a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3

General

Target

.i
Size

78KB
MD5

9b6c3518a91d23ed77504b5416bfb5b3
SHA1

0a2d170abbf5031566377b01431e3b82d342630a
SHA256

a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
SHA512

b2b08d5d5e6c6708d88b793e9340a780d47b5dce61e0a3026b4cdea8a9e4cbf9824037255e4ea4a40fee5bce956485232376d4677ce72ccb6c7f00badd09956e
SSDEEP

1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL

Score

7^/10

Malware Config

Signatures

Changes its process name 1 IoCs

Processes:

sh

description ioc pid process

Changes the process name, possibly in an attempt to hide itself telnetd 360 sh
Deletes itself 1 IoCs

Processes:

sh

pid process

360 sh
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

.i

description ioc process

File opened for modification /dev/watchdog .i
File opened for modification /dev/misc/watchdog .i
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

description ioc

File opened for reading /proc/net/tcp
Enumerates running processes
Discovers information about currently running processes on the system
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.

System Network Configuration Discovery
T1016

Processes:

.i

description ioc process

File opened for reading /proc/net/route .i
Reads system network configuration 1 TTPs 3 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

.i

description ioc process

File opened for reading /proc/net/route .i
File opened for reading /proc/net/tcp
File opened for reading /proc/net/tcp6

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	telnetd	360	sh

pid	process
360	sh

description	ioc	process
File opened for modification	/dev/watchdog	.i
File opened for modification	/dev/misc/watchdog	.i

description	ioc
File opened for reading	/proc/net/tcp

description	ioc	process
File opened for reading	/proc/net/route	.i

description	ioc	process
File opened for reading	/proc/net/route	.i
File opened for reading	/proc/net/tcp
File opened for reading	/proc/net/tcp6

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc
File opened for reading	/proc/113/cmdline
File opened for reading	/proc/7/cmdline
File opened for reading	/proc/291/fd
File opened for reading	/proc/279/cmdline
File opened for reading	/proc/234/cmdline
File opened for reading	/proc/23/cmdline
File opened for reading	/proc/18/cmdline
File opened for reading	/proc/8/cmdline
File opened for reading	/proc/139/cmdline
File opened for reading	/proc/80/cmdline
File opened for reading	/proc/24/cmdline
File opened for reading	/proc/19/cmdline
File opened for reading	/proc/12/cmdline
File opened for reading	/proc/3/cmdline
File opened for reading	/proc/360/cmdline
File opened for reading	/proc/358/fd
File opened for reading	/proc/6/cmdline
File opened for reading	/proc/314/fd
File opened for reading	/proc/169/fd
File opened for reading	/proc/25/cmdline
File opened for reading	/proc/16/cmdline
File opened for reading	/proc/10/cmdline
File opened for reading	/proc/283/fd
File opened for reading	/proc/4/cmdline
File opened for reading	/proc/352/cmdline
File opened for reading	/proc/315/cmdline
File opened for reading	/proc/169/cmdline
File opened for reading	/proc/112/cmdline
File opened for reading	/proc/110/cmdline
File opened for reading	/proc/9/cmdline
File opened for reading	/proc/5/cmdline
File opened for reading	/proc/352/fd
File opened for reading	/proc/312/fd
File opened for reading	/proc/217/fd
File opened for reading	/proc/43/cmdline
File opened for reading	/proc/1/fd
File opened for reading	/proc/312/cmdline
File opened for reading	/proc/308/fd
File opened for reading	/proc/157/cmdline
File opened for reading	/proc/152/cmdline
File opened for reading	/proc/42/cmdline
File opened for reading	/proc/17/cmdline
File opened for reading	/proc/2/cmdline
File opened for reading	/proc/11/cmdline
File opened for reading	/proc/357/cmdline
File opened for reading	/proc/356/cmdline
File opened for reading	/proc/315/fd
File opened for reading	/proc/314/cmdline
File opened for reading	/proc/283/cmdline
File opened for reading	/proc/233/cmdline
File opened for reading	/proc/41/cmdline
File opened for reading	/proc/279/fd
File opened for reading	/proc/217/cmdline
File opened for reading	/proc/28/cmdline
File opened for reading	/proc/13/cmdline
File opened for reading	/proc/210/cmdline
File opened for reading	/proc/358/cmdline
File opened for reading	/proc/280/cmdline
File opened for reading	/proc/280/fd
File opened for reading	/proc/238/fd
File opened for reading	/proc/236/cmdline
File opened for reading	/proc/236/fd
File opened for reading	/proc/234/fd
File opened for reading	/proc/22/cmdline

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

description ioc

File opened for modification /tmp/fifo

description	ioc
File opened for modification	/tmp/fifo

/tmp/.i
/tmp/.i
1⤵
- Modifies Watchdog functionality
- Reads system routing table
- Reads system network configuration
PID:359

/bin/sh
/bin/sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"
1⤵
- Changes its process name
- Deletes itself
PID:364

/sbin/iptables
iptables -A INPUT -p tcp --destination-port 23 -j DROP
2⤵
PID:365

/bin/sh
/bin/sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
1⤵
PID:371

/sbin/iptables
iptables -A INPUT -p tcp --destination-port 7547 -j DROP
2⤵
PID:372

/bin/sh
/bin/sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
1⤵
PID:373

/sbin/iptables
iptables -A INPUT -p tcp --destination-port 5555 -j DROP
2⤵
PID:374

/bin/sh
/bin/sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"
1⤵
PID:375

/sbin/iptables
iptables -A INPUT -p tcp --destination-port 5358 -j DROP
2⤵
PID:376

/bin/sh
/bin/sh -c "iptables -D INPUT -j CWMP_CR"
1⤵
PID:377

/sbin/iptables
iptables -D INPUT -j CWMP_CR
2⤵
PID:378

/bin/sh
/bin/sh -c "iptables -X CWMP_CR"
1⤵
PID:379

/sbin/iptables
iptables -X CWMP_CR
2⤵
PID:380

/bin/sh
/bin/sh -c "iptables -I INPUT -p udp --dport 36918 -j ACCEPT"
1⤵
PID:381

/sbin/iptables
iptables -I INPUT -p udp --dport 36918 -j ACCEPT
2⤵
PID:382

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

System Network Configuration Discovery

2

T1016

System Network Connections Discovery

1

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/359-1-0x00010000-0x000506fc-memory.dmp

Download

Analysis

Sharing