Analysis

  • max time kernel
    141s
  • max time network
    147s
  • platform
    debian-12_mipsel
  • resource
    debian12-mipsel-20240221-en
  • resource tags
    arch:mipsel
    image:debian12-mipsel-20240221-en
    kernel:6.1.0-17-4kc-malta
    locale:en-us
    os:debian-12-mipsel
    system
  • submitted
    22/02/2025, 17:12

General

  • Target

    hoodlum.mpsl.elf

  • Size

    175KB

  • MD5

    53eeaa32c2da81e31c8e98445a210369

  • SHA1

    b5a9d9041b91d115be38eea10a30e49f50489178

  • SHA256

    a18ad447236c0345bbaae2ff79e736af5de72ed5eae0d7389690e74b0cd79246

  • SHA512

    c328257a071900adba1d6cdca70c2fe4eb085209800bd6f8d12bf37d1bb841e8d1a429532c19f9b72996afbd6f8c84972448c8d63ac1357a9c106ac1cb85d21b

  • SSDEEP

    1536:CY0XpUX0eej8bxwSOrgflgiLhoykWN1d2RNzSB5hhWQivYtrvxGfosmaVj3OOKIf:p/5nYXiSyR7sM5hhW7vgrfsmsj3tKIWe

Malware Config

Signatures

  • Deletes Audit logs 1 TTPs 1 IoCs

    Deletes logs related to the Linux Audit framework.

  • Deletes itself 1 IoCs
  • Deletes journal logs 1 TTPs 3 IoCs

    Deletes systemd journal logs. Likely to evade detection.

  • Flushes firewall rules 1 TTPs 6 IoCs

    Flushes/ disables firewall rules inside the Linux kernel.

  • Writes DNS configuration 1 TTPs 1 IoCs

    Writes data to DNS resolver config file.

  • Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs

    Abuse sudo or cached sudo credentials to execute code.

  • Deletes log files 1 TTPs 30 IoCs

    Deletes log files on the system.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads system routing table 1 TTPs 1 IoCs

    Gets active network interfaces from /proc virtual filesystem.

  • Changes its process name 1 IoCs
  • Reads CPU attributes 1 TTPs 3 IoCs
  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Command and Scripting Interpreter: Unix Shell 1 TTPs 13 IoCs

    Execute scripts via Unix Shell.

  • Enumerates kernel/hardware configuration 1 TTPs 3 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 4 IoCs

    Adversaries may gather information about the network configuration of a system.

