Analysis
- max time kernel: 8s
- max time network: 150s
- platform: debian-9_mips
- resource: debian9-mipsbe-20240226-en
- resource tags: arch:mips, image:debian9-mipsbe-20240226-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
- submitted: 24-04-2024 13:12
Behavioral task
- behavioral1
  Sample: 7cabc7d9ac4490fb547415bdf7269c33.elf
  Resource: debian9-mipsbe-20240226-en
General
- Target: 7cabc7d9ac4490fb547415bdf7269c33.elf
- Size: 590KB
- MD5: 7cabc7d9ac4490fb547415bdf7269c33
- SHA1: ac72e44f7e7a30727d356b3c5e00317d09ad94e9
- SHA256: ed6964fb655c02b74298d9b1a979921abb3dfd42565084053593123af9259f79
- SHA512: 4e5b86721e06d57e465c2b5353c9427c600f4896b1b073ab889f1f5c36574ed3326c7d2038585106fd4226db33e5f7d252c921a7e5646d70a1e30d5bec0e56e5
- SSDEEP: 6144:PnRWqReH3BRzqfMC5fuUQh8+Qk8jVJntQf2Avz156Vmw3lgUekJGmOa2j1DluC9s:5UJz9emvo70Tlu0qXK0
Malware Config
Signatures
- Modifies Watchdog functionality (1 TTPs, 1 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  Processes: 7cabc7d9ac4490fb547415bdf7269c33.elf
  File opened for modification: /dev/watchdog (process: 7cabc7d9ac4490fb547415bdf7269c33.elf)
- Unexpected DNS network traffic destination (11 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Destination IP: 54.36.111.116
  Destination IP: 1.0.0.1
  Destination IP: 192.3.165.37
  Destination IP: 114.114.114.114
  Destination IP: 1.0.0.1
  Destination IP: 114.114.114.114
  Destination IP: 134.195.4.2
  Destination IP: 1.0.0.1
  Destination IP: 168.138.12.137
  Destination IP: 192.3.165.37
  Destination IP: 94.247.43.254
- Creates/modifies Cron job (1 TTPs, 1 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  Processes: crontab
  File opened for modification: /var/spool/cron/crontabs/tmp.pHhP7w (process: crontab)
- Modifies init.d
  Processes: 7cabc7d9ac4490fb547415bdf7269c33.elf
  File opened for modification: /etc/init.d/dnsconfig (process: 7cabc7d9ac4490fb547415bdf7269c33.elf)
- Modifies systemd (1 TTPs, 1 IoCs)
  Adds/modifies systemd service files. Likely to achieve persistence.
  Processes: 7cabc7d9ac4490fb547415bdf7269c33.elf
  File opened for modification: /etc/systemd/system/dnsconfigs.service (process: 7cabc7d9ac4490fb547415bdf7269c33.elf)
- Writes file to system bin folder (1 TTPs, 2 IoCs)
  Processes: 7cabc7d9ac4490fb547415bdf7269c33.elf
  File opened for modification: /sbin/watchdog (process: 7cabc7d9ac4490fb547415bdf7269c33.elf)
  File opened for modification: /bin/watchdog (process: 7cabc7d9ac4490fb547415bdf7269c33.elf)
- Enumerates kernel/hardware configuration (1 TTPs, 3 IoCs)
  Reads contents of /sys virtual filesystem to enumerate system information.
  Processes: systemctl, systemctl, systemctl
  File opened for reading: /sys/fs/kdbus/0-system/bus (process: systemctl)
  File opened for reading: /sys/fs/kdbus/0-system/bus (process: systemctl)
  File opened for reading: /sys/fs/kdbus/0-system/bus (process: systemctl)
- Reads runtime system information (17 IoCs)
  Reads data from /proc virtual filesystem.
