Analysis
-
max time kernel
120s -
max time network
15s -
platform
debian-9_mips -
resource
debian9-mipsbe-20240611-en -
resource tags
arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem -
submitted
31/12/2024, 13:28
Behavioral task
behavioral1
Sample
mips
Resource
debian9-mipsbe-20240611-en
debian-9-mips
General
-
Target
mips
-
Size
104KB
-
MD5
4eb5418188eb447aeb7bbcd87c9f58cf
-
SHA1
dc58321f3ef78a5a291ea7a40479378d4dfb67a7
-
SHA256
c43f68e816ac1f52cbcb87424add3311d9fb7bb5922d7a4c2692d40b1722b299
-
SHA512
1d1d3171a06f5d9d5b98b89dddbcc8e58a4fbe2ff453b0351391da131a51d972059929116c64196e07958838838998529a23e74b468ddded007381469d044845
-
SSDEEP
1536:frfxe7NbaACXuBvgB13X9ScuTmMy03Vs0Q/v94SDmeS8RBCH:zxe7haACXII7X9Sw+3u0Q/viSDEeBCH
Malware Config
Signatures
-
description ioc Process File deleted /var/log/audit/audit.log mips -
Deletes itself 1 IoCs
pid Process 708 mips -
Deletes system logs 1 TTPs 1 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
description ioc Process File deleted /var/log/syslog mips -
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description ioc Process File opened for modification /dev/watchdog mips File opened for modification /dev/misc/watchdog mips -
description ioc Process File deleted /var/log/daemon.log mips -
Enumerates running processes
Discovers information about currently running processes on the system
-
Modifies systemd 2 TTPs 1 IoCs
Adds/ modifies systemd service files. Likely to achieve persistence.
description ioc Process File opened for modification /etc/systemd/system/startup_command.service mips -
Changes its process name 1 IoCs
description ioc pid Process Changes the process name, possibly in an attempt to hide itself jwtgtqb2vd78fkaivs2rl8ja 708 mips -
Enumerates kernel/hardware configuration 1 TTPs 1 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
description ioc Process File opened for reading /sys/fs/kdbus/0-system/bus systemctl -
description ioc Process File opened for reading /proc/700/cmdline mips File opened for reading /proc/5/cmdline mips File opened for reading /proc/12/cmdline mips File opened for reading /proc/79/cmdline mips File opened for reading /proc/681/cmdline mips File opened for reading /proc/701/cmdline mips File opened for reading /proc/710/cmdline mips File opened for reading /proc/714/cmdline mips File opened for reading /proc/381/cmdline mips File opened for reading /proc/703/cmdline mips File opened for reading /proc/728/cmdline mips File opened for reading /proc/8/cmdline mips File opened for reading /proc/72/cmdline mips File opened for reading /proc/124/cmdline mips File opened for reading /proc/359/cmdline mips File opened for reading /proc/721/cmdline mips File opened for reading /proc/725/cmdline mips File opened for reading /proc/17/cmdline mips File opened for reading /proc/23/cmdline mips File opened for reading /proc/69/cmdline mips File opened for reading /proc/111/cmdline mips File opened for reading /proc/13/cmdline mips File opened for reading /proc/15/cmdline mips File opened for reading /proc/68/cmdline mips File opened for reading /proc/679/cmdline mips File opened for reading /proc/1/environ systemctl File opened for reading /proc/3/cmdline mips File opened for reading /proc/70/cmdline mips File opened for reading /proc/707/cmdline mips File opened for reading /proc/723/cmdline mips File opened for reading /proc/726/cmdline mips File opened for reading /proc/356/cmdline mips File opened for reading /proc/676/cmdline mips File opened for reading /proc/7/cmdline mips File opened for reading /proc/37/cmdline mips File opened for reading /proc/125/cmdline mips File opened for reading /proc/355/cmdline mips File opened for reading /proc/380/cmdline mips File opened for reading /proc/708/cmdline mips File opened for reading /proc/filesystems systemctl File opened for reading /proc/729/cmdline mips File opened for reading /proc/4/cmdline mips File opened for reading /proc/6/cmdline mips File opened for reading /proc/81/cmdline mips File opened for reading /proc/154/cmdline mips File opened for reading /proc/73/cmdline mips File opened for reading /proc/157/cmdline mips File opened for reading /proc/243/cmdline mips File opened for reading /proc/cmdline systemctl File opened for reading /proc/16/cmdline mips File opened for reading /proc/24/cmdline mips File opened for reading /proc/386/cmdline mips File opened for reading /proc/174/cmdline mips File opened for reading /proc/354/cmdline mips File opened for reading /proc/680/cmdline mips File opened for reading /proc/704/cmdline mips File opened for reading /proc/1/cmdline mips File opened for reading /proc/36/cmdline mips File opened for reading /proc/76/cmdline mips File opened for reading /proc/84/cmdline mips File opened for reading /proc/706/cmdline mips File opened for reading /proc/715/cmdline mips File opened for reading /proc/9/cmdline mips File opened for reading /proc/14/cmdline mips -
System Network Configuration Discovery 1 TTPs 1 IoCs
Adversaries may gather information about the network configuration of a system.
pid Process 708 mips
Processes
-
/tmp/mips/tmp/mips1⤵
- Deletes Audit logs
- Deletes itself
- Deletes system logs
- Modifies Watchdog functionality
- Deletes log files
- Modifies systemd
- Changes its process name
- Reads runtime system information
- System Network Configuration Discovery
PID:708 -
/bin/shsh -c "systemctl daemon-reload"2⤵PID:713
-
/bin/systemctlsystemctl daemon-reload3⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:716
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1XDG Autostart Entries
1Create or Modify System Process
1Systemd Service
1Privilege Escalation
Boot or Logon Autostart Execution
1XDG Autostart Entries
1Create or Modify System Process
1Systemd Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
361B
MD54d2c868f454b6c55731485cf0f886dc0
SHA1032b125de0a28dcee8d8d25fbeeb56db7f403f04
SHA2568c4ae1b82477698f3a8c273b439cb9079794afb8fc33cd4def854936ba37ea2c
SHA512060b2413a0cb2dec0db059c190467b5cb0d76209effea4ae3de2701fa71429b811a6f7e11e813b26806cf72578d1f32b608a02a4ce670ec58b5b65433e3cf11d