d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8

Analysis

max time kernel
149s
max time network
151s
platform
debian-9_mips
resource
debian9-mipsbe-20240729-en
resource tags

arch:mipsimage:debian9-mipsbe-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
20/09/2024, 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8
Size

106KB
MD5

4dde761681684d7edad4e5e1ffdb940b
SHA1

2327be693bc11a618c380d7d3abc2382d870d48b
SHA256

d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8
SHA512

91a61c719128f263f9f95736d55895954cc468c74ff469ee061d35ec382c50b9165e9a5427dc46a835dac6ae0e6e1f9819632475f68b98a907b53196bd4eb02a
SSDEEP

1536:3aQiZDMyqIlMBZ/R0F4E4kcHiNq98wk9njKZjjLuYo68864sNHFEzv7Ld76divkE:KzDMyqIMBZ/R0ufhBmgZy9yNsNmPtcE

Score

9^/10

defense_evasion discovery persistence upx

Malware Config

Signatures

Contacts a large (4297) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Patched UPX-packed file 1 IoCs

Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

resource	yara_rule
behavioral1/files/fstream-2.dat	patched_upx

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8
File opened for modification	/dev/misc/watchdog	d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/fstream-2.dat	upx

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8

Modifies init.d 2 TTPs 4 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

description	ioc	Process
File opened for modification	/etc/init.d/S95baby.sh	d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8
File opened for modification	/etc/init.d/keyboard-setup.sh	d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8
File opened for modification	/etc/init.d/console-setup.sh	d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8
File opened for modification	/etc/init.d/hwclock.sh	d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8
File opened for modification	/bin/watchdog	d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8

Changes its process name 1 IoCs

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	sshd	741

Reads system network configuration 1 TTPs 2 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/raw	d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8
File opened for reading	/proc/net/tcp	d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8

System Network Configuration Discovery 1 TTPs 11 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
768	sh
773	sh
778	sh
784	sh
799	sh
803	sh
820	sh
827	sh
831	sh
796	sh
808	sh

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/config	d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8

/tmp/d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8
/tmp/d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8
1⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Modifies init.d
- Writes file to system bin folder
- Reads system network configuration
- Writes file to tmp directory
PID:739
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 22 -j DROP"
  2⤵
  PID:747
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 22 -j DROP
    3⤵
    PID:749
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 23 -j DROP"
  2⤵
  PID:758
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 23 -j DROP
    3⤵
    PID:762
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 2323 -j DROP"
  2⤵
  PID:764
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 2323 -j DROP
    3⤵
    PID:766
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 22 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:768
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 22 -j DROP
    3⤵
    PID:770
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 23 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:773
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 23 -j DROP
    3⤵
    PID:775
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 2323 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:778
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
    3⤵
    PID:780
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"
  2⤵
  PID:781
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 58000 -j DROP
    3⤵
    PID:782
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:784
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
    3⤵
    PID:786
- /bin/sh
  sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""
  2⤵
  PID:787
- /bin/sh
  sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""
  2⤵
  PID:788
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"
  2⤵
  PID:790
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 35000 -j DROP
    3⤵
    PID:791
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"
  2⤵
  PID:793
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 50023 -j DROP
    3⤵
    PID:795
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:796
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
    3⤵
    PID:797
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:799
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
    3⤵
    PID:800
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"
  2⤵
  PID:801
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 7547 -j DROP
    3⤵
    PID:802
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:803
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
    3⤵
    PID:804
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 40667 -j ACCEPT"
  2⤵
  PID:806
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 40667 -j ACCEPT
    3⤵
    PID:807
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 40667 -j ACCEPT"
  2⤵
  - System Network Configuration Discovery
  PID:808
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 40667 -j ACCEPT
    3⤵
    PID:809
- /bin/sh
  sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 40667 -j ACCEPT"
  2⤵
  PID:810
- - /sbin/iptables
    iptables -I PREROUTING -t nat -p tcp --destination-port 40667 -j ACCEPT
    3⤵
    PID:811
- /bin/sh
  sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 40667 -j ACCEPT"
  2⤵
  - System Network Configuration Discovery
  PID:820
- - /sbin/iptables
    iptables -I POSTROUTING -t nat -p tcp --source-port 40667 -j ACCEPT
    3⤵
    PID:821
- /bin/sh
  sh -c "iptables -I INPUT -p udp --destination-port 48869 -j ACCEPT"
  2⤵
  PID:825
- - /sbin/iptables
    iptables -I INPUT -p udp --destination-port 48869 -j ACCEPT
    3⤵
    PID:826
- /bin/sh
  sh -c "iptables -I OUTPUT -p udp --source-port 48869 -j ACCEPT"
  2⤵
  - System Network Configuration Discovery
  PID:827
- - /sbin/iptables
    iptables -I OUTPUT -p udp --source-port 48869 -j ACCEPT
    3⤵
    PID:828
- /bin/sh
  sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 48869 -j ACCEPT"
  2⤵
  PID:829
- - /sbin/iptables
    iptables -I PREROUTING -t nat -p udp --destination-port 48869 -j ACCEPT
    3⤵
    PID:830
- /bin/sh
  sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 48869 -j ACCEPT"
  2⤵
  - System Network Configuration Discovery
  PID:831
- - /sbin/iptables
    iptables -I POSTROUTING -t nat -p udp --source-port 48869 -j ACCEPT
    3⤵
    PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/rcS.d/S95baby.sh

Filesize
25B

MD5
1b3235ba10fc04836c941d3d27301956

SHA1
8909655763143702430b8c58b3ae3b04cfd3a29c

SHA256
01ba1fb41632594997a41d0c3a911ae5b3034d566ebb991ef76ad76e6f9e283a

SHA512
98bdb5c266222ccbd63b6f80c87e501c8033dc53b0513d300b8da50e39a207a0b69f8cd3ecc4a128dec340a1186779fedd1049c9b0a70e90d2cb3ae6ebfa4c4d

Download Submit
/tmp/config

Filesize
109B

MD5
18a576e4660c72d5d445c3896744f390

SHA1
84eb9170a0350ab5e6bcab6a82c83576be39b821

SHA256
2ae465a253f97dafe16afe0c8086676c2948f95b3d03a62da288ba9c7264353a

SHA512
f4bcf08b3e5f942db835c9457c80a6d79bc66bc593abf8e07721b96a78a31040ac9bc7fe66649778175e8348ba1a35af3dfadabd901313f77c893f34631aa862

Download Submit
/usr/networks

Filesize
106KB

MD5
4dde761681684d7edad4e5e1ffdb940b

SHA1
2327be693bc11a618c380d7d3abc2382d870d48b

SHA256
d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8

SHA512
91a61c719128f263f9f95736d55895954cc468c74ff469ee061d35ec382c50b9165e9a5427dc46a835dac6ae0e6e1f9819632475f68b98a907b53196bd4eb02a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads