Analysis
-
max time kernel
151s -
max time network
148s -
platform
debian-9_armhf -
resource
debian9-armhf-20221125-en -
resource tags
arch:armhfimage:debian9-armhf-20221125-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
30-06-2023 12:08
Static task
static1
Behavioral task
behavioral1
Sample
.i
Resource
debian9-armhf-20221125-en
General
-
Target
.i
-
Size
78KB
-
MD5
9b6c3518a91d23ed77504b5416bfb5b3
-
SHA1
0a2d170abbf5031566377b01431e3b82d342630a
-
SHA256
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
-
SHA512
b2b08d5d5e6c6708d88b793e9340a780d47b5dce61e0a3026b4cdea8a9e4cbf9824037255e4ea4a40fee5bce956485232376d4677ce72ccb6c7f00badd09956e
-
SSDEEP
1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL
Malware Config
Signatures
-
Changes its process name 1 IoCs
Processes:
shdescription ioc pid process Changes the process name, possibly in an attempt to hide itself telnetd 353 sh -
Deletes itself 1 IoCs
Processes:
shpid process 353 sh -
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
Processes:
.idescription ioc process File opened for modification /dev/watchdog .i File opened for modification /dev/misc/watchdog .i -
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
Processes:
description ioc File opened for reading /proc/net/tcp -
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.
Processes:
.idescription ioc process File opened for reading /proc/net/route .i -
Reads system network configuration 1 TTPs 3 IoCs
Uses contents of /proc filesystem to enumerate network settings.
Processes:
.idescription ioc process File opened for reading /proc/net/route .i File opened for reading /proc/net/tcp File opened for reading /proc/net/tcp6 -
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
Processes:
description ioc File opened for reading /proc/106/cmdline File opened for reading /proc/95/cmdline File opened for reading /proc/25/cmdline File opened for reading /proc/19/cmdline File opened for reading /proc/353/cmdline File opened for reading /proc/353/fd File opened for reading /proc/345/fd File opened for reading /proc/273/cmdline File opened for reading /proc/132/cmdline File opened for reading /proc/18/cmdline File opened for reading /proc/7/cmdline File opened for reading /proc/350/cmdline File opened for reading /proc/348/cmdline File opened for reading /proc/347/cmdline File opened for reading /proc/347/fd File opened for reading /proc/12/cmdline File opened for reading /proc/11/cmdline File opened for reading /proc/269/fd File opened for reading /proc/227/cmdline File opened for reading /proc/164/cmdline File opened for reading /proc/21/cmdline File opened for reading /proc/43/cmdline File opened for reading /proc/13/cmdline File opened for reading /proc/270/cmdline File opened for reading /proc/104/cmdline File opened for reading /proc/6/cmdline File opened for reading /proc/273/fd File opened for reading /proc/229/cmdline File opened for reading /proc/74/cmdline File opened for reading /proc/23/cmdline File opened for reading /proc/24/cmdline File opened for reading /proc/16/cmdline File opened for reading /proc/1/cmdline File opened for reading /proc/304/cmdline File opened for reading /proc/279/fd File opened for reading /proc/229/fd File opened for reading /proc/227/fd File opened for reading /proc/41/cmdline File opened for reading /proc/29/cmdline File opened for reading /proc/28/cmdline File opened for reading /proc/27/cmdline File opened for reading /proc/226/cmdline File opened for reading /proc/140/cmdline File opened for reading /proc/107/cmdline File opened for reading /proc/42/cmdline File opened for reading /proc/10/cmdline File opened for reading /proc/5/cmdline File opened for reading /proc/307/cmdline File opened for reading /proc/239/cmdline File opened for reading /proc/279/cmdline File opened for reading /proc/134/cmdline File opened for reading /proc/8/cmdline File opened for reading /proc/4/cmdline File opened for reading /proc/302/cmdline File opened for reading /proc/164/fd File opened for reading /proc/17/cmdline File opened for reading /proc/2/cmdline File opened for reading /proc/226/fd File opened for reading /proc/345/cmdline File opened for reading /proc/302/fd File opened for reading /proc/270/fd File opened for reading /proc/269/cmdline File opened for reading /proc/15/cmdline File opened for reading /proc/3/cmdline -
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes:
description ioc File opened for modification /tmp/fifo
Processes
-
/tmp/.i/tmp/.i1⤵
- Modifies Watchdog functionality
- Reads system routing table
- Reads system network configuration
PID:352
-
/bin/sh/bin/sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"1⤵
- Changes its process name
- Deletes itself
PID:358 -
/sbin/iptablesiptables -A INPUT -p tcp --destination-port 23 -j DROP2⤵PID:359
-
-
/bin/sh/bin/sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"1⤵PID:365
-
/sbin/iptablesiptables -A INPUT -p tcp --destination-port 7547 -j DROP2⤵PID:366
-
-
/bin/sh/bin/sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"1⤵PID:367
-
/sbin/iptablesiptables -A INPUT -p tcp --destination-port 5555 -j DROP2⤵PID:368
-
-
/bin/sh/bin/sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"1⤵PID:369
-
/sbin/iptablesiptables -A INPUT -p tcp --destination-port 5358 -j DROP2⤵PID:370
-
-
/bin/sh/bin/sh -c "iptables -D INPUT -j CWMP_CR"1⤵PID:371
-
/sbin/iptablesiptables -D INPUT -j CWMP_CR2⤵PID:372
-
-
/bin/sh/bin/sh -c "iptables -X CWMP_CR"1⤵PID:373
-
/sbin/iptablesiptables -X CWMP_CR2⤵PID:374
-
-
/bin/sh/bin/sh -c "iptables -I INPUT -p udp --dport 62673 -j ACCEPT"1⤵PID:375
-
/sbin/iptablesiptables -I INPUT -p udp --dport 62673 -j ACCEPT2⤵PID:376
-