f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8

Analysis

max time kernel
925s
max time network
981s
platform
debian-9_mipsel
resource
debian9-mipsel-20240611-en
resource tags

arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
04-10-2024 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8
Size

134KB
MD5

3849f30b51a5c49e8d1546960cc206c7
SHA1

61c74136534b826059c63221a2373dc0613a47b7
SHA256

f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8
SHA512

43d79293d1fbf716111c27e50df95a0860a0d706079625fa2b8a6b57c5ee06fa7b5b6b8c0acae33714a2181686426728513c990534e44b6f03a05dde0629ab86
SSDEEP

3072:biMYFJvw6Yh0b1gKobtCGCmCRlrisfrYm:fYFJvwe1gKCYVl2szN

Score

9^/10

defense_evasion discovery persistence upx

Malware Config

Signatures

Contacts a large (73883) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Patched UPX-packed file 1 IoCs
Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

Processes:

resource yara_rule

/usr/networks patched_upx

resource	yara_rule
/usr/networks	patched_upx

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

Processes:

f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8

description	ioc	process
File opened for modification	/dev/watchdog	f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8
File opened for modification	/dev/misc/watchdog	f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8

Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
discovery

System Network Connections Discovery
T1049

Processes:

f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8

description ioc process

File opened for reading /proc/net/tcp f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8
Enumerates running processes
Discovers information about currently running processes on the system

Modifies init.d 2 TTPs 4 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

Processes:

f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8

description	ioc	process
File opened for modification	/etc/init.d/S95baby.sh	f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8
File opened for modification	/etc/init.d/hwclock.sh	f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8
File opened for modification	/etc/init.d/console-setup.sh	f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8
File opened for modification	/etc/init.d/keyboard-setup.sh	f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8

Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.
discovery

Internet Connection Discovery
T1016.001

Processes:

f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8

description ioc process

File opened for reading /proc/net/route f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8

description	ioc	process
File opened for reading	/proc/net/route	f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8

Writes file to system bin folder 2 IoCs

Processes:

f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8

description	ioc	process
File opened for modification	/sbin/watchdog	f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8
File opened for modification	/bin/watchdog	f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8

UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

/usr/networks upx

resource	yara_rule
/usr/networks	upx

Changes its process name 1 IoCs

Processes:

f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	sshd	710	f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

Processes:

f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8

description	ioc	process
File opened for reading	/proc/net/tcp	f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8
File opened for reading	/proc/net/raw	f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8
File opened for reading	/proc/net/route	f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

killallf6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8

description	ioc	process
File opened for reading	/proc/1/stat	killall
File opened for reading	/proc/13/stat	killall
File opened for reading	/proc/82/stat	killall
File opened for reading	/proc/self/exe	f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8
File opened for reading	/proc/9/stat	killall
File opened for reading	/proc/153/stat	killall
File opened for reading	/proc/674/stat	killall
File opened for reading	/proc/675/stat	killall
File opened for reading	/proc/702/stat	killall
File opened for reading	/proc/710/cmdline	killall
File opened for reading	/proc/8/stat	killall
File opened for reading	/proc/16/stat	killall
File opened for reading	/proc/19/stat	killall
File opened for reading	/proc/324/stat	killall
File opened for reading	/proc/416/stat	killall
File opened for reading	/proc/120/stat	killall
File opened for reading	/proc/316/stat	killall
File opened for reading	/proc/708/stat	killall
File opened for reading	/proc/4/stat	killall
File opened for reading	/proc/7/stat	killall
File opened for reading	/proc/23/stat	killall
File opened for reading	/proc/232/stat	killall
File opened for reading	/proc/666/stat	killall
File opened for reading	/proc/708/cmdline	killall
File opened for reading	/proc/710/stat	killall
File opened for reading	/proc/11/stat	killall
File opened for reading	/proc/20/stat	killall
File opened for reading	/proc/22/stat	killall
File opened for reading	/proc/76/stat	killall
File opened for reading	/proc/315/stat	killall
File opened for reading	/proc/697/cmdline	killall
File opened for reading	/proc/703/stat	killall
File opened for reading	/proc/18/stat	killall
File opened for reading	/proc/37/stat	killall
File opened for reading	/proc/73/stat	killall
File opened for reading	/proc/145/cmdline	killall
File opened for reading	/proc/714/stat	killall
File opened for reading	/proc/5/stat	killall
File opened for reading	/proc/84/stat	killall
File opened for reading	/proc/mounts	f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8
File opened for reading	/proc/6/stat	killall
File opened for reading	/proc/14/stat	killall
File opened for reading	/proc/24/stat	killall
File opened for reading	/proc/36/stat	killall
File opened for reading	/proc/74/stat	killall
File opened for reading	/proc/75/stat	killall
File opened for reading	/proc/78/stat	killall
File opened for reading	/proc/3/stat	killall
File opened for reading	/proc/71/stat	killall
File opened for reading	/proc/110/stat	killall
File opened for reading	/proc/711/stat	killall
File opened for reading	/proc/70/stat	killall
File opened for reading	/proc/119/stat	killall
File opened for reading	/proc/321/stat	killall
File opened for reading	/proc/381/stat	killall
File opened for reading	/proc/698/stat	killall
File opened for reading	/proc/12/stat	killall
File opened for reading	/proc/375/stat	killall
File opened for reading	/proc/698/cmdline	killall
File opened for reading	/proc/72/stat	killall
File opened for reading	/proc/145/stat	killall
File opened for reading	/proc/171/stat	killall
File opened for reading	/proc/376/stat	killall
File opened for reading	/proc/filesystems	killall

