Analysis
max time kernel: 123s
max time network: 151s
platform: debian-9_mipsel
resource: debian9-mipsel-20240418-en
resource tags: arch:mipsel, image:debian9-mipsel-20240418-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 28/03/2025, 03:11
Static task: static1
Behavioral task: behavioral1
Sample: mpsl.elf
Resource: debian9-mipsel-20240418-en
General
Target: mpsl.elf
Size: 210KB
MD5: 1782fdd594d9de61100f48caa6f00428
SHA1: 288e7960a9a4fd1ff09cc74b3688b178c7245867
SHA256: 4e09c106804c14e8232998d46bd3f0d2c934af514770bb0d9d24402f167b0429
SHA512: bcfeed061aae04f8d79b7760e574df00b38890f00f7caaea889f311fa2c78ba559972eb68eb257b93c595a86745233d163241b9c5c6fdc0850f2bc7fe46d5df5
SSDEEP: 1536:1kpV4KWyy/yuhWbNaeZRmMvgebb3nvwc47ERdbDrQEWN87aNEElxnnHO0jsns9Xi:ep6Kvrlbrnb3IchRuEY5nH6
Malware Config
Signatures
-
Contacts a large (29031) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.
-
Renames itself (1 IoCs)
pid: 701, Process: mpsl.elf
-
Unexpected DNS network traffic destination (1 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Destination IP: 208.67.220.220
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads process memory (1 TTPs, 50 IoCs)
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
-
Changes its process name (1 IoCs)
Changes the process name, possibly in an attempt to hide itself
ioc: ptzcontrol, pid: 701, Process: mpsl.elf