Analysis
- max time kernel: 153s
- max time network: 165s
- platform: debian-12_mipsel
- resource: debian12-mipsel-20240221-en
- resource tags: arch:mipsel, image:debian12-mipsel-20240221-en, kernel:6.1.0-17-4kc-malta, locale:en-us, os:debian-12-mipsel, system
- submitted: 01-11-2024 05:19
Behavioral task: behavioral1
- Sample: be95b29da48e169996c492b3c95f55c8af679136df3adaabd24a5d67d3c2af41.elf
- Resource: debian12-mipsel-20240221-en
General
- Target: be95b29da48e169996c492b3c95f55c8af679136df3adaabd24a5d67d3c2af41.elf
- Size: 5.6MB
- MD5: 5f7d6a8f455e8f7c990ef1541efc6199
- SHA1: b25948840f5fa898cacc888074010bf77a8843cd
- SHA256: be95b29da48e169996c492b3c95f55c8af679136df3adaabd24a5d67d3c2af41
- SHA512: ae3b3a70f9c1e5de164b534393e5cea48258a8c5ef43a0b9f22bb6caff483d6b2a0dfdfe933fc7a7e8ec15209994809aa620326d8b6bb30ea98ccf93bccd1079
- SSDEEP: 98304:yC91hAFxvW6WGVqq7g3JDCg76dAuE8iW5ay5mIOX+aaNcc8pNkxXkz8xBs3K4HUO:yC91hAFxvW6WGVqq7g3JDCg76dAuE8ip
Malware Config
Signatures
Executes dropped EXE (5 IoCs)
Processes:
- ioc: /etc/32678; pid: 771; process: 32678
- ioc: /etc/id.services.conf; pid: 831; process: id.services.conf
- ioc: /etc/id.services.conf; pid: 840; process: id.services.conf
- ioc: /etc/32678; pid: 841; process: 32678
- ioc: /etc/id.services.conf; pid: 881; process: id.services.conf
Modifies Watchdog functionality (1 TTP, 2 IoCs)
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
Processes:
- description: File opened for modification; ioc: /dev/misc/watchdog; process: be95b29da48e169996c492b3c95f55c8af679136df3adaabd24a5d67d3c2af41.elf
- description: File opened for modification; ioc: /dev/watchdog; process: be95b29da48e169996c492b3c95f55c8af679136df3adaabd24a5d67d3c2af41.elf
Enumerates running processes
Discovers information about currently running processes on the system.
Modifies init.d
Processes:
- description: File opened for modification; ioc: /etc/init.d/linux_kill; process: be95b29da48e169996c492b3c95f55c8af679136df3adaabd24a5d67d3c2af41.elf
Modifies systemd (2 TTPs, 1 IoC)
Adds or modifies systemd service files, likely to achieve persistence.
Processes:
- description: File opened for modification; ioc: /usr/lib/systemd/system/linux.service; process: be95b29da48e169996c492b3c95f55c8af679136df3adaabd24a5d67d3c2af41.elf
Reads CPU attributes (1 TTP, 1 IoC)
Processes:
- description: File opened for reading; ioc: /sys/devices/system/cpu/possible; process: pkill
Enumerates kernel/hardware configuration (1 TTP, 6 IoCs)
Reads contents of the /sys virtual filesystem to enumerate system information.
Processes:
- description: File opened for reading; ioc: /sys/kernel/mm/transparent_hugepage/hpage_pmd_size; process: be95b29da48e169996c492b3c95f55c8af679136df3adaabd24a5d67d3c2af41.elf
- description: File opened for reading; ioc: /sys/kernel/mm/transparent_hugepage/hpage_pmd_size; process: be95b29da48e169996c492b3c95f55c8af679136df3adaabd24a5d67d3c2af41.elf
- description: File opened for reading; ioc: /sys/kernel/mm/transparent_hugepage/hpage_pmd_size; process: id.services.conf
- description: File opened for reading; ioc: /sys/devices/system/node; process: pkill
- description: File opened for reading; ioc: /sys/kernel/mm/transparent_hugepage/hpage_pmd_size; process: id.services.conf
- description: File opened for reading; ioc: /sys/kernel/mm/transparent_hugepage/hpage_pmd_size; process: id.services.conf
Reads runtime system information
Processes:
GoLang User-Agent (1 IoC)
Uses the default user-agent string defined by the GoLang HTTP packages.
