3c50ef708fd72b96187e91c30cd80fb3eddd8cc6530e1e81dfaefbe6bc50ef34 | Triage

Analysis

max time kernel
149s
max time network
150s
platform
debian-9_mips
resource
debian9-mipsbe-20240418-en
resource tags

arch:mipsimage:debian9-mipsbe-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
16-09-2024 19:27

Sharing

Report Analysis Logs

General

Target

04d136f4c2bac4196b1795bcd9e625029d686c696e7decabd17970da22a35caf.unknown
Size

371KB
MD5

2b9c8949f8a38de75f7c692d7d768591
SHA1

328d235e38f05b97eadfba5b3aa27826cbb4af66
SHA256

04d136f4c2bac4196b1795bcd9e625029d686c696e7decabd17970da22a35caf
SHA512

e7bdbe98af08501b35ecedaceb2707d4079e5cae62d00161d67328f82e51fa34b3dc94c274596acaad021c1f2db572d991951e63260e294d403c04a8d74f7c34
SSDEEP

6144:pyZjxSZjEVdlcV5r2rjJUfJakVtj+Lp7R+0KoaGB068E4Xn6LFnnP1Iw2Q8TDpBX:pq9lcV5inJ0EkLjCpV+0KoaGBp/4Xn6S

Score

7^/10

discovery

Malware Config

Signatures

Creates Raw socket 1 IoCs

Creates a socket that captures raw packets at the device level

pid
805

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Adversary-in-the-Middle

description	ioc	Process
File opened for modification	/etc/resolv.conf	python2

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

Internet Connection Discovery

description	ioc	Process
File opened for reading	/proc/net/route	python2

Reads CPU attributes 1 TTPs 1 IoCs

System Information Discovery

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	python2

Reads system network configuration 1 TTPs 2 IoCs

Uses contents of /proc filesystem to enumerate network settings.

Internet Connection Discovery

description	ioc	Process
File opened for reading	/proc/net/arp	python2
File opened for reading	/proc/net/route	python2

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/self/status	python2
File opened for reading	/proc/mounts	python2

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/04d136f4c2bac4196b1795bcd9e625029d686c696e7decabd17970da22a35caf.unknown	python2
File opened for modification	/tmp/.. /.logbackups	python2

/tmp/04d136f4c2bac4196b1795bcd9e625029d686c696e7decabd17970da22a35caf.unknown
/tmp/04d136f4c2bac4196b1795bcd9e625029d686c696e7decabd17970da22a35caf.unknown
1⤵
PID:704

/usr/local/sbin/python2
python2 /tmp/04d136f4c2bac4196b1795bcd9e625029d686c696e7decabd17970da22a35caf.unknown
1⤵
PID:704

/usr/local/bin/python2
python2 /tmp/04d136f4c2bac4196b1795bcd9e625029d686c696e7decabd17970da22a35caf.unknown
1⤵
PID:704

/usr/sbin/python2
python2 /tmp/04d136f4c2bac4196b1795bcd9e625029d686c696e7decabd17970da22a35caf.unknown
1⤵
PID:704

/usr/bin/python2
python2 /tmp/04d136f4c2bac4196b1795bcd9e625029d686c696e7decabd17970da22a35caf.unknown
1⤵
- Writes DNS configuration
- Reads system routing table
- Reads CPU attributes
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:704
- /sbin/ldconfig
  /sbin/ldconfig -p
  2⤵
  PID:731
- /bin/sh
  sh -c "uname -p 2> /dev/null"
  2⤵
  PID:806
- - /bin/uname
    uname -p
    3⤵
    PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Adversary-in-the-Middle

Discovery

System Information Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Adversary-in-the-Middle

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.. /.logbackups

Filesize
3B

MD5
2dace78f80bc92e6d7493423d729448e

SHA1
4912f56aec6f0ac56bbb7fa9231e79891c48afc5

SHA256
1a6d9c97798d8997f85ed9228296d533be6b47f97217709d7e2b628e21800220

SHA512
cc60577d71d73a88018d7896cf3f2f8a202b02791e52b34beb848413c25066d77414f1ebd4e2a3e8b3b6efc31343455bf1140275387e9dd6e1c5feb890aa9bbb

Download Submit