Analysis
-
max time kernel
150s -
max time network
155s -
platform
debian-9_mips -
resource
debian9-mipsbe-20240611-en -
resource tags
arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem -
submitted
21-11-2024 12:09
Static task
static1
Behavioral task
behavioral1
Sample
la.bot.mips.elf
Resource
debian9-mipsbe-20240611-en
debian-9-mips
General
-
Target
la.bot.mips.elf
-
Size
118KB
-
MD5
82f249828b9ad33ed0926bc5d0195d36
-
SHA1
c4d812e645b672e734a2115062f81430ed8459c8
-
SHA256
e4ca7686ae287c44b9a6041b71f309786fe361d8461bdad4aa9d80f8da3331cc
-
SHA512
327745790997f3d1392c5dba269af6ef8ad213b0e5ca4f431152a7cf5b1429a6ee7ae9fb413ba120b44c77e44ed3b3b946371229a3d3fc896651da4f8ce1016c
-
SSDEEP
3072:JmUuH13XyyDWczb0lpTtI6uXGWy7yXdVnecp1kj:JmTV3XDhXGzHG1c
Malware Config
Signatures
-
Contacts a large (20700) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes system logs 1 TTPs 1 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
description ioc Process File deleted /var/log/syslog la.bot.mips.elf -
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description ioc Process File opened for modification /dev/watchdog la.bot.mips.elf File opened for modification /dev/misc/watchdog la.bot.mips.elf -
Renames itself 1 IoCs
pid Process 699 la.bot.mips.elf -
description ioc Process File deleted /var/log/daemon.log la.bot.mips.elf -
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
description ioc Process File opened for reading /proc/net/tcp la.bot.mips.elf -
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads process memory 1 TTPs 1 IoCs
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
description ioc Process File opened for reading /proc/1/maps la.bot.mips.elf -
Changes its process name 1 IoCs
description ioc pid Process Changes the process name, possibly in an attempt to hide itself telnetd 699 la.bot.mips.elf -
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
description ioc Process File opened for reading /proc/net/tcp la.bot.mips.elf -
description ioc Process File opened for reading /proc/69/fd la.bot.mips.elf File opened for reading /proc/78/fd la.bot.mips.elf File opened for reading /proc/115/fd la.bot.mips.elf File opened for reading /proc/149/fd la.bot.mips.elf File opened for reading /proc/165/fd la.bot.mips.elf File opened for reading /proc/235/fd la.bot.mips.elf File opened for reading /proc/387/fd la.bot.mips.elf File opened for reading /proc/11/fd la.bot.mips.elf File opened for reading /proc/10/fd la.bot.mips.elf File opened for reading /proc/15/fd la.bot.mips.elf File opened for reading /proc/70/fd la.bot.mips.elf File opened for reading /proc/332/fd la.bot.mips.elf File opened for reading /proc/6/fd la.bot.mips.elf File opened for reading /proc/8/fd la.bot.mips.elf File opened for reading /proc/16/fd la.bot.mips.elf File opened for reading /proc/74/fd la.bot.mips.elf File opened for reading /proc/7/fd la.bot.mips.elf File opened for reading /proc/4/fd la.bot.mips.elf File opened for reading /proc/9/fd la.bot.mips.elf File opened for reading /proc/12/fd la.bot.mips.elf File opened for reading /proc/24/fd la.bot.mips.elf File opened for reading /proc/76/fd la.bot.mips.elf File opened for reading /proc/79/fd la.bot.mips.elf File opened for reading /proc/82/fd la.bot.mips.elf File opened for reading /proc/2/fd la.bot.mips.elf File opened for reading /proc/143/fd la.bot.mips.elf File opened for reading /proc/325/fd la.bot.mips.elf File opened for reading /proc/105/fd la.bot.mips.elf File opened for reading /proc/13/fd la.bot.mips.elf File opened for reading /proc/14/fd la.bot.mips.elf File opened for reading /proc/20/fd la.bot.mips.elf File opened for reading /proc/22/fd la.bot.mips.elf File opened for reading /proc/23/fd la.bot.mips.elf File opened for reading /proc/36/fd la.bot.mips.elf File opened for reading /proc/37/fd la.bot.mips.elf File opened for reading /proc/1/fd la.bot.mips.elf File opened for reading /proc/72/fd la.bot.mips.elf File opened for reading /proc/73/fd la.bot.mips.elf File opened for reading /proc/77/fd la.bot.mips.elf File opened for reading /proc/114/fd la.bot.mips.elf File opened for reading /proc/71/fd la.bot.mips.elf File opened for reading /proc/5/fd la.bot.mips.elf File opened for reading /proc/21/fd la.bot.mips.elf File opened for reading /proc/357/fd la.bot.mips.elf File opened for reading /proc/375/fd la.bot.mips.elf File opened for reading /proc/3/fd la.bot.mips.elf File opened for reading /proc/19/fd la.bot.mips.elf File opened for reading /proc/329/fd la.bot.mips.elf File opened for reading /proc/334/fd la.bot.mips.elf File opened for reading /proc/377/fd la.bot.mips.elf File opened for reading /proc/17/fd la.bot.mips.elf File opened for reading /proc/18/fd la.bot.mips.elf -
System Network Configuration Discovery 1 TTPs 1 IoCs
Adversaries may gather information about the network configuration of a system.
pid Process 699 la.bot.mips.elf
Processes
-
/tmp/la.bot.mips.elf/tmp/la.bot.mips.elf1⤵
- Deletes system logs
- Modifies Watchdog functionality
- Renames itself
- Deletes log files
- Enumerates active TCP sockets
- Reads process memory
- Changes its process name
- Reads system network configuration
- Reads runtime system information
- System Network Configuration Discovery
PID:699