Analysis
-
max time kernel
72s -
max time network
72s -
platform
debian-12_mipsel -
resource
debian12-mipsel-20240221-en -
resource tags
arch:mipselimage:debian12-mipsel-20240221-enkernel:6.1.0-17-4kc-maltalocale:en-usos:debian-12-mipselsystem -
submitted
16-04-2024 09:41
Static task
static1
Behavioral task
behavioral1
Sample
d5601202dff3017db238145ff21857415f663031aca9b3d534bec8991b12179a
Resource
debian12-mipsel-20240221-en
General
-
Target
d5601202dff3017db238145ff21857415f663031aca9b3d534bec8991b12179a
-
Size
83KB
-
MD5
b8ed2cb3e9fedec5b164ce84ad5a08d0
-
SHA1
b45ef9ad0a29b0a402d1613b10c3f6e95686230c
-
SHA256
d5601202dff3017db238145ff21857415f663031aca9b3d534bec8991b12179a
-
SHA512
98aa6abf6bc6b27ea2833122c468e436c267ef40c5ecbbd6446174d0859920e7b7bbcec617e12d7aa9e89e0492e5dcf4cf49a6208e7252fd0619047818454a31
-
SSDEEP
1536:m3LqE6rUQWzVQR7iAGEcUT5PIi7pLqBNs4LOjcwf4nB6XuzGNy+iSc7tNUZM:mOE6PWo1T5bz4LVMXuzVNScWM
Malware Config
Signatures
-
Changes its process name 1 IoCs
description ioc pid Changes the process name, possibly in an attempt to hide itself telnetd 730 -
Deletes itself 1 IoCs
pid 730 -
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description ioc Process File opened for modification /dev/watchdog d5601202dff3017db238145ff21857415f663031aca9b3d534bec8991b12179a File opened for modification /dev/misc/watchdog d5601202dff3017db238145ff21857415f663031aca9b3d534bec8991b12179a -
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
description ioc File opened for reading /proc/net/tcp -
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.
description ioc Process File opened for reading /proc/net/route d5601202dff3017db238145ff21857415f663031aca9b3d534bec8991b12179a -
Reads system network configuration 1 TTPs 3 IoCs
Uses contents of /proc filesystem to enumerate network settings.
description ioc Process File opened for reading /proc/net/tcp Process not Found File opened for reading /proc/net/tcp6 Process not Found File opened for reading /proc/net/route d5601202dff3017db238145ff21857415f663031aca9b3d534bec8991b12179a -
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
description ioc File opened for reading /proc/384/fd File opened for reading /proc/7/cmdline File opened for reading /proc/26/cmdline File opened for reading /proc/9/cmdline File opened for reading /proc/8/cmdline File opened for reading /proc/719/fd File opened for reading /proc/383/fd File opened for reading /proc/111/cmdline File opened for reading /proc/27/cmdline File opened for reading /proc/20/cmdline File opened for reading /proc/710/fd File opened for reading /proc/137/cmdline File opened for reading /proc/15/cmdline File opened for reading /proc/11/cmdline File opened for reading /proc/2/cmdline File opened for reading /proc/344/fd File opened for reading /proc/208/cmdline File opened for reading /proc/17/cmdline File opened for reading /proc/719/cmdline File opened for reading /proc/118/cmdline File opened for reading /proc/45/cmdline File opened for reading /proc/3/cmdline File opened for reading /proc/711/cmdline File opened for reading /proc/691/cmdline File opened for reading /proc/37/cmdline File opened for reading /proc/13/cmdline File opened for reading /proc/31/cmdline File opened for reading /proc/29/cmdline File opened for reading /proc/136/cmdline File opened for reading /proc/732/fd File opened for reading /proc/730/fd File opened for reading /proc/333/fd File opened for reading /proc/333/cmdline File opened for reading /proc/28/cmdline File opened for reading /proc/14/cmdline File opened for reading /proc/53/cmdline File opened for reading /proc/42/cmdline File opened for reading /proc/402/fd File opened for reading /proc/383/cmdline File opened for reading /proc/35/cmdline File opened for reading /proc/22/cmdline File opened for reading /proc/114/cmdline File opened for reading /proc/679/fd File opened for reading /proc/673/fd File opened for reading /proc/694/cmdline File opened for reading /proc/34/cmdline File opened for reading /proc/732/cmdline File opened for reading /proc/671/cmdline File opened for reading /proc/671/fd File opened for reading /proc/208/fd File opened for reading /proc/33/cmdline File opened for reading /proc/722/fd File opened for reading /proc/713/cmdline File opened for reading /proc/402/cmdline File opened for reading /proc/16/cmdline File opened for reading /proc/730/cmdline File opened for reading /proc/714/cmdline File opened for reading /proc/413/cmdline File opened for reading /proc/5/cmdline File opened for reading /proc/113/cmdline File opened for reading /proc/1/cmdline File opened for reading /proc/722/cmdline File opened for reading /proc/713/fd File opened for reading /proc/396/fd -
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
description ioc File opened for modification /tmp/fifo
Processes
-
/tmp/d5601202dff3017db238145ff21857415f663031aca9b3d534bec8991b12179a/tmp/d5601202dff3017db238145ff21857415f663031aca9b3d534bec8991b12179a1⤵
- Modifies Watchdog functionality
- Reads system routing table
- Reads system network configuration
PID:725
-
/bin/shsh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"1⤵PID:738
-
/bin/shsh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"1⤵PID:741
-
/bin/shsh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"1⤵PID:743
-
/bin/shsh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"1⤵PID:745
-
/bin/shsh -c "iptables -D INPUT -j CWMP_CR"1⤵PID:748
-
/bin/shsh -c "iptables -X CWMP_CR"1⤵PID:749
-
/bin/shsh -c "iptables -I INPUT -p udp --dport 54832 -j ACCEPT"1⤵PID:750