Analysis
- max time kernel: 5s
- platform: debian-9_mipsel
- resource: debian9-mipsel-20231215-en
- resource tags: arch:mipsel, image:debian9-mipsel-20231215-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
- submitted: 24/12/2023, 02:43
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 951c1b23c9f6ca7fcd52cd3e5aaf553c.bin
  Resource: ubuntu1804-amd64-20231215-en
- Behavioral task: behavioral2
  Sample: 951c1b23c9f6ca7fcd52cd3e5aaf553c.bin
  Resource: debian9-armhf-20231215-en
- Behavioral task: behavioral3
  Sample: 951c1b23c9f6ca7fcd52cd3e5aaf553c.bin
  Resource: debian9-mipsbe-20231215-en
- Behavioral task: behavioral4
  Sample: 951c1b23c9f6ca7fcd52cd3e5aaf553c.bin
  Resource: debian9-mipsel-20231215-en
General
- Target: 951c1b23c9f6ca7fcd52cd3e5aaf553c.bin
- Size: 487B
- MD5: 951c1b23c9f6ca7fcd52cd3e5aaf553c
- SHA1: 9220bd5b94ba5faec011482cc98b70b18819aedf
- SHA256: 5f5512bea1ed7e22b806faca3a77dc918dc5657f8057eea4cbdc780af06d9475
- SHA512: 8ed5240e19b87f4d7b184da51f7895763f74dc7cc8f8378ddfd3cceb12e9aca2b8f8aa50bf383af6179a33e5b2a4d5189bf5224549396b1ad01f1d593f01cf50
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  ioc: /tmp/r, pid: 734, process: r
- Enumerates kernel/hardware configuration (1 TTP, 10 IoCs)
  Reads contents of /sys virtual filesystem to enumerate system information.
  File opened for reading /sys/kernel (process: find)
  File opened for reading /sys/devices (process: find)
  File opened for reading /sys/power (process: find)
  File opened for reading /sys/dev (process: find)
  File opened for reading /sys/block (process: find)
  File opened for reading /sys/class (process: find)
  File opened for reading /sys/firmware (process: find)
  File opened for reading /sys/fs (process: find)
  File opened for reading /sys/bus (process: find)
  File opened for reading /sys/module (process: find)
- Reads runtime system information (64 IoCs)
  Reads data from /proc virtual filesystem (process: find).
- Writes file to tmp directory (2 IoCs)
  Malware often drops required files in the /tmp directory.
  File opened for modification /tmp/~/r (process: touch)
  File opened for modification /tmp/r (process: touch)
Processes
- /tmp/951c1b23c9f6ca7fcd52cd3e5aaf553c.bin
  Command: /tmp/951c1b23c9f6ca7fcd52cd3e5aaf553c.bin
  PID: 714
  - /usr/bin/find
    Command: find / -maxdepth 3 -type d "(" -perm -o+w ")"
    PID: 716
    Signatures: Enumerates kernel/hardware configuration; Reads runtime system information
  - /usr/bin/touch
    Command: touch "~/r"
    PID: 729
    Signatures: Writes file to tmp directory
  - /usr/bin/touch
    Command: touch ./r
    PID: 730
    Signatures: Writes file to tmp directory
  - /bin/chmod
    Command: chmod +x ./r
    PID: 733
  - /tmp/r
    Command: ./r
    PID: 734
    Signatures: Executes dropped EXE
  - /bin/sh
    Command: /bin/sh ./r
    PID: 734
  - /bin/rm
    Command: rm ./r
    PID: 737