418b34fe8f70f8449742f56607d810bc1d011b9ab4d32f3c2999334d7ddfe2b4

Analysis

max time kernel
27s
max time network
58s
platform
debian-9_armhf
resource
debian9-armhf-20231222-en
resource tags

arch:armhfimage:debian9-armhf-20231222-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
26-12-2023 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Malware-master/Linux/ELF/2021.04.20-Mozi.m
Size

300KB
MD5

eec5c6c219535fba3a0492ea8118b397
SHA1

292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21
SHA256

12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef
SHA512

3482c8324a18302f0f37b6e23ed85f24fff9f50bb568d8fd7461bf57f077a7c592f7a88bb2e1c398699958946d87bb93ab744d13a0003f9b879c15e6471f7400
SSDEEP

6144:T2s/gAWuboqsJ9xcJxspJBqQgTuaJZRhVabE5wKSDP99zBa77oNsKqqfPqOJ:T2s/bW+UmJqBxAuaPRhVabEDSDP99zBT

Score

9^/10

discovery persistence

Malware Config

Signatures

Contacts a large (2029) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Changes its process name 1 IoCs

Processes:

description ioc pid

Changes the process name, possibly in an attempt to hide itself sshd 682
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

description ioc

File opened for modification /dev/misc/watchdog
File opened for modification /dev/watchdog
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

2021.04.20-Mozi.m

description ioc process

File opened for reading /proc/net/tcp 2021.04.20-Mozi.m
Enumerates running processes
Discovers information about currently running processes on the system
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

description ioc

File opened for modification /etc/init.d/S95baby.sh
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.

System Network Configuration Discovery
T1016

Processes:

description ioc

File opened for reading /proc/net/route
Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow
T1574

Processes:

description ioc

File opened for modification /sbin/watchdog
File opened for modification /bin/watchdog

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	sshd	682

description	ioc
File opened for modification	/dev/misc/watchdog
File opened for modification	/dev/watchdog

description	ioc
File opened for modification	/etc/init.d/S95baby.sh

description	ioc
File opened for reading	/proc/net/route

description	ioc
File opened for modification	/sbin/watchdog
File opened for modification	/bin/watchdog

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

Processes:

2021.04.20-Mozi.m

description	ioc	process
File opened for reading	/proc/net/tcp	2021.04.20-Mozi.m
File opened for reading	/proc/net/raw	2021.04.20-Mozi.m
File opened for reading	/proc/net/route

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

killall

description	ioc	process
File opened for reading	/proc/264/stat	killall
File opened for reading	/proc/685/stat	killall
File opened for reading	/proc/3/stat	killall
File opened for reading	/proc/4/stat	killall
File opened for reading	/proc/5/stat	killall
File opened for reading	/proc/17/stat	killall
File opened for reading	/proc/19/stat	killall
File opened for reading	/proc/656/stat	killall
File opened for reading	/proc/2/stat	killall
File opened for reading	/proc/25/stat	killall
File opened for reading	/proc/186/stat	killall
File opened for reading	/proc/603/stat	killall
File opened for reading	/proc/649/stat	killall
File opened for reading	/proc/12/stat	killall
File opened for reading	/proc/567/stat	killall
File opened for reading	/proc/28/stat	killall
File opened for reading	/proc/41/stat	killall
File opened for reading	/proc/42/stat	killall
File opened for reading	/proc/43/stat	killall
File opened for reading	/proc/645/stat	killall
File opened for reading	/proc/272/stat	killall
File opened for reading	/proc/273/stat	killall
File opened for reading	/proc/682/cmdline	killall
File opened for reading	/proc/27/stat	killall
File opened for reading	/proc/139/stat	killall
File opened for reading	/proc/141/stat	killall
File opened for reading	/proc/649/cmdline	killall
File opened for reading	/proc/1/stat	killall
File opened for reading	/proc/10/stat	killall
File opened for reading	/proc/11/stat	killall
File opened for reading	/proc/263/stat	killall
File opened for reading	/proc/275/stat	killall
File opened for reading	/proc/307/stat	killall
File opened for reading	/proc/644/stat	killall
File opened for reading	/proc/13/stat	killall
File opened for reading	/proc/22/stat	killall
File opened for reading	/proc/76/stat	killall
File opened for reading	/proc/98/stat	killall
File opened for reading	/proc/141/cmdline	killall
File opened for reading	/proc/683/stat	killall
File opened for reading	/proc/15/stat	killall
File opened for reading	/proc/24/stat	killall
File opened for reading	/proc/106/stat	killall
File opened for reading	/proc/138/stat	killall
File opened for reading	/proc/640/stat	killall
File opened for reading	/proc/8/stat	killall
File opened for reading	/proc/210/stat	killall
File opened for reading	/proc/296/stat	killall
File opened for reading	/proc/568/stat	killall
File opened for reading	/proc/7/stat	killall
File opened for reading	/proc/18/stat	killall
File opened for reading	/proc/168/stat	killall
File opened for reading	/proc/571/stat	killall
File opened for reading	/proc/stat
File opened for reading	/proc/filesystems	killall
File opened for reading	/proc/6/stat	killall
File opened for reading	/proc/9/stat	killall
File opened for reading	/proc/580/stat	killall
File opened for reading	/proc/641/cmdline	killall
File opened for reading	/proc/680/stat	killall
File opened for reading	/proc/29/stat	killall
File opened for reading	/proc/109/stat	killall
File opened for reading	/proc/109/cmdline	killall
File opened for reading	/proc/150/stat	killall

