4293c1d8574dc87c58360d6bac3daa182f64f7785c9d41da5e0741d2b1817fc7

Analysis

max time kernel
15s
max time network
19s
platform
debian-9_mips
resource
debian9-mipsbe-20221111-en
resource tags

arch:mipsimage:debian9-mipsbe-20221111-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
01-07-2023 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bin.sh
Size

132KB
MD5

59ce0baba11893f90527fc951ac69912
SHA1

5857a7dd621c4c3ebb0b5a3bec915d409f70d39f
SHA256

4293c1d8574dc87c58360d6bac3daa182f64f7785c9d41da5e0741d2b1817fc7
SHA512

c5b12797b477e5e5964a78766bb40b1c0d9fdfb8eef1f9aee3df451e3441a40c61d325bf400ba51048811b68e1c70a95f15e4166b7a65a4eca0c624864328647
SSDEEP

3072:phNlHuBafLeBtfCzpta8xlBIOdVo3/4sxLJ10xioP:p3lOYoaja8xzx/0wsxzSi2

Score

7^/10

Malware Config

Signatures

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	dropbear	329	Process not Found

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

description	ioc
File opened for modification	/dev/watchdog
File opened for modification	/dev/misc/watchdog

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	bin.sh

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

System Network Configuration Discovery

T1016

description	ioc
File opened for reading	/proc/net/route

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/sbin/watchdog
File opened for modification	/bin/watchdog

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc	Process
File opened for reading	/proc/net/tcp	bin.sh
File opened for reading	/proc/net/raw	bin.sh
File opened for reading	/proc/net/route	Process not Found

Reads runtime system information 1 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/self/exe	bin.sh

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.ips	bin.sh

/tmp/bin.sh
/tmp/bin.sh
1⤵
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:327

/bin/sh
sh -c "killall -9 telnetd utelnetd scfgmgr"
1⤵
PID:330

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads