Analysis

max time kernel: 108s
max time network: 140s
platform: debian-9_mipsel
resource: debian9-mipsel-20240611-en
resource tags: arch:mipsel, image:debian9-mipsel-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 10-10-2024 09:29

Static task: static1
Behavioral task: behavioral1
Sample: QGUT2_na.elf
Resource: debian9-mipsel-20240611-en
General

Target: QGUT2_na.elf
Size: 130KB
MD5: 17e4dae04b6c95340a4df08ebde65336
SHA1: 7aa049001870a285253f4565dbab444ba6cc403f
SHA256: 1bf7b9aac74f39cae6ee8ae25bbb364ab3f382edb507709be8e5c74f57801e7e
SHA512: 69efedbc5fc5f047b39577c3f6fc4aab451c42ae44067e7d3a77d178ca0f2b5ef70751b7d32436d0be1bbf855ccbeeb27ab8ef23ec554217d5ef9c4eb33886d0
SSDEEP: 1536:i/UodEcbuJuMbEOoqWeBq1gfjeH73ZSgcZ0pv5ZH3einUb1/ENZYHw:i/rEcqJuMghqFBqKHg60pv5hHCBENZY
Malware Config
Signatures

Contacts a large number (213,384) of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Creates a large number of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Deletes system logs (1 TTP)
Deletes the log files that hold global system messages. Adversaries delete system logs to minimise their footprint.
  description    ioc                    Process
  File deleted   /var/log/messages      QGUT2_na.elf
  File deleted   /var/log/syslog        QGUT2_na.elf
  File deleted   /var/log/daemon.log    QGUT2_na.elf
  File deleted   /var/log/kern.log      QGUT2_na.elf

Modifies Watchdog functionality (1 TTP, 2 IoCs)
Malware such as Mirai opens the watchdog device and disables it so that the hardware watchdog cannot reboot the infected system.
  description                    ioc                   Process
  File opened for modification   /dev/watchdog         QGUT2_na.elf
  File opened for modification   /dev/misc/watchdog    QGUT2_na.elf

Renames itself (1 IoC)
  pid   Process
  703   QGUT2_na.elf

Unexpected DNS network traffic destination (4 IoCs)
Traffic on the DNS port to servers other than the configured DNS resolvers was observed.
  description      ioc
  Destination IP   130.61.69.123
  Destination IP   162.243.19.47
  Destination IP   162.243.19.47
  Destination IP   63.231.92.27

Reads process memory (1 TTP, 1 IoC)
Reads the memory of a process through the /proc virtual filesystem. This can be used to steal credentials. Note that /proc/<pid>/maps exposes only the address-space layout of the process, not its contents; here the target is PID 1 (init).
  description                ioc             Process
  File opened for reading    /proc/1/maps    QGUT2_na.elf

Changes its process name (1 IoC)
  description                                                         ioc                pid   Process
  Changes the process name, possibly in an attempt to hide itself    /usr/sbin/inetd    703   QGUT2_na.elf
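The host-side behaviours above (log deletion, watchdog tampering, a read of /proc/1/maps, renaming to /usr/sbin/inetd, and DNS-port traffic to non-resolver hosts) are the kind of thing that can be re-checked outside the sandbox from a syscall trace. The following is an added example, not part of this report or of the sandbox's own detection engine: a small Python classifier that runs over a constructed strace-style trace reproducing the IoCs listed here and emits the same signature names. The trace, the PID, the open flags and the resolver address 10.0.2.3 are all assumed for illustration; only the paths and destination IPs come from the report.

```python
import re

# Patterns drawn from the report's IoC tables.
LOG_DIR = "/var/log/"
WATCHDOG_DEVICES = {"/dev/watchdog", "/dev/misc/watchdog"}
PROC_MEM_RE = re.compile(r"^/proc/\d+/(maps|mem)$")
DNS_PORT = 53

# strace -f line shape:  <pid> <call>(<args>) = <ret>
LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<call>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>.*)$")
STR_RE = re.compile(r'"([^"]*)"')
PORT_RE = re.compile(r"sin_port=htons\((\d+)\)")
ADDR_RE = re.compile(r'inet_addr\("([^"]+)"\)')

# Constructed trace (assumption: not captured from the sample) that replays
# the behaviours the report flagged for QGUT2_na.elf under PID 703.
SAMPLE_TRACE = """\
703 unlink("/var/log/messages") = 0
703 unlink("/var/log/syslog") = 0
703 unlink("/var/log/daemon.log") = 0
703 unlink("/var/log/kern.log") = 0
703 open("/dev/watchdog", O_WRONLY) = 3
703 open("/dev/misc/watchdog", O_WRONLY) = -1 ENOENT (No such file or directory)
703 open("/proc/1/maps", O_RDONLY) = 4
703 prctl(PR_SET_NAME, "/usr/sbin/inetd") = 0
703 connect(5, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.0.2.3")}, 16) = 0
703 connect(6, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("162.243.19.47")}, 16) = 0
703 connect(7, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("130.61.69.123")}, 16) = 0
"""

# Assumed sandbox resolver; anything else on port 53 is "unexpected".
CONFIGURED_RESOLVERS = {"10.0.2.3"}


def parse_line(line):
    """Split one strace line into pid/call/args/ret, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(trace, resolvers):
    """Return {signature name: sorted list of IoCs} for a strace-style trace."""
    hits = {}

    def add(sig, ioc):
        hits.setdefault(sig, set()).add(ioc)

    for line in trace.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        call, args = ev["call"], ev["args"]
        strs = STR_RE.findall(args)
        path = strs[0] if strs else None  # first quoted argument (path or name)

        if call in ("unlink", "unlinkat") and path and path.startswith(LOG_DIR):
            add("Deletes system logs", path)
        elif call in ("open", "openat") and path in WATCHDOG_DEVICES \
                and ("O_WRONLY" in args or "O_RDWR" in args):
            # Flag the attempt even when the open fails (the report lists both devices).
            add("Modifies Watchdog functionality", path)
        elif call in ("open", "openat") and path and PROC_MEM_RE.match(path):
            add("Reads process memory", path)
        elif call == "prctl" and "PR_SET_NAME" in args and path:
            add("Changes its process name", path)
        elif call == "connect":
            port, addr = PORT_RE.search(args), ADDR_RE.search(args)
            if port and addr and int(port.group(1)) == DNS_PORT \
                    and addr.group(1) not in resolvers:
                add("Unexpected DNS network traffic destination", addr.group(1))

    return {sig: sorted(iocs) for sig, iocs in hits.items()}


if __name__ == "__main__":
    for sig, iocs in detect(SAMPLE_TRACE, CONFIGURED_RESOLVERS).items():
        print(f"{sig}: {', '.join(iocs)}")
```

The rules key on the same artefacts the report lists, so a real trace of the sample (strace -f on the sandbox VM) can be fed through unchanged; the prctl check will miss bots that rewrite argv[0] in place instead of calling prctl(PR_SET_NAME), so pair it with a look at /proc/<pid>/cmdline when hunting on a live host.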