Processes:
- description: HTTP User-Agent header; flow: 10; ioc: Go-http-client/1.1
Processes
- PID 742: /tmp/be95b29da48e169996c492b3c95f55c8af679136df3adaabd24a5d67d3c2af41.elf
  command: /tmp/be95b29da48e169996c492b3c95f55c8af679136df3adaabd24a5d67d3c2af41.elf
  signatures: Enumerates kernel/hardware configuration
  - PID 766: /usr/bin/sh
    command: sh -c "/etc/32678&"
  - PID 767: /usr/sbin/service
    command: service crond start
    - PID 772: /usr/bin/basename
      command: basename /usr/sbin/service
    - PID 779: /usr/bin/basename
      command: basename /usr/sbin/service
    - PID 782: /usr/bin/systemctl
      command: systemctl list-unit-files --full "--type=socket"
    - PID 783: /usr/bin/sed
      command: sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
  - PID 768: /tmp/be95b29da48e169996c492b3c95f55c8af679136df3adaabd24a5d67d3c2af41.elf
    command: /tmp/be95b29da48e169996c492b3c95f55c8af679136df3adaabd24a5d67d3c2af41.elf " "
    signatures: Modifies Watchdog functionality; Modifies init.d; Modifies systemd; Enumerates kernel/hardware configuration; Reads runtime system information
    - PID 793: /usr/sbin/update-rc.d
      command: update-rc.d linux_kill defaults
      - PID 804: /usr/local/sbin/systemctl
        command: systemctl daemon-reload
      - PID 804: /usr/local/bin/systemctl
        command: systemctl daemon-reload
      - PID 804: /usr/sbin/systemctl
        command: systemctl daemon-reload
      - PID 804: /usr/bin/systemctl
        command: systemctl daemon-reload
    - PID 835: /usr/bin/sh
      command: sh -c "cd /boot;systemctl daemon-reload;systemctl enable linux.service;systemctl start linux.service;journalctl -xe --no-pager"
      - PID 836: /usr/bin/systemctl
        command: systemctl daemon-reload
      - PID 865: /usr/bin/systemctl
        command: systemctl enable linux.service
- PID 771: /etc/32678
  command: /etc/32678
  signatures: Executes dropped EXE
  - PID 776: /usr/bin/sleep
    command: sleep 60
  - PID 831: /etc/id.services.conf
    command: /etc/id.services.conf
    signatures: Executes dropped EXE; Enumerates kernel/hardware configuration
    - PID 837: /usr/bin/pkill
      command: pkill -9 32678
      signatures: Reads CPU attributes; Enumerates kernel/hardware configuration; Reads runtime system information
    - PID 838: /usr/bin/sh
      command: sh -c "/etc/32678&"
    - PID 839: /usr/sbin/service
      command: service crond start
      - PID 842: /usr/bin/basename
        command: basename /usr/sbin/service
      - PID 859: /usr/bin/basename
        command: basename /usr/sbin/service
      - PID 861: /usr/bin/systemctl
        command: systemctl list-unit-files --full "--type=socket"
      - PID 862: /usr/bin/sed
        command: sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
    - PID 840: /etc/id.services.conf
      command: /etc/id.services.conf " "
      signatures: Executes dropped EXE; Enumerates kernel/hardware configuration
- PID 767: /usr/local/sbin/systemctl
  command: systemctl start crond.service
- PID 767: /usr/local/bin/systemctl
  command: systemctl start crond.service
- PID 767: /usr/sbin/systemctl
  command: systemctl start crond.service
- PID 767: /usr/bin/systemctl
  command: systemctl start crond.service
- PID 841: /etc/32678
  command: /etc/32678
  signatures: Executes dropped EXE
  - PID 857: /usr/bin/sleep
    command: sleep 60
  - PID 881: /etc/id.services.conf
    command: /etc/id.services.conf
    signatures: Executes dropped EXE; Enumerates kernel/hardware configuration
- PID 839: /usr/local/sbin/systemctl
  command: systemctl start crond.service
- PID 839: /usr/local/bin/systemctl
  command: systemctl start crond.service
- PID 839: /usr/sbin/systemctl
  command: systemctl start crond.service
- PID 839: /usr/bin/systemctl
  command: systemctl start crond.service
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - XDG Autostart Entries (1)
- Boot or Logon Initialization Scripts (1)
  - RC Scripts (1)
- Create or Modify System Process (1)
  - Systemd Service (1)
Downloads
- Filesize: 61B
  MD5: 768eaf287796da19e1cf5e0b2fb1b161
  SHA1: 6a1ce2ee5ccc86d1f33806feb14547b35290df2a
  SHA256: 1d22620dfb2a6715e5d745aed5cf841ede0e75e1747f12b9b925a2d346bc7ecb
  SHA512: e6af30c9df4f7f47696069511e64ecbc8e841629d692ee4056503df3533fb7a7a74960698826260355e1dba7b6c562482a27a39bb51a4237473ce4b68472d620
- Filesize: 189B
  MD5: 3909975f7cc0d1121c1819b800069f31
  SHA1: 3e68de708c2e6c40fab6794afdee3104e5590189
  SHA256: 6876dac71f13a068afb863d257134275f2edba43b2acaf4924fabf97c079070b
  SHA512: 50600cceeb03b05f45ae61d890caee9f51ff390b6776930866e527e071d65d08241fc66673fd9b99d62fbc77d3c00fc3de4d7378cbc42f5daba5d83072b0906e