System Network Configuration Discovery 1 TTPs 22 IoCs
Adversaries may gather information about the network configuration of a system.
discovery

System Network Configuration Discovery
T1016

Processes:

shshshshshshshshshshshshshshshshshshshshshsh

pid process

892 sh
862 sh
870 sh
886 sh
909 sh
832 sh
835 sh
868 sh
888 sh
904 sh
913 sh
834 sh
874 sh
878 sh
866 sh
898 sh
900 sh
918 sh
922 sh
839 sh
847 sh
854 sh

pid	process
892	sh
862	sh
870	sh
886	sh
909	sh
832	sh
835	sh
868	sh
888	sh
904	sh
913	sh
834	sh
874	sh
878	sh
866	sh
898	sh
900	sh
918	sh
922	sh
839	sh
847	sh
854	sh

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

Processes:

f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8

description	ioc	process
File opened for modification	/tmp/.ips	f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8
File opened for modification	/tmp/.config	f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8

/tmp/f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8
/tmp/f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8
1⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Modifies init.d
- Reads system routing table
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:707
- /bin/sh
  sh -c "killall -9 telnetd utelnetd scfgmgr"
  2⤵
  PID:711
- - /usr/bin/killall
    killall -9 telnetd utelnetd scfgmgr
    3⤵
    - Reads runtime system information
    PID:713
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 45877 -j ACCEPT"
  2⤵
  PID:817
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 45877 -j ACCEPT
    3⤵
    PID:822
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 22 -j DROP"
  2⤵
  PID:821
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 22 -j DROP
    3⤵
    PID:823
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 23 -j DROP"
  2⤵
  PID:826
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 23 -j DROP
    3⤵
    PID:829
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 2323 -j DROP"
  2⤵
  PID:830
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 2323 -j DROP
    3⤵
    PID:831
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 22 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:832
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 22 -j DROP
    3⤵
    PID:833
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 45877 -j ACCEPT"
  2⤵
  - System Network Configuration Discovery
  PID:834
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 45877 -j ACCEPT
    3⤵
    PID:836
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 23 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:835
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 23 -j DROP
    3⤵
    PID:837
- /bin/sh
  sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 45877 -j ACCEPT"
  2⤵
  PID:838
- - /sbin/iptables
    iptables -I PREROUTING -t nat -p tcp --destination-port 45877 -j ACCEPT
    3⤵
    PID:840
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 2323 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:839
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
    3⤵
    PID:841
- /bin/sh
  sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 45877 -j ACCEPT"
  2⤵
  - System Network Configuration Discovery
  PID:847
- - /sbin/iptables
    iptables -I POSTROUTING -t nat -p tcp --source-port 45877 -j ACCEPT
    3⤵
    PID:851
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --dport 45877 -j ACCEPT"
  2⤵
  PID:852
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 45877 -j ACCEPT
    3⤵
    PID:853
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --sport 45877 -j ACCEPT"
  2⤵
  - System Network Configuration Discovery
  PID:854
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --sport 45877 -j ACCEPT
    3⤵
    PID:855
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --dport 22 -j DROP"
  2⤵
  PID:856
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 22 -j DROP
    3⤵
    PID:857
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --dport 23 -j DROP"
  2⤵
  PID:858
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 23 -j DROP
    3⤵
    PID:859
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --dport 2323 -j DROP"
  2⤵
  PID:860
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 2323 -j DROP
    3⤵
    PID:861
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --sport 22 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:862
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --sport 22 -j DROP
    3⤵
    PID:863
- /bin/sh
  sh -c "iptables -I PREROUTING -t nat -p tcp --dport 45877 -j ACCEPT"
  2⤵
  PID:864
- - /sbin/iptables
    iptables -I PREROUTING -t nat -p tcp --dport 45877 -j ACCEPT
    3⤵
    PID:865
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --sport 23 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:866
