Analysis
max time kernel: 123s
max time network: 152s
platform: debian-9_mipsel
resource: debian9-mipsel-20240611-en
resource tags: arch:mipsel, image:debian9-mipsel-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 28/03/2025, 03:33

Static task: static1

Behavioral task: behavioral1
Sample: mpsl.elf
Resource: debian9-mipsel-20240611-en

General
Target: mpsl.elf
Size: 210KB
MD5: 55076d662d3e4ab0ebed50e63bc9de51
SHA1: 900a6070b2463704cf1e872ffe79f42c7648f9de
SHA256: 9f725587128c1eb840279db0ce8256f9cb8098b742f7f863addf18be610d4979
SHA512: 06a4c8c28eeda5d62858d1b8f92b5aafb6305077782266354c7895128a7990c940a269668e703113e8a1e888ad9228275d7ef910ef8e7b627c1afd7cb7a7ed1a
SSDEEP: 1536:CispmDKOVez/ot3umsrIu9aTsmMD+zo57HSo20bIxQbDrKpHN8cUMEll+nHO0jsC:Vs+K8ez/c+Zrv9P57N2Bx/ptNnHS

Malware Config
Signatures

Contacts a large (28253) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.

Renames itself 1 IoCs
pid  Process
712  mpsl.elf

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description     ioc
Destination IP  208.67.220.220

Enumerates running processes
Discovers information about currently running processes on the system

Reads process memory 1 TTPs 10 IoCs
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
description              ioc             Process
File opened for reading  /proc/725/maps  mpsl.elf
File opened for reading  /proc/1/maps    mpsl.elf
File opened for reading  /proc/377/maps  mpsl.elf
File opened for reading  /proc/378/maps  mpsl.elf
File opened for reading  /proc/680/maps  mpsl.elf
File opened for reading  /proc/681/maps  mpsl.elf
File opened for reading  /proc/720/maps  mpsl.elf
File opened for reading  /proc/726/maps  mpsl.elf
File opened for reading  /proc/722/maps  mpsl.elf
File opened for reading  /proc/723/maps  mpsl.elf

Changes its process name 1 IoCs
description                                                          ioc          pid  Process
Changes the process name, possibly in an attempt to hide itself      dvrRecorder  712  mpsl.elf