Malware Analysis Report

2025-04-03 19:33

Sample ID: 241028-w1f2eavejm
Target: mips.elf
SHA256: a1da53cd71a52c9ad1e42f19b8a7c24335fb22c0e3eef5d7b91a5919bc24612e
Tags: upx antivm discovery
Score: 5/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 5/10

SHA256: a1da53cd71a52c9ad1e42f19b8a7c24335fb22c0e3eef5d7b91a5919bc24612e

Threat Level: Likely benign

The file mips.elf was found to be: Likely benign.

Malicious Activity Summary

Tags: upx antivm discovery

UPX packed file

Reads system network configuration

Checks CPU configuration

Reads CPU attributes

Reads runtime system information

System Network Configuration Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-28 18:23

Signatures

UPX packed file

Tag: upx

Description               Indicator                        Process         Target
N/A                       N/A                              N/A             N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-28 18:23
Reported: 2024-10-28 18:25
Platform: debian12-mipsel-20240221-en
Max time kernel: 152s
Max time network: 164s

Command Line

[/tmp/mips.elf]

Signatures

Checks CPU configuration

Tag: antivm

Description               Indicator                        Process         Target
File opened for reading   /proc/cpuinfo                    /tmp/mips.elf   N/A

Reads CPU attributes

Tag: discovery

Description               Indicator                        Process         Target
File opened for reading   /sys/devices/system/cpu/online   /tmp/mips.elf   N/A

Reads system network configuration

Tag: discovery

Description               Indicator                        Process         Target
File opened for reading   /proc/net/dev                    /tmp/mips.elf   N/A

Reads runtime system information

Tag: discovery

Description               Indicator                        Process         Target
File opened for reading   /proc/stat                       /tmp/mips.elf   N/A
File opened for reading   /proc/filesystems                /usr/bin/sed    N/A
File opened for reading   /proc/filesystems                /usr/bin/sed    N/A
File opened for reading   /proc/filesystems                /usr/bin/sed    N/A
File opened for reading   /proc/filesystems                /usr/bin/sed    N/A
File opened for reading   /proc/filesystems                /usr/bin/sed    N/A
File opened for reading   /proc/filesystems                /usr/bin/sed    N/A

System Network Configuration Discovery

Tag: discovery

Description               Indicator                        Process         Target
N/A                       N/A                              /usr/bin/sed    N/A
N/A                       N/A                              /bin/sh         N/A
N/A                       N/A                              /tmp/mips.elf   N/A
N/A                       N/A                              /bin/sh         N/A
N/A                       N/A                              /bin/sh         N/A
N/A                       N/A                              /usr/bin/sed    N/A
N/A                       N/A                              /usr/bin/sed    N/A
N/A                       N/A                              /bin/sh         N/A
N/A                       N/A                              /usr/bin/sed    N/A

Processes

/tmp/mips.elf

[/tmp/mips.elf]

/bin/sh

[sh -c sed -i -e '/exit/d' /etc/rc.local]

/usr/bin/sed

[sed -i -e /exit/d /etc/rc.local]

/bin/sh

[sh -c sed -i -e '/^ | | $/d' /etc/rc.local]

/usr/bin/sed

[sed -i -e /^ | | $/d /etc/rc.local]

/bin/sh

[sh -c sed -i -e '/mips.elf reboot/d' /etc/rc.local]

/usr/bin/sed

[sed -i -e /mips.elf reboot/d /etc/rc.local]

/bin/sh

[sh -c sed -i -e '2 i/tmp/mips.elf reboot' /etc/rc.local]

/usr/bin/sed

[sed -i -e 2 i/tmp/mips.elf reboot /etc/rc.local]

/bin/sh

[sh -c sed -i -e '2 i/tmp/mips.elf reboot start' /etc/rc.d/rc.local]

/usr/bin/sed

[sed -i -e 2 i/tmp/mips.elf reboot start /etc/rc.d/rc.local]

/bin/sh

[sh -c sed -i -e '2 i/tmp/mips.elf reboot start' /etc/init.d/boot.local]

/usr/bin/sed

[sed -i -e 2 i/tmp/mips.elf reboot start /etc/init.d/boot.local]

Network

Country   Destination            Domain                           Proto
US        1.1.1.1:53             debian12-mipsel-20240221-en-0    udp
US        1.1.1.1:53             debian12-mipsel-20240221-en-0    udp
CN        47.98.247.119:48083                                     tcp
US        1.1.1.1:53             debian12-mipsel-20240221-en-0    udp
US        1.1.1.1:53             debian12-mipsel-20240221-en-0    udp
CN        47.98.247.119:48083                                     tcp
CN        47.98.247.119:48083                                     tcp
CN        47.98.247.119:48083                                     tcp
CN        47.98.247.119:48083                                     tcp
CN        47.98.247.119:48083                                     tcp

Files

memory/742-1-0x00400000-0x004dbd44-memory.dmp