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --sport 23 -j DROP
    3⤵
    PID:867
- /bin/sh
  sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 45877 -j ACCEPT"
  2⤵
  - System Network Configuration Discovery
  PID:868
- - /sbin/iptables
    iptables -I POSTROUTING -t nat -p tcp --sport 45877 -j ACCEPT
    3⤵
    PID:869
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --sport 2323 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:870
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --sport 2323 -j DROP
    3⤵
    PID:871
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"
  2⤵
  PID:872
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 58000 -j DROP
    3⤵
    PID:873
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:874
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
    3⤵
    PID:875
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"
  2⤵
  PID:876
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 58000 -j DROP
    3⤵
    PID:877
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:878
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --sport 58000 -j DROP
    3⤵
    PID:879
- /bin/sh
  sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""
  2⤵
  PID:880
- /bin/sh
  sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""
  2⤵
  PID:881
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"
  2⤵
  PID:882
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 35000 -j DROP
    3⤵
    PID:883
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"
  2⤵
  PID:884
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 50023 -j DROP
    3⤵
    PID:885
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:886
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
    3⤵
    PID:887
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:888
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
    3⤵
    PID:889
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"
  2⤵
  PID:890
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 7547 -j DROP
    3⤵
    PID:891
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:892
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
    3⤵
    PID:893
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"
  2⤵
  PID:894
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 35000 -j DROP
    3⤵
    PID:895
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"
  2⤵
  PID:896
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 50023 -j DROP
    3⤵
    PID:897
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:898
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --sport 50023 -j DROP
    3⤵
    PID:899
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:900
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --sport 35000 -j DROP
    3⤵
    PID:901
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"
  2⤵
  PID:902
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 7547 -j DROP
    3⤵
    PID:903
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:904
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --sport 7547 -j DROP
    3⤵
    PID:905
- /bin/sh
  sh -c "iptables -I INPUT -p udp --destination-port 8082 -j ACCEPT"
  2⤵
  PID:907
- - /sbin/iptables
    iptables -I INPUT -p udp --destination-port 8082 -j ACCEPT
    3⤵
    PID:908
- /bin/sh
  sh -c "iptables -I OUTPUT -p udp --source-port 8082 -j ACCEPT"
  2⤵
  - System Network Configuration Discovery
  PID:909
- - /sbin/iptables
    iptables -I OUTPUT -p udp --source-port 8082 -j ACCEPT
    3⤵
    PID:910
- /bin/sh
  sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 8082 -j ACCEPT"
  2⤵
  PID:911
- - /sbin/iptables
    iptables -I PREROUTING -t nat -p udp --destination-port 8082 -j ACCEPT
    3⤵
    PID:912
- /bin/sh
  sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 8082 -j ACCEPT"
  2⤵
  - System Network Configuration Discovery
  PID:913
- - /sbin/iptables
    iptables -I POSTROUTING -t nat -p udp --source-port 8082 -j ACCEPT
    3⤵
    PID:915
- /bin/sh
  sh -c "iptables -I INPUT -p udp --dport 8082 -j ACCEPT"
  2⤵
  PID:916
- - /sbin/iptables
    iptables -I INPUT -p udp --dport 8082 -j ACCEPT
    3⤵
    PID:917
- /bin/sh
  sh -c "iptables -I OUTPUT -p udp --sport 8082 -j ACCEPT"
  2⤵
  - System Network Configuration Discovery
  PID:918
- - /sbin/iptables
    iptables -I OUTPUT -p udp --sport 8082 -j ACCEPT
    3⤵
    PID:919
- /bin/sh
  sh -c "iptables -I PREROUTING -t nat -p udp --dport 8082 -j ACCEPT"
  2⤵
  PID:920
- - /sbin/iptables
    iptables -I PREROUTING -t nat -p udp --dport 8082 -j ACCEPT
    3⤵
    PID:921
- /bin/sh
  sh -c "iptables -I POSTROUTING -t nat -p udp --sport 8082 -j ACCEPT"
  2⤵
  - System Network Configuration Discovery
  PID:922
- - /sbin/iptables
    iptables -I POSTROUTING -t nat -p udp --sport 8082 -j ACCEPT
    3⤵
    PID:923

