Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    debian-12_mipsel
  • resource
    debian12-mipsel-20240418-en
  • resource tags

    arch:mipselimage:debian12-mipsel-20240418-enkernel:6.1.0-17-4kc-maltalocale:en-usos:debian-12-mipselsystem
  • submitted
    08-11-2024 09:24

General

  • Target

    linux_mipsel_softfloat.elf

  • Size

    5.6MB

  • MD5

    6ea82095eee896f2b4100d8491218f4a

  • SHA1

    6c3be3d799d342265897140c81e8b744d430e3b9

  • SHA256

    4c65f49d6a7b360b0492ee41273fb1c6223d2771286740d1a7f91ee921dce0dd

  • SHA512

    e870c93be276682ef32f0a2f11c0f5f5477bbd1159399ebf13b2c1a42101e9614fb17c9f242527ac3b823e2f47a13b8c28060aa5669581d7c65bc9af6eb5e4ae

  • SSDEEP

    49152:+RxVVRFMTwbupkYzfgh7rxQ2USaU85Jbq1rQcR6VYv0VF1:

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Modifies init.d 2 TTPs 1 IoCs

    Adds/modifies system service, likely for persistence.

  • Modifies systemd 2 TTPs 1 IoCs

    Adds/ modifies systemd service files. Likely to achieve persistence.

  • Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 2 IoCs

    Adversaries may gather information about the network configuration of a system.

Processes

  • /tmp/linux_mipsel_softfloat.elf
    /tmp/linux_mipsel_softfloat.elf
    1⤵
    • Enumerates kernel/hardware configuration
    • System Network Configuration Discovery
    PID:744
    • /usr/bin/sh
      sh -c "/etc/32678&"
      2⤵
        PID:767
        • /etc/32678
          /etc/32678
          3⤵
          • Executes dropped EXE
          PID:771
          • /usr/bin/sleep
            sleep 60
            4⤵
              PID:777
        • /usr/sbin/service
          service crond start
          2⤵
            PID:768
            • /usr/bin/basename
              basename /usr/sbin/service
              3⤵
                PID:772
              • /usr/bin/basename
                basename /usr/sbin/service
                3⤵
                  PID:779
                • /usr/bin/systemctl
                  systemctl list-unit-files --full "--type=socket"
                  3⤵
                  • Reads runtime system information
                  PID:781
                • /usr/bin/sed
                  sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
                  3⤵
                  • Reads runtime system information
                  PID:782
              • /tmp/linux_mipsel_softfloat.elf
                /tmp/linux_mipsel_softfloat.elf " "
                2⤵
                • Modifies Watchdog functionality
                • Modifies init.d
                • Modifies systemd
                • Enumerates kernel/hardware configuration
                • Reads runtime system information
                • System Network Configuration Discovery
                PID:769
                • /usr/sbin/update-rc.d
                  update-rc.d linux_kill defaults
                  3⤵
                    PID:790
                    • /usr/local/sbin/systemctl
                      systemctl daemon-reload
                      4⤵
                        PID:801
                      • /usr/local/bin/systemctl
                        systemctl daemon-reload
                        4⤵
                          PID:801
                        • /usr/sbin/systemctl
                          systemctl daemon-reload
                          4⤵
                            PID:801
                          • /usr/bin/systemctl
                            systemctl daemon-reload
                            4⤵
                              PID:801
                          • /usr/bin/sh
                            sh -c "cd /boot;systemctl daemon-reload;systemctl enable linux.service;systemctl start linux.service;journalctl -xe --no-pager"
                            3⤵
                              PID:824
                              • /usr/bin/systemctl
                                systemctl daemon-reload
                                4⤵
                                  PID:825
                                • /usr/bin/systemctl
                                  systemctl enable linux.service
                                  4⤵
                                    PID:841
                                  • /usr/bin/systemctl
                                    systemctl start linux.service
                                    4⤵
                                    • Reads runtime system information
                                    PID:859
                                  • /usr/bin/journalctl
                                    journalctl -xe --no-pager
                                    4⤵
                                    • Reads runtime system information
                                    PID:872
                                • /usr/bin/sh
                                  sh -c "cd /boot;ausearch -c 'System.img.conf' --raw | audit2allow -M my-Systemimgconf;semodule -X 300 -i my-Systemimgconf.pp"
                                  3⤵
                                    PID:879
                                    • /usr/sbin/ausearch
                                      ausearch -c System.img.conf --raw
                                      4⤵
                                        PID:880
                                      • /usr/bin/audit2allow
                                        audit2allow -M my-Systemimgconf
                                        4⤵
                                        • Reads runtime system information
                                        PID:881
                                • /usr/local/sbin/systemctl
                                  systemctl start crond.service
                                  1⤵
                                    PID:768
                                  • /usr/local/bin/systemctl
                                    systemctl start crond.service
                                    1⤵
                                      PID:768
                                    • /usr/sbin/systemctl
                                      systemctl start crond.service
                                      1⤵
                                        PID:768
                                      • /usr/bin/systemctl
                                        systemctl start crond.service
                                        1⤵
                                          PID:768

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • /etc/32678

                                          Filesize

                                          61B

                                          MD5

                                          768eaf287796da19e1cf5e0b2fb1b161

                                          SHA1

                                          6a1ce2ee5ccc86d1f33806feb14547b35290df2a

                                          SHA256

                                          1d22620dfb2a6715e5d745aed5cf841ede0e75e1747f12b9b925a2d346bc7ecb

                                          SHA512

                                          e6af30c9df4f7f47696069511e64ecbc8e841629d692ee4056503df3533fb7a7a74960698826260355e1dba7b6c562482a27a39bb51a4237473ce4b68472d620

                                        • /etc/init.d/linux_kill

                                          Filesize

                                          189B

                                          MD5

                                          3909975f7cc0d1121c1819b800069f31

                                          SHA1

                                          3e68de708c2e6c40fab6794afdee3104e5590189

                                          SHA256

                                          6876dac71f13a068afb863d257134275f2edba43b2acaf4924fabf97c079070b

                                          SHA512

                                          50600cceeb03b05f45ae61d890caee9f51ff390b6776930866e527e071d65d08241fc66673fd9b99d62fbc77d3c00fc3de4d7378cbc42f5daba5d83072b0906e