Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
47s -
max time network
53s -
platform
debian-9_mips -
resource
debian9-mipsbe-20231215-en -
resource tags
arch:mipsimage:debian9-mipsbe-20231215-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem -
submitted
31/12/2023, 15:49
Behavioral task
behavioral1
Sample
3a5333e2143b48fce02d877063c94b2d
Resource
debian9-mipsbe-20231215-en
General
-
Target
3a5333e2143b48fce02d877063c94b2d
-
Size
177KB
-
MD5
3a5333e2143b48fce02d877063c94b2d
-
SHA1
6c54cadbae1fad7ac5c601822fba4329991e8bc3
-
SHA256
912849731336584f384a87a1ce421aa04c43e8f6bf36a7f8b874fb8db08bb58f
-
SHA512
c7764dbe31a0249c4acc32f71550d6ff69b57b2256d6601ea65893d5f9ead3a0bf2fd4f4987161b8890b2212a64149644aefd42336c37d3ac37005d0dd52ddee
-
SSDEEP
3072:/TNVO/QJHZcfFj4rwLQGTNO5VZLwHm7vuQTpZUyY6coj:7O/QJHZweEL/NOjCHm7FZZnc6
Malware Config
Signatures
-
Contacts a large (1389) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Changes its process name 1 IoCs
description ioc pid Changes the process name, possibly in an attempt to hide itself sshd 708 -
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description ioc File opened for modification /dev/watchdog File opened for modification /dev/misc/watchdog -
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
description ioc Process File opened for reading /proc/net/tcp 3a5333e2143b48fce02d877063c94b2d -
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.
description ioc File opened for reading /proc/net/route -
Writes file to system bin folder 1 TTPs 2 IoCs
description ioc File opened for modification /bin/watchdog File opened for modification /sbin/watchdog -
Reads system network configuration 1 TTPs 3 IoCs
Uses contents of /proc filesystem to enumerate network settings.
description ioc Process File opened for reading /proc/net/route Process not Found File opened for reading /proc/net/tcp 3a5333e2143b48fce02d877063c94b2d File opened for reading /proc/net/raw 3a5333e2143b48fce02d877063c94b2d -
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
description ioc Process File opened for reading /proc/391/stat killall File opened for reading /proc/472/stat killall File opened for reading /proc/485/stat killall File opened for reading /proc/2/stat killall File opened for reading /proc/71/stat killall File opened for reading /proc/76/stat killall File opened for reading /proc/138/cmdline killall File opened for reading /proc/325/stat killall File opened for reading /proc/17/stat killall File opened for reading /proc/72/stat killall File opened for reading /proc/6/stat killall File opened for reading /proc/10/stat killall File opened for reading /proc/37/stat killall File opened for reading /proc/80/stat killall File opened for reading /proc/701/stat killall File opened for reading /proc/5/stat killall File opened for reading /proc/16/stat killall File opened for reading /proc/79/stat killall File opened for reading /proc/103/stat killall File opened for reading /proc/689/stat killall File opened for reading /proc/4/stat killall File opened for reading /proc/14/stat killall File opened for reading /proc/115/cmdline killall File opened for reading /proc/321/stat killall File opened for reading /proc/323/stat killall File opened for reading /proc/12/stat killall File opened for reading /proc/73/stat killall File opened for reading /proc/375/stat killall File opened for reading /proc/708/stat killall File opened for reading /proc/709/stat killall File opened for reading /proc/11/stat killall File opened for reading /proc/235/stat killall File opened for reading /proc/self/exe 3a5333e2143b48fce02d877063c94b2d File opened for reading /proc/115/stat killall File opened for reading /proc/689/cmdline killall File opened for reading /proc/698/cmdline killall File opened for reading /proc/710/stat killall File opened for reading /proc/376/stat killall File opened for reading /proc/698/stat killall File opened for reading /proc/filesystems killall File opened for reading /proc/7/stat killall File opened for reading /proc/8/stat killall File opened for reading /proc/19/stat killall File opened for reading /proc/148/stat killall File opened for reading /proc/690/cmdline killall File opened for reading /proc/36/stat killall File opened for reading /proc/74/stat killall File opened for reading /proc/75/stat killall File opened for reading /proc/386/stat killall File opened for reading /proc/690/stat killall File opened for reading /proc/1/stat killall File opened for reading /proc/22/stat killall File opened for reading /proc/514/stat killall File opened for reading /proc/353/stat killall File opened for reading /proc/692/stat killall File opened for reading /proc/695/stat killall File opened for reading /proc/708/cmdline killall File opened for reading /proc/15/stat killall File opened for reading /proc/18/stat killall File opened for reading /proc/24/stat killall File opened for reading /proc/69/stat killall File opened for reading /proc/513/stat killall File opened for reading /proc/716/stat killall File opened for reading /proc/13/stat killall -
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/.ips 3a5333e2143b48fce02d877063c94b2d
Processes
-
/tmp/3a5333e2143b48fce02d877063c94b2d/tmp/3a5333e2143b48fce02d877063c94b2d1⤵
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:705
-
/bin/shsh -c "killall -9 telnetd utelnetd scfgmgr"1⤵PID:709
-
/usr/bin/killallkillall -9 telnetd utelnetd scfgmgr2⤵
- Reads runtime system information
PID:714
-
-
/bin/shsh -c "iptables -I INPUT -p tcp --destination-port 55907 -j ACCEPT"1⤵PID:811
-
/sbin/iptablesiptables -I INPUT -p tcp --destination-port 55907 -j ACCEPT2⤵PID:813
-