  Processes: systemctl, systemctl, mount, 7cabc7d9ac4490fb547415bdf7269c33.elf, mount, systemctl, cp, crontab
  File opened for reading: /proc/1/environ (process: systemctl)
  File opened for reading: /proc/filesystems (process: systemctl)
  File opened for reading: /proc/self/stat (process: systemctl)
  File opened for reading: /proc/filesystems (process: mount)
  File opened for reading: /proc/filesystems (process: systemctl)
  File opened for reading: /proc/self/stat (process: systemctl)
  File opened for reading: /proc/712/cmdline (process: 7cabc7d9ac4490fb547415bdf7269c33.elf)
  File opened for reading: /proc/cmdline (process: systemctl)
  File opened for reading: /proc/cmdline (process: systemctl)
  File opened for reading: /proc/filesystems (process: mount)
  File opened for reading: /proc/filesystems (process: systemctl)
  File opened for reading: /proc/1/environ (process: systemctl)
  File opened for reading: /proc/1/environ (process: systemctl)
  File opened for reading: /proc/cmdline (process: systemctl)
  File opened for reading: /proc/filesystems (process: cp)
  File opened for reading: /proc/filesystems (process: crontab)
  File opened for reading: /proc/self/stat (process: systemctl)
- Writes file to tmp directory (13 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes: 7cabc7d9ac4490fb547415bdf7269c33.elf
  File opened for modification: /tmp/139.199.214.202 (process: 7cabc7d9ac4490fb547415bdf7269c33.elf)
  File opened for modification: /tmp/114.118.7.163 (process: 7cabc7d9ac4490fb547415bdf7269c33.elf)
  File opened for modification: /tmp/129.6.15.28 (process: 7cabc7d9ac4490fb547415bdf7269c33.elf)
  File opened for modification: /tmp/110.75.0.81 (process: 7cabc7d9ac4490fb547415bdf7269c33.elf)
  File opened for modification: /tmp/119.29.0.254 (process: 7cabc7d9ac4490fb547415bdf7269c33.elf)
  File opened for modification: /tmp/132.163.96.12 (process: 7cabc7d9ac4490fb547415bdf7269c33.elf)
  File opened for modification: /tmp/131.188.3.221 (process: 7cabc7d9ac4490fb547415bdf7269c33.elf)
  File opened for modification: /tmp/114.118.7.161 (process: 7cabc7d9ac4490fb547415bdf7269c33.elf)
  File opened for modification: /tmp/202.112.29.82 (process: 7cabc7d9ac4490fb547415bdf7269c33.elf)
  File opened for modification: /tmp/182.92.12.11 (process: 7cabc7d9ac4490fb547415bdf7269c33.elf)
  File opened for modification: /tmp/132.163.97.1 (process: 7cabc7d9ac4490fb547415bdf7269c33.elf)
  File opened for modification: /tmp/<filename consisting of non-printable bytes; not recoverable from the report> (process: 7cabc7d9ac4490fb547415bdf7269c33.elf)
  File opened for modification: /tmp/server_session.lock (process: 7cabc7d9ac4490fb547415bdf7269c33.elf)
Processes
- /tmp/7cabc7d9ac4490fb547415bdf7269c33.elf
  Command line: /tmp/7cabc7d9ac4490fb547415bdf7269c33.elf
  Signatures: Modifies Watchdog functionality; Modifies init.d; Modifies systemd; Writes file to system bin folder; Reads runtime system information; Writes file to tmp directory
  - /bin/sh
    Command line: sh -c "mount -o bind /tmp/nginx_server /proc/712/ > /dev/null 2>&1"
    - /bin/mount
      Command line: mount -o bind /tmp/nginx_server /proc/712/
      Signatures: Reads runtime system information
  - /bin/cp
    Command line: cp -f /tmp/7cabc7d9ac4490fb547415bdf7269c33.elf /var/tmp/nginx_kel
    Signatures: Reads runtime system information
  - /bin/sh
    Command line: sh -c "crontab /var/tmp/.recoverys"
    - /usr/bin/crontab
      Command line: crontab /var/tmp/.recoverys
      Signatures: Creates/modifies Cron job; Reads runtime system information
  - /bin/sh
    Command line: sh -c "ln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig > /dev/null 2>&1"
    - /bin/ln
      Command line: ln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig
  - /bin/sh
    Command line: sh -c "mount -o bind /tmp/nginx_server /proc/722/ > /dev/null 2>&1"
    - /bin/mount
      Command line: mount -o bind /tmp/nginx_server /proc/722/
      Signatures: Reads runtime system information
  - /bin/sh
    Command line: sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig > /dev/null 2>&1"
    - /bin/ln
      Command line: ln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig
  - /bin/sh
    Command line: sh -c "systemctl daemon-reload > /dev/null 2>&1"
    - /bin/systemctl
      Command line: systemctl daemon-reload
      Signatures: Enumerates kernel/hardware configuration; Reads runtime system information
  - /bin/sh
    Command line: sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig > /dev/null 2>&1"
    - /bin/ln
      Command line: ln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig
  - /bin/sh
    Command line: sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig > /dev/null 2>&1"
    - /bin/ln
      Command line: ln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig
  - /bin/sh
    Command line: sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig > /dev/null 2>&1"
    - /bin/ln
      Command line: ln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig
