACCEPT
  2⤵
  PID:376

/tmp/atk
./atk
1⤵
PID:403
- /bin/sh
  /bin/sh -c "iptables -I INPUT -p tcp --dport 60861 -j ACCEPT"
  2⤵
  - Changes its process name
  - Deletes itself
  - Executes dropped EXE
  PID:404
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 60861 -j ACCEPT
    3⤵
    PID:405
- /bin/sh
  /bin/sh -c "iptables -I INPUT -p udp --dport 60861 -j ACCEPT"
  2⤵
  PID:406
- - /sbin/iptables
    iptables -I INPUT -p udp --dport 60861 -j ACCEPT
    3⤵
    PID:407

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Network Service Scanning

2

T1046

System Network Configuration Discovery

2

T1016

System Network Connections Discovery

1

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/atk

Filesize
53KB

MD5
fc65dc3f6706f09b0568d86ee83b0e6b

SHA1
3285cbc991ab5964817df8e4773d6774bb889bd4

SHA256
48aa1cdc3c454e2c12248405a49e24f74630caeaa9a11148b99f6f0a50dbcfea

SHA512
bb6ddc18ac0d085332bbbc214e729153cf7c2fdf89c0fe1b8dfe1a8b4623f14b2ecaf7eb61cc3f42c76aadd2f726526d165a726fdc1cee5a6bed3fd2117450dc

Download Submit
memory/354-1-0x00010000-0x000506fc-memory.dmp

Download
memory/403-2-0x00010000-0x00046a30-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads