b5cf68c7cb5bb2d21d60bf6654926f61566d95bfd7c9f9e182d032f1da5b4605

Analysis

max time kernel
30s
max time network
32s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
20/03/2025, 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bin.sh
Size

132KB
MD5

a73ddd6ec22462db955439f665cad4e6
SHA1

ac6962542a4b23ac13bddff22f8df9aeb702ef12
SHA256

b5cf68c7cb5bb2d21d60bf6654926f61566d95bfd7c9f9e182d032f1da5b4605
SHA512

92a52f68a7324c4d5876e1f7e2cb87d14b8604b057ceee2e537815568faa96abf576a22111c5c976eff72ab9015f1261b2331d4b4d711f4e62c8eb403c2377aa
SSDEEP

3072:2glZ3FtCKXhkmHtZ9TEKzjfj/WMngyIfsJ0F7xPtoM:2IIKXhZtL7jOTyIG87Xl

Score

8^/10

defense_evasion discovery persistence upx

Malware Config

Signatures

Contacts a large (1841) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Patched UPX-packed file 1 IoCs

Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

resource	yara_rule
behavioral4/files/fstream-3.dat	patched_upx

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	bin.sh
File opened for modification	/dev/misc/watchdog	bin.sh

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

discovery

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	bin.sh

Enumerates running processes
Discovers information about currently running processes on the system

Modifies init.d 2 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

description	ioc	Process
File opened for modification	/etc/init.d/S95baby.sh	bin.sh

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	bin.sh

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	bin.sh
File opened for modification	/bin/watchdog	bin.sh

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/fstream-3.dat	upx

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	sshd	712	bin.sh

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	bin.sh
File opened for reading	/proc/net/tcp	bin.sh
File opened for reading	/proc/net/raw	bin.sh

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/17/stat	killall
File opened for reading	/proc/75/stat	killall
File opened for reading	/proc/11/stat	killall
File opened for reading	/proc/14/stat	killall
File opened for reading	/proc/701/cmdline	killall
File opened for reading	/proc/self/exe	bin.sh
File opened for reading	/proc/161/stat	killall
File opened for reading	/proc/687/stat	killall
File opened for reading	/proc/707/stat	killall
File opened for reading	/proc/70/stat	killall
File opened for reading	/proc/125/stat	killall
File opened for reading	/proc/674/stat	killall
File opened for reading	/proc/6/stat	killall
File opened for reading	/proc/21/stat	killall
File opened for reading	/proc/114/stat	killall
File opened for reading	/proc/322/stat	killall
File opened for reading	/proc/mounts	bin.sh
File opened for reading	/proc/37/stat	killall
File opened for reading	/proc/78/stat	killall
File opened for reading	/proc/702/cmdline	killall
File opened for reading	/proc/708/stat	killall
File opened for reading	/proc/82/stat	killall
File opened for reading	/proc/154/cmdline	killall
File opened for reading	/proc/235/stat	killall
File opened for reading	/proc/324/stat	killall
File opened for reading	/proc/715/stat	killall
File opened for reading	/proc/7/stat	killall
File opened for reading	/proc/74/stat	killall
File opened for reading	/proc/701/stat	killall
File opened for reading	/proc/1/stat	killall
File opened for reading	/proc/3/stat	killall
File opened for reading	/proc/10/stat	killall
File opened for reading	/proc/12/stat	killall
File opened for reading	/proc/15/stat	killall
File opened for reading	/proc/36/stat	killall
File opened for reading	/proc/432/stat	killall
File opened for reading	/proc/677/stat	killall
File opened for reading	/proc/5/stat	killall
File opened for reading	/proc/22/stat	killall
File opened for reading	/proc/81/stat	killall
File opened for reading	/proc/385/stat	killall
File opened for reading	/proc/702/stat	killall
File opened for reading	/proc/13/stat	killall
File opened for reading	/proc/18/stat	killall
File opened for reading	/proc/72/stat	killall
File opened for reading	/proc/73/stat	killall
File opened for reading	/proc/125/cmdline	killall
File opened for reading	/proc/320/stat	killall
File opened for reading	/proc/325/stat	killall
File opened for reading	/proc/350/stat	killall
File opened for reading	/proc/8/stat	killall
File opened for reading	/proc/76/stat	killall
File opened for reading	/proc/84/stat	killall
File opened for reading	/proc/124/stat	killall
File opened for reading	/proc/179/stat	killall
File opened for reading	/proc/706/stat	killall
File opened for reading	/proc/712/stat	killall
File opened for reading	/proc/713/stat	killall
File opened for reading	/proc/filesystems	killall
File opened for reading	/proc/19/stat	killall
File opened for reading	/proc/24/stat	killall
File opened for reading	/proc/71/stat	killall
File opened for reading	/proc/77/stat	killall
File opened for reading	/proc/154/stat	killall

System Network Configuration Discovery 1 TTPs 12 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
850	sh
856	sh
797	sh
830	sh
842	sh
861	sh
807	sh
812	sh
816	sh
824	sh
828	sh
846	sh