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

2021.04.20-Mozi.m

description ioc process

File opened for modification /tmp/Malware-master/Linux/ELF/.ips 2021.04.20-Mozi.m

description	ioc	process
File opened for modification	/tmp/Malware-master/Linux/ELF/.ips	2021.04.20-Mozi.m

/tmp/Malware-master/Linux/ELF/2021.04.20-Mozi.m
/tmp/Malware-master/Linux/ELF/2021.04.20-Mozi.m
1⤵
- Enumerates active TCP sockets
- Reads system network configuration
- Writes file to tmp directory
PID:678

/bin/sh
/bin/sh -c "killall -9 telnetd utelnetd scfgmgr"
1⤵
PID:683
- /usr/bin/killall
  killall -9 telnetd utelnetd scfgmgr
  2⤵
  - Reads runtime system information
  PID:684

/bin/sh
/bin/sh -c "iptables -I INPUT -p tcp --destination-port 58461 -j ACCEPT"
1⤵
PID:764
- /sbin/iptables
  iptables -I INPUT -p tcp --destination-port 58461 -j ACCEPT
  2⤵
  PID:765

/bin/sh
/bin/sh -c "iptables -I OUTPUT -p tcp --source-port 58461 -j ACCEPT"
1⤵
PID:771
- /sbin/iptables
  iptables -I OUTPUT -p tcp --source-port 58461 -j ACCEPT
  2⤵
  PID:772

/bin/sh
/bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 58461 -j ACCEPT"
1⤵
PID:773
- /sbin/iptables
  iptables -I PREROUTING -t nat -p tcp --destination-port 58461 -j ACCEPT
  2⤵
  PID:774

/bin/sh
/bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 58461 -j ACCEPT"
1⤵
PID:781
- /sbin/iptables
  iptables -I POSTROUTING -t nat -p tcp --source-port 58461 -j ACCEPT
  2⤵
  PID:783

/bin/sh
/bin/sh -c "iptables -I INPUT -p tcp --dport 58461 -j ACCEPT"
1⤵
PID:784
- /sbin/iptables
  iptables -I INPUT -p tcp --dport 58461 -j ACCEPT
  2⤵
  PID:785

/bin/sh
/bin/sh -c "iptables -I OUTPUT -p tcp --sport 58461 -j ACCEPT"
1⤵
PID:786
- /sbin/iptables
  iptables -I OUTPUT -p tcp --sport 58461 -j ACCEPT
  2⤵
  PID:787

/bin/sh
/bin/sh -c "iptables -I PREROUTING -t nat -p tcp --dport 58461 -j ACCEPT"
1⤵
PID:788
- /sbin/iptables
  iptables -I PREROUTING -t nat -p tcp --dport 58461 -j ACCEPT
  2⤵
  PID:789

/bin/sh
/bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 58461 -j ACCEPT"
1⤵
PID:790
- /sbin/iptables
  iptables -I POSTROUTING -t nat -p tcp --sport 58461 -j ACCEPT
  2⤵
  PID:791

/bin/sh
/bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"
1⤵
PID:792
- /sbin/iptables
  iptables -I INPUT -p tcp --destination-port 58000 -j DROP
  2⤵
  PID:793

/bin/sh
/bin/sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"
1⤵
PID:794
- /sbin/iptables
  iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
  2⤵
  PID:795

/bin/sh
/bin/sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"
1⤵
PID:796
- /sbin/iptables
  iptables -I INPUT -p tcp --dport 58000 -j DROP
  2⤵
  PID:797

/bin/sh
/bin/sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"
1⤵
PID:799
- /sbin/iptables
  iptables -I OUTPUT -p tcp --sport 58000 -j DROP
  2⤵
  PID:800

/bin/sh
/bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""
1⤵
PID:802

/bin/sh
/bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""
1⤵
PID:803

/bin/sh
/bin/sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"
1⤵
PID:804
- /sbin/iptables
  iptables -I INPUT -p tcp --destination-port 35000 -j DROP
  2⤵
  PID:805

/bin/sh
/bin/sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"
1⤵
PID:806
- /sbin/iptables
  iptables -I INPUT -p tcp --destination-port 50023 -j DROP
  2⤵
  PID:807

/bin/sh
/bin/sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"
1⤵
PID:808
- /sbin/iptables
  iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
  2⤵
  PID:809

/bin/sh
/bin/sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"
1⤵
PID:810
- /sbin/iptables
  iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
  2⤵
  PID:811

/bin/sh
/bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"
1⤵
PID:812
- /sbin/iptables
  iptables -I INPUT -p tcp --destination-port 7547 -j DROP
  2⤵
  PID:813

/bin/sh
/bin/sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"
1⤵
PID:814
- /sbin/iptables
  iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
  2⤵
  PID:815

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/rcS.d/S95baby.sh

Filesize
25B

MD5
1b3235ba10fc04836c941d3d27301956

SHA1
8909655763143702430b8c58b3ae3b04cfd3a29c

SHA256
01ba1fb41632594997a41d0c3a911ae5b3034d566ebb991ef76ad76e6f9e283a

SHA512
98bdb5c266222ccbd63b6f80c87e501c8033dc53b0513d300b8da50e39a207a0b69f8cd3ecc4a128dec340a1186779fedd1049c9b0a70e90d2cb3ae6ebfa4c4d

Download Submit
/usr/networks

Filesize
300KB

MD5
eec5c6c219535fba3a0492ea8118b397

SHA1
292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21

SHA256
12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef

SHA512
3482c8324a18302f0f37b6e23ed85f24fff9f50bb568d8fd7461bf57f077a7c592f7a88bb2e1c398699958946d87bb93ab744d13a0003f9b879c15e6471f7400

Download Submit