d5601202dff3017db238145ff21857415f663031aca9b3d534bec8991b12179a

General

Target

Untitled.i
Size

83KB
MD5

b8ed2cb3e9fedec5b164ce84ad5a08d0
SHA1

b45ef9ad0a29b0a402d1613b10c3f6e95686230c
SHA256

d5601202dff3017db238145ff21857415f663031aca9b3d534bec8991b12179a
SHA512

98aa6abf6bc6b27ea2833122c468e436c267ef40c5ecbbd6446174d0859920e7b7bbcec617e12d7aa9e89e0492e5dcf4cf49a6208e7252fd0619047818454a31
SSDEEP

1536:m3LqE6rUQWzVQR7iAGEcUT5PIi7pLqBNs4LOjcwf4nB6XuzGNy+iSc7tNUZM:mOE6PWo1T5bz4LVMXuzVNScWM

Score

9^/10

discovery

Malware Config

Signatures

Contacts a large (15329) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Changes its process name 3 IoCs

Processes:

shshiptables

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	telnetd	333	sh
Changes the process name, possibly in an attempt to hide itself	telnetd	430	sh
Changes the process name, possibly in an attempt to hide itself	telnetd	467	iptables

Deletes itself 3 IoCs

Processes:

shshiptables

pid process

333 sh
430 sh
467 iptables
Executes dropped EXE 2 IoCs

Processes:

shsh

ioc pid process

/tmp/atk 430 sh
/tmp/.i 466 sh

pid	process
333	sh
430	sh
467	iptables

ioc	pid	process
/tmp/atk	430	sh
/tmp/.i	466	sh

Modifies Watchdog functionality 1 TTPs 4 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

Processes:

Untitled.i.i

description	ioc	process
File opened for modification	/dev/watchdog	Untitled.i
File opened for modification	/dev/misc/watchdog	Untitled.i
File opened for modification	/dev/watchdog	.i
File opened for modification	/dev/misc/watchdog	.i

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

description ioc

File opened for reading /proc/net/tcp
Enumerates running processes
Discovers information about currently running processes on the system
Reads system routing table 1 TTPs 2 IoCs
Gets active network interfaces from /proc virtual filesystem.

System Network Configuration Discovery
T1016

Processes:

Untitled.i.i

description ioc process

File opened for reading /proc/net/route Untitled.i
File opened for reading /proc/net/route .i

description	ioc
File opened for reading	/proc/net/tcp

description	ioc	process
File opened for reading	/proc/net/route	Untitled.i
File opened for reading	/proc/net/route	.i

Reads system network configuration 1 TTPs 4 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

Processes:

.iUntitled.i

description	ioc
File opened for reading	/proc/net/tcp
File opened for reading	/proc/net/tcp6
File opened for reading	/proc/net/route	.i
File opened for reading	/proc/net/route	Untitled.i

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc
File opened for reading	/proc/6/cmdline
File opened for reading	/proc/331/cmdline
File opened for reading	/proc/301/cmdline
File opened for reading	/proc/74/cmdline
File opened for reading	/proc/467/fd
File opened for reading	/proc/284/cmdline
File opened for reading	/proc/250/cmdline
File opened for reading	/proc/145/cmdline
File opened for reading	/proc/333/cmdline
File opened for reading	/proc/225/cmdline
File opened for reading	/proc/251/fd
File opened for reading	/proc/141/fd
File opened for reading	/proc/22/cmdline
File opened for reading	/proc/18/cmdline
File opened for reading	/proc/3/cmdline
File opened for reading	/proc/467/cmdline
File opened for reading	/proc/258/fd
File opened for reading	/proc/141/cmdline
File opened for reading	/proc/21/cmdline
File opened for reading	/proc/5/cmdline
File opened for reading	/proc/81/cmdline
File opened for reading	/proc/78/cmdline
File opened for reading	/proc/75/cmdline
File opened for reading	/proc/224/fd
File opened for reading	/proc/114/cmdline
File opened for reading	/proc/69/cmdline
File opened for reading	/proc/2/cmdline
File opened for reading	/proc/336/cmdline
File opened for reading	/proc/301/fd
File opened for reading	/proc/300/cmdline
File opened for reading	/proc/225/fd
File opened for reading	/proc/37/cmdline
File opened for reading	/proc/17/cmdline
File opened for reading	/proc/12/cmdline
File opened for reading	/proc/1/cmdline
File opened for reading	/proc/327/cmdline
File opened for reading	/proc/209/cmdline
File opened for reading	/proc/71/cmdline
File opened for reading	/proc/10/cmdline
File opened for reading	/proc/8/cmdline
File opened for reading	/proc/465/cmdline
File opened for reading	/proc/251/cmdline
File opened for reading	/proc/250/fd
File opened for reading	/proc/156/cmdline
File opened for reading	/proc/83/cmdline
File opened for reading	/proc/1/fd
File opened for reading	/proc/330/cmdline
File opened for reading	/proc/284/fd
File opened for reading	/proc/282/cmdline
File opened for reading	/proc/224/cmdline
File opened for reading	/proc/209/fd
File opened for reading	/proc/156/fd
File opened for reading	/proc/115/cmdline
File opened for reading	/proc/19/cmdline
File opened for reading	/proc/291/cmdline
File opened for reading	/proc/258/cmdline
File opened for reading	/proc/228/cmdline
File opened for reading	/proc/7/cmdline
File opened for reading	/proc/14/cmdline
File opened for reading	/proc/13/cmdline
File opened for reading	/proc/228/fd
File opened for reading	/proc/24/cmdline
File opened for reading	/proc/16/cmdline
File opened for reading	/proc/72/cmdline

Writes file to tmp directory 6 IoCs

Malware often drops required files in the /tmp directory.

