Analysis
- max time kernel: 15s
- max time network: 24s
- platform: debian-9_mips
- resource: debian9-mipsbe-20231222-en
- resource tags: arch:mips, image:debian9-mipsbe-20231222-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
- submitted: 24-12-2023 22:44

Behavioral task: behavioral1
- Sample: 16a9d0a22e69e66728747bbc3490b407
- Resource: debian9-mipsbe-20231222-en
General
- Target: 16a9d0a22e69e66728747bbc3490b407
- Size: 142KB
- MD5: 16a9d0a22e69e66728747bbc3490b407
- SHA1: b91d9902e67ca9cd6d8df7cf9eca341e49ac62e9
- SHA256: fc9aa55efe4638867d5e5059820a322ecfbf785c76407e75fe33218df79eca6b
- SHA512: e90f0a2a9b157b5913238c5d4fe5fac33052bae3c3380a518d5c8f2106e1c918f40f41f8579be96713839f13013005058e86281a33d4bb6ac3015c1aa80e1830
- SSDEEP: 3072:2glZ3FtCKXhkmHtZ9TEKzjfj/WMngyIfsJ0F7xPto:2IIKXhZtL7jOTyIG87X
Malware Config
Signatures

Changes its process name (1 IoC)
- Changes the process name, possibly in an attempt to hide itself: sshd (PID 733)

Modifies Watchdog functionality (1 TTP, 2 IoCs)
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
- File opened for modification: /dev/misc/watchdog
- File opened for modification: /dev/watchdog

Enumerates active TCP sockets (1 TTP, 1 IoC)
Gets active TCP sockets from the /proc virtual filesystem.
- File opened for reading: /proc/net/tcp (process: 16a9d0a22e69e66728747bbc3490b407)

Enumerates running processes
Discovers information about currently running processes on the system.

Reads system routing table (1 TTP, 1 IoC)
Gets active network interfaces from the /proc virtual filesystem.
- File opened for reading: /proc/net/route

Writes file to system bin folder (1 TTP, 2 IoCs)
- File opened for modification: /bin/watchdog
- File opened for modification: /sbin/watchdog

Reads system network configuration (1 TTP, 3 IoCs)
Uses contents of the /proc filesystem to enumerate network settings.
- File opened for reading: /proc/net/raw (process: 16a9d0a22e69e66728747bbc3490b407)
- File opened for reading: /proc/net/route (process: not found)
- File opened for reading: /proc/net/tcp (process: 16a9d0a22e69e66728747bbc3490b407)

Reads runtime system information (64 IoCs)
Reads data from the /proc virtual filesystem.
- File opened for reading: /proc/17/stat (process: killall)
- File opened for reading: /proc/19/stat (process: killall)
- File opened for reading: /proc/73/stat (process: killall)
- File opened for reading: /proc/348/stat (process: killall)
- File opened for reading: /proc/392/stat (process: killall)
- File opened for reading: /proc/686/stat (process: killall)
- File opened for reading: /proc/701/stat (process: killall)
- File opened for reading: /proc/716/cmdline (process: killall)
- File opened for reading: /proc/3/stat (process: killall)
- File opened for reading: /proc/7/stat (process: killall)
- File opened for reading: /proc/110/stat (process: killall)
- File opened for reading: /proc/152/cmdline (process: killall)
- File opened for reading: /proc/176/stat (process: killall)
- File opened for reading: /proc/715/cmdline (process: killall)
- File opened for reading: /proc/5/stat (process: killall)
- File opened for reading: /proc/9/stat (process: killall)
- File opened for reading: /proc/81/stat (process: killall)
- File opened for reading: /proc/126/stat (process: killall)
- File opened for reading: /proc/127/cmdline (process: killall)
- File opened for reading: /proc/71/stat (process: killall)
- File opened for reading: /proc/689/stat (process: killall)
- File opened for reading: /proc/716/stat (process: killall)
- File opened for reading: /proc/720/stat (process: killall)
- File opened for reading: /proc/734/stat (process: killall)
- File opened for reading: /proc/737/stat (process: killall)
- File opened for reading: /proc/self/exe (process: 16a9d0a22e69e66728747bbc3490b407)
- File opened for reading: /proc/1/stat (process: killall)
- File opened for reading: /proc/21/stat (process: killall)
- File opened for reading: /proc/350/stat (process: killall)
- File opened for reading: /proc/733/cmdline (process: killall)
- File opened for reading: /proc/733/stat (process: killall)
- File opened for reading: /proc/2/stat (process: killall)
- File opened for reading: /proc/11/stat (process: killall)
- File opened for reading: /proc/16/stat (process: killall)
- File opened for reading: /proc/77/stat (process: killall)
- File opened for reading: /proc/445/stat (process: killall)
- File opened for reading: /proc/75/stat (process: killall)
- File opened for reading: /proc/721/stat (process: killall)
- File opened for reading: /proc/724/cmdline (process: killall)
- File opened for reading: /proc/4/stat (process: killall)
- File opened for reading: /proc/10/stat (process: killall)
- File opened for reading: /proc/14/stat (process: killall)
- File opened for reading: /proc/79/stat (process: killall)
- File opened for reading: /proc/380/stat (process: killall)
- File opened for reading: /proc/15/stat (process: killall)
- File opened for reading: /proc/70/stat (process: killall)
- File opened for reading: /proc/718/stat (process: killall)
- File opened for reading: /proc/74/stat (process: killall)
- File opened for reading: /proc/82/stat (process: killall)
- File opened for reading: /proc/396/stat (process: killall)
- File opened for reading: /proc/filesystems (process: killall)
- File opened for reading: /proc/12/stat (process: killall)
- File opened for reading: /proc/13/stat (process: killall)
- File opened for reading: /proc/18/stat (process: killall)
- File opened for reading: /proc/22/stat (process: killall)
- File opened for reading: /proc/690/stat (process: killall)
- File opened for reading: /proc/724/stat (process: killall)
- File opened for reading: /proc/727/stat (process: killall)
- File opened for reading: /proc/6/stat (process: killall)
- File opened for reading: /proc/23/stat (process: killall)
- File opened for reading: /proc/72/stat (process: killall)
- File opened for reading: /proc/352/stat (process: killall)
- File opened for reading: /proc/381/stat (process: killall)
- File opened for reading: /proc/684/stat (process: killall)

Writes file to tmp directory (1 IoC)
Malware often drops required files in the /tmp directory.
- File opened for modification: /tmp/.ips (process: 16a9d0a22e69e66728747bbc3490b407)

Processes
- /tmp/16a9d0a22e69e66728747bbc3490b407 (PID 729)
  Command line: /tmp/16a9d0a22e69e66728747bbc3490b407
  Signatures: Enumerates active TCP sockets; Reads system network configuration; Reads runtime system information; Writes file to tmp directory
- /bin/sh (PID 734)
  Command line: sh -c "killall -9 telnetd utelnetd scfgmgr"
  - /usr/bin/killall (PID 735)
    Command line: killall -9 telnetd utelnetd scfgmgr
    Signatures: Reads runtime system information