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.ips	bin.sh

/tmp/bin.sh
/tmp/bin.sh
1⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Modifies init.d
- Reads system routing table
- Writes file to system bin folder
- Changes its process name
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:709
- /bin/sh
  sh -c "killall -9 telnetd utelnetd scfgmgr"
  2⤵
  PID:713
- - /usr/bin/killall
    killall -9 telnetd utelnetd scfgmgr
    3⤵
    - Reads runtime system information
    PID:714
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 57605 -j ACCEPT"
  2⤵
  PID:791
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 57605 -j ACCEPT
    3⤵
    PID:793
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 57605 -j ACCEPT"
  2⤵
  - System Network Configuration Discovery
  PID:797
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 57605 -j ACCEPT
    3⤵
    PID:799
- /bin/sh
  sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 57605 -j ACCEPT"
  2⤵
  PID:800
- - /sbin/iptables
    iptables -I PREROUTING -t nat -p tcp --destination-port 57605 -j ACCEPT
    3⤵
    PID:801
- /bin/sh
  sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 57605 -j ACCEPT"
  2⤵
  - System Network Configuration Discovery
  PID:807
- - /sbin/iptables
    iptables -I POSTROUTING -t nat -p tcp --source-port 57605 -j ACCEPT
    3⤵
    PID:809
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --dport 57605 -j ACCEPT"
  2⤵
  PID:810
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 57605 -j ACCEPT
    3⤵
    PID:811
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --sport 57605 -j ACCEPT"
  2⤵
  - System Network Configuration Discovery
  PID:812
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --sport 57605 -j ACCEPT
    3⤵
    PID:813
- /bin/sh
  sh -c "iptables -I PREROUTING -t nat -p tcp --dport 57605 -j ACCEPT"
  2⤵
  PID:814
- - /sbin/iptables
    iptables -I PREROUTING -t nat -p tcp --dport 57605 -j ACCEPT
    3⤵
    PID:815
- /bin/sh
  sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 57605 -j ACCEPT"
  2⤵
  - System Network Configuration Discovery
  PID:816
- - /sbin/iptables
    iptables -I POSTROUTING -t nat -p tcp --sport 57605 -j ACCEPT
    3⤵
    PID:817
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 22 -j DROP"
  2⤵
  PID:818
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 22 -j DROP
    3⤵
    PID:819
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 23 -j DROP"
  2⤵
  PID:820
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 23 -j DROP
    3⤵
    PID:821
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 2323 -j DROP"
  2⤵
  PID:822
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 2323 -j DROP
    3⤵
    PID:823
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 22 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:824
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 22 -j DROP
    3⤵
    PID:826
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 23 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:828
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 23 -j DROP
    3⤵
    PID:829
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 2323 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:830
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
    3⤵
    PID:832
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --dport 22 -j DROP"
  2⤵
  PID:834
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 22 -j DROP
    3⤵
    PID:835
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --dport 23 -j DROP"
  2⤵
  PID:836
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 23 -j DROP
    3⤵
    PID:838
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --dport 2323 -j DROP"
  2⤵
  PID:840
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 2323 -j DROP
    3⤵
    PID:841
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --sport 22 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:842
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --sport 22 -j DROP
    3⤵
    PID:844
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --sport 23 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:846
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --sport 23 -j DROP
    3⤵
    PID:848
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --sport 2323 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:850
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --sport 2323 -j DROP
    3⤵
    PID:851
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"
  2⤵
  PID:852
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 58000 -j DROP
    3⤵
    PID:854
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:856
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
    3⤵
    PID:857
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"
  2⤵
  PID:858
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 58000 -j DROP
    3⤵
    PID:859
- /bin/sh
  sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"
  2⤵
  - System Network Configuration Discovery
  PID:861
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --sport 58000 -j DROP
    3⤵
    PID:863
- /bin/sh
  sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""
  2⤵
  PID:867
- /bin/sh
  sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""
  2⤵
  PID:868
- /bin/sh
  sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"
  2⤵
  PID:869

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/rcS.d/S95baby.sh

Filesize
25B

MD5
1b3235ba10fc04836c941d3d27301956

SHA1
8909655763143702430b8c58b3ae3b04cfd3a29c

SHA256
01ba1fb41632594997a41d0c3a911ae5b3034d566ebb991ef76ad76e6f9e283a

SHA512
98bdb5c266222ccbd63b6f80c87e501c8033dc53b0513d300b8da50e39a207a0b69f8cd3ecc4a128dec340a1186779fedd1049c9b0a70e90d2cb3ae6ebfa4c4d

Download Submit
/usr/networks

Filesize
132KB

MD5
a73ddd6ec22462db955439f665cad4e6

SHA1
ac6962542a4b23ac13bddff22f8df9aeb702ef12

SHA256
b5cf68c7cb5bb2d21d60bf6654926f61566d95bfd7c9f9e182d032f1da5b4605

SHA512
92a52f68a7324c4d5876e1f7e2cb87d14b8604b057ceee2e537815568faa96abf576a22111c5c976eff72ab9015f1261b2331d4b4d711f4e62c8eb403c2377aa

Download Submit

pid	Process
850	sh
856	sh
797	sh
830	sh
842	sh
861	sh
807	sh
812	sh
816	sh
824	sh
828	sh
846	sh

pid	Process
850	sh
856	sh
797	sh
830	sh
842	sh
861	sh
807	sh
812	sh
816	sh
824	sh
828	sh
846	sh

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

pid	Process
850	sh
856	sh
797	sh
830	sh
842	sh
861	sh
807	sh
812	sh
816	sh
824	sh
828	sh
846	sh