Analysis

max time kernel: 4s
platform: debian-9_mips
resource: debian9-mipsbe-20231215-en
resource tags: arch:mips, image:debian9-mipsbe-20231215-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
submitted: 24/12/2023, 02:43

Static task: static1

Behavioral task behavioral1: sample 951c1b23c9f6ca7fcd52cd3e5aaf553c.bin, resource ubuntu1804-amd64-20231215-en
Behavioral task behavioral2: sample 951c1b23c9f6ca7fcd52cd3e5aaf553c.bin, resource debian9-armhf-20231215-en
Behavioral task behavioral3: sample 951c1b23c9f6ca7fcd52cd3e5aaf553c.bin, resource debian9-mipsbe-20231215-en
Behavioral task behavioral4: sample 951c1b23c9f6ca7fcd52cd3e5aaf553c.bin, resource debian9-mipsel-20231215-en
General

Target: 951c1b23c9f6ca7fcd52cd3e5aaf553c.bin
Size: 487B
MD5: 951c1b23c9f6ca7fcd52cd3e5aaf553c
SHA1: 9220bd5b94ba5faec011482cc98b70b18819aedf
SHA256: 5f5512bea1ed7e22b806faca3a77dc918dc5657f8057eea4cbdc780af06d9475
SHA512: 8ed5240e19b87f4d7b184da51f7895763f74dc7cc8f8378ddfd3cceb12e9aca2b8f8aa50bf383af6179a33e5b2a4d5189bf5224549396b1ad01f1d593f01cf50
Malware Config

(none extracted)

Signatures

Executes dropped EXE (1 IoC)
  ioc: /tmp/r  pid: 738  process: r

Enumerates kernel/hardware configuration (1 TTP, 10 IoCs)
Reads contents of /sys virtual filesystem to enumerate system information.
  File opened for reading: /sys/fs (process: find)
  File opened for reading: /sys/kernel (process: find)
  File opened for reading: /sys/power (process: find)
  File opened for reading: /sys/class (process: find)
  File opened for reading: /sys/bus (process: find)
  File opened for reading: /sys/module (process: find)
  File opened for reading: /sys/block (process: find)
  File opened for reading: /sys/devices (process: find)
  File opened for reading: /sys/dev (process: find)
  File opened for reading: /sys/firmware (process: find)
Reads runtime system information (64 IoCs)
Reads data from /proc virtual filesystem (all entries opened for reading by process: find).
Writes file to tmp directory (2 IoCs)
Malware often drops required files in the /tmp directory.
  File opened for modification: /tmp/~/r (process: touch)
  File opened for modification: /tmp/r (process: touch)
Processes

/tmp/951c1b23c9f6ca7fcd52cd3e5aaf553c.bin (PID 715)
  command line: /tmp/951c1b23c9f6ca7fcd52cd3e5aaf553c.bin

    /usr/bin/find (PID 718)
      command line: find / -maxdepth 3 -type d "(" -perm -o+w ")"
      signatures: Enumerates kernel/hardware configuration; Reads runtime system information

    /usr/bin/touch (PID 733)
      command line: touch "~/r"
      signatures: Writes file to tmp directory

    /usr/bin/touch (PID 735)
      command line: touch ./r
      signatures: Writes file to tmp directory

    /bin/chmod (PID 737)
      command line: chmod +x ./r

    /tmp/r (PID 738)
      command line: ./r
      signatures: Executes dropped EXE

    /bin/sh (PID 738)
      command line: /bin/sh ./r

    /bin/rm (PID 740)
      command line: rm ./r