Analysis
-
max time kernel
15s -
max time network
18s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20221125-en -
resource tags
-
submitted
02-07-2023 12:41
General
-
Target
243157-binsh.sh
-
Size
131KB
-
MD5
3313e9cc72e7cf75851dc62b84ca932c
-
SHA1
b5f914ad11626070f6cf466069c8d5d9ee25f5bb
-
SHA256
9e0a15a4318e3e788bad61398b8a40d4916d63ab27b47f3bdbe329c462193600
-
SHA512
7c3f1cce6b3b2b0464382ad923076da3a2e81463ed25a8d1979caa7c7305ad6681d1df32893c9c973ac6a897f6d638720ed7d73dda5b06c99c1fe669d98960da
-
SSDEEP
3072:YpPb16aDVPfKxQZHYz02ROYgym0pv9k3TakVC1ecQTKnQR:iPZfDlCuuQVp0nk3TaeC8czu
Malware Config
Signatures
-
Contacts a large (597) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Changes its process name 1 IoCs
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
-
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.
-
Writes file to system bin folder 1 TTPs 2 IoCs
-
Reads system network configuration 1 TTPs 3 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
Reads runtime system information 1 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/243157-binsh.sh/tmp/243157-binsh.sh1⤵
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
-
/bin/shsh -c "killall -9 telnetd utelnetd scfgmgr"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/325-1-0x00400000-0x004bba68-memory.dmp