83441d77abb6cf328e77e372dc17c607fb9c4a261722ae80d83708ae3865053d

Analysis

max time kernel
10s
max time network
14s
platform
debian-9_armhf
resource
debian9-armhf-20231215-en
resource tags

arch:armhfimage:debian9-armhf-20231215-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
20-12-2023 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd4b6f3216709e193ed9f06c37bcc389
Size

207KB
MD5

dd4b6f3216709e193ed9f06c37bcc389
SHA1

758ba1ab22dd37f0f9d6fd09419bfef44f810345
SHA256

83441d77abb6cf328e77e372dc17c607fb9c4a261722ae80d83708ae3865053d
SHA512

acb30371b0ec9bddf2b2f645af462f9ca7aa90fc4396a9313b891f20506fdb6b9788f151593ed1638982336603c7ca87bebd85b7a86b5658529e87dfaf4c9327
SSDEEP

3072:+8FpcpvBKlbMNZQm03ngoDxFEPuaZCPo5POdOQ33o:PFuBWbZ3ngoDvEQPAPqO1

Score

7^/10

persistence

Malware Config

Signatures

Changes its process name 1 IoCs

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	sshd	676

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

description	ioc
File opened for modification	/dev/watchdog
File opened for modification	/dev/misc/watchdog

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery

T1049

description	ioc
File opened for reading	/proc/net/tcp

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/S95baby.sh

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/sbin/watchdog
File opened for modification	/bin/watchdog

Reads system network configuration 1 TTPs 2 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc
File opened for reading	/proc/net/raw
File opened for reading	/proc/net/tcp

/tmp/dd4b6f3216709e193ed9f06c37bcc389
/tmp/dd4b6f3216709e193ed9f06c37bcc389
1⤵
PID:673

/bin/sh
sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"
1⤵
PID:682
- /sbin/iptables
  iptables -I INPUT -p tcp --destination-port 58000 -j DROP
  2⤵
  PID:687

/bin/sh
sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"
1⤵
PID:695
- /sbin/iptables
  iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
  2⤵
  PID:696

/bin/sh
sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""
1⤵
PID:699

/bin/sh
sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""
1⤵
PID:700

/bin/sh
sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"
1⤵
PID:701
- /sbin/iptables
  iptables -I INPUT -p tcp --destination-port 35000 -j DROP
  2⤵
  PID:702

/bin/sh
sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"
1⤵
PID:704
- /sbin/iptables
  iptables -I INPUT -p tcp --destination-port 50023 -j DROP
  2⤵
  PID:705

/bin/sh
sh -c "iptables -I INPUT -p tcp --destination-port 56091 -j ACCEPT"
1⤵
PID:706
- /sbin/iptables
  iptables -I INPUT -p tcp --destination-port 56091 -j ACCEPT
  2⤵
  PID:708

/bin/sh
sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"
1⤵
PID:707
- /sbin/iptables
  iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
  2⤵
  PID:709

/bin/sh
sh -c "iptables -I OUTPUT -p tcp --source-port 56091 -j ACCEPT"
1⤵
PID:710
- /sbin/iptables
  iptables -I OUTPUT -p tcp --source-port 56091 -j ACCEPT
  2⤵
  PID:712

/bin/sh
sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"
1⤵
PID:713
- /sbin/iptables
  iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
  2⤵
  PID:714

/bin/sh
sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 56091 -j ACCEPT"
1⤵
PID:715
- /sbin/iptables
  iptables -I PREROUTING -t nat -p tcp --destination-port 56091 -j ACCEPT
  2⤵
  PID:717

/bin/sh
sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"
1⤵
PID:716
- /sbin/iptables
  iptables -I INPUT -p tcp --destination-port 7547 -j DROP
  2⤵
  PID:718

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/usr/networks

Filesize
92KB

MD5
3590783d29d72e02021cac50440978e8

SHA1
cbc36222f9b6b05b739b83bf99ecea68f72212fd

SHA256
081491b8c14c716c714386c9c735c5efea1919f16bcabc5b29601be5663009d8

SHA512
4b7f19c36f93934a59326d4d8ddf61727be6b2af228f102ad8a9be69a412a3263e789aec383fcf7815be4fbb30e4db05d508e2f6dd70de53f2440b5a3885446c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads