372488b8cecb45ce03923f19df5d904980761cd8a7f2ca87ce6c5b7fcff0e20a

Analysis

max time kernel
111s
max time network
116s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
23/02/2025, 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

372488b8cecb45ce03923f19df5d904980761cd8a7f2ca87ce6c5b7fcff0e20a.elf
Size

175KB
MD5

4e71504e4a8a3d4d5c7f60701c4cd36c
SHA1

39f8b713d31c70b4d887ef95d347b48c8f68c98e
SHA256

372488b8cecb45ce03923f19df5d904980761cd8a7f2ca87ce6c5b7fcff0e20a
SHA512

70e59bf2b7c8e0a4919686265002f4c65e7817a08f17759d148e5c1ffa90c38651593f06b61c52eece6d0655a4586abca34ccf76ae2626463d2b0968b68adb59
SSDEEP

3072:XDmNX+56DbtVO4x90ssgy4R695h3W+BTmsj3tKIWe:qZ+56TT0gxR695h3W+BTmsj3oIWe

Score

7^/10

defense_evasion discovery execution

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
698	372488b8cecb45ce03923f19df5d904980761cd8a7f2ca87ce6c5b7fcff0e20a.elf

Flushes firewall rules 1 TTPs 9 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

defense_evasion

Disable or Modify System Firewall

T1562.004

pid	Process
728	iptables
762	systemctl
762	systemctl
762	systemctl
759	iptables
760	iptables
762	systemctl
762	systemctl
762	systemctl

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Adversary-in-the-Middle

T1557

description	ioc	Process
File opened for modification	/etc/resolv.conf	372488b8cecb45ce03923f19df5d904980761cd8a7f2ca87ce6c5b7fcff0e20a.elf

Enumerates running processes
Discovers information about currently running processes on the system

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	372488b8cecb45ce03923f19df5d904980761cd8a7f2ca87ce6c5b7fcff0e20a.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	omsmdxoumouqouqsgpcsbqcdaoxfufof	698	372488b8cecb45ce03923f19df5d904980761cd8a7f2ca87ce6c5b7fcff0e20a.elf

Reads CPU attributes 1 TTPs 3 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	372488b8cecb45ce03923f19df5d904980761cd8a7f2ca87ce6c5b7fcff0e20a.elf

Command and Scripting Interpreter: Unix Shell 1 TTPs 13 IoCs

Execute scripts via Unix Shell.

execution

Unix Shell

T1059.004

pid	Process
783	sh
701	sh
719	sh
727	sh
734	sh
736	sh
722	sh
724	sh
732	sh
738	sh
758	sh
761	sh
781	sh

Enumerates kernel/hardware configuration 1 TTPs 30 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/115/status	pkill
File opened for reading	/proc/114/status	pkill
File opened for reading	/proc/377/cmdline	pkill
File opened for reading	/proc/690/status	pkill
File opened for reading	/proc/1/cmdline	pkill
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/235/cmdline	pkill
File opened for reading	/proc/23/status	pkill
File opened for reading	/proc/79/cmdline	pkill
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/334/status	pkill
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/12/status	pkill
File opened for reading	/proc/17/cmdline	pkill
File opened for reading	/proc/325/cmdline	pkill
File opened for reading	/proc/11/cmdline	pkill
File opened for reading	/proc/70/status	pkill
File opened for reading	/proc/325/cmdline	pkill
File opened for reading	/proc/375/status	pkill
File opened for reading	/proc/70/cmdline	pkill
File opened for reading	/proc/15/cmdline	pkill
File opened for reading	/proc/732/cmdline	pkill
File opened for reading	/proc/7/status	pkill
File opened for reading	/proc/332/cmdline	pkill
File opened for reading	/proc/700/status	pkill
File opened for reading	/proc/9/cmdline	pkill
File opened for reading	/proc/21/status	pkill
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/16/status	pkill
File opened for reading	/proc/387/cmdline	pkill
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/status	pkill
File opened for reading	/proc/10/cmdline	pkill
File opened for reading	/proc/22/cmdline	pkill
File opened for reading	/proc/69/cmdline	pkill
File opened for reading	/proc/3/status	pkill
File opened for reading	/proc/22/cmdline	pkill
File opened for reading	/proc/2/status	pkill
File opened for reading	/proc/18/status	pkill
File opened for reading	/proc/77/cmdline	pkill
File opened for reading	/proc/13/status	pkill
File opened for reading	/proc/16/cmdline	pkill
File opened for reading	/proc/69/cmdline	pkill
File opened for reading	/proc/696/status	pkill
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/76/cmdline	pkill
File opened for reading	/proc/676/cmdline	pkill
File opened for reading	/proc/21/status	pkill
File opened for reading	/proc/703/cmdline	pkill
File opened for reading	/proc/70/cmdline	pkill
File opened for reading	/proc/736/cmdline	pkill
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/6/cmdline	pkill
File opened for reading	/proc/16/cmdline	pkill
File opened for reading	/proc/23/cmdline	pkill
File opened for reading	/proc/71/status	pkill
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	systemctl

