912849731336584f384a87a1ce421aa04c43e8f6bf36a7f8b874fb8db08bb58f

Analysis

max time kernel
47s
max time network
53s
platform
debian-9_mips
resource
debian9-mipsbe-20231215-en
resource tags

arch:mipsimage:debian9-mipsbe-20231215-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
31/12/2023, 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a5333e2143b48fce02d877063c94b2d
Size

177KB
MD5

3a5333e2143b48fce02d877063c94b2d
SHA1

6c54cadbae1fad7ac5c601822fba4329991e8bc3
SHA256

912849731336584f384a87a1ce421aa04c43e8f6bf36a7f8b874fb8db08bb58f
SHA512

c7764dbe31a0249c4acc32f71550d6ff69b57b2256d6601ea65893d5f9ead3a0bf2fd4f4987161b8890b2212a64149644aefd42336c37d3ac37005d0dd52ddee
SSDEEP

3072:/TNVO/QJHZcfFj4rwLQGTNO5VZLwHm7vuQTpZUyY6coj:7O/QJHZweEL/NOjCHm7FZZnc6

Score

8^/10

discovery

Malware Config

Signatures

Contacts a large (1389) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Changes its process name 1 IoCs

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	sshd	708

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

description	ioc
File opened for modification	/dev/watchdog
File opened for modification	/dev/misc/watchdog

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	3a5333e2143b48fce02d877063c94b2d

Enumerates running processes
Discovers information about currently running processes on the system

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

System Network Configuration Discovery

T1016

description	ioc
File opened for reading	/proc/net/route

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/bin/watchdog
File opened for modification	/sbin/watchdog

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc	Process
File opened for reading	/proc/net/route	Process not Found
File opened for reading	/proc/net/tcp	3a5333e2143b48fce02d877063c94b2d
File opened for reading	/proc/net/raw	3a5333e2143b48fce02d877063c94b2d

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/391/stat	killall
File opened for reading	/proc/472/stat	killall
File opened for reading	/proc/485/stat	killall
File opened for reading	/proc/2/stat	killall
File opened for reading	/proc/71/stat	killall
File opened for reading	/proc/76/stat	killall
File opened for reading	/proc/138/cmdline	killall
File opened for reading	/proc/325/stat	killall
File opened for reading	/proc/17/stat	killall
File opened for reading	/proc/72/stat	killall
File opened for reading	/proc/6/stat	killall
File opened for reading	/proc/10/stat	killall
File opened for reading	/proc/37/stat	killall
File opened for reading	/proc/80/stat	killall
File opened for reading	/proc/701/stat	killall
File opened for reading	/proc/5/stat	killall
File opened for reading	/proc/16/stat	killall
File opened for reading	/proc/79/stat	killall
File opened for reading	/proc/103/stat	killall
File opened for reading	/proc/689/stat	killall
File opened for reading	/proc/4/stat	killall
File opened for reading	/proc/14/stat	killall
File opened for reading	/proc/115/cmdline	killall
File opened for reading	/proc/321/stat	killall
File opened for reading	/proc/323/stat	killall
File opened for reading	/proc/12/stat	killall
File opened for reading	/proc/73/stat	killall
File opened for reading	/proc/375/stat	killall
File opened for reading	/proc/708/stat	killall
File opened for reading	/proc/709/stat	killall
File opened for reading	/proc/11/stat	killall
File opened for reading	/proc/235/stat	killall
File opened for reading	/proc/self/exe	3a5333e2143b48fce02d877063c94b2d
File opened for reading	/proc/115/stat	killall
File opened for reading	/proc/689/cmdline	killall
File opened for reading	/proc/698/cmdline	killall
File opened for reading	/proc/710/stat	killall
File opened for reading	/proc/376/stat	killall
File opened for reading	/proc/698/stat	killall
File opened for reading	/proc/filesystems	killall
File opened for reading	/proc/7/stat	killall
File opened for reading	/proc/8/stat	killall
File opened for reading	/proc/19/stat	killall
File opened for reading	/proc/148/stat	killall
File opened for reading	/proc/690/cmdline	killall
File opened for reading	/proc/36/stat	killall
File opened for reading	/proc/74/stat	killall
File opened for reading	/proc/75/stat	killall
File opened for reading	/proc/386/stat	killall
File opened for reading	/proc/690/stat	killall
File opened for reading	/proc/1/stat	killall
File opened for reading	/proc/22/stat	killall
File opened for reading	/proc/514/stat	killall
File opened for reading	/proc/353/stat	killall
File opened for reading	/proc/692/stat	killall
File opened for reading	/proc/695/stat	killall
File opened for reading	/proc/708/cmdline	killall
File opened for reading	/proc/15/stat	killall
File opened for reading	/proc/18/stat	killall
File opened for reading	/proc/24/stat	killall
File opened for reading	/proc/69/stat	killall
File opened for reading	/proc/513/stat	killall
File opened for reading	/proc/716/stat	killall
File opened for reading	/proc/13/stat	killall

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.ips	3a5333e2143b48fce02d877063c94b2d

/tmp/3a5333e2143b48fce02d877063c94b2d
/tmp/3a5333e2143b48fce02d877063c94b2d
1⤵
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:705

/bin/sh
sh -c "killall -9 telnetd utelnetd scfgmgr"
1⤵
PID:709
- /usr/bin/killall
  killall -9 telnetd utelnetd scfgmgr
  2⤵
  - Reads runtime system information
  PID:714

/bin/sh
sh -c "iptables -I INPUT -p tcp --destination-port 55907 -j ACCEPT"
1⤵
PID:811
- /sbin/iptables
  iptables -I INPUT -p tcp --destination-port 55907 -j ACCEPT
  2⤵
  PID:813

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads