General

  • Target

    linux_mipsel.elf

  • Size

    2.2MB

  • Sample

    250416-w94ttstyhs

  • MD5

    06a141032d508ea7639d82c044851727

  • SHA1

    e49bf29f0c21f0e5a5d0ccee733ed1626df57d6b

  • SHA256

    d3030e1575b48293f9364353127bd44892ec65120c11d1710eead510373aab55

  • SHA512

    8173fc77c9ba84dc1a980c907dec6d2a37e20b3dec5438189fb1990e6c161de5a7ebc033091be2bcd7b80fb1bfe1478eb9f81f6811c9417fd95d3419c9cc2e05

  • SSDEEP

    24576:TTq+DZ51ZFBI2dNPSn3MKEuPVXlod+lCmISWz1v:fT18MyEd+lsSWz1

Malware Config

Targets

    • Target

      linux_mipsel.elf

    • Renames multiple (1004) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Executes dropped EXE

    • Modifies Watchdog functionality

      Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Creates/modifies environment variables

      Creating/modifying environment variables is a common persistence mechanism.

    • Disables SELinux

      Disables SELinux security module.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Modifies systemd

      Adds/modifies systemd service files, likely for persistence.

    • Writes file to user bin folder

    • Modifies Bash startup script

MITRE ATT&CK Enterprise v16

Tasks