Analysis
- max time kernel: 14s
- max time network: 17s
- platform: debian-9_mips
- resource: debian9-mipsbe-20231222-en
- resource tags: arch:mips, image:debian9-mipsbe-20231222-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
- submitted: 24/01/2024, 21:09
Behavioral task: behavioral1
- Sample: 72dc7c5966b66cefa2d8296651ee7d17
- Resource: debian9-mipsbe-20231222-en
General
- Target: 72dc7c5966b66cefa2d8296651ee7d17
- Size: 211KB
- MD5: 72dc7c5966b66cefa2d8296651ee7d17
- SHA1: 150825e47b7fe1c565c7ecbade7a8254946086a2
- SHA256: 038465d0a4225c946eac5c7fdd87b594362e33f4102b696a6eb9294434c804f1
- SHA512: c9eb3bfd20b5d3b7c8ab2c358fe7b0ad5888c4c579934244daa6d990229aca87fd2dd78efbfe82f0fa9b1d96572a4afd9ba113aa4ca7c4b35cca3eb33c304618
- SSDEEP: 6144:p3lOYoaja8xzx/0wsxzSinwKSDP99zBa77oNsKqq1:p1CG/jsxzXBSDP99zBa/HKqS
Malware Config
Signatures

- Changes its process name (1 IoC)
  description | ioc | pid
  Changes the process name, possibly in an attempt to hide itself | sshd | 734

- Modifies Watchdog functionality (1 TTP, 2 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  description | ioc
  File opened for modification | /dev/watchdog
  File opened for modification | /dev/misc/watchdog

- Enumerates active TCP sockets (1 TTP, 1 IoC)
  Gets active TCP sockets from /proc virtual filesystem.
  description | ioc | Process
  File opened for reading | /proc/net/tcp | 72dc7c5966b66cefa2d8296651ee7d17

- Enumerates running processes
  Discovers information about currently running processes on the system.

- Reads system routing table (1 TTP, 1 IoC)
  Gets active network interfaces from /proc virtual filesystem.
  description | ioc
  File opened for reading | /proc/net/route

- Writes file to system bin folder (1 TTP, 2 IoCs)
  description | ioc
  File opened for modification | /sbin/watchdog
  File opened for modification | /bin/watchdog

- Reads system network configuration (1 TTP, 3 IoCs)
  Uses contents of /proc filesystem to enumerate network settings.
  description | ioc | Process
  File opened for reading | /proc/net/tcp | 72dc7c5966b66cefa2d8296651ee7d17
  File opened for reading | /proc/net/raw | 72dc7c5966b66cefa2d8296651ee7d17
  File opened for reading | /proc/net/route | Process not Found

- Reads runtime system information (64 IoCs)
  Reads data from /proc virtual filesystem.
  description | ioc | Process
  File opened for reading | /proc/1/stat | killall
  File opened for reading | /proc/335/stat | killall
  File opened for reading | /proc/382/stat | killall
  File opened for reading | /proc/20/stat | killall
  File opened for reading | /proc/24/stat | killall
  File opened for reading | /proc/110/stat | killall
  File opened for reading | /proc/373/stat | killall
  File opened for reading | /proc/715/cmdline | killall
  File opened for reading | /proc/718/stat | killall
  File opened for reading | /proc/4/stat | killall
  File opened for reading | /proc/9/stat | killall
  File opened for reading | /proc/22/stat | killall
  File opened for reading | /proc/69/stat | killall
  File opened for reading | /proc/77/stat | killall
  File opened for reading | /proc/126/stat | killall
  File opened for reading | /proc/3/stat | killall
  File opened for reading | /proc/339/stat | killall
  File opened for reading | /proc/340/stat | killall
  File opened for reading | /proc/725/stat | killall
  File opened for reading | /proc/725/cmdline | killall
  File opened for reading | /proc/734/stat | killall
  File opened for reading | /proc/738/stat | killall
  File opened for reading | /proc/filesystems | killall
  File opened for reading | /proc/12/stat | killall
  File opened for reading | /proc/153/stat | killall
  File opened for reading | /proc/175/stat | killall
  File opened for reading | /proc/721/stat | killall
  File opened for reading | /proc/722/stat | killall
  File opened for reading | /proc/15/stat | killall
  File opened for reading | /proc/37/stat | killall
  File opened for reading | /proc/237/stat | killall
  File opened for reading | /proc/734/cmdline | killall
  File opened for reading | /proc/5/stat | killall
  File opened for reading | /proc/11/stat | killall
  File opened for reading | /proc/80/stat | killall
  File opened for reading | /proc/386/stat | killall
  File opened for reading | /proc/self/exe | 72dc7c5966b66cefa2d8296651ee7d17
  File opened for reading | /proc/6/stat | killall
  File opened for reading | /proc/17/stat | killall
  File opened for reading | /proc/71/stat | killall
  File opened for reading | /proc/735/stat | killall
  File opened for reading | /proc/18/stat | killall
  File opened for reading | /proc/21/stat | killall
  File opened for reading | /proc/73/stat | killall
  File opened for reading | /proc/76/stat | killall
  File opened for reading | /proc/384/stat | killall
  File opened for reading | /proc/673/stat | killall
  File opened for reading | /proc/675/stat | killall
  File opened for reading | /proc/19/stat | killall
  File opened for reading | /proc/75/stat | killall
  File opened for reading | /proc/728/stat | killall
  File opened for reading | /proc/8/stat | killall
  File opened for reading | /proc/72/stat | killall
  File opened for reading | /proc/7/stat | killall
  File opened for reading | /proc/13/stat | killall
  File opened for reading | /proc/23/stat | killall
  File opened for reading | /proc/70/stat | killall
  File opened for reading | /proc/79/stat | killall
  File opened for reading | /proc/82/stat | killall
  File opened for reading | /proc/337/stat | killall
  File opened for reading | /proc/676/stat | killall
  File opened for reading | /proc/716/stat | killall
  File opened for reading | /proc/36/stat | killall
  File opened for reading | /proc/716/cmdline | killall

- Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory.
  description | ioc | Process
  File opened for modification | /tmp/.ips | 72dc7c5966b66cefa2d8296651ee7d17
Processes
- /tmp/72dc7c5966b66cefa2d8296651ee7d17 (command line: /tmp/72dc7c5966b66cefa2d8296651ee7d17), PID 730
  - Enumerates active TCP sockets
  - Reads system network configuration
  - Reads runtime system information
  - Writes file to tmp directory
- /bin/sh (command line: sh -c "killall -9 telnetd utelnetd scfgmgr"), PID 735
  - /usr/bin/killall (command line: killall -9 telnetd utelnetd scfgmgr), PID 737
    - Reads runtime system information