Processes:

description	ioc
File opened for modification	/tmp/fifo
File opened for modification	/tmp/.p/.d
File opened for modification	/tmp/.p/atk.mipsel
File opened for modification	/tmp/atk
File opened for modification	/tmp/.p/.i.mipsel
File opened for modification	/tmp/.i

/tmp/Untitled.i
/tmp/Untitled.i
1⤵
- Modifies Watchdog functionality
- Reads system routing table
- Reads system network configuration
PID:332

/bin/sh
sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"
1⤵
- Changes its process name
- Deletes itself
PID:334
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 23 -j DROP
  2⤵
  PID:335

/bin/sh
sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
1⤵
PID:344
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 7547 -j DROP
  2⤵
  PID:345

/bin/sh
sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
1⤵
PID:346
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 5555 -j DROP
  2⤵
  PID:347

/bin/sh
sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"
1⤵
PID:348
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 5358 -j DROP
  2⤵
  PID:349

/bin/sh
sh -c "iptables -D INPUT -j CWMP_CR"
1⤵
PID:350
- /sbin/iptables
  iptables -D INPUT -j CWMP_CR
  2⤵
  PID:351

/bin/sh
sh -c "iptables -X CWMP_CR"
1⤵
PID:352
- /sbin/iptables
  iptables -X CWMP_CR
  2⤵
  PID:353

/bin/sh
sh -c "iptables -I INPUT -p udp --dport 37714 -j ACCEPT"
1⤵
PID:354
- /sbin/iptables
  iptables -I INPUT -p udp --dport 37714 -j ACCEPT
  2⤵
  PID:355

/tmp/atk
./atk
1⤵
PID:430
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --dport 37632 -j ACCEPT"
  2⤵
  - Changes its process name
  - Deletes itself
  - Executes dropped EXE
  PID:431
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 37632 -j ACCEPT
    3⤵
    PID:432
- /bin/sh
  sh -c "iptables -I INPUT -p udp --dport 37632 -j ACCEPT"
  2⤵
  PID:435
- - /sbin/iptables
    iptables -I INPUT -p udp --dport 37632 -j ACCEPT
    3⤵
    PID:436

/tmp/.i
./.i
1⤵
- Modifies Watchdog functionality
- Reads system routing table
- Reads system network configuration
PID:466

/bin/sh
sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"
1⤵
- Executes dropped EXE
PID:468
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 23 -j DROP
  2⤵
  - Changes its process name
  - Deletes itself
  PID:469

/bin/sh
sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
1⤵
PID:470
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 7547 -j DROP
  2⤵
  PID:471

/bin/sh
sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
1⤵
PID:472
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 5555 -j DROP
  2⤵
  PID:473

/bin/sh
sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"
1⤵
PID:474
- /sbin/iptables
  iptables -A INPUT -p tcp --destination-port 5358 -j DROP
  2⤵
  PID:475

/bin/sh
sh -c "iptables -D INPUT -j CWMP_CR"
1⤵
PID:476
- /sbin/iptables
  iptables -D INPUT -j CWMP_CR
  2⤵
  PID:477

/bin/sh
sh -c "iptables -X CWMP_CR"
1⤵
PID:478
- /sbin/iptables
  iptables -X CWMP_CR
  2⤵
  PID:479

/bin/sh
sh -c "iptables -I INPUT -p udp --dport 37714 -j ACCEPT"
1⤵
PID:480
- /sbin/iptables
  iptables -I INPUT -p udp --dport 37714 -j ACCEPT
  2⤵
  PID:481

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Network Service Discovery

2

T1046

System Network Configuration Discovery

2

T1016

System Network Connections Discovery

1

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.i

Filesize
83KB

MD5
b8ed2cb3e9fedec5b164ce84ad5a08d0

SHA1
b45ef9ad0a29b0a402d1613b10c3f6e95686230c

SHA256
d5601202dff3017db238145ff21857415f663031aca9b3d534bec8991b12179a

SHA512
98aa6abf6bc6b27ea2833122c468e436c267ef40c5ecbbd6446174d0859920e7b7bbcec617e12d7aa9e89e0492e5dcf4cf49a6208e7252fd0619047818454a31

Download Submit
/tmp/.p/.d

Filesize
596B

MD5
6107001cc26d4fd4f7690fc98cd1c638

SHA1
7e329ad74736ce7c91f0dae6a77869de0ab8669f

SHA256
71de04a046b0480a6d4cbd3efce153382031510c691ceb7443d515f719516a01

SHA512
ce01c064145cb88023c88a54b65936bb61bbff9f589f3f2a3aa7cee48fc7c8e7dff3c5e65218ee005c436a70fb326ccf1d283e9f77f2f5db0b79330948e820b9

Download Submit
/tmp/atk

Filesize
47KB

MD5
4b5a3d4ff5e6722d35a4d86200eb46a2

SHA1
b157df100f52ccdf5413ca25fff91a97596aa3d6

SHA256
e0bc7ca2ad04110fd5b76d0a55565f7356ed0d669d5988896073cc0e58b6b944

SHA512
53fa0a5a6710c4acef19f930e68a50b026a5259d22c89804b387bfc432e63a73091069b9b8e5dc40ef5c7940e04f667d7cc6a4c585cdf1c096745614ee2c3770

Download Submit
memory/332-1-0x00400000-0x0047a5a0-memory.dmp

Download
memory/430-2-0x00400000-0x00466fe0-memory.dmp

Download
memory/466-3-0x00400000-0x0047a5a0-memory.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads