Analysis
- max time kernel: 15s
- max time network: 1795s
- platform: debian-9_armhf
- resource: debian9-armhf-20240226-en
- resource tags: arch:armhf, image:debian9-armhf-20240226-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 11-04-2024 09:15
Static task: static1
Behavioral task: behavioral1
Sample: 2808037.bin
Resource: debian9-armhf-20240226-en
General
- Target: 2808037.bin
- Size: 249KB
- MD5: 038814ff17c4e2f6e286dc858e3c3e38
- SHA1: 57b63f3ed966b91f2dbc107e87d81201c329671b
- SHA256: 3bd5be1f538f8cc195dbffd77d01e0c2509c56139a307b72d72d5bdbe2245584
- SHA512: 5225c9dd4adcaab0547e267c5f207cc89a007268a6c2fe2c3be84d94d08ca92340c3552ac4d59109721224c480cee7a4995a94d1dbe9f3a2e498cef0b1e90e87
- SSDEEP: 6144:REn8buta+6HwGQJk8a+MrZP6Ffk+figv49e/CKvVA6tnY:RNr2JxahZPl+L8eaKvVAcY
Malware Config
- Extracted: mirai
- LZRD
Signatures
- Modifies Watchdog functionality (1 TTPs, 1 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
- Unexpected DNS network traffic destination (64 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Processes (64 IoCs, grouped by destination):
    description      ioc               occurrences
    Destination IP   1.0.0.1           25
    Destination IP   192.3.165.37      11
    Destination IP   54.36.111.116     10
    Destination IP   114.114.114.114   8
    Destination IP   134.195.4.2       4
    Destination IP   168.138.12.137    4
    Destination IP   94.247.43.254     2
- Creates/modifies Cron job (1 TTPs, 1 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  Processes:
    description                    ioc                                   process
    File opened for modification   /var/spool/cron/crontabs/tmp.46uPWw   crontab
-
  Processes:
    description                    ioc
    File opened for modification   /etc/init.d/dnsconfig
- Modifies systemd (1 TTPs, 1 IoCs)
  Adds/modifies systemd service files. Likely to achieve persistence.
  Processes:
    description                    ioc
    File opened for modification   /etc/systemd/system/dnsconfigs.service
- Writes file to system bin folder (1 TTPs, 2 IoCs)
  Processes:
    description                    ioc
    File opened for modification   /bin/watchdog
    File opened for modification   /sbin/watchdog
- Enumerates kernel/hardware configuration (1 TTPs, 3 IoCs)
  Reads contents of /sys virtual filesystem to enumerate system information.
  Processes:
    description               ioc                           process
    File opened for reading   /sys/fs/kdbus/0-system/bus    systemctl
    File opened for reading   /sys/fs/kdbus/0-system/bus    systemctl
    File opened for reading   /sys/fs/kdbus/0-system/bus    systemctl
- Reads runtime system information (18 IoCs)
  Reads data from /proc virtual filesystem.
  Processes:
    description               ioc                    process
    File opened for reading   /proc/self/stat        systemctl
    File opened for reading   /proc/filesystems      crontab
    File opened for reading   /proc/cmdline          systemctl
    File opened for reading   /proc/self/stat        systemctl
    File opened for reading   /proc/filesystems      systemctl
    File opened for reading   /proc/cmdline          systemctl
    File opened for reading   /proc/1/environ        systemctl
    File opened for reading   /proc/655/cmdline
    File opened for reading   /proc/filesystems      cp
    File opened for reading   /proc/filesystems      mount
    File opened for reading   /proc/1/environ        systemctl
    File opened for reading   /proc/self/stat        systemctl
    File opened for reading   /proc/filesystems      systemctl
    File opened for reading   /proc/1/environ        systemctl
    File opened for reading   /proc/self/exe         2808037.bin
    File opened for reading   /proc/filesystems      mount
    File opened for reading   /proc/filesystems      systemctl
    File opened for reading   /proc/cmdline          systemctl
- Writes file to tmp directory (1 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes:
    description                    ioc
    File opened for modification   /tmp/server_session.lock
Processes
(process tree, indented by process depth; each entry is "executable: command line", with triggered signatures listed beneath it)
- /tmp/2808037.bin: /tmp/2808037.bin
  - Reads runtime system information
  - /bin/sh: /bin/sh -c "mount -o bind /tmp/nginx_server /proc/655/ > /dev/null 2>&1"
    - /bin/mount: mount -o bind /tmp/nginx_server /proc/655/
      - Reads runtime system information
  - /bin/cp: cp -f /tmp/2808037.bin /var/tmp/nginx_kel
    - Reads runtime system information
- /bin/sh: /bin/sh -c "crontab /var/tmp/.recoverys"
  - /usr/bin/crontab: crontab /var/tmp/.recoverys
    - Creates/modifies Cron job
    - Reads runtime system information
- /bin/sh: /bin/sh -c "mount -o bind /tmp/nginx_server /proc/666/ > /dev/null 2>&1"
  - /bin/mount: mount -o bind /tmp/nginx_server /proc/666/
    - Reads runtime system information
- /bin/sh: /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig > /dev/null 2>&1"
  - /bin/ln: ln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig
- /bin/sh: /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig > /dev/null 2>&1"
  - /bin/ln: ln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig
- /bin/sh: /bin/sh -c "systemctl daemon-reload > /dev/null 2>&1"
  - /bin/systemctl: systemctl daemon-reload
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
- /bin/sh: /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig > /dev/null 2>&1"
  - /bin/ln: ln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig
- /bin/sh: /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig > /dev/null 2>&1"
  - /bin/ln: ln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig
- /bin/sh: /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig > /dev/null 2>&1"
  - /bin/ln: ln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig
- /bin/sh: /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig > /dev/null 2>&1"
  - /bin/ln: ln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig
- /bin/sh: /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig > /dev/null 2>&1"
  - /bin/ln: ln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig
- /bin/sh: /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig > /dev/null 2>&1"
  - /bin/ln: ln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig
- /bin/sh: /bin/sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig > /dev/null 2>&1"
  - /bin/ln: ln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig
- /bin/sh: /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs > /dev/null 2>&1"
  - /bin/ln: ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs
- /bin/sh: /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs > /dev/null 2>&1"
  - /bin/ln: ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs
- /bin/sh: /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs > /dev/null 2>&1"
  - /bin/ln: ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs
- /bin/sh: /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs > /dev/null 2>&1"
  - /bin/ln: ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs
- /bin/sh: /bin/sh -c "systemctl enable dnsconfigs.service > /dev/null 2>&1"
  - /bin/systemctl: systemctl enable dnsconfigs.service
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
- /bin/sh: /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs > /dev/null 2>&1"
  - /bin/ln: ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs
- /bin/sh: /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs > /dev/null 2>&1"
  - /bin/ln: ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs
- /bin/sh: /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs > /dev/null 2>&1"
  - /bin/ln: ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs
- /bin/sh: /bin/sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs > /dev/null 2>&1"
  - /bin/ln: ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs
- /bin/sh: /bin/sh -c "systemctl start dnsconfigs.service > /dev/null 2>&1"
  - /bin/systemctl: systemctl start dnsconfigs.service
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- /etc/init.d/dnsconfig
  Filesize: 1KB
  MD5: df56ea52b8cee93884f3872d25a85db0
  SHA1: 2fd0c7407ed67253a807d1d01c6ffd3467edaf8e
  SHA256: a402d683e16519793b06f663163d750b4e82922cf3b18af5a655de41328b9bf5
  SHA512: e390943755721ba7f0210439f0fc8e5e3daaf98ba1df923464aa547c5a7c6f941240658c8fa59270d6f73539fd8b0a04d7bdc9c407f13d9301588d5cf9aa68da
- /etc/systemd/system/dnsconfigs.service
  Filesize: 174B
  MD5: 900f683b08977636b092fcbfa1ad8a42
  SHA1: 6d521f5c3e862f1106d9ac6a3a654e57e6814333
  SHA256: 71d21310d1c7dbb935f3b61311403b0ec0fa32dc73f91720365416a646c2dfb3
  SHA512: 50b5426500d8b5dccb7fd71fe9a448ae1c76770890ba86c37e7decbf2ca1f0e1cd20c50996260f37114ba2bdb16ae927e4afad241a51e3d22112ada8e25604b0
- /tmp/server_session.lock
  Filesize: 4B
  MD5: 8b697894953f807b29db45e3610c5afd
  SHA1: c31141dc24164ef98ef3a252e0da62df482199b3
  SHA256: e96f1336fa739b01c04504dea39125dc8d4a7e7d23d8ff24ce5b050c7477ae9e
  SHA512: 6e4649d48128f9dc5bc6b0f5c9beed62c84fe3476dcc09583b8a4bb1bf0a34a495c4b2342a16409d7cfb0897e93d59f4c34bd6da0e5c27d390dcc536725b998f
- /var/spool/cron/crontabs/tmp.46uPWw
  Filesize: 230B
  MD5: 5488db4699c29139923e9972175137d6
  SHA1: abc33d37b242aeaa569211b80a464c7a98abb508
  SHA256: 7ecb0e72afdafa0a95419220fb76690e70ac83908190514dfcc6c292d202a4c0
  SHA512: a40a1f34e8c9b2399fb6b318b540e549b120ec019ed0dc894ee4d0a04a1c9c9831bd67208803d5327a241ef6ef99d2aeaa3704a3bdaba99d6903a43b7ca3d4cf
- /var/tmp/.recoverys
  Filesize: 37B
  MD5: abe9a0e06459d029e0f5183965dbbf3b
  SHA1: 7e79e16ea12fed960bcee8eb5a9c6384fa61a2d1
  SHA256: b2cfe7490d6dd2f81ede3ed9db30c78637f4a1e98ed746eaa00998e95d3de384
  SHA512: 955aece23c24e5b1ce32a90fa014a8a6fac39b68707a13f56cd1bfb07c79dfc59806942732990aaf925db5724f381827e2c35eba21fe95ce9a760760527048cd
- /var/tmp/nginx_kel
  Filesize: 249KB
  MD5: 038814ff17c4e2f6e286dc858e3c3e38
  SHA1: 57b63f3ed966b91f2dbc107e87d81201c329671b
  SHA256: 3bd5be1f538f8cc195dbffd77d01e0c2509c56139a307b72d72d5bdbe2245584
  SHA512: 5225c9dd4adcaab0547e267c5f207cc89a007268a6c2fe2c3be84d94d08ca92340c3552ac4d59109721224c480cee7a4995a94d1dbe9f3a2e498cef0b1e90e87
- memory/655-1-0x00008000-0x00089af4-memory.dmp