Resubmissions
13-03-2024 17:05
240313-vl6g3sad51 9Analysis
-
max time kernel
33s -
max time network
37s -
platform
debian-9_mips -
resource
debian9-mipsbe-20240226-en -
resource tags
-
submitted
13-03-2024 17:05
General
-
Target
bin.sh
-
Size
132KB
-
MD5
59ce0baba11893f90527fc951ac69912
-
SHA1
5857a7dd621c4c3ebb0b5a3bec915d409f70d39f
-
SHA256
4293c1d8574dc87c58360d6bac3daa182f64f7785c9d41da5e0741d2b1817fc7
-
SHA512
c5b12797b477e5e5964a78766bb40b1c0d9fdfb8eef1f9aee3df451e3441a40c61d325bf400ba51048811b68e1c70a95f15e4166b7a65a4eca0c624864328647
-
SSDEEP
3072:phNlHuBafLeBtfCzpta8xlBIOdVo3/4sxLJ10xioP:p3lOYoaja8xzx/0wsxzSi2
Score
9/10
Malware Config
Signatures
-
Contacts a large (2080) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Changes its process name 1 IoCs
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.
-
Writes file to system bin folder 1 TTPs 2 IoCs
-
Reads system network configuration 1 TTPs 3 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/bin.sh/tmp/bin.sh1⤵
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
-
/bin/shsh -c "killall -9 telnetd utelnetd scfgmgr"1⤵
-
/usr/bin/killallkillall -9 telnetd utelnetd scfgmgr2⤵
- Reads runtime system information
-
-
/bin/shsh -c "iptables -I INPUT -p tcp --destination-port 42141 -j ACCEPT"1⤵
-
/sbin/iptablesiptables -I INPUT -p tcp --destination-port 42141 -j ACCEPT2⤵
-
-
/bin/shsh -c "iptables -I OUTPUT -p tcp --source-port 42141 -j ACCEPT"1⤵
-
/sbin/iptablesiptables -I OUTPUT -p tcp --source-port 42141 -j ACCEPT2⤵
-
-
/bin/shsh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 42141 -j ACCEPT"1⤵
-
/sbin/iptablesiptables -I PREROUTING -t nat -p tcp --destination-port 42141 -j ACCEPT2⤵
-
-
/bin/shsh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 42141 -j ACCEPT"1⤵
-
/sbin/iptablesiptables -I POSTROUTING -t nat -p tcp --source-port 42141 -j ACCEPT2⤵
-
-
/bin/shsh -c "iptables -I INPUT -p tcp --dport 42141 -j ACCEPT"1⤵
-
/sbin/iptablesiptables -I INPUT -p tcp --dport 42141 -j ACCEPT2⤵
-
-
/bin/shsh -c "iptables -I INPUT -p tcp --destination-port 22 -j DROP"1⤵
-
/sbin/iptablesiptables -I INPUT -p tcp --destination-port 22 -j DROP2⤵
-
-
/bin/shsh -c "iptables -I OUTPUT -p tcp --sport 42141 -j ACCEPT"1⤵
-
/sbin/iptablesiptables -I OUTPUT -p tcp --sport 42141 -j ACCEPT2⤵
-
-
/bin/shsh -c "iptables -I INPUT -p tcp --destination-port 23 -j DROP"1⤵
-
/sbin/iptablesiptables -I INPUT -p tcp --destination-port 23 -j DROP2⤵
-
-
/bin/shsh -c "iptables -I PREROUTING -t nat -p tcp --dport 42141 -j ACCEPT"1⤵
-
/sbin/iptablesiptables -I PREROUTING -t nat -p tcp --dport 42141 -j ACCEPT2⤵
-
-
/bin/shsh -c "iptables -I INPUT -p tcp --destination-port 2323 -j DROP"1⤵
-
/sbin/iptablesiptables -I INPUT -p tcp --destination-port 2323 -j DROP2⤵
-
-
/bin/shsh -c "iptables -I POSTROUTING -t nat -p tcp --sport 42141 -j ACCEPT"1⤵
-
/sbin/iptablesiptables -I POSTROUTING -t nat -p tcp --sport 42141 -j ACCEPT2⤵
-
-
/bin/shsh -c "iptables -I OUTPUT -p tcp --source-port 22 -j DROP"1⤵
-
/sbin/iptablesiptables -I OUTPUT -p tcp --source-port 22 -j DROP2⤵
-
-
/bin/shsh -c "iptables -I OUTPUT -p tcp --source-port 23 -j DROP"1⤵
-
/sbin/iptablesiptables -I OUTPUT -p tcp --source-port 23 -j DROP2⤵
-
-
/bin/shsh -c "iptables -I OUTPUT -p tcp --source-port 2323 -j DROP"1⤵
-
/sbin/iptablesiptables -I OUTPUT -p tcp --source-port 2323 -j DROP2⤵
-
-
/bin/shsh -c "iptables -I INPUT -p tcp --dport 22 -j DROP"1⤵
-
/sbin/iptablesiptables -I INPUT -p tcp --dport 22 -j DROP2⤵
-
-
/bin/shsh -c "iptables -I INPUT -p tcp --dport 23 -j DROP"1⤵
-
/sbin/iptablesiptables -I INPUT -p tcp --dport 23 -j DROP2⤵
-
-
/bin/shsh -c "iptables -I INPUT -p tcp --dport 2323 -j DROP"1⤵
-
/sbin/iptablesiptables -I INPUT -p tcp --dport 2323 -j DROP2⤵
-
-
/bin/shsh -c "iptables -I OUTPUT -p tcp --sport 22 -j DROP"1⤵
-
/sbin/iptablesiptables -I OUTPUT -p tcp --sport 22 -j DROP2⤵
-
-
/bin/shsh -c "iptables -I OUTPUT -p tcp --sport 23 -j DROP"1⤵
-
/sbin/iptablesiptables -I OUTPUT -p tcp --sport 23 -j DROP2⤵
-