Analysis
max time kernel: 33s
platform: debian-9_mipsel
resource: debian9-mipsel-20231215-en
resource tags: arch:mipsel, image:debian9-mipsel-20231215-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 22-12-2023 05:35
Static task: static1
Behavioral task: behavioral1, sample 71feec726591d84cea09c54743a830c9, resource ubuntu1804-amd64-20231222-en
Behavioral task: behavioral2, sample 71feec726591d84cea09c54743a830c9, resource debian9-armhf-20231215-en
Behavioral task: behavioral3, sample 71feec726591d84cea09c54743a830c9, resource debian9-mipsbe-20231222-en
Behavioral task: behavioral4, sample 71feec726591d84cea09c54743a830c9, resource debian9-mipsel-20231215-en
General
Target: 71feec726591d84cea09c54743a830c9
Size: 434B
MD5: 71feec726591d84cea09c54743a830c9
SHA1: a16de25b76d2fe61abf71a759c9c54e9fddd76fe
SHA256: fcdfe2e840ff01799c632fbe055ac3af46422be04482238c73ceeb594fbb616f
SHA512: 44193fd9716b695ade062061604140aa67a0f4222b5827a2b2bbe23463be629cc4d773b76c08f6db813cac18c5ba7220d486e5e5ca3c9545485456c056a87a25
Malware Config
Signatures
Enumerates running processes
Discovers information about currently running processes on the system.
Reads CPU attributes (1 TTPs, 4 IoCs)
description | ioc | Process
File opened for reading | /sys/devices/system/cpu/power | find
File opened for reading | /sys/devices/system/cpu/cpu0 | find
File opened for reading | /sys/devices/system/cpu/cpu0/power | find
File opened for reading | /sys/devices/system/cpu/cpu0/topology | find
Reads network interface configuration (2 TTPs, 10 IoCs)
Fetches information about one or more active network interfaces.
description | ioc | Process
File opened for reading | /sys/devices/virtual/net/lo/statistics | find
File opened for reading | /sys/devices/pci0000:00/0000:00:13.0/net/enp0s19/queues | find
File opened for reading | /sys/devices/pci0000:00/0000:00:13.0/net/enp0s19/queues/tx-0 | find
File opened for reading | /sys/devices/pci0000:00/0000:00:13.0/net/enp0s19/queues/tx-0/byte_queue_limits | find
File opened for reading | /sys/devices/virtual/net/lo/queues | find
File opened for reading | /sys/devices/virtual/net/lo/queues/tx-0 | find
File opened for reading | /sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits | find
File opened for reading | /sys/devices/pci0000:00/0000:00:13.0/net/enp0s19/statistics | find
File opened for reading | /sys/devices/pci0000:00/0000:00:13.0/net/enp0s19/power | find
File opened for reading | /sys/devices/virtual/net/lo/power | find
Enumerates kernel/hardware configuration (1 TTPs, 64 IoCs)
Reads contents of /sys virtual filesystem to enumerate system information (all 64 reads by the find process).
Reads runtime system information (64 IoCs)
Reads data from /proc virtual filesystem (all 64 reads by the find process).
Writes file to tmp directory (1 IoCs)
Malware often drops required files in the /tmp directory.
description | ioc | Process
File opened for modification | /tmp/nohup.out | nohup
Processes
(indentation shows process depth; PID as reported by the sandbox)

/tmp/71feec726591d84cea09c54743a830c9 (PID 718)
  command: /tmp/71feec726591d84cea09c54743a830c9
  /usr/bin/nohup (PID 719)
    command: nohup find / -name index.html -exec /bin/cp index.html "{}" ";"
    signatures: Writes file to tmp directory
  /bin/rm (PID 720)
    command: rm -f /etc/hosts.deny
  /tmp/getip.sh (PID 724)
    command: ./getip.sh
  /usr/local/sbin/find (PID 719)
    command: find / -name index.html -exec /bin/cp index.html "{}" ";"
  /usr/local/bin/find (PID 719)
    command: find / -name index.html -exec /bin/cp index.html "{}" ";"
  /usr/sbin/find (PID 719)
    command: find / -name index.html -exec /bin/cp index.html "{}" ";"
  /usr/bin/find (PID 719)
    command: find / -name index.html -exec /bin/cp index.html "{}" ";"
    signatures: Reads CPU attributes; Reads network interface configuration; Enumerates kernel/hardware configuration; Reads runtime system information
    /bin/cp (PID 746)
      command: /bin/cp index.html /usr/share/doc/adduser/examples/adduser.local.conf.examples/skel.other/index.html
    /bin/cp (PID 747)
      command: /bin/cp index.html /usr/share/doc/shared-mime-info/shared-mime-info-spec.html/index.html
    /bin/cp (PID 748)
      command: /bin/cp index.html /usr/share/doc/python/python-policy.html/index.html
    /bin/cp (PID 749)
      command: /bin/cp index.html /usr/share/doc/nodejs/api/index.html
  /bin/cp (PID 727)
    command: cp synscan7 synscan
  /bin/cp (PID 730)
    command: cp w7 w
  /bin/cp (PID 733)
    command: cp l7 l
  /bin/cp (PID 735)
    command: cp s7 s
  /bin/cp (PID 736)
    command: cp randb7 randb
  /tmp/bd7.sh (PID 737)
    command: ./bd7.sh
  /tmp/start7.sh (PID 738)
    command: ./start7.sh
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 61B
MD5: c1142417c0d432d6a7b44ba855e0c63d
SHA1: 6785fe20e89b3dd412d569697df8c506398e96c2
SHA256: 4a744483e7b0dc530af08ea756d509c1a32fb5016a0a050490c9fa3bf3939fd2
SHA512: 0415370c92f052c758de3a9546c9aa0ed11cba873c5e420fa51f94869b62b85a8ef6ec166cde1b45a0aa70f048e1cbe8ebebd9e362ba063ecb1a8ea4aac626ac