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/rcS.d/S95baby.sh

Filesize
25B

MD5
1b3235ba10fc04836c941d3d27301956

SHA1
8909655763143702430b8c58b3ae3b04cfd3a29c

SHA256
01ba1fb41632594997a41d0c3a911ae5b3034d566ebb991ef76ad76e6f9e283a

SHA512
98bdb5c266222ccbd63b6f80c87e501c8033dc53b0513d300b8da50e39a207a0b69f8cd3ecc4a128dec340a1186779fedd1049c9b0a70e90d2cb3ae6ebfa4c4d

Download Submit
/tmp/.config

Filesize
140B

MD5
457412db2275c971a2f32aef0c05f0ef

SHA1
81634d651b7bd25434966cb91dd5f1f1683ae363

SHA256
348a557ecef7585e315fa04bea4a179b715c795993ca331fbaf3677c79e0be5e

SHA512
4bf11f480c43a51666b8ddb335c59159c142299995ef5aad0cabe266e9652482f3032759150d6c467494ac10e7210976a935b61642cb214a438be016a7244a2c

Download Submit
/tmp/.config

Filesize
150B

MD5
83a8690fccbe0604585559ef1a9f8fe3

SHA1
62beaaf0e86e517e8e6da059ba063eb58958a205

SHA256
f53d6155f670e52be7bca53f09e798661c23fb39178da2460928fe1ce9a80f7d

SHA512
9f1780a7c868018d295933a585f0a82799dd6cdba6b3d22f38c77baf3dc44ed5df4955d6c338a3c92892f4159bde2040c96530a1a1bbb61376186c932ed268bb

Download Submit
/usr/networks

Filesize
134KB

MD5
3849f30b51a5c49e8d1546960cc206c7

SHA1
61c74136534b826059c63221a2373dc0613a47b7

SHA256
f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8

SHA512
43d79293d1fbf716111c27e50df95a0860a0d706079625fa2b8a6b57c5ee06fa7b5b6b8c0acae33714a2181686426728513c990534e44b6f03a05dde0629ab86

Download Submit
memory/707-1-0x00400000-0x004c2f18-memory.dmp

Download

pid	process
892	sh
862	sh
870	sh
886	sh
909	sh
832	sh
835	sh
868	sh
888	sh
904	sh
913	sh
834	sh
874	sh
878	sh
866	sh
898	sh
900	sh
918	sh
922	sh
839	sh
847	sh
854	sh

pid	process
892	sh
862	sh
870	sh
886	sh
909	sh
832	sh
835	sh
868	sh
888	sh
904	sh
913	sh
834	sh
874	sh
878	sh
866	sh
898	sh
900	sh
918	sh
922	sh
839	sh
847	sh
854	sh

pid	process
892	sh
862	sh
870	sh
886	sh
909	sh
832	sh
835	sh
868	sh
888	sh
904	sh
913	sh
834	sh
874	sh
878	sh
866	sh
898	sh
900	sh
918	sh
922	sh
839	sh
847	sh
854	sh