Analysis
max time kernel: 96s
max time network: 152s
platform: debian-9_mipsel
resource: debian9-mipsel-20240611-en
resource tags: arch:mipsel, image:debian9-mipsel-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 28/03/2025, 04:08
Static task: static1
Behavioral task: behavioral1
Sample: mpsl.elf
Resource: debian9-mipsel-20240611-en
General
Target: mpsl.elf
Size: 210KB
MD5: 55076d662d3e4ab0ebed50e63bc9de51
SHA1: 900a6070b2463704cf1e872ffe79f42c7648f9de
SHA256: 9f725587128c1eb840279db0ce8256f9cb8098b742f7f863addf18be610d4979
SHA512: 06a4c8c28eeda5d62858d1b8f92b5aafb6305077782266354c7895128a7990c940a269668e703113e8a1e888ad9228275d7ef910ef8e7b627c1afd7cb7a7ed1a
SSDEEP: 1536:CispmDKOVez/ot3umsrIu9aTsmMD+zo57HSo20bIxQbDrKpHN8cUMEll+nHO0jsC:Vs+K8ez/c+Zrv9P57N2Bx/ptNnHS
Malware Config
Signatures

Contacts a large (18513) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Renames itself (1 IoCs)
pid: 712, Process: mpsl.elf

Unexpected DNS network traffic destination (2 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Destination IP: 208.67.222.222
Destination IP: 208.67.220.220

Enumerates running processes
Discovers information about currently running processes on the system

Reads process memory (1 TTPs, 16 IoCs)
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

Changes its process name (1 IoCs)
Changes the process name, possibly in an attempt to hide itself
ioc: dvrEncoder, pid: 712, Process: mpsl.elf