Analysis
Max time kernel: 17s
Max time network: 22s
Platform: debian-9_mips
Resource: debian9-mipsbe-20221111-en
Resource tags: arch:mips, image:debian9-mipsbe-20221111-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
Submitted: 04-07-2023 15:42
Behavioral task: behavioral1
Sample: binsh.sh
Resource: debian9-mipsbe-20221111-en
General
Target: binsh.sh
Size: 300KB
MD5: 106a736477f5e6efc07bdea0249986f9
SHA1: b8cb63180aad940b1356e310e9bcbfee30a028b5
SHA256: e629334def73be9e166ecdd9d5d73d6be97ef7f7d16f05383892332acb324b73
SHA512: 85892182987a55f12a295c6bca9a4eb104b0a1c6c42670fa1b3ba274bfc7a3f2d522daea0022c09181c57cc1024ea21812300f189ef707e2dd66f775adbf3576
SSDEEP: 6144:p3lOYoaja8xzx/0wsxzSigabE5wKSDP99zBa77oNsKqqfPqOJ:p1CG/jsxzXgabEDSDP99zBa/HKqoPqOJ
Malware Config
Signatures

Contacts a large (534) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Changes its process name (1 IoCs)
Processes:
description: Changes the process name, possibly in an attempt to hide itself | ioc: dropbear | pid: 335 | process: sh

Modifies Watchdog functionality (1 TTPs, 2 IoCs)
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
Processes:
description: File opened for modification | ioc: /dev/watchdog
description: File opened for modification | ioc: /dev/misc/watchdog

Enumerates active TCP sockets (1 TTPs, 1 IoCs)
Gets active TCP sockets from the /proc virtual filesystem.
Processes:
description: File opened for reading | ioc: /proc/net/tcp | process: binsh.sh

Reads system routing table (1 TTPs, 1 IoCs)
Gets active network interfaces from the /proc virtual filesystem.
Processes:
description: File opened for reading | ioc: /proc/net/route

Writes file to system bin folder (1 TTPs, 2 IoCs)
Processes:
description: File opened for modification | ioc: /sbin/watchdog
description: File opened for modification | ioc: /bin/watchdog

Reads system network configuration (1 TTPs, 3 IoCs)
Uses contents of the /proc filesystem to enumerate network settings.
Processes:
description: File opened for reading | ioc: /proc/net/tcp | process: binsh.sh
description: File opened for reading | ioc: /proc/net/raw | process: binsh.sh
description: File opened for reading | ioc: /proc/net/route

Reads runtime system information (1 IoCs)
Reads data from the /proc virtual filesystem.
Processes:
description: File opened for reading | ioc: /proc/self/exe | process: binsh.sh

Writes file to tmp directory (1 IoCs)
Malware often drops required files in the /tmp directory.
Processes:
description: File opened for modification | ioc: /tmp/.ips | process: binsh.sh
Processes

/tmp/binsh.sh (command line: /tmp/binsh.sh) [depth 1]
  - Enumerates active TCP sockets
  - Reads system network configuration
  - Reads runtime system information
  - Writes file to tmp directory

/bin/sh (command line: sh -c "killall -9 telnetd utelnetd scfgmgr") [depth 1]

/bin/sh (command line: sh -c "iptables -I INPUT -p tcp --destination-port 47679 -j ACCEPT") [depth 1]
  - Changes its process name
  /sbin/iptables (command line: iptables -I INPUT -p tcp --destination-port 47679 -j ACCEPT) [depth 2]
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
memory/333-1-0x00400000-0x004c2fd8-memory.dmp