Analysis
max time kernel: 122s
max time network: 151s
platform: debian-9_mipsel
resource: debian9-mipsel-20240729-en
resource tags: arch:mipsel, image:debian9-mipsel-20240729-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 28/03/2025, 03:08
Static task: static1
Behavioral task: behavioral1
Sample: mpsl.elf
Resource: debian9-mipsel-20240729-en
General
Target: mpsl.elf
Size: 210KB
MD5: 1782fdd594d9de61100f48caa6f00428
SHA1: 288e7960a9a4fd1ff09cc74b3688b178c7245867
SHA256: 4e09c106804c14e8232998d46bd3f0d2c934af514770bb0d9d24402f167b0429
SHA512: bcfeed061aae04f8d79b7760e574df00b38890f00f7caaea889f311fa2c78ba559972eb68eb257b93c595a86745233d163241b9c5c6fdc0850f2bc7fe46d5df5
SSDEEP: 1536:1kpV4KWyy/yuhWbNaeZRmMvgebb3nvwc47ERdbDrQEWN87aNEElxnnHO0jsns9Xi:ep6Kvrlbrnb3IchRuEY5nH6
Malware Config
Signatures
Contacts a large (28628) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.

Renames itself 1 IoCs
pid: 717, Process: mpsl.elf

Unexpected DNS network traffic destination 2 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Destination IP: 208.67.220.220
Destination IP: 208.67.222.222

Enumerates running processes
Discovers information about currently running processes on the system
Reads process memory 1 TTPs 50 IoCs
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
Changes its process name 1 IoCs
Changes the process name, possibly in an attempt to hide itself
ioc: dvrDecoder, pid: 717, Process: mpsl.elf