219f9b6973c92dfe86b1018344b2113fd79d138509204dda6a5b5839de4b2de6 | Triage

Analysis

max time kernel
151s
max time network
170s
platform
debian-12_mipsel
resource
debian12-mipsel-20240221-en
resource tags

arch:mipselimage:debian12-mipsel-20240221-enkernel:6.1.0-17-4kc-maltalocale:en-usos:debian-12-mipselsystem
submitted
23-11-2024 18:27

Sharing

Report Analysis Logs

General

Target

cve_2024_6387/mipsel
Size

5.6MB
MD5

4ffce2d01ec451f990369781dc98d1b4
SHA1

a67a00f6cb7f003504fe28d3265392a482727e0f
SHA256

d0c443e61a1f050728572f6417261efc67b43e09b785c90d1ddca8214cdb3583
SHA512

3a91c2f221e2ad50e6b01709d490c07e57b735aa415b2acfb49519ed6eac94509a182fcd68df91953b9d8f53ea0bbea2dd58730f192bfd4ad19d243d9de185bd
SSDEEP

49152:Aur3a8E7Hc+zXubT3xFwLtVtNu9OKpjfsF:ZSbc+zXtEe

Score

7^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

description	ioc	Process
File opened for modification	/dev/misc/watchdog	mipsel
File opened for modification	/dev/watchdog	mipsel

Creates/modifies environment variables 1 TTPs 3 IoCs

Creating/modifying environment variables is a common persistence mechanism.

persistence privilege_escalation defense_evasion

Path Interception by PATH Environment Variable

description	ioc	Process
File opened for modification	/etc/profile.d/bash.cfg	mipsel
File opened for modification	/etc/profile.d/bash.cfg.sh	mipsel
File opened for modification	/etc/profile.d/gateway.sh	mipsel

Modifies init.d 2 TTPs 18 IoCs

Adds/modifies system service, likely for persistence.

Boot or Logon Autostart Execution

RC Scripts

description	ioc	Process
File opened for modification	/etc/init.d/networking	mipsel
File opened for modification	/etc/init.d/ssh	mipsel
File opened for modification	/etc/init.d/alsa-utils	mipsel
File opened for modification	/etc/init.d/console-setup.sh	mipsel
File opened for modification	/etc/init.d/kmod	mipsel
File opened for modification	/etc/init.d/hwclock.sh	mipsel
File opened for modification	/etc/init.d/sudo	mipsel
File opened for modification	/etc/init.d/dns-udp4	mipsel
File opened for modification	/etc/init.d/apparmor	mipsel
File opened for modification	/etc/init.d/auditd	mipsel
File opened for modification	/etc/init.d/cron	mipsel
File opened for modification	/etc/init.d/keyboard-setup.sh	mipsel
File opened for modification	/etc/init.d/x11-common	mipsel
File opened for modification	/etc/init.d/selinux-autorelabel	mipsel
File opened for modification	/etc/init.d/udev	mipsel
File opened for modification	/etc/init.d/dbus	mipsel
File opened for modification	/etc/init.d/exim4	mipsel
File opened for modification	/etc/init.d/procps	mipsel

Modifies Bash startup script 2 TTPs 3 IoCs

Boot or Logon Autostart Execution

Unix Shell Configuration Modification

description	ioc	Process
File opened for modification	/etc/profile.d/bash.cfg	mipsel
File opened for modification	/etc/profile.d/bash.cfg.sh	mipsel
File opened for modification	/etc/profile.d/gateway.sh	mipsel

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

description	ioc	Process
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	mipsel
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	mipsel

Reads runtime system information 6 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/filesystems	sed

System Network Configuration Discovery 1 TTPs 2 IoCs

Adversaries may gather information about the network configuration of a system.

System Network Configuration Discovery

pid	Process
776	mipsel
780	mipsel

/tmp/cve_2024_6387/mipsel
/tmp/cve_2024_6387/mipsel
1⤵
- Enumerates kernel/hardware configuration
- System Network Configuration Discovery
PID:776
- /tmp/cve_2024_6387/mipsel
  /tmp/cve_2024_6387/mipsel " "
  2⤵
  - Modifies Watchdog functionality
  - Creates/modifies environment variables
  - Modifies init.d
  - Modifies Bash startup script
  - Enumerates kernel/hardware configuration
  - System Network Configuration Discovery
  PID:780
- - /usr/sbin/update-rc.d
    update-rc.d dns-udp4 defaults
    3⤵
    PID:788
  - - /usr/local/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:789
  - - /usr/local/bin/systemctl
      systemctl daemon-reload
      4⤵
      PID:789
  - - /usr/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:789
  - - /usr/bin/systemctl
      systemctl daemon-reload
      4⤵
      Reads runtime system information
      PID:789
- - /usr/bin/mount
    mount -o bind /tmp/ /proc/780
    3⤵
    - Reads runtime system information
    PID:811
- - /usr/sbin/service
    service cron start
    3⤵
    PID:812
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:813
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:814
  - - /usr/bin/sed
      sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
      4⤵
      Reads runtime system information
      PID:817
  - - /usr/bin/systemctl
      systemctl list-unit-files --full "--type=socket"
      4⤵
      Reads runtime system information
      PID:816
- - /usr/local/sbin/systemctl
    systemctl start cron.service
    3⤵
    PID:812
- - /usr/local/bin/systemctl
    systemctl start cron.service
    3⤵
    PID:812
- - /usr/sbin/systemctl
    systemctl start cron.service
    3⤵
    PID:812
- - /usr/bin/systemctl
    systemctl start cron.service
    3⤵
    - Reads runtime system information
    PID:812
- - /usr/bin/systemctl
    systemctl start crond.service
    3⤵
    - Reads runtime system information
    PID:820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Boot or Logon Initialization Scripts

RC Scripts

Event Triggered Execution

Unix Shell Configuration Modification

Hijack Execution Flow

Path Interception by PATH Environment Variable

Privilege Escalation

Boot or Logon Autostart Execution

Boot or Logon Initialization Scripts

RC Scripts

Event Triggered Execution

Unix Shell Configuration Modification

Hijack Execution Flow

Path Interception by PATH Environment Variable

Defense Evasion

Hijack Execution Flow

Path Interception by PATH Environment Variable

Impair Defenses

Credential Access

Discovery

System Information Discovery

System Network Configuration Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/.mod

Filesize
27B

MD5
f449ef47c4f79ab4ecfe3d11022333d5

SHA1
61ebb524cee5a049cc96bf2cbf339a47dcb1b622

SHA256
503dffa20530956c5f61187e00935f20fe508c35dbb1fcf665b5d28d07d3d704

SHA512
a7015de8bd582dbf7ce6df708a58a725e1b1cd472c6616fbb89a9738c533c042ac39c071ca0cf2fc5df8e56f33bf8a28b1ebd3076570f5028cff773af89031f6

Download Submit
/etc/.cfg

Filesize
57B

MD5
25bfc97b9241077f7ee65c9d5831c0ae

SHA1
4d1e84cfe6f0619642400cbcc77ee008d452f622

SHA256
7e18da2137e9453fd98ed61aa79420a173383b2f7a5fe6538b70fbb560f9b3f6

SHA512
e3686c1fe664e67fc503275c6c0fa831ee43c1b081d8f826a616314505e3f952f98a8697911d1799e3f8c1957cd3a1bb5f888766877e5081b32942a6f2d8bff3

Download Submit
/etc/.cfg

Filesize
106B

MD5
d22311eddd2cab4362a07e896f185581

SHA1
13a23fc997f2af485780a7f4391fd7ff816304b8

SHA256
1c987600e460a7092aeb64865850855a50e8ea87c98afba901db157013fb1008

SHA512
49e08109e19288c458c27f561c93ae06b9aadba36895d02b042fe35755b31e6871673838e337fc49c7aede2531e3ea8a06b7e60ed57dbd08a76e707ea532f6f8

Download Submit
/etc/init.d/dns-udp4

Filesize
159B

MD5
79f1a0bf1a838c817142e43a5818733a

SHA1
768ed04a737dbdc969165092694e0e977321ca19

SHA256
a3f7d4499b03a14ff2de76122b6a61c221151f59daa6a63a78ae5a805c95a482

SHA512
b6d6f76f3e5b768a6670e05276724b70609259c856ba90ad34f8a782ac40134b9cf5cdabebb4aa55f076a786cedf8491adda9835f9d4aee90bd1820a45b2fbce

Download Submit
/etc/profile.d/gateway.sh

Filesize
3KB

MD5
99322c7a0ae8a43312fa744d7d750dad

SHA1
87c9ad9faeef3e5d8858eaca53f63b0ecbcbb971

SHA256
5e0f8bd7c114c480cd1bd66f09e2bfd0123212997db0eeea222552f5e5b78ac9

SHA512
912c218be81ebb1f66d90c701c13390f7e39fd913424b8b223b709b6569a14c441241b61590321bce1f6fd4236a2f99ef2a46a986b7eeb74cf6a135bfce3e39d

Download Submit