Analysis

  • max time kernel
    14s
  • max time network
    23s
  • platform
    debian-12_mipsel
  • resource
    debian12-mipsel-20240221-en
  • resource tags

    arch:mipselimage:debian12-mipsel-20240221-enkernel:6.1.0-17-4kc-maltalocale:en-usos:debian-12-mipselsystem
  • submitted
    04-11-2024 15:47

General

  • Target

    linux_mipsel.elf

  • Size

    5.6MB

  • MD5

    a588866d01919ba373464c54536b57a8

  • SHA1

    1bff6f7edc7522ad35563b7998cb85bf7df09baf

  • SHA256

    63e389a3d5251cbeaaab08d5d0cad2b49226eb0764652c64d3f663f7ad8a393f

  • SHA512

    f9743b778aa1fc11b7b95939ab613335b40c5cfbd45f640811af0cc55d22f18bb0a9f90fddbfc91efbfd4b67803d143962cd1a578b59fb0b827d68b405c06cfc

  • SSDEEP

    98304:yC91hAFxvW6WGVqq7g3JDCg76dAuE8iW5ay5mIOX+aaNcc8pNkxXkz8xBs3K4HUj:yC91hAFxvW6WGVqq7g3JDCg76dAuE8iQ

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Modifies init.d 2 TTPs 1 IoCs

    Adds/modifies system service, likely for persistence.

  • Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 37 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 2 IoCs

    Adversaries may gather information about the network configuration of a system.

Processes

  • /tmp/linux_mipsel.elf
    /tmp/linux_mipsel.elf
    1⤵
    • Enumerates kernel/hardware configuration
    • System Network Configuration Discovery
    PID:741
    • /usr/bin/sh
      sh -c "/etc/32678&"
      2⤵
        PID:764
        • /etc/32678
          /etc/32678
          3⤵
          • Executes dropped EXE
          PID:770
          • /usr/bin/sleep
            sleep 60
            4⤵
              PID:773
        • /usr/sbin/service
          service crond start
          2⤵
            PID:766
            • /usr/bin/basename
              basename /usr/sbin/service
              3⤵
                PID:771
              • /usr/bin/basename
                basename /usr/sbin/service
                3⤵
                  PID:779
                • /usr/bin/sed
                  sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
                  3⤵
                  • Reads runtime system information
                  PID:784
                • /usr/bin/systemctl
                  systemctl list-unit-files --full "--type=socket"
                  3⤵
                  • Reads runtime system information
                  PID:783
              • /tmp/linux_mipsel.elf
                /tmp/linux_mipsel.elf " "
                2⤵
                • Modifies Watchdog functionality
                • Modifies init.d
                • Enumerates kernel/hardware configuration
                • Reads runtime system information
                • System Network Configuration Discovery
                PID:767
                • /usr/sbin/update-rc.d
                  update-rc.d linux_kill defaults
                  3⤵
                    PID:793

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • /etc/32678

                Filesize

                61B

                MD5

                768eaf287796da19e1cf5e0b2fb1b161

                SHA1

                6a1ce2ee5ccc86d1f33806feb14547b35290df2a

                SHA256

                1d22620dfb2a6715e5d745aed5cf841ede0e75e1747f12b9b925a2d346bc7ecb

                SHA512

                e6af30c9df4f7f47696069511e64ecbc8e841629d692ee4056503df3533fb7a7a74960698826260355e1dba7b6c562482a27a39bb51a4237473ce4b68472d620

              • /etc/init.d/linux_kill

                Filesize

                189B

                MD5

                3909975f7cc0d1121c1819b800069f31

                SHA1

                3e68de708c2e6c40fab6794afdee3104e5590189

                SHA256

                6876dac71f13a068afb863d257134275f2edba43b2acaf4924fabf97c079070b

                SHA512

                50600cceeb03b05f45ae61d890caee9f51ff390b6776930866e527e071d65d08241fc66673fd9b99d62fbc77d3c00fc3de4d7378cbc42f5daba5d83072b0906e