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
727	sh
738	sh
739	service
758	sh

/tmp/372488b8cecb45ce03923f19df5d904980761cd8a7f2ca87ce6c5b7fcff0e20a.elf
/tmp/372488b8cecb45ce03923f19df5d904980761cd8a7f2ca87ce6c5b7fcff0e20a.elf
1⤵
- Deletes itself
- Writes DNS configuration
- Reads system routing table
- Changes its process name
- Reads system network configuration
PID:698
- /bin/sh
  /bin/sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:701
- - /bin/rm
    rm -rf /tmp/systemd-private-1efad5a3dfef4e41ba998db6220ca005-systemd-timedated.service-lNM5mw /var/backups /var/cache /var/lib /var/local /var/lock /var/log /var/mail /var/opt /var/run /var/spool /var/tmp /var/run/atd.pid /var/run/auditd.pid /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/dbus /var/run/dhclient.enp0s19.pid /var/run/exim4 /var/run/initctl /var/run/initramfs /var/run/lock /var/run/log /var/run/motd.dynamic /var/run/mount /var/run/network /var/run/rsyslogd.pid /var/run/sendsigs.omit.d /var/run/shm /var/run/sshd /var/run/sshd.pid /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/user /var/run/utmp /var/tmp/systemd-private-1efad5a3dfef4e41ba998db6220ca005-systemd-timedated.service-kbJBeR
    3⤵
    PID:704
- /bin/sh
  /bin/sh -c "rm -rf /var/log/wtmp"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:719
- - /bin/rm
    rm -rf /var/log/wtmp
    3⤵
    PID:721
- /bin/sh
  /bin/sh -c "rm -rf /tmp/*"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:722
- - /bin/rm
    rm -rf "/tmp/*"
    3⤵
    PID:723
- /bin/sh
  /bin/sh -c "rm -rf /bin/netstat"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:724
- - /bin/rm
    rm -rf /bin/netstat
    3⤵
    PID:725
- /bin/sh
  /bin/sh -c "iptables -F"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  - System Network Configuration Discovery
  PID:727
- - /sbin/iptables
    iptables -F
    3⤵
    - Flushes firewall rules
    PID:728
- /bin/sh
  /bin/sh -c "pkill -9 busybox"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:732
- - /usr/bin/pkill
    pkill -9 busybox
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:733
- /bin/sh
  /bin/sh -c "pkill -9 perl"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:734
- - /usr/bin/pkill
    pkill -9 perl
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:735
- /bin/sh
  /bin/sh -c "pkill -9 python"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:736
- - /usr/bin/pkill
    pkill -9 python
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:737
- /bin/sh
  /bin/sh -c "service iptables stop"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  - System Network Configuration Discovery
  PID:738
- - /usr/sbin/service
    service iptables stop
    3⤵
    - System Network Configuration Discovery
    PID:739
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:740
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:741
  - - /bin/systemctl
      systemctl --quiet is-active multi-user.target
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:742
  - - /bin/systemctl
      systemctl list-unit-files --full "--type=socket"
      4⤵
      Enumerates kernel/hardware configuration
      PID:744
  - - /bin/sed
      sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
      4⤵
      Reads runtime system information
      PID:745
  - - /bin/systemctl
      systemctl -p Triggers show dbus.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:746
  - - /bin/systemctl
      systemctl -p Triggers show ssh.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:747
  - - /bin/systemctl
      systemctl -p Triggers show syslog.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:748
  - - /bin/systemctl
      systemctl -p Triggers show systemd-fsckd.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:749
  - - /bin/systemctl
      systemctl -p Triggers show systemd-initctl.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:750
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-audit.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:751
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-dev-log.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:752
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:753
  - - /bin/systemctl
      systemctl -p Triggers show systemd-networkd.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:754
  - - /bin/systemctl
      systemctl -p Triggers show systemd-rfkill.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:755
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-control.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:756
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-kernel.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:757
- - /usr/local/sbin/systemctl
    systemctl stop iptables.service
    3⤵
    PID:739
- - /usr/local/bin/systemctl
    systemctl stop iptables.service
    3⤵
    PID:739
- - /usr/sbin/systemctl
    systemctl stop iptables.service
    3⤵
    PID:739
- - /usr/bin/systemctl
    systemctl stop iptables.service
    3⤵
    PID:739
- - /sbin/systemctl
    systemctl stop iptables.service
    3⤵
    PID:739
- - /bin/systemctl
    systemctl stop iptables.service
    3⤵
    - Enumerates kernel/hardware configuration
    PID:739
- /bin/sh
  /bin/sh -c "/sbin/iptables -F; /sbin/iptables -X"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  - System Network Configuration Discovery
  PID:758
- - /sbin/iptables
    /sbin/iptables -F
    3⤵
    - Flushes firewall rules
    PID:759
- - /sbin/iptables
    /sbin/iptables -X
    3⤵
    - Flushes firewall rules
    PID:760
- /bin/sh
  /bin/sh -c "service firewalld stop"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:761
- - /usr/sbin/service
    service firewalld stop
    3⤵
    PID:762
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:763
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:764
  - - /bin/systemctl
      systemctl --quiet is-active multi-user.target
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:765
  - - /bin/systemctl
      systemctl list-unit-files --full "--type=socket"
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:767
  - - /bin/sed
      sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
      4⤵
      PID:768
  - - /bin/systemctl
      systemctl -p Triggers show dbus.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:769
  - - /bin/systemctl
      systemctl -p Triggers show ssh.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:770
  - - /bin/systemctl
      systemctl -p Triggers show syslog.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:771
  - - /bin/systemctl
      systemctl -p Triggers show systemd-fsckd.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:772
  - - /bin/systemctl
      systemctl -p Triggers show systemd-initctl.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:773
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-audit.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:774
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-dev-log.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:775
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:776
  - - /bin/systemctl
      systemctl -p Triggers show systemd-networkd.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:777
  - - /bin/systemctl
      systemctl -p Triggers show systemd-rfkill.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:778
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-control.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:779
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-kernel.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:780
- - /usr/local/sbin/systemctl
    systemctl stop firewalld.service
    3⤵
    - Flushes firewall rules
    PID:762
- - /usr/local/bin/systemctl
    systemctl stop firewalld.service
    3⤵
    - Flushes firewall rules
    PID:762
- - /usr/sbin/systemctl
    systemctl stop firewalld.service
    3⤵
    - Flushes firewall rules
    PID:762
- - /usr/bin/systemctl
    systemctl stop firewalld.service
    3⤵
    - Flushes firewall rules
    PID:762
- - /sbin/systemctl
    systemctl stop firewalld.service
    3⤵
    - Flushes firewall rules
    PID:762
- - /bin/systemctl
    systemctl stop firewalld.service
    3⤵
    - Flushes firewall rules
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:762
- /bin/sh
  /bin/sh -c "rm -rf ~/.bash_history"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:781
- - /bin/rm
    rm -rf "~/.bash_history"
    3⤵
    PID:782
- /bin/sh
  /bin/sh -c "history -c"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:783