General

  • Target

    la.bot.mips.elf

  • Size

    99KB

  • Sample

    241123-jcykbsxmhk

  • MD5

    a5da6231ab2a423f0bf7fad1a31024fa

  • SHA1

    918c3c53b15a6c88af39a8c017fa5719ad37fa74

  • SHA256

    cc352ff2955801b4b45890fc408af9bf4fc67094716dd701ead7ee922c375035

  • SHA512

    851cd689115431f30f83b172b16090fc3cfe698a6b6f094685e5c62421d7f2c3939a024c137bd47e4e7473976179b2a3bd4cdaad171c8d9e027bc99a2099c0e7

  • SSDEEP

    3072:3AUuIdNMvsHdHEUG789ZEhdTZg1CWD6obn3UnT:3e48sHKjqTDPm

Malware Config

Targets

    • Target

      la.bot.mips.elf

    • Size

      99KB

    • MD5

      a5da6231ab2a423f0bf7fad1a31024fa

    • SHA1

      918c3c53b15a6c88af39a8c017fa5719ad37fa74

    • SHA256

      cc352ff2955801b4b45890fc408af9bf4fc67094716dd701ead7ee922c375035

    • SHA512

      851cd689115431f30f83b172b16090fc3cfe698a6b6f094685e5c62421d7f2c3939a024c137bd47e4e7473976179b2a3bd4cdaad171c8d9e027bc99a2099c0e7

    • SSDEEP

      3072:3AUuIdNMvsHdHEUG789ZEhdTZg1CWD6obn3UnT:3e48sHKjqTDPm

    • Contacts a large (33601) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Deletes system logs

      Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

    • Modifies Watchdog functionality

      Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    • Renames itself

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Deletes log files

      Deletes log files on the system.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Reads process memory

      Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

MITRE ATT&CK Enterprise v15

Tasks