6389f18ae50cc9dc8e1eef30eced0a44b1d77ad27d4862daa01f7e4ff54b9474

Analysis

max time kernel
150s
max time network
152s
platform
debian-12_mipsel
resource
debian12-mipsel-20240418-en
resource tags

arch:mipselimage:debian12-mipsel-20240418-enkernel:6.1.0-17-4kc-maltalocale:en-usos:debian-12-mipselsystem
submitted
02/02/2025, 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mpsl.b.elf
Size

106KB
MD5

56820e418dc7fff0b3c057235e6f245a
SHA1

b2999154db9183a76c8b43899423e04ae71ab78b
SHA256

6389f18ae50cc9dc8e1eef30eced0a44b1d77ad27d4862daa01f7e4ff54b9474
SHA512

54ada7d83be974a2eb0faa475cc1d3c5e5e2eb366ca073672217ca2dd90aef69c6b332ac3539b827ae19212d6ca8736edcff4be9ca95b078b53ee5f75fd3c70c
SSDEEP

1536:wAxCZNOM+AZzOMlWJdZqnkj5Y6oPHqa+F1ormJgjkZXpo3LVTB6:wAxCZAMXZznu/qktLCH4oqJgwZZj

Score

7^/10

credential_access defense_evasion

Malware Config

Signatures

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	mpsl.b.elf
File opened for modification	/dev/misc/watchdog	mpsl.b.elf

Traces itself 1 IoCs

Traces itself to prevent debugging attempts

pid	Process
745	mpsl.b.elf

Reads process memory 1 TTPs 20 IoCs

Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

credential_access

Proc Filesystem

T1003.007

description	ioc	Process
File opened for reading	/proc/413/maps	mpsl.b.elf
File opened for reading	/proc/719/maps	mpsl.b.elf
File opened for reading	/proc/757/maps	mpsl.b.elf
File opened for reading	/proc/402/maps	mpsl.b.elf
File opened for reading	/proc/411/maps	mpsl.b.elf
File opened for reading	/proc/763/maps	mpsl.b.elf
File opened for reading	/proc/785/maps	mpsl.b.elf
File opened for reading	/proc/714/maps	mpsl.b.elf
File opened for reading	/proc/718/maps	mpsl.b.elf
File opened for reading	/proc/722/maps	mpsl.b.elf
File opened for reading	/proc/738/maps	mpsl.b.elf
File opened for reading	/proc/746/maps	mpsl.b.elf
File opened for reading	/proc/681/maps	mpsl.b.elf
File opened for reading	/proc/700/maps	mpsl.b.elf
File opened for reading	/proc/680/maps	mpsl.b.elf
File opened for reading	/proc/698/maps	mpsl.b.elf
File opened for reading	/proc/711/maps	mpsl.b.elf
File opened for reading	/proc/737/maps	mpsl.b.elf
File opened for reading	/proc/417/maps	mpsl.b.elf
File opened for reading	/proc/668/maps	mpsl.b.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	hvo9nnlfnsthknan03	745	mpsl.b.elf

/tmp/mpsl.b.elf
/tmp/mpsl.b.elf
1⤵
- Modifies Watchdog functionality
- Traces itself
- Reads process memory
- Changes its process name
PID:745

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

OS Credential Dumping

T1003

Proc Filesystem

T1003.007

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...