4293c1d8574dc87c58360d6bac3daa182f64f7785c9d41da5e0741d2b1817fc7

Resubmissions

17-09-2024 07:53

240917-jq5ksssckg 9

17-09-2024 07:53

240917-jqx6qascjh 8

17-09-2024 07:52

240917-jqq3eascrp 8

17-09-2024 07:50

240917-jpchmascmm 9

Analysis

max time kernel
64s
max time network
70s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
17-09-2024 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bin.sh
Size

132KB
MD5

59ce0baba11893f90527fc951ac69912
SHA1

5857a7dd621c4c3ebb0b5a3bec915d409f70d39f
SHA256

4293c1d8574dc87c58360d6bac3daa182f64f7785c9d41da5e0741d2b1817fc7
SHA512

c5b12797b477e5e5964a78766bb40b1c0d9fdfb8eef1f9aee3df451e3441a40c61d325bf400ba51048811b68e1c70a95f15e4166b7a65a4eca0c624864328647
SSDEEP

3072:phNlHuBafLeBtfCzpta8xlBIOdVo3/4sxLJ10xioP:p3lOYoaja8xzx/0wsxzSi2

Score

9^/10

defense_evasion discovery persistence upx

Malware Config

Signatures

Contacts a large (5045) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Patched UPX-packed file 1 IoCs
Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

Processes:

resource yara_rule

/usr/networks patched_upx
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
defense_evasion

Impair Defenses
T1562

Processes:

bin.sh

description ioc process

File opened for modification /dev/watchdog bin.sh
File opened for modification /dev/misc/watchdog bin.sh
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

/usr/networks upx
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
discovery

System Network Connections Discovery
T1049

Processes:

bin.sh

description ioc process

File opened for reading /proc/net/tcp bin.sh
Enumerates running processes
Discovers information about currently running processes on the system
Modifies init.d 2 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

RC Scripts
T1037.004

Processes:

bin.sh

description ioc process

File opened for modification /etc/init.d/S95baby.sh bin.sh
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.
discovery

Internet Connection Discovery
T1016.001

Processes:

bin.sh

description ioc process

File opened for reading /proc/net/route bin.sh
Writes file to system bin folder 2 IoCs

Processes:

bin.sh

description ioc process

File opened for modification /sbin/watchdog bin.sh
File opened for modification /bin/watchdog bin.sh
Changes its process name 1 IoCs

Processes:

description ioc pid

Changes the process name, possibly in an attempt to hide itself sshd 701

resource	yara_rule
/usr/networks	patched_upx

description	ioc	process
File opened for modification	/dev/watchdog	bin.sh
File opened for modification	/dev/misc/watchdog	bin.sh

resource	yara_rule
/usr/networks	upx

description	ioc	process
File opened for reading	/proc/net/tcp	bin.sh

description	ioc	process
File opened for modification	/etc/init.d/S95baby.sh	bin.sh

description	ioc	process
File opened for modification	/sbin/watchdog	bin.sh
File opened for modification	/bin/watchdog	bin.sh

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	sshd	701

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

Processes:

bin.sh

description	ioc	process
File opened for reading	/proc/net/route	bin.sh
File opened for reading	/proc/net/tcp	bin.sh
File opened for reading	/proc/net/raw	bin.sh

