9e0a15a4318e3e788bad61398b8a40d4916d63ab27b47f3bdbe329c462193600

Analysis

max time kernel
15s
max time network
18s
platform
debian-9_mipsel
resource
debian9-mipsel-20221125-en
resource tags

arch:mipselimage:debian9-mipsel-20221125-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
02-07-2023 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

243157-binsh.sh
Size

131KB
MD5

3313e9cc72e7cf75851dc62b84ca932c
SHA1

b5f914ad11626070f6cf466069c8d5d9ee25f5bb
SHA256

9e0a15a4318e3e788bad61398b8a40d4916d63ab27b47f3bdbe329c462193600
SHA512

7c3f1cce6b3b2b0464382ad923076da3a2e81463ed25a8d1979caa7c7305ad6681d1df32893c9c973ac6a897f6d638720ed7d73dda5b06c99c1fe669d98960da
SSDEEP

3072:YpPb16aDVPfKxQZHYz02ROYgym0pv9k3TakVC1ecQTKnQR:iPZfDlCuuQVp0nk3TaeC8czu

Score

8^/10

discovery

Malware Config

Signatures

Contacts a large (597) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	dropbear	327	Process not Found

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

description	ioc
File opened for modification	/dev/watchdog
File opened for modification	/dev/misc/watchdog

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	243157-binsh.sh

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

System Network Configuration Discovery

T1016

description	ioc
File opened for reading	/proc/net/route

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/sbin/watchdog
File opened for modification	/bin/watchdog

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc	Process
File opened for reading	/proc/net/route	Process not Found
File opened for reading	/proc/net/tcp	243157-binsh.sh
File opened for reading	/proc/net/raw	243157-binsh.sh

Reads runtime system information 1 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/self/exe	243157-binsh.sh

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.ips	243157-binsh.sh

/tmp/243157-binsh.sh
/tmp/243157-binsh.sh
1⤵
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:325

/bin/sh
sh -c "killall -9 telnetd utelnetd scfgmgr"
1⤵
PID:328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

Network Service Scanning

T1046

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/325-1-0x00400000-0x004bba68-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads