Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
17s -
max time network
49s -
platform
debian-9_mips -
resource
debian9-mipsbe-20231215-en -
resource tags
arch:mipsimage:debian9-mipsbe-20231215-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem -
submitted
25/01/2024, 19:04
Behavioral task
behavioral1
Sample
7546b0b643c6138637aa072bbda61d6d
Resource
debian9-mipsbe-20231215-en
debian-9-mips
9 signatures
150 seconds
General
-
Target
7546b0b643c6138637aa072bbda61d6d
-
Size
204KB
-
MD5
7546b0b643c6138637aa072bbda61d6d
-
SHA1
98eea3fa6d56d5457049479980ca53affa7db72a
-
SHA256
379fb36f6e1f8c1161528d11a1e5b79e09b9d202a692b674f3b2ffe8df320ba3
-
SHA512
3b7055f369ccb220a224687fa07e80edef2786f3089129885ef1985b07b2583cc01e5bbddf9b10d732dd552447839d9fdedcb6e60049a7f55ed7ea10fe323a0b
-
SSDEEP
3072:/TNVO/QJHZcfFj4rwLQGTNO5VZLwHm7vuQTpZUyY6co:7O/QJHZweEL/NOjCHm7FZZnc
Score
7/10
Malware Config
Signatures
-
Changes its process name 1 IoCs
description ioc pid Changes the process name, possibly in an attempt to hide itself sshd 725 -
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description ioc File opened for modification /dev/watchdog File opened for modification /dev/misc/watchdog -
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
description ioc Process File opened for reading /proc/net/tcp 7546b0b643c6138637aa072bbda61d6d -
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.
description ioc File opened for reading /proc/net/route -
Writes file to system bin folder 1 TTPs 2 IoCs
description ioc File opened for modification /sbin/watchdog File opened for modification /bin/watchdog -
Reads system network configuration 1 TTPs 3 IoCs
Uses contents of /proc filesystem to enumerate network settings.
description ioc Process File opened for reading /proc/net/tcp 7546b0b643c6138637aa072bbda61d6d File opened for reading /proc/net/raw 7546b0b643c6138637aa072bbda61d6d File opened for reading /proc/net/route Process not Found -
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
description ioc Process File opened for reading /proc/3/stat killall File opened for reading /proc/8/stat killall File opened for reading /proc/11/stat killall File opened for reading /proc/23/stat killall File opened for reading /proc/74/stat killall File opened for reading /proc/387/stat killall File opened for reading /proc/719/stat killall File opened for reading /proc/13/stat killall File opened for reading /proc/116/stat killall File opened for reading /proc/166/stat killall File opened for reading /proc/489/stat killall File opened for reading /proc/730/stat killall File opened for reading /proc/73/stat killall File opened for reading /proc/82/stat killall File opened for reading /proc/146/stat killall File opened for reading /proc/707/stat killall File opened for reading /proc/19/stat killall File opened for reading /proc/706/stat killall File opened for reading /proc/716/cmdline killall File opened for reading /proc/16/stat killall File opened for reading /proc/72/stat killall File opened for reading /proc/150/stat killall File opened for reading /proc/319/stat killall File opened for reading /proc/474/stat killall File opened for reading /proc/706/cmdline killall File opened for reading /proc/725/cmdline killall File opened for reading /proc/14/stat killall File opened for reading /proc/76/stat killall File opened for reading /proc/115/stat killall File opened for reading /proc/116/cmdline killall File opened for reading /proc/2/stat killall File opened for reading /proc/10/stat killall File opened for reading /proc/18/stat killall File opened for reading /proc/707/cmdline killall File opened for reading /proc/716/stat killall File opened for reading /proc/37/stat killall File opened for reading /proc/78/stat killall File opened for reading /proc/327/stat killall File opened for reading /proc/399/stat killall File opened for reading /proc/522/stat killall File opened for reading /proc/692/stat killall File opened for reading /proc/726/stat killall File opened for reading /proc/731/stat killall File opened for reading /proc/self/exe 7546b0b643c6138637aa072bbda61d6d File opened for reading /proc/79/stat killall File opened for reading /proc/1/stat killall File opened for reading /proc/5/stat killall File opened for reading /proc/36/stat killall File opened for reading /proc/71/stat killall File opened for reading /proc/146/cmdline killall File opened for reading /proc/24/stat killall File opened for reading /proc/228/stat killall File opened for reading /proc/324/stat killall File opened for reading /proc/712/stat killall File opened for reading /proc/725/stat killall File opened for reading /proc/9/stat killall File opened for reading /proc/12/stat killall File opened for reading /proc/17/stat killall File opened for reading /proc/20/stat killall File opened for reading /proc/70/stat killall File opened for reading /proc/384/stat killall File opened for reading /proc/22/stat killall File opened for reading /proc/713/stat killall File opened for reading /proc/4/stat killall -
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/.ips 7546b0b643c6138637aa072bbda61d6d
Processes
-
/tmp/7546b0b643c6138637aa072bbda61d6d/tmp/7546b0b643c6138637aa072bbda61d6d1⤵
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:723
-
/bin/shsh -c "killall -9 telnetd utelnetd scfgmgr"1⤵PID:726
-
/usr/bin/killallkillall -9 telnetd utelnetd scfgmgr2⤵
- Reads runtime system information
PID:729
-