Analysis
- max time kernel: 150s
- max time network: 152s
- platform: debian-9_mips
- resource: debian9-mipsbe-20221125-en
- resource tags: arch:mips, image:debian9-mipsbe-20221125-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
- submitted: 20/07/2023, 02:50

Behavioral task
- behavioral1
  - Sample: mips.elf
  - Resource: debian9-mipsbe-20221125-en

General
- Target: mips.elf
- Size: 83KB
- MD5: 18ba12dd768349bfeaa9d5f53e6c6996
- SHA1: d24e449d254f92d2584a2a575993dd71c4927414
- SHA256: 1a766597645aaac1363b2935feb55ca8ebfc324f30483636ad934182c28f7c44
- SHA512: f570a83f7c4e994c47ce93e2970ef38b267c98eaa2e371f630696e6682968b506d5c94bad086dc1aa417dbcc2ed499d2d93fe53b35e2f79ddba2e3a5bd2117a4
- SSDEEP: 1536:CnE3bnaTw6A4fkImsj9HbcFecmB2W7hVP:CE3bnaTw6A4hmsj9Hbc824VP
Malware Config
Signatures
- Contacts a large (35324) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
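The two signatures above are raised on raw counts. The following is an added example, not part of the sandbox report, of the per-process fan-out check a detection engineer would run over flow records to separate a scanner from a merely busy client: it counts distinct destination hosts per pid and the fraction of flows that go to a host not seen before. The flow tuples, the pid numbers other than 327, the destination port 2323 and the thresholds are constructed for the demo; the report gives only the total of 35324 remote hosts.

```python
"""Added example (not the sandbox's own code): detect the fan-out pattern
behind the 'Contacts a large amount of remote hosts' / 'Creates a large
amount of network flows' signatures from per-process flow records."""
from collections import defaultdict
import ipaddress
import random


def build_sample_flows(n_scan=3000, seed=7):
    """Constructed flow records (src_pid, dst_ip, dst_port). The real capture
    is not on the page; the target selection and the port are assumptions
    chosen only to produce a realistic fan-out for the demo."""
    rng = random.Random(seed)
    flows = []
    # Benign client: many flows, but to only two hosts.
    for _ in range(200):
        flows.append((101, rng.choice(["10.0.0.53", "93.184.216.34"]), 443))
    # Scanner (pid 327 in the report): one flow per random public address.
    for _ in range(n_scan):
        dst = ipaddress.IPv4Address(rng.getrandbits(32))
        if dst.is_global:
            flows.append((327, str(dst), 2323))
    return flows


def fanout_stats(flows):
    """Per pid: (distinct destination hosts, total flows, distinct ports)."""
    hosts, ports, count = defaultdict(set), defaultdict(set), defaultdict(int)
    for pid, dst, port in flows:
        hosts[pid].add(dst)
        ports[pid].add(port)
        count[pid] += 1
    return {pid: (len(hosts[pid]), count[pid], len(ports[pid])) for pid in count}


def find_scanners(flows, min_hosts=500, min_new_host_ratio=0.9):
    """Flag pids that reach at least min_hosts distinct hosts and whose flows
    are almost all to a previously unseen host. A legitimate client reuses a
    few destinations, so its ratio stays low however many flows it makes."""
    hits = {}
    for pid, (n_hosts, n_flows, n_ports) in fanout_stats(flows).items():
        ratio = n_hosts / n_flows
        if n_hosts >= min_hosts and ratio >= min_new_host_ratio:
            hits[pid] = {"hosts": n_hosts, "flows": n_flows,
                         "ports": n_ports, "ratio": round(ratio, 3)}
    return hits


if __name__ == "__main__":
    for pid, info in find_scanners(build_sample_flows()).items():
        print(f"pid {pid}: {info}")
```

The threshold of 500 hosts is arbitrary and far below the report's 35324; the ratio is what keeps a DNS resolver or a web crawler out of the alert. A scanner also tends to touch a single port across all those hosts, which is why the port count is carried along in the result.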
- Changes its process name (1 IoC)
  description | ioc | pid | process
  Changes the process name, possibly in an attempt to hide itself | /bin/systemd | 327 | mips.elf
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Reads runtime system information (64 IoCs)
  Reads data from /proc virtual filesystem. The 62 /proc/<pid>/cmdline reads correspond to the process enumeration above; the sandbox could not attribute them to a process ("Process not Found").
  description | ioc | process
  File opened for reading | /proc/<pid>/cmdline for pid in 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 36, 37, 68, 70, 71, 72, 73, 74, 78, 81, 82, 105, 115, 116, 141, 144, 158, 206, 217, 218, 219, 222, 251, 252, 255, 256, 277, 287, 296, 297, 322, 325, 326, 335, 336, 344, 348, 384, 399, 437 | Process not Found
  File opened for reading | /proc/filesystems | mv
  File opened for reading | /proc/filesystems | mkdir
- Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory. The path below is the relative bin/systemd from the sh command line, resolved against the shell's working directory /tmp.
  description | ioc | process
  File opened for modification | /tmp/bin/systemd | sh
Processes
- /tmp/mips.elf (PID 327), command line: /tmp/mips.elf
  - Changes its process name
  - /bin/sh (PID 328), command line: sh -c "rm -rf bin/systemd && mkdir bin; >bin/systemd && mv /tmp/mips.elf bin/systemd; chmod 777 bin/systemd"
    - Writes file to tmp directory
    - /bin/rm (PID 329), command line: rm -rf bin/systemd
    - /bin/mkdir (PID 330), command line: mkdir bin
      - Reads runtime system information
    - /bin/mv (PID 331), command line: mv /tmp/mips.elf bin/systemd
      - Reads runtime system information
    - /bin/chmod (PID 332), command line: chmod 777 bin/systemd
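The process tree shows the sample renaming itself to /bin/systemd, moving its own file to bin/systemd under /tmp and making it world-writable. The following is an added example, not from the sandbox report or the sample, of how an incident responder would hunt for that masquerade on a live host: it compares what a process calls itself (/proc/<pid>/comm and argv[0]) with where its executable actually resolves (/proc/<pid>/exe) and how that file is permissioned. The constructed snapshot, the set of legitimate systemd paths, the scratch-directory list and the assumption that the sample set its name via prctl(PR_SET_NAME) are mine; the report only states that the name became /bin/systemd.

```python
"""Added example (not from the sandbox report or the sample): hunt for a
process that has renamed itself to look like systemd while its backing
executable is a world-writable file in a scratch directory, the pattern in
the 'Changes its process name' and 'Writes file to tmp directory'
signatures and the relocation command in the process tree."""
import os
import stat

# Where a genuine systemd/init binary resolves to on Debian (assumption:
# a standard install; adjust the set for other distributions).
LEGIT_SYSTEMD_EXE = {"/lib/systemd/systemd", "/usr/lib/systemd/systemd",
                     "/sbin/init", "/usr/sbin/init"}
SCRATCH_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


def masquerade_reasons(comm, cmdline, exe, exe_mode=None):
    """Return the reasons a process claiming to be systemd looks fake.
    comm     : content of /proc/<pid>/comm (what PR_SET_NAME overwrites)
    cmdline  : /proc/<pid>/cmdline with its NUL separators
    exe      : readlink('/proc/<pid>/exe'); the link follows the inode, so it
               shows the new path even after the file is mv'ed as here
    exe_mode : st_mode of that file, if it could be stat'ed"""
    argv0 = cmdline.split("\0")[0]
    if "systemd" not in comm and "systemd" not in os.path.basename(argv0):
        return []
    reasons = []
    real_exe = exe.replace(" (deleted)", "")
    if real_exe not in LEGIT_SYSTEMD_EXE:
        reasons.append(f"exe {exe!r} is not a known systemd binary")
    if real_exe.startswith(SCRATCH_PREFIXES):
        reasons.append("exe lives in a scratch directory")
    if exe.endswith(" (deleted)"):
        reasons.append("exe was unlinked after exec")
    if "/" in comm:
        # exec() sets comm to the file's basename; a slash only gets there
        # through prctl(PR_SET_NAME), e.g. the report's '/bin/systemd'.
        reasons.append(f"comm {comm!r} contains a path separator")
    if exe_mode is not None and exe_mode & stat.S_IWOTH:
        reasons.append("exe is world-writable (chmod 777)")
    return reasons


def scan_proc(proc="/proc"):
    """Walk a live /proc and report suspicious systemd look-alikes.
    Needs root to read other users' exe links; unreadable pids are skipped."""
    findings = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"{proc}/{pid}/cmdline", "rb") as f:
                cmdline = f.read().decode(errors="replace")
            exe = os.readlink(f"{proc}/{pid}/exe")
            try:
                mode = os.stat(f"{proc}/{pid}/exe").st_mode
            except OSError:
                mode = None
        except OSError:
            continue  # process exited or we lack permission
        reasons = masquerade_reasons(comm, cmdline, exe, mode)
        if reasons:
            findings[int(pid)] = reasons
    return findings


# Constructed snapshot mirroring the report: pid 327 started as /tmp/mips.elf,
# renamed itself '/bin/systemd' and was moved to /tmp/bin/systemd, mode 777.
SAMPLE_SNAPSHOT = {
    1:   ("systemd", "/sbin/init\0", "/lib/systemd/systemd", 0o100755),
    327: ("/bin/systemd", "/tmp/mips.elf\0", "/tmp/bin/systemd", 0o100777),
    328: ("sh", "sh\0-c\0rm -rf bin/systemd && mkdir bin\0", "/bin/dash", 0o100755),
}


def scan_snapshot(snapshot=SAMPLE_SNAPSHOT):
    """Apply the same check to a captured (pid -> comm, cmdline, exe, mode) map."""
    return {pid: r for pid, (comm, cl, exe, mode) in snapshot.items()
            if (r := masquerade_reasons(comm, cl, exe, mode))}


if __name__ == "__main__":
    for pid, reasons in scan_snapshot().items():
        print(pid, *reasons, sep="\n  ")
```

Run scan_proc() as root on the suspect host; the constructed snapshot only shows what the output looks like for this report's process. Because /proc/<pid>/exe tracks the inode, the link for pid 327 points at /tmp/bin/systemd after the mv rather than at the original /tmp/mips.elf, which is why the check keys on the directory and the permissions of the target rather than on the original file name.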