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

killallbin.sh

description	ioc	process
File opened for reading	/proc/81/stat	killall
File opened for reading	/proc/114/cmdline	killall
File opened for reading	/proc/142/cmdline	killall
File opened for reading	/proc/150/stat	killall
File opened for reading	/proc/370/stat	killall
File opened for reading	/proc/690/stat	killall
File opened for reading	/proc/3/stat	killall
File opened for reading	/proc/4/stat	killall
File opened for reading	/proc/701/stat	killall
File opened for reading	/proc/70/stat	killall
File opened for reading	/proc/78/stat	killall
File opened for reading	/proc/704/stat	killall
File opened for reading	/proc/self/exe	bin.sh
File opened for reading	/proc/23/stat	killall
File opened for reading	/proc/73/stat	killall
File opened for reading	/proc/696/stat	killall
File opened for reading	/proc/1/stat	killall
File opened for reading	/proc/9/stat	killall
File opened for reading	/proc/20/stat	killall
File opened for reading	/proc/113/stat	killall
File opened for reading	/proc/114/stat	killall
File opened for reading	/proc/166/stat	killall
File opened for reading	/proc/322/stat	killall
File opened for reading	/proc/455/stat	killall
File opened for reading	/proc/10/stat	killall
File opened for reading	/proc/12/stat	killall
File opened for reading	/proc/676/stat	killall
File opened for reading	/proc/697/stat	killall
File opened for reading	/proc/316/stat	killall
File opened for reading	/proc/691/cmdline	killall
File opened for reading	/proc/705/stat	killall
File opened for reading	/proc/2/stat	killall
File opened for reading	/proc/69/stat	killall
File opened for reading	/proc/74/stat	killall
File opened for reading	/proc/479/stat	killall
File opened for reading	/proc/690/cmdline	killall
File opened for reading	/proc/mounts	bin.sh
File opened for reading	/proc/11/stat	killall
File opened for reading	/proc/36/stat	killall
File opened for reading	/proc/19/stat	killall
File opened for reading	/proc/72/stat	killall
File opened for reading	/proc/478/stat	killall
File opened for reading	/proc/7/stat	killall
File opened for reading	/proc/18/stat	killall
File opened for reading	/proc/71/stat	killall
File opened for reading	/proc/386/stat	killall
File opened for reading	/proc/17/stat	killall
File opened for reading	/proc/21/stat	killall
File opened for reading	/proc/22/stat	killall
File opened for reading	/proc/83/stat	killall
File opened for reading	/proc/142/stat	killall
File opened for reading	/proc/321/stat	killall
File opened for reading	/proc/387/stat	killall
File opened for reading	/proc/450/stat	killall
File opened for reading	/proc/8/stat	killall
File opened for reading	/proc/16/stat	killall
File opened for reading	/proc/77/stat	killall
File opened for reading	/proc/318/stat	killall
File opened for reading	/proc/76/stat	killall
File opened for reading	/proc/223/stat	killall
File opened for reading	/proc/5/stat	killall
File opened for reading	/proc/13/stat	killall
File opened for reading	/proc/702/stat	killall
File opened for reading	/proc/14/stat	killall

System Network Configuration Discovery 1 TTPs 18 IoCs
Adversaries may gather information about the network configuration of a system.
discovery

System Network Configuration Discovery
T1016

Processes:

shshshshshshshshshshshshshshshshshsh

pid process

753 sh
815 sh
762 sh
770 sh
772 sh
783 sh
785 sh
809 sh
763 sh
787 sh
791 sh
805 sh
831 sh
739 sh
767 sh
795 sh
803 sh
819 sh
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

bin.sh

description ioc process

File opened for modification /tmp/.ips bin.sh

pid	process
753	sh
815	sh
762	sh
770	sh
772	sh
783	sh
785	sh
809	sh
763	sh
787	sh
791	sh
805	sh
831	sh
739	sh
767	sh
795	sh
803	sh
819	sh

