4d874d2d07fb4bf1cd523114c162b7971b2b72a29ac5b6e44de362774f8252df

Analysis

max time kernel
150s
max time network
150s
platform
debian-12_mipsel
resource
debian12-mipsel-20240221-en
resource tags

arch:mipselimage:debian12-mipsel-20240221-enkernel:6.1.0-17-4kc-maltalocale:en-usos:debian-12-mipselsystem
submitted
20/03/2024, 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7929972ed8714b8d8eb92f97a39e9a1
Size

891KB
MD5

d7929972ed8714b8d8eb92f97a39e9a1
SHA1

23e862d6509ea33da8de58fe0b1669fbe11a0fae
SHA256

4d874d2d07fb4bf1cd523114c162b7971b2b72a29ac5b6e44de362774f8252df
SHA512

27b41d4dfdb5f32b55f416c033c06238ab3c4c9424a67d2d0da3f86e367d96c6383c9d340a97027d3fd1c3d16dea988b24ab0a65dd0394d222f9cee7e94a40d4
SSDEEP

24576:zK5RSQFCPrZOOmsTLTQAWeMUYzWRavwYEi:C1clOOlQAWfUF7i

Score

7^/10

persistence

Malware Config

Signatures

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	emptiness	723	d7929972ed8714b8d8eb92f97a39e9a1

Flushes firewall rules 6 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

pid	Process
798	iptables
799	systemctl
799	systemctl
799	systemctl
799	systemctl
797	iptables

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
File opened for modification	/etc/init.d/rcS	sh

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc	Process
File opened for reading	/proc/net/unix	fuser

Reads runtime system information 11 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/net/core/somaxconn	d7929972ed8714b8d8eb92f97a39e9a1
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	cp

/tmp/d7929972ed8714b8d8eb92f97a39e9a1
/tmp/d7929972ed8714b8d8eb92f97a39e9a1
1⤵
- Changes its process name
- Reads runtime system information
PID:723

/usr/bin/rm
rm -rf "/tmp/*" "/var/*" "/var/run/*" "/var/tmp/*"
1⤵
PID:788

/usr/bin/fuser
fuser
1⤵
- Reads system network configuration
PID:789

/usr/bin/rm
rm -rf /bin/netstat
1⤵
PID:790

/usr/sbin/service
service iptables stop
1⤵
PID:791
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:792
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:793

/usr/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
- Reads runtime system information
PID:796

/usr/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
- Reads runtime system information
PID:795

/usr/local/sbin/systemctl
systemctl stop iptables.service
1⤵
PID:791

/usr/local/bin/systemctl
systemctl stop iptables.service
1⤵
PID:791

/usr/sbin/systemctl
systemctl stop iptables.service
1⤵
PID:791

/usr/bin/systemctl
systemctl stop iptables.service
1⤵
- Reads runtime system information
PID:791

/sbin/iptables
/sbin/iptables -F
1⤵
- Flushes firewall rules
PID:797

/sbin/iptables
/sbin/iptables -X
1⤵
- Flushes firewall rules
PID:798

/usr/sbin/service
service firewalld stop
1⤵
PID:799
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:800
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:801

/usr/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
- Reads runtime system information
PID:804

/usr/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
- Reads runtime system information
PID:803

/usr/local/sbin/systemctl
systemctl stop firewalld.service
1⤵
- Flushes firewall rules
PID:799

/usr/local/bin/systemctl
systemctl stop firewalld.service
1⤵
- Flushes firewall rules
PID:799

/usr/sbin/systemctl
systemctl stop firewalld.service
1⤵
- Flushes firewall rules
PID:799

/usr/bin/systemctl
systemctl stop firewalld.service
1⤵
- Flushes firewall rules
- Reads runtime system information
PID:799

/usr/bin/rm
rm -rf "~/.bash_history"
1⤵
PID:807

/usr/bin/sh
sh -c "mv /etc/rc.bak /etc/rc.local"
1⤵
PID:808
- /usr/bin/mv
  mv /etc/rc.bak /etc/rc.local
  2⤵
  - Reads runtime system information
  PID:809

/usr/bin/cp
cp /etc/rc.local /etc/rc.bak
1⤵
- Reads runtime system information
PID:810

/usr/bin/sh
sh -c "mv /etc/init.d/rcS.bak /etc/init.d/rcS"
1⤵
PID:811
- /usr/bin/mv
  mv /etc/init.d/rcS.bak /etc/init.d/rcS
  2⤵
  - Reads runtime system information
  PID:812

/usr/bin/cp
cp /etc/init.d/rcS /etc/init.d/rcS.bak
1⤵
- Reads runtime system information
PID:813

/usr/bin/sh
sh -c "echo '/bin/.developer -d' >> /etc/init.d/rcS"
1⤵
- Modifies init.d
PID:814

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Defense Evasion

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/rcS

Filesize
19B

MD5
65f08b98a5fbdc258c4cafdb81a52d82

SHA1
b5c5f77dec2479683a28c66b923719f171ff3c03

SHA256
b2c7631a98d50928f4848b7f7ea78e47318d82cd100296f9806eb88837b995ff

SHA512
bdf5655b8202b16b881f0d5c9573a4df3c6fad74cdedf464afa6d2288436f9214a0eb66287839612dfcebd096126e8ee17ebb2476e46c190a6508b02444b2ceb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads