Analysis
- Max time kernel: 16s
- Max time network: 150s
- Platform: debian-9_armhf
- Resource: debian9-armhf-20240226-en
- Resource tags: arch:armhf, image:debian9-armhf-20240226-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- Submitted: 25-04-2024 01:31
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf
  - Resource: debian9-armhf-20240226-en
General
- Target: 5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf
- Size: 244KB
- MD5: cef396530992f79dea5d6d8209fc8ee7
- SHA1: cdaa0b93d9299a00b90edb4b617a9f89c3aa322f
- SHA256: 5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1
- SHA512: 8c7ffcd35b5db373bae1ce7621c97508082aeea2ed1061a167c509d4ca13f1c9e8a30d630e550ffa48ae82c1d0742af62243cd0e93d413f21b69dffd1558fafd
- SSDEEP: 6144:cvZy8EpPYGg9XlNAI61A6OMLf+ZBse1kZcR6:Brg9Xlh6S+8se1x6
Malware Config
- Extracted family: mirai
- Botnet: LZRD
Signatures
- Modifies Watchdog functionality (1 TTP, 1 IoC)
  Malware like Mirai opens the hardware watchdog device and modifies it so the watchdog cannot restart an infected device.
  Process: 5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf
  File opened for modification: /dev/watchdog
- Unexpected DNS network traffic destination (11 IoCs)
  Traffic on the DNS port (53) was sent to servers other than the sandbox's configured DNS servers.
  Destination IPs, with hit counts: 192.3.165.37 (3), 114.114.114.114 (2), 94.247.43.254 (2), 134.195.4.2 (2), 168.138.12.137 (1), 1.0.0.1 (1)
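The detection logic behind this signature, written here by the editor as an added example rather than code from the sandbox or the sample: take the host's configured resolvers from resolv.conf, then count every flow on the DNS port whose destination is something else. The resolv.conf text and the flow records are constructed to resemble the destination list above (the sandbox's real resolver setting is not in the report), and the list of public resolvers is a partial set chosen as an assumption. Bot command-and-control traffic is sometimes placed on port 53 because outbound DNS is rarely filtered, so the example separates recurring unknown destinations from traffic to well-known public resolvers, which is still off-policy but a weaker signal.

```python
"""Count DNS-port flows whose destination is not a configured resolver.

Added example by the editor, not code from the sandbox or the sample. The
resolv.conf text and the flow records are constructed.
"""
import ipaddress
from collections import Counter

# Constructed resolv.conf; the sandbox's real resolver setting is not in the report.
RESOLV_CONF = """\
# Generated by NetworkManager
search lan
nameserver 1.0.0.1
nameserver 1.1.1.1
"""

# Partial list of public resolvers (assumption). Traffic to these is still
# unexpected for a host with its own resolvers, but less telling than a
# recurring unknown destination.
PUBLIC_RESOLVERS = {"1.0.0.1", "1.1.1.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "114.114.114.114"}

# Constructed flow records (src, dst, proto, dst_port), modelled on the report's
# destination list; not taken from the report's capture.
FLOWS = [
    ("10.0.0.5", "1.0.0.1", "udp", 53),
    ("10.0.0.5", "114.114.114.114", "udp", 53),
    ("10.0.0.5", "94.247.43.254", "udp", 53),
    ("10.0.0.5", "134.195.4.2", "udp", 53),
    ("10.0.0.5", "192.3.165.37", "udp", 53),
    ("10.0.0.5", "114.114.114.114", "udp", 53),
    ("10.0.0.5", "94.247.43.254", "udp", 53),
    ("10.0.0.5", "168.138.12.137", "tcp", 53),
    ("10.0.0.5", "134.195.4.2", "udp", 53),
    ("10.0.0.5", "192.3.165.37", "udp", 53),
    ("10.0.0.5", "192.3.165.37", "tcp", 53),
    ("10.0.0.5", "93.184.216.34", "tcp", 443),   # ordinary HTTPS, must not be flagged
]


def parse_resolv_conf(text):
    """Return the set of syntactically valid nameserver IPs in resolv.conf content."""
    servers = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.add(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                pass  # skip a malformed entry instead of aborting the scan
    return servers


def unexpected_dns_destinations(flows, resolvers, port=53):
    """Count UDP/TCP flows to `port` whose destination is not a configured resolver."""
    hits = Counter()
    for _src, dst, proto, dport in flows:
        if dport == port and proto in ("udp", "tcp") and dst not in resolvers:
            hits[dst] += 1
    return dict(hits)


def prioritise(hits, public_resolvers=PUBLIC_RESOLVERS):
    """Split hits into (unknown destinations, public resolvers), each sorted by count."""
    unknown = sorted(((d, n) for d, n in hits.items() if d not in public_resolvers),
                     key=lambda item: -item[1])
    public = sorted(((d, n) for d, n in hits.items() if d in public_resolvers),
                    key=lambda item: -item[1])
    return unknown, public


if __name__ == "__main__":
    resolvers = parse_resolv_conf(RESOLV_CONF)
    unknown, public = prioritise(unexpected_dns_destinations(FLOWS, resolvers))
    for dst, n in unknown:
        print("UNKNOWN  %-16s %d flow(s) on port 53" % (dst, n))
    for dst, n in public:
        print("public   %-16s %d flow(s) on port 53" % (dst, n))
```

On a real host, feed the function from conntrack, Zeek conn logs or NetFlow rather than a static list, and note that a resolver learned via DHCP can change between captures, so compare against the resolv.conf that was in force when the flows were recorded.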
- Creates/modifies Cron job (1 TTP, 1 IoC)
  Cron runs tasks on a schedule and is commonly used for malware persistence.
  Process: crontab
  File opened for modification: /var/spool/cron/crontabs/tmp.Jd023h
- Modifies init.d
  Writes a SysV init script; the rc*.d symlinks in the process tree point at it.
  Process: 5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf
  File opened for modification: /etc/init.d/dnsconfig
- Modifies systemd (1 TTP, 1 IoC)
  Adds or modifies systemd service files, likely to achieve persistence.
  Process: 5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf
  File opened for modification: /etc/systemd/system/dnsconfigs.service
- Writes file to system bin folder (1 TTP, 2 IoCs)
  Process: 5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf
  File opened for modification: /sbin/watchdog
  File opened for modification: /bin/watchdog
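The report shows /dev/watchdog, /sbin/watchdog and /bin/watchdog being opened for writing but not what was written, so the question on a live Debian host is whether anything under /bin or /sbin was planted or replaced. The quickest offline check is against dpkg's own manifests, and the following is an added example by the editor of that check, not code from the report, the sandbox or the sample: it lists files in /bin and /sbin that no installed package owns, and package-owned files whose MD5 no longer matches /var/lib/dpkg/info/<pkg>.md5sums. The package lists, manifests and file contents are constructed stand-ins; the dropped /sbin/watchdog and the altered /bin/mount are assumptions for illustration, not findings from the report.

```python
"""Integrity check of /bin and /sbin against dpkg manifests: files that no
package owns, and package-owned files whose MD5 differs from the manifest.

Added example by the editor, not code from the report, the sandbox or the
sample. Manifests, listing and contents are constructed; on a real host read
/var/lib/dpkg/info/*.list and *.md5sums and hash the files on disk.
"""
import hashlib
import posixpath

# Constructed <pkg>.list contents (absolute paths, directories included).
PKG_LISTS = {
    "coreutils": ["/bin", "/bin/cat", "/bin/ls", "/usr/bin/md5sum"],
    "mount": ["/bin", "/bin/mount", "/sbin", "/sbin/swapon"],
}

# Constructed pristine contents standing in for the real ELF binaries.
PRISTINE = {
    "/bin/cat": b"\x7fELF cat",
    "/bin/ls": b"\x7fELF ls",
    "/bin/mount": b"\x7fELF mount",
    "/sbin/swapon": b"\x7fELF swapon",
}

# Constructed <pkg>.md5sums contents, in dpkg's format:
# "<md5 hex>  <path without the leading slash>".
PKG_MD5SUMS = {
    pkg: "".join(
        "%s  %s\n" % (hashlib.md5(PRISTINE[p]).hexdigest(), p.lstrip("/"))
        for p in paths if p in PRISTINE
    )
    for pkg, paths in PKG_LISTS.items()
}

# Constructed post-infection view of the disk (assumption for illustration):
# a new, unowned /sbin/watchdog and an altered, package-owned /bin/mount.
DISK = dict(PRISTINE)
DISK["/sbin/watchdog"] = b"#!/bin/sh\nexit 0\n"
DISK["/bin/mount"] = b"\x7fELF mount (altered)"


def parse_md5sums(text):
    """Parse one .md5sums manifest into {absolute_path: md5_hex}."""
    expected = {}
    for line in text.splitlines():
        parts = line.split("  ", 1)
        if len(parts) == 2 and len(parts[0]) == 32:
            expected["/" + parts[1]] = parts[0]
    return expected


def audit_bin_dirs(disk, pkg_lists, pkg_md5sums, dirs=("/bin", "/sbin")):
    """Return {"unowned": [...], "modified": [...]} for files directly under dirs.

    disk maps absolute path -> file bytes; pkg_lists maps package -> .list
    paths; pkg_md5sums maps package -> .md5sums text.
    """
    owned = {p for paths in pkg_lists.values() for p in paths}
    expected = {}
    for text in pkg_md5sums.values():
        expected.update(parse_md5sums(text))
    unowned, modified = [], []
    for path in sorted(disk):
        if posixpath.dirname(path) not in dirs:
            continue
        if path not in owned:
            unowned.append(path)      # dpkg knows nothing about this file
        elif path in expected and hashlib.md5(disk[path]).hexdigest() != expected[path]:
            modified.append(path)     # owned, but content differs from the manifest
    return {"unowned": unowned, "modified": modified}


if __name__ == "__main__":
    print(audit_bin_dirs(DISK, PKG_LISTS, PKG_MD5SUMS))
```

Two caveats apply on a real host. The .list and .md5sums files sit on the same writable root filesystem as the binaries, so a root-level implant can edit them too; treat a clean result as necessary, not sufficient, and confirm against a trusted source such as the original .deb (debsums -g does the same comparison from the packages). On merged-/usr installs /bin and /sbin are symlinks into /usr, so the directory list must be adjusted to the real paths.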
- Enumerates kernel/hardware configuration (1 TTP, 3 IoCs)
  Reads contents of the /sys virtual filesystem to enumerate system information. All three hits come from the systemctl children the sample launches, not from the sample binary itself.
  Process: systemctl (three invocations)
  File opened for reading: /sys/fs/kdbus/0-system/bus (once per invocation)
- Reads runtime system information (18 IoCs)
  Reads data from the /proc virtual filesystem.
  Process systemctl: /proc/1/environ (3), /proc/self/stat (3), /proc/cmdline (3), /proc/filesystems (3)
  Process 5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf: /proc/645/cmdline, /proc/self/exe (PID 645 is the sample's own process; compare the memory dump name and the bind mount over /proc/645/ in the process tree)
  Process crontab: /proc/filesystems
  Process mount: /proc/filesystems (2)
  Process cp: /proc/filesystems
- Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory.
  Process: 5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf
  File opened for modification: /tmp/server_session.lock
Processes
Process tree (indentation shows parent and child; each line is image path, then command line):
/tmp/5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf: /tmp/5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf
  - Modifies Watchdog functionality
  - Modifies init.d
  - Modifies systemd
  - Writes file to system bin folder
  - Reads runtime system information
  - Writes file to tmp directory
  /bin/sh: sh -c "mount -o bind /tmp/nginx_server /proc/645/ > /dev/null 2>&1"
    /bin/mount: mount -o bind /tmp/nginx_server /proc/645/
      - Reads runtime system information
  /bin/cp: cp -f /tmp/5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1.elf /var/tmp/nginx_kel
    - Reads runtime system information
  /bin/sh: sh -c "ln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig > /dev/null 2>&1"
    /bin/ln: ln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig
  /bin/sh: sh -c "crontab /var/tmp/.recoverys"
    /usr/bin/crontab: crontab /var/tmp/.recoverys
      - Creates/modifies Cron job
      - Reads runtime system information
  /bin/sh: sh -c "mount -o bind /tmp/nginx_server /proc/656/ > /dev/null 2>&1"
    /bin/mount: mount -o bind /tmp/nginx_server /proc/656/
      - Reads runtime system information
  /bin/sh: sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig > /dev/null 2>&1"
    /bin/ln: ln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig
  /bin/sh: sh -c "systemctl daemon-reload > /dev/null 2>&1"
    /bin/systemctl: systemctl daemon-reload
      - Enumerates kernel/hardware configuration
      - Reads runtime system information
  /bin/sh: sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig > /dev/null 2>&1"
    /bin/ln: ln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig
  /bin/sh: sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig > /dev/null 2>&1"
    /bin/ln: ln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig
  /bin/sh: sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig > /dev/null 2>&1"
    /bin/ln: ln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig
  /bin/sh: sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig > /dev/null 2>&1"
    /bin/ln: ln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig
  /bin/sh: sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig > /dev/null 2>&1"
    /bin/ln: ln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig
  /bin/sh: sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig > /dev/null 2>&1"
    /bin/ln: ln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig
  /bin/sh: sh -c "ln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig > /dev/null 2>&1"
    /bin/ln: ln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig
  /bin/sh: sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs > /dev/null 2>&1"
    /bin/ln: ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs
  /bin/sh: sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs > /dev/null 2>&1"
    /bin/ln: ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs
  /bin/sh: sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs > /dev/null 2>&1"
    /bin/ln: ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs
  /bin/sh: sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs > /dev/null 2>&1"
    /bin/ln: ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs
  /bin/sh: sh -c "systemctl enable dnsconfigs.service > /dev/null 2>&1"
    /bin/systemctl: systemctl enable dnsconfigs.service
      - Enumerates kernel/hardware configuration
      - Reads runtime system information
  /bin/sh: sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs > /dev/null 2>&1"
    /bin/ln: ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs
  /bin/sh: sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs > /dev/null 2>&1"
    /bin/ln: ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs
  /bin/sh: sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs > /dev/null 2>&1"
    /bin/ln: ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs
  /bin/sh: sh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs > /dev/null 2>&1"
    /bin/ln: ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs
  /bin/sh: sh -c "systemctl start dnsconfigs.service > /dev/null 2>&1"
    /bin/systemctl: systemctl start dnsconfigs.service
      - Enumerates kernel/hardware configuration
      - Reads runtime system information
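Read top to bottom, the process tree is one persistence and hiding procedure: copy the binary to /var/tmp/nginx_kel, bind-mount /tmp/nginx_server over /proc/645/ and /proc/656/ so those process entries are replaced by the directory's contents and ps, top and /proc walkers skip them, drop /etc/init.d/dnsconfig and spray S99 symlinks into every rc directory, register and start the dnsconfigs.service unit, and install a crontab from /var/tmp/.recoverys. Two details worth noting: Debian has no /etc/rc.d directory, so the links aimed there fail (which the > /dev/null 2>&1 hides), and the report lists no dropped file at /etc/rc.d/init.d/dnsconfigs, so the rcN.d/S99dnsconfigs links are dangling on this platform; the sample is covering Red Hat and Debian layouts at once. What follows is an added example by the editor, not code from the report, the sandbox or the sample, of a host check for each of those traces. The mountinfo excerpt and the rc-link walk are constructed to mirror the tree above, and the crontab content is an assumption, since the report gives only the size and hashes of /var/tmp/.recoverys.

```python
"""Host checks for the traces left by the process tree above: a directory
bind-mounted over /proc/<pid>, S99 symlinks sprayed into rc*.d, and a
crontab entry that launches from a temp directory.

Added example by the editor, not code from the report, the sandbox or the
sample. The mountinfo excerpt and rc-link walk are constructed; the crontab
line is an assumption.
"""
import re

# Constructed /proc/self/mountinfo excerpt. Fields before " - " are: id,
# parent id, major:minor, root (path inside the source fs), mount point,
# options. A bind mount keeps the fstype of its source (ext4 here), so the
# tell is a mount point landing on /proc/<pid>, not the fstype.
MOUNTINFO = """\
21 25 0:19 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
25 0 8:1 / / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
120 21 8:1 /tmp/nginx_server /proc/645 rw,relatime - ext4 /dev/sda1 rw
121 21 8:1 /tmp/nginx_server /proc/656 rw,relatime - ext4 /dev/sda1 rw
"""

# Constructed walk of /etc/rc*.d: (link path, link target, target exists).
RC_LINKS = [
    ("/etc/rc2.d/S01rsyslog", "../init.d/rsyslog", True),
    ("/etc/rcS.d/S99dnsconfig", "/etc/init.d/dnsconfig", True),
    ("/etc/rc2.d/S99dnsconfig", "/etc/init.d/dnsconfig", True),
    ("/etc/rc2.d/S99dnsconfigs", "/etc/rc.d/init.d/dnsconfigs", False),
]

# Constructed crontab (assumption; not the real content of /var/tmp/.recoverys).
CRONTAB = "# m h dom mon dow command\n@reboot /var/tmp/nginx_kel >/dev/null 2>&1\n"

PROC_PID_MOUNT = re.compile(r"^/proc/(\d+)/?$")
TEMP_EXEC = re.compile(r"(?:^|[\s=;])(?:/tmp|/var/tmp|/dev/shm)/")


def hidden_pids(mountinfo):
    """Return {pid: source_path} for every mount whose mount point is /proc/<pid>.

    ps and most /proc walkers read /proc/<pid>/stat; once something is
    mounted over /proc/<pid> they see the overlay instead and skip the
    process, which is what the sample does to PIDs 645 and 656.
    """
    found = {}
    for line in mountinfo.splitlines():
        if " - " not in line:
            continue
        fields = line.split(" - ", 1)[0].split()
        if len(fields) < 5:
            continue
        root, mount_point = fields[3], fields[4]
        match = PROC_PID_MOUNT.match(mount_point)
        if match:
            found[int(match.group(1))] = root
    return found


def suspicious_rc_links(links):
    """Flag rc*.d links that dangle or sit in the S9x late-start slot.

    insserv's dependency-based sequencing gives most packaged services lower
    numbers, so S99 deserves a look; a dangling link means a dropper sprayed
    a layout this distro lacks (Debian has no /etc/rc.d/init.d).
    """
    flagged = []
    for link, target, exists in links:
        name = link.rsplit("/", 1)[-1]
        if not exists:
            flagged.append((link, target, "dangling"))
        elif re.match(r"S9\d", name):
            flagged.append((link, target, "late-start"))
    return flagged


def suspicious_cron_lines(text):
    """Return non-comment crontab lines that execute something from a temp directory."""
    return [
        line for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#") and TEMP_EXEC.search(line)
    ]


if __name__ == "__main__":
    print("hidden pids:", hidden_pids(MOUNTINFO))
    print("rc links:", suspicious_rc_links(RC_LINKS))
    print("cron:", suspicious_cron_lines(CRONTAB))
```

On a live host, read /proc/self/mountinfo rather than /proc/mounts for the first check, because only mountinfo carries the root field that names the directory mounted over the PID; the other two checks walk /etc/rc?.d and /etc/rcS.d with os.readlink and read /var/spool/cron/crontabs/* as root. Pair the mount check with a comparison of PIDs visible in /proc against a kernel-side view (for example, the PIDs reported by /proc/net/tcp socket owners or a tool that does not rely on /proc listings), since the bind mount only blinds the /proc view.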
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- /etc/init.d/dnsconfig
  Filesize: 1KB
  MD5: df56ea52b8cee93884f3872d25a85db0
  SHA1: 2fd0c7407ed67253a807d1d01c6ffd3467edaf8e
  SHA256: a402d683e16519793b06f663163d750b4e82922cf3b18af5a655de41328b9bf5
  SHA512: e390943755721ba7f0210439f0fc8e5e3daaf98ba1df923464aa547c5a7c6f941240658c8fa59270d6f73539fd8b0a04d7bdc9c407f13d9301588d5cf9aa68da
- /etc/systemd/system/dnsconfigs.service
  Filesize: 174B
  MD5: 900f683b08977636b092fcbfa1ad8a42
  SHA1: 6d521f5c3e862f1106d9ac6a3a654e57e6814333
  SHA256: 71d21310d1c7dbb935f3b61311403b0ec0fa32dc73f91720365416a646c2dfb3
  SHA512: 50b5426500d8b5dccb7fd71fe9a448ae1c76770890ba86c37e7decbf2ca1f0e1cd20c50996260f37114ba2bdb16ae927e4afad241a51e3d22112ada8e25604b0
- /tmp/server_session.lock
  Filesize: 4B
  MD5: 5667191a54223947887d18fbde93121d
  SHA1: 16f444f9af949cee6c6068791694c78aa5910114
  SHA256: 486f5cf7422c96178e696b37354258fe81c16d92e881e8c80f89e31a8d69b362
  SHA512: e82e6ea2f7b7ce0e211a5d3f71ff3640d2169da588f4506e99433aedb3d6435890d1dcea3124e9d4a25ee50557f99dba8c6a3193406666da4e08ab5246d61364
- /var/spool/cron/crontabs/tmp.Jd023h
  Filesize: 230B
  MD5: cafbe07612771765af8b2c0054eb5968
  SHA1: 7c1e2576fb6d538ec8aa0ee66dc6d7d0275c0c19
  SHA256: 702333b78d27130469b62666ef2a3b29b6f9a741ff9b6f4018bc5d0fd6cfe56b
  SHA512: e134257c16ddad641982550eac997cba133a9be94609903cb424ad81a65e1a684be2971310b0e6023b24decb27822e91a4fd4f06a3305432b955548be7cefee9
- /var/tmp/.recoverys
  Filesize: 37B
  MD5: abe9a0e06459d029e0f5183965dbbf3b
  SHA1: 7e79e16ea12fed960bcee8eb5a9c6384fa61a2d1
  SHA256: b2cfe7490d6dd2f81ede3ed9db30c78637f4a1e98ed746eaa00998e95d3de384
  SHA512: 955aece23c24e5b1ce32a90fa014a8a6fac39b68707a13f56cd1bfb07c79dfc59806942732990aaf925db5724f381827e2c35eba21fe95ce9a760760527048cd
- /var/tmp/nginx_kel (byte-identical copy of the submitted sample; same hashes)
  Filesize: 244KB
  MD5: cef396530992f79dea5d6d8209fc8ee7
  SHA1: cdaa0b93d9299a00b90edb4b617a9f89c3aa322f
  SHA256: 5c21a3451c7f4bcb6737a8904efc7ea9ee10b3994f324b2ece1610883c2394f1
  SHA512: 8c7ffcd35b5db373bae1ce7621c97508082aeea2ed1061a167c509d4ca13f1c9e8a30d630e550ffa48ae82c1d0742af62243cd0e93d413f21b69dffd1558fafd
- Memory dump: memory/645-1-0x00008000-0x0008add4-memory.dmp