Processes

  • /tmp/hoodlum.mpsl.elf
    /tmp/hoodlum.mpsl.elf
    1⤵
    • Deletes itself
    • Writes DNS configuration
    • Reads system routing table
    • Changes its process name
    • Reads system network configuration
    PID:745
    • /bin/sh
      /bin/sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
      2⤵
      • Command and Scripting Interpreter: Unix Shell
      PID:750
      • /usr/bin/rm
        rm -rf /tmp/systemd-private-8aaf9894ee06476383bd6e60f2d5c264-systemd-logind.service-jplWFO /tmp/systemd-private-8aaf9894ee06476383bd6e60f2d5c264-systemd-timedated.service-v53KC5 /var/backups /var/cache /var/lib /var/local /var/lock /var/log /var/mail /var/opt /var/run /var/spool /var/tmp /var/run/atd.pid /var/run/auditd.pid /var/run/console-setup /var/run/credentials /var/run/crond.pid /var/run/crond.reboot /var/run/dbus /var/run/dhclient.enp0s19.pid /var/run/exim4 /var/run/initctl /var/run/initramfs /var/run/lock /var/run/log /var/run/motd.dynamic /var/run/mount /var/run/network /var/run/sendsigs.omit.d /var/run/shm /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/user /var/run/utmp /var/tmp/systemd-private-8aaf9894ee06476383bd6e60f2d5c264-systemd-logind.service-vabGaf /var/tmp/systemd-private-8aaf9894ee06476383bd6e60f2d5c264-systemd-timedated.service-hBxLzD
        3⤵
        • Deletes Audit logs
        • Deletes journal logs
        • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
        • Deletes log files
        PID:752
    • /bin/sh
      /bin/sh -c "rm -rf /var/log/wtmp"
      2⤵
      • Command and Scripting Interpreter: Unix Shell
      PID:777
      • /usr/bin/rm
        rm -rf /var/log/wtmp
        3⤵
        • Deletes log files
        PID:778
    • /bin/sh
      /bin/sh -c "rm -rf /tmp/*"
      2⤵
      • Command and Scripting Interpreter: Unix Shell
      PID:779
      • /usr/bin/rm
        rm -rf "/tmp/*"
        3⤵
        PID:780
    • /bin/sh
      /bin/sh -c "rm -rf /bin/netstat"
      2⤵
      • Command and Scripting Interpreter: Unix Shell
      PID:781
      • /usr/bin/rm
        rm -rf /bin/netstat
        3⤵
        PID:782
    • /bin/sh
      /bin/sh -c "iptables -F"
      2⤵
      • Command and Scripting Interpreter: Unix Shell
      • System Network Configuration Discovery
      PID:783
    • /bin/sh
      /bin/sh -c "pkill -9 busybox"
      2⤵
      • Command and Scripting Interpreter: Unix Shell
      PID:784
      • /usr/bin/pkill
        pkill -9 busybox
        3⤵
        • Reads CPU attributes
        • Enumerates kernel/hardware configuration
        • Reads runtime system information
        PID:785
    • /bin/sh
      /bin/sh -c "pkill -9 perl"
      2⤵
      • Command and Scripting Interpreter: Unix Shell
      PID:786
      • /usr/bin/pkill
        pkill -9 perl
        3⤵
        • Reads CPU attributes
        • Enumerates kernel/hardware configuration
        • Reads runtime system information
        PID:787
    • /bin/sh
      /bin/sh -c "pkill -9 python"
      2⤵
      • Command and Scripting Interpreter: Unix Shell
      PID:788
      • /usr/bin/pkill
        pkill -9 python
        3⤵
        • Reads CPU attributes
        • Enumerates kernel/hardware configuration
        • Reads runtime system information
        PID:789
    • /bin/sh
      /bin/sh -c "service iptables stop"
      2⤵
      • Command and Scripting Interpreter: Unix Shell
      • System Network Configuration Discovery
      PID:790
      • /usr/sbin/service
        service iptables stop
        3⤵
        • System Network Configuration Discovery
        PID:791
        • /usr/bin/basename
          basename /usr/sbin/service
          4⤵
          PID:792
        • /usr/bin/basename
          basename /usr/sbin/service
          4⤵
          PID:793
        • /usr/bin/sed
          sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
          4⤵
          PID:796
        • /usr/bin/systemctl
          systemctl list-unit-files --full "--type=socket"
          4⤵
          • Reads runtime system information
          PID:795
      • /usr/local/sbin/systemctl
        systemctl stop iptables.service
        3⤵
        PID:791
      • /usr/local/bin/systemctl
        systemctl stop iptables.service
        3⤵
        PID:791
      • /usr/sbin/systemctl
        systemctl stop iptables.service
        3⤵
        PID:791
      • /usr/bin/systemctl
        systemctl stop iptables.service
        3⤵
        PID:791
    • /bin/sh
      /bin/sh -c "/sbin/iptables -F; /sbin/iptables -X"
      2⤵
      • Command and Scripting Interpreter: Unix Shell
      • System Network Configuration Discovery
      PID:803
      • /sbin/iptables
        /sbin/iptables -F
        3⤵
        • Flushes firewall rules
        PID:804
      • /sbin/iptables
        /sbin/iptables -X
        3⤵
        • Flushes firewall rules
        PID:805
    • /bin/sh
      /bin/sh -c "service firewalld stop"
      2⤵
      • Command and Scripting Interpreter: Unix Shell
      PID:806
      • /usr/sbin/service
        service firewalld stop
        3⤵
        PID:807
        • /usr/bin/basename
          basename /usr/sbin/service
          4⤵
          PID:808
        • /usr/bin/basename
          basename /usr/sbin/service
          4⤵
          PID:809
        • /usr/bin/sed
          sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
          4⤵
          PID:812
        • /usr/bin/systemctl
          systemctl list-unit-files --full "--type=socket"
          4⤵
          PID:811
      • /usr/local/sbin/systemctl
        systemctl stop firewalld.service
        3⤵
        • Flushes firewall rules
        PID:807
      • /usr/local/bin/systemctl
        systemctl stop firewalld.service
        3⤵
        • Flushes firewall rules
        PID:807
      • /usr/sbin/systemctl
        systemctl stop firewalld.service
        3⤵
        • Flushes firewall rules
        PID:807
      • /usr/bin/systemctl
        systemctl stop firewalld.service
        3⤵
        • Flushes firewall rules
        PID:807
    • /bin/sh
      /bin/sh -c "rm -rf ~/.bash_history"
      2⤵
      • Command and Scripting Interpreter: Unix Shell
      PID:815
      • /usr/bin/rm
        rm -rf "~/.bash_history"
        3⤵
        PID:816
    • /bin/sh
      /bin/sh -c "history -c"
      2⤵
      • Command and Scripting Interpreter: Unix Shell
      PID:817

Network

MITRE ATT&CK Enterprise v15