description	ioc	process
File opened for modification	/tmp/.ips	bin.sh

/tmp/bin.sh
/tmp/bin.sh
1⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Modifies init.d
- Reads system routing table
- Writes file to system bin folder
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:698
- /bin/sh
  sh -c "killall -9 telnetd utelnetd scfgmgr"
  2⤵
  PID:702
- - /usr/bin/killall
    killall -9 telnetd utelnetd scfgmgr
    3⤵
    - Reads runtime system information
    PID:703
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 53853 -j ACCEPT"
  2⤵
  PID:735
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 53853 -j ACCEPT
    3⤵
    PID:736
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 53853 -j ACCEPT"
  2⤵
  - System Network Configuration Discovery
  PID:739
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 53853 -j ACCEPT
    3⤵
    PID:742
- /bin/sh
  sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 53853 -j ACCEPT"
  2⤵
  PID:743
- - /sbin/iptables
    iptables -I PREROUTING -t nat -p tcp --destination-port 53853 -j ACCEPT
    3⤵
    PID:744
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 22 -j DROP"
  2⤵
  PID:750
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 22 -j DROP
    3⤵
    PID:754
- /bin/sh
  sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 53853 -j ACCEPT"
  2⤵
  - System Network Configuration Discovery
  PID:753
- - /sbin/iptables
    iptables -I POSTROUTING -t nat -p tcp --source-port 53853 -j ACCEPT
    3⤵
    PID:755
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 23 -j DROP"
  2⤵
  PID:756
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 23 -j DROP
    3⤵
    PID:758
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --dport 53853 -j ACCEPT"
  2⤵
  PID:757
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 53853 -j ACCEPT
    3⤵
    PID:759
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 2323 -j DROP"
  2⤵
  PID:760
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 2323 -j DROP
    3⤵
    PID:761
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --sport 53853 -j ACCEPT"
  2⤵
  - System Network Configuration Discovery
  PID:762
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --sport 53853 -j ACCEPT
    3⤵
    PID:764
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 22 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:763
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 22 -j DROP
    3⤵
    PID:765
- /bin/sh
  sh -c "iptables -I PREROUTING -t nat -p tcp --dport 53853 -j ACCEPT"
  2⤵
  PID:766
- - /sbin/iptables
    iptables -I PREROUTING -t nat -p tcp --dport 53853 -j ACCEPT
    3⤵
    PID:768
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 23 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:767
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 23 -j DROP
    3⤵
    PID:769
- /bin/sh
  sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 53853 -j ACCEPT"
  2⤵
  - System Network Configuration Discovery
  PID:770
- - /sbin/iptables
    iptables -I POSTROUTING -t nat -p tcp --sport 53853 -j ACCEPT
    3⤵
    PID:771
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 2323 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:772
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
    3⤵
    PID:776
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --dport 22 -j DROP"
  2⤵
  PID:777
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 22 -j DROP
    3⤵
    PID:778
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --dport 23 -j DROP"
  2⤵
  PID:779
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 23 -j DROP
    3⤵
    PID:780
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --dport 2323 -j DROP"
  2⤵
  PID:781
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 2323 -j DROP
    3⤵
    PID:782
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --sport 22 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:783
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --sport 22 -j DROP
    3⤵
    PID:784
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --sport 23 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:785
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --sport 23 -j DROP
    3⤵
    PID:786
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --sport 2323 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:787
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --sport 2323 -j DROP
    3⤵
    PID:788
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"
  2⤵
  PID:789
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 58000 -j DROP
    3⤵
    PID:790
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:791
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
    3⤵
    PID:792
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"
  2⤵
  PID:793
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 58000 -j DROP
    3⤵
    PID:794
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:795
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --sport 58000 -j DROP
    3⤵
    PID:796
- /bin/sh
  sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""
  2⤵
  PID:797
- /bin/sh
  sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""
  2⤵
  PID:798
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"
  2⤵
  PID:799
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 35000 -j DROP
    3⤵
    PID:800
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"
  2⤵
  PID:801
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 50023 -j DROP
    3⤵
    PID:802
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:803
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
    3⤵
    PID:804
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:805
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
    3⤵
    PID:806
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"
  2⤵
  PID:807
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 7547 -j DROP
    3⤵
    PID:808
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:809
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
    3⤵
    PID:810
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"
  2⤵
  PID:811
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 35000 -j DROP
    3⤵
    PID:812
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"
  2⤵
  PID:813
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 50023 -j DROP
    3⤵
    PID:814
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:815
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --sport 50023 -j DROP
    3⤵
    PID:816
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:819
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --sport 35000 -j DROP
    3⤵
    PID:821
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"
  2⤵
  PID:828
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 7547 -j DROP
    3⤵
    PID:830
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:831
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --sport 7547 -j DROP
    3⤵
    PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/rcS.d/S95baby.sh

Filesize
25B

MD5
1b3235ba10fc04836c941d3d27301956

SHA1
8909655763143702430b8c58b3ae3b04cfd3a29c

SHA256
01ba1fb41632594997a41d0c3a911ae5b3034d566ebb991ef76ad76e6f9e283a

SHA512
98bdb5c266222ccbd63b6f80c87e501c8033dc53b0513d300b8da50e39a207a0b69f8cd3ecc4a128dec340a1186779fedd1049c9b0a70e90d2cb3ae6ebfa4c4d

Download Submit
/usr/networks

Filesize
132KB

MD5
59ce0baba11893f90527fc951ac69912

SHA1
5857a7dd621c4c3ebb0b5a3bec915d409f70d39f

SHA256
4293c1d8574dc87c58360d6bac3daa182f64f7785c9d41da5e0741d2b1817fc7

SHA512
c5b12797b477e5e5964a78766bb40b1c0d9fdfb8eef1f9aee3df451e3441a40c61d325bf400ba51048811b68e1c70a95f15e4166b7a65a4eca0c624864328647

Download Submit
memory/698-1-0x00400000-0x004c2fd8-memory.dmp

Download
memory/802-2-0x7786a000-0x7787b0d0-memory.dmp

Download
memory/815-3-0x77369000-0x7737a0d0-memory.dmp

Download

pid	process
753	sh
815	sh
762	sh
770	sh
772	sh
783	sh
785	sh
809	sh
763	sh
787	sh
791	sh
805	sh
831	sh
739	sh
767	sh
795	sh
803	sh
819	sh

pid	process
753	sh
815	sh
762	sh
770	sh
772	sh
783	sh
785	sh
809	sh
763	sh
787	sh
791	sh
805	sh
831	sh
739	sh
767	sh
795	sh
803	sh
819	sh

pid	process
753	sh
815	sh
762	sh
770	sh
772	sh
783	sh
785	sh
809	sh
763	sh
787	sh
791	sh
805	sh
831	sh
739	sh
767	sh
795	sh
803	sh
819	sh