Analysis

  • max time kernel
    96s
  • max time network
    147s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags
    arch:mips
    image:debian9-mipsbe-20240611-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mips
    system
  • submitted
    03/01/2025, 14:38 UTC

General

  • Target

    mips

  • Size

    103KB

  • MD5

    ade42a2e91917e954524de04d1e3d86e

  • SHA1

    a642bd1688b2758ccfe482fc467d6555f512141f

  • SHA256

    801c99e4f98a563c705771a06ef9290c3f1b262cec82e521a2f3f39641512e5f

  • SHA512

    2a4d2b577a6dda726670563dd9c6703579dfa2c9c53b98839d5adf9e0c85a1fbe3334257022f5337ee962d44625c7278af03b0ca704b82afd4fea9be5b588c94

  • SSDEEP

    1536:zO9Bm/RtCZiqr33Dc48uuwr7CFKygt6c9e8WDC1ieMbFQIg:yBm/zCZiyn448uuPRgt6c9e8YC1GFQP

Malware Config

Signatures

  • Deletes Audit logs 1 TTPs 1 IoCs

    Deletes logs related to the Linux Audit framework.

  • Deletes itself 1 IoCs
  • Deletes system logs 1 TTPs 2 IoCs

    Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Deletes log files 1 TTPs 3 IoCs

    Deletes log files on the system.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Modifies systemd 2 TTPs 1 IoCs

    Adds or modifies systemd service files, likely to achieve persistence.

  • Changes its process name 1 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 1 IoCs

    Adversaries may gather information about the network configuration of a system.

Processes

  • /tmp/mips
    /tmp/mips
    1⤵
    • Deletes Audit logs
    • Deletes itself
    • Deletes system logs
    • Modifies Watchdog functionality
    • Deletes log files
    • Modifies systemd
    • Changes its process name
    • Reads runtime system information
    • System Network Configuration Discovery
    PID:705
    • /bin/sh
      sh -c "systemctl daemon-reload"
      2⤵
        PID:710
        • /bin/systemctl
          systemctl daemon-reload
          3⤵
          • Enumerates kernel/hardware configuration
          • Reads runtime system information
          PID:715
      • /bin/sh
        sh -c "systemctl enable startup_command.service"
        2⤵
          PID:729
          • /bin/systemctl
            systemctl enable startup_command.service
            3⤵
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:736

Network

  DNS (resolver 1.1.1.1:53)

    Request           Type   Response
    tcpdown.su        IN A   45.200.149.249
                             104.168.33.8
                             45.200.149.95
                             23.94.242.130
                             23.94.37.42
                             45.200.149.96
                             45.200.149.167
    tcpdown.su���p    IN A   (no response)
    tcpdown.su���p    IN A   (no response)
    tcpdown.su���p    IN A   (no response)
    tcpdown.su���p    IN A   (no response)
    tcpdown.su���p    IN A   (no response)

  Connections

    Remote address         Domain            Proto   Sent    Received   Pkts sent   Pkts recv
    107.175.130.16:7722                              279 B   164 B      5           3
    107.175.130.16:7722                              280 B   164 B      5           3
    107.175.130.16:7722                              285 B   164 B      5           3
    107.175.130.16:7722                              287 B   164 B      5           3
    107.175.130.16:7722                              287 B   164 B      5           3
    107.175.130.16:7722                              304 B   164 B      5           3
    107.175.130.16:7722                              279 B   164 B      5           3
    107.175.130.16:7722                              279 B   164 B      5           3
    23.94.37.42:2601       tcpdown.su                747 B   700 B      14          13
    107.175.130.16:7722                              279 B   164 B      5           3
    107.175.130.16:7722                              279 B   164 B      5           3
    107.175.130.16:7722                              279 B   164 B      5           3
    107.175.130.16:7722                              294 B   164 B      5           3
    107.175.130.16:7722                              279 B   164 B      5           3
    107.175.130.16:7722                              297 B   164 B      5           3
    107.175.130.16:7722                              289 B   164 B      5           3
    107.175.130.16:7722                              287 B   164 B      5           3
    107.175.130.16:7722                              297 B   164 B      5           3
    107.175.130.16:7722                              297 B   164 B      5           3
    107.175.130.16:7722                              297 B   164 B      5           3
    107.175.130.16:7722                              279 B   164 B      5           3
    107.175.130.16:7722                              279 B   164 B      5           3
    107.175.130.16:7722                              279 B   164 B      5           3
    107.175.130.16:7722                              279 B   164 B      5           3
    107.175.130.16:7722                              279 B   164 B      5           3
    107.175.130.16:7722                              279 B   164 B      5           3
    107.175.130.16:7722                              279 B   164 B      5           3
    107.175.130.16:7722                              279 B   164 B      5           3
    107.175.130.16:7722                              279 B   164 B      5           3
    107.175.130.16:7722                              279 B   164 B      5           3
    107.175.130.16:7722                              279 B   164 B      5           3
    107.175.130.16:7722                              279 B   164 B      5           3
    107.175.130.16:7722                              279 B   164 B      5           3
    107.175.130.16:7722                              279 B   164 B      5           3
    1.1.1.1:53             tcpdown.su        dns     56 B    168 B      1           1
    1.1.1.1:53             tcpdown.su���p    dns     62 B    137 B      1           1
    1.1.1.1:53             tcpdown.su���p    dns     62 B    137 B      1           1
    1.1.1.1:53             tcpdown.su���p    dns     62 B    137 B      1           1
    1.1.1.1:53             tcpdown.su���p    dns     62 B    137 B      1           1
    1.1.1.1:53             tcpdown.su���p    dns     62 B    137 B      1           1

    The 1.1.1.1:53 row for tcpdown.su carries the DNS response listed above (45.200.149.249, 104.168.33.8, 45.200.149.95, 23.94.242.130, 23.94.37.42, 45.200.149.96, 45.200.149.167); the five tcpdown.su���p rows carry only the request.

MITRE ATT&CK Enterprise v15

Downloads

  • /etc/systemd/system/startup_command.service

    Filesize
    361B

    MD5
    af7d62b73266e0b457b114fe91f7e926

    SHA1
    11261aef4573b56b67b32020049c69c7282fc212

    SHA256
    14cb525e5a6b8aaf20c38672f8a9f974a684990888214848818326a739906642

    SHA512
    3926fbb53496c3aaa34cc782bd5c8379e0ab94b11fe4e63bbbfeac4e2b5057369c94bbe25ac56c3f04363076c91b978f9199fed97c5ed8377a6dc852b01ebfd9