  - /bin/sh
    Command line: sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig > /dev/null 2>&1"
    - /bin/ln
      Command line: ln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig
  - /bin/sh
    Command line: sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig > /dev/null 2>&1"
    - /bin/ln
      Command line: ln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig
  - /bin/sh
    Command line: sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig > /dev/null 2>&1"
    - /bin/ln
      Command line: ln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig
  - /bin/sh
    Command line: sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig > /dev/null 2>&1"
    - /bin/ln
      Command line: ln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig
  - /bin/sh
    Command line: sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs > /dev/null 2>&1"
    - /bin/ln
      Command line: ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs
  - /bin/sh
    Command line: sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs > /dev/null 2>&1"
    - /bin/ln
      Command line: ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs
  - /bin/sh
    Command line: sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs > /dev/null 2>&1"
    - /bin/ln
      Command line: ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs
  - /bin/sh
    Command line: sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs > /dev/null 2>&1"
    - /bin/ln
      Command line: ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs
  - /bin/sh
    Command line: sh -c "systemctl enable dnsconfigs.service > /dev/null 2>&1"
    - /bin/systemctl
      Command line: systemctl enable dnsconfigs.service
      Signatures: Enumerates kernel/hardware configuration; Reads runtime system information
  - /bin/sh
    Command line: sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs > /dev/null 2>&1"
    - /bin/ln
      Command line: ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs
  - /bin/sh
    Command line: sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs > /dev/null 2>&1"
    - /bin/ln
      Command line: ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs
  - /bin/sh
    Command line: sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs > /dev/null 2>&1"
    - /bin/ln
      Command line: ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs
  - /bin/sh
    Command line: sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs > /dev/null 2>&1"
    - /bin/ln
      Command line: ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs
  - /bin/sh
    Command line: sh -c "systemctl start dnsconfigs.service > /dev/null 2>&1"
    - /bin/systemctl
      Command line: systemctl start dnsconfigs.service
      Signatures: Enumerates kernel/hardware configuration; Reads runtime system information
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- /etc/init.d/dnsconfig
  Filesize: 1KB
  MD5: df56ea52b8cee93884f3872d25a85db0
  SHA1: 2fd0c7407ed67253a807d1d01c6ffd3467edaf8e
  SHA256: a402d683e16519793b06f663163d750b4e82922cf3b18af5a655de41328b9bf5
  SHA512: e390943755721ba7f0210439f0fc8e5e3daaf98ba1df923464aa547c5a7c6f941240658c8fa59270d6f73539fd8b0a04d7bdc9c407f13d9301588d5cf9aa68da
- /etc/systemd/system/dnsconfigs.service
  Filesize: 174B
  MD5: 900f683b08977636b092fcbfa1ad8a42
  SHA1: 6d521f5c3e862f1106d9ac6a3a654e57e6814333
  SHA256: 71d21310d1c7dbb935f3b61311403b0ec0fa32dc73f91720365416a646c2dfb3
  SHA512: 50b5426500d8b5dccb7fd71fe9a448ae1c76770890ba86c37e7decbf2ca1f0e1cd20c50996260f37114ba2bdb16ae927e4afad241a51e3d22112ada8e25604b0
- /tmp/server_session.lock
  Filesize: 4B
  MD5: 2478f20c456da0cfb55d38fe1989b203
  SHA1: 427174f6577a2ef4b540be792e9af99aeec07863
  SHA256: 7830562f506f5e20da1c22e36655349fcb46ecf0bfffbd20c486103cea53512f
  SHA512: d9ed43ba53bb91197c883cdb6c088f86add50d3191b15fd9a0b9b1ad1767d533cece421a6b603dfb6263808082824f926326f1b22de463b1a7231ebcb86e67ea
- /var/spool/cron/crontabs/tmp.pHhP7w
  Filesize: 230B
  MD5: bdb852c8e70df6cb456b00a3550bc5fa
  SHA1: 325f70bb55e376ead783fc23e5fada8ddbe6f4b9
  SHA256: 8171882c8f4e976f4111a1536d274c08e97e565e6e5cfe4a7e6011ca36c4f231
  SHA512: edee2eeac26ee84d4e73b924eb165e2f16befeae34a5e53fc3aac66b434b3fded3887fc61561f7042f036971b710cbfb40949da8972a7ee3c47c1baa58e0e9a7
- /var/tmp/.recoverys
  Filesize: 37B
  MD5: abe9a0e06459d029e0f5183965dbbf3b
  SHA1: 7e79e16ea12fed960bcee8eb5a9c6384fa61a2d1
  SHA256: b2cfe7490d6dd2f81ede3ed9db30c78637f4a1e98ed746eaa00998e95d3de384
  SHA512: 955aece23c24e5b1ce32a90fa014a8a6fac39b68707a13f56cd1bfb07c79dfc59806942732990aaf925db5724f381827e2c35eba21fe95ce9a760760527048cd
- /var/tmp/nginx_kel
  Filesize: 590KB
  MD5: 7cabc7d9ac4490fb547415bdf7269c33
  SHA1: ac72e44f7e7a30727d356b3c5e00317d09ad94e9
  SHA256: ed6964fb655c02b74298d9b1a979921abb3dfd42565084053593123af9259f79
  SHA512: 4e5b86721e06d57e465c2b5353c9427c600f4896b1b073ab889f1f5c36574ed3326c7d2038585106fd4226db33e5f7d252c921a7e5646d70a1e30d5bec0e56e5