Analysis
- max time kernel: 150s
- max time network: 156s
- platform: debian-12_mipsel
- resource: debian12-mipsel-20240221-en
- resource tags: arch:mipsel, image:debian12-mipsel-20240221-en, kernel:6.1.0-17-4kc-malta, locale:en-us, os:debian-12-mipsel, system
- submitted: 09/11/2024, 21:09
Behavioral task: behavioral1
- Sample: mpsl.elf
- Resource: debian12-mipsel-20240221-en
General
- Target: mpsl.elf
- Size: 82KB
- MD5: c943b0b97d589efafc23f50241007426
- SHA1: 3889e055c16beb780a4f51d7e36dab6d7af1d334
- SHA256: a4cbd774071d284abcf3b3dcb3dc653cbd9d2c02a6bf4459bcd23f5180e25170
- SHA512: 0c8113299304520817fd41c53c6cf39b51f749e1658b5b657ef4b7186b74e85cfa8cf56af0579892d63d5366efae873edb4f2459198e1e92bbde25024b2db06d
- SSDEEP: 1536:iVLyu95KZxkj752dCexuV/8UZlDwfkJ4MYfW7:iVLyMgqFezxu5VD1eK
Malware Config
Signatures
- Contacts a large (36599) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- File and Directory Permissions Modification (1 TTP, 2 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid | Process
  743 | sh
  756 | chmod
- Enumerates running processes
  Discovers information about currently running processes on the system
- Changes its process name (1 IoC)
  description | ioc | pid | Process
  Changes the process name, possibly in an attempt to hide itself | /bin/watchdog | 742 | mpsl.elf
- description | ioc | Process
  File opened for reading | /proc/15/cmdline | mpsl.elf
  File opened for reading | /proc/24/cmdline | mpsl.elf
  File opened for reading | /proc/30/cmdline | mpsl.elf
  File opened for reading | /proc/6/cmdline | mpsl.elf
  File opened for reading | /proc/13/cmdline | mpsl.elf
  File opened for reading | /proc/761/cmdline | mpsl.elf
  File opened for reading | /proc/377/cmdline | mpsl.elf
  File opened for reading | /proc/444/cmdline | mpsl.elf
  File opened for reading | /proc/733/cmdline | mpsl.elf
  File opened for reading | /proc/712/cmdline | mpsl.elf
  File opened for reading | /proc/760/cmdline | mpsl.elf
  File opened for reading | /proc/7/cmdline | mpsl.elf
  File opened for reading | /proc/28/cmdline | mpsl.elf
  File opened for reading | /proc/42/cmdline | mpsl.elf
  File opened for reading | /proc/58/cmdline | mpsl.elf
  File opened for reading | /proc/178/cmdline | mpsl.elf
  File opened for reading | /proc/415/cmdline | mpsl.elf
  File opened for reading | /proc/12/cmdline | mpsl.elf
  File opened for reading | /proc/18/cmdline | mpsl.elf
  File opened for reading | /proc/29/cmdline | mpsl.elf
  File opened for reading | /proc/53/cmdline | mpsl.elf
  File opened for reading | /proc/678/cmdline | mpsl.elf
  File opened for reading | /proc/732/cmdline | mpsl.elf
  File opened for reading | /proc/1/cmdline | mpsl.elf
  File opened for reading | /proc/17/cmdline | mpsl.elf
  File opened for reading | /proc/37/cmdline | mpsl.elf
  File opened for reading | /proc/200/cmdline | mpsl.elf
  File opened for reading | /proc/340/cmdline | mpsl.elf
  File opened for reading | /proc/417/cmdline | mpsl.elf
  File opened for reading | /proc/2/cmdline | mpsl.elf
  File opened for reading | /proc/16/cmdline | mpsl.elf
  File opened for reading | /proc/719/cmdline | mpsl.elf
  File opened for reading | /proc/25/cmdline | mpsl.elf
  File opened for reading | /proc/31/cmdline | mpsl.elf
  File opened for reading | /proc/35/cmdline | mpsl.elf
  File opened for reading | /proc/111/cmdline | mpsl.elf
  File opened for reading | /proc/378/cmdline | mpsl.elf
  File opened for reading | /proc/8/cmdline | mpsl.elf
  File opened for reading | /proc/20/cmdline | mpsl.elf
  File opened for reading | /proc/21/cmdline | mpsl.elf
  File opened for reading | /proc/22/cmdline | mpsl.elf
  File opened for reading | /proc/32/cmdline | mpsl.elf
  File opened for reading | /proc/392/cmdline | mpsl.elf
  File opened for reading | /proc/115/cmdline | mpsl.elf
  File opened for reading | /proc/665/cmdline | mpsl.elf
  File opened for reading | /proc/694/cmdline | mpsl.elf
  File opened for reading | /proc/755/cmdline | mpsl.elf
  File opened for reading | /proc/710/cmdline | mpsl.elf
  File opened for reading | /proc/737/cmdline | mpsl.elf
  File opened for reading | /proc/filesystems | mkdir
  File opened for reading | /proc/9/cmdline | mpsl.elf
  File opened for reading | /proc/48/cmdline | mpsl.elf
  File opened for reading | /proc/59/cmdline | mpsl.elf
  File opened for reading | /proc/351/cmdline | mpsl.elf
  File opened for reading | /proc/696/cmdline | mpsl.elf
  File opened for reading | /proc/709/cmdline | mpsl.elf
  File opened for reading | /proc/716/cmdline | mpsl.elf
  File opened for reading | /proc/3/cmdline | mpsl.elf
  File opened for reading | /proc/19/cmdline | mpsl.elf
  File opened for reading | /proc/23/cmdline | mpsl.elf
  File opened for reading | /proc/114/cmdline | mpsl.elf
  File opened for reading | /proc/135/cmdline | mpsl.elf
  File opened for reading | /proc/388/cmdline | mpsl.elf
  File opened for reading | /proc/136/cmdline | mpsl.elf
- Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory.
  description | ioc | Process
  File opened for modification | /tmp/bin/watchdog | sh
Processes
- /tmp/mpsl.elf
  command line: /tmp/mpsl.elf
  PID: 742
  signatures: Changes its process name; Reads runtime system information
  - /bin/sh
    command line: sh -c "rm -rf bin/watchdog && mkdir bin; >bin/watchdog && mv /tmp/mpsl.elf bin/watchdog; chmod 777 bin/watchdog"
    PID: 743
    signatures: File and Directory Permissions Modification; Writes file to tmp directory
    - /usr/bin/rm
      command line: rm -rf bin/watchdog
      PID: 746
    - /usr/bin/mkdir
      command line: mkdir bin
      PID: 748
      signatures: Reads runtime system information
    - /usr/bin/mv
      command line: mv /tmp/mpsl.elf bin/watchdog
      PID: 752
    - /usr/bin/chmod
      command line: chmod 777 bin/watchdog
      PID: 756
      signatures: File and Directory Permissions Modification