66a78e0a712638e9317ed2206c660e995b20fea2f36c533fbb9768d925260f6e

Analysis

max time kernel
25551s
max time network
164s
platform
linux_armhf
resource
debian9-armhf-en-20211208
resource tags

arch:armhfimage:debian9-armhf-en-20211208kernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
30-09-2022 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

linux_arm6
Size

5.1MB
MD5

173cc4ddab87dc75222bab5c44f7cdd5
SHA1

d4cc58b67d9d1d5e4ff191da9c8de9a4982b787e
SHA256

66a78e0a712638e9317ed2206c660e995b20fea2f36c533fbb9768d925260f6e
SHA512

b052f6b661b1e28b6e1de751f7577be6123fc700deb3543f18a5e813dde7ae0bb39c54d732b7fadcc6deb93ac49dfc14a40934e9ee3f5832bd42954a6a2dbd33
SSDEEP

98304:8cSBHdgN2a7JP97kJru8cYWPAXqJu+60:8cS03xu+6

Score

9^/10

persistence

Malware Config

Signatures

Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Modifies hosts file 1 IoCs

Adds to hosts file used for mapping hosts to IP addresses.

description	ioc
/etc/hosts	/etc/hosts

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Dynamic Resolution

T1568

description	ioc
/etc/resolv.conf	/etc/resolv.conf

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task

T1053

description	ioc	Process
/etc/crontab	/etc/crontab	bash

Modifies Bash startup script 1 TTPs 3 IoCs

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
/etc/profile.d/bash_config.sh	/etc/profile.d/bash_config.sh
/etc/profile.d/bash_config	/etc/profile.d/bash_config
/etc/profile.d/linux.sh	/etc/profile.d/linux.sh

Modifies init.d 1 TTPs 3 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
/etc/init.d/linux_kill	/etc/init.d/linux_kill	Process not Found
/etc/init.d/linux_kill	/etc/init.d/linux_kill	update-rc.d
/etc/init.d/ssh	/etc/init.d/ssh	Process not Found

Modifies rc script 1 TTPs 7 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
/etc/rc3.d/	/etc/rc3.d/	update-rc.d
/etc/rc4.d/	/etc/rc4.d/	update-rc.d
/etc/rc2.d/	/etc/rc2.d/	update-rc.d
/etc/rc1.d/	/etc/rc1.d/	update-rc.d
/etc/rc0.d/	/etc/rc0.d/	update-rc.d
/etc/rc5.d/	/etc/rc5.d/	update-rc.d
/etc/rc6.d/	/etc/rc6.d/	update-rc.d

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
/usr/sbin/service	/usr/sbin/service	service
/usr/sbin/update-rc.d	/usr/sbin/update-rc.d	update-rc.d
/usr/bin/find	/usr/bin/find	Process not Found
/usr/bin/lib/find	/usr/bin/lib/find	Process not Found
/usr/sbin/service	/usr/sbin/service	service

Enumerates kernel/hardware configuration 1 TTPs 35 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	linux_arm6
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	linux_arm6
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/cmdline	/proc/cmdline	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/428/stat	/proc/428/stat	Process not Found
/proc/cmdline	/proc/cmdline	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/447/stat	/proc/447/stat	Process not Found
/proc/495/stat	/proc/495/stat	Process not Found
/proc/1/environ	/proc/1/environ	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/437/stat	/proc/437/stat	Process not Found
/proc/463/stat	/proc/463/stat	Process not Found
/proc/508/stat	/proc/508/stat	Process not Found
/proc/556/stat	/proc/556/stat	Process not Found
/proc/1/environ	/proc/1/environ	systemctl
/proc/376/stat	/proc/376/stat	Process not Found
/proc/1/environ	/proc/1/environ	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/426/stat	/proc/426/stat	Process not Found
/proc/1/environ	/proc/1/environ	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/270/stat	/proc/270/stat	Process not Found
/proc/filesystems	/proc/filesystems	sed
/proc/1/environ	/proc/1/environ	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/454/stat	/proc/454/stat	Process not Found
/proc/507/stat	/proc/507/stat	Process not Found
/proc/1/environ	/proc/1/environ	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/521/stat	/proc/521/stat	Process not Found
/proc/filesystems	/proc/filesystems	mount
/proc/cmdline	/proc/cmdline	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/524/stat	/proc/524/stat	Process not Found
/proc/323/stat	/proc/323/stat	Process not Found
/proc/377/stat	/proc/377/stat	Process not Found
/proc/filesystems	/proc/filesystems	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/522/stat	/proc/522/stat	Process not Found

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/linux_arm6	/tmp/linux_arm6	linux_arm6
/tmp/linux_arm6	/tmp/linux_arm6	Process not Found

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	4	Go-http-client/1.1

/tmp/linux_arm6
/tmp/linux_arm6
1⤵
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
PID:362
- /bin/sh
  sh -c "/etc/32678&"
  2⤵
  PID:374
- - /etc/32678
    /etc/32678
    3⤵
    PID:376
  - - /bin/sleep
      sleep 60
      4⤵
      PID:377
  - - /etc/id.services.conf
      /etc/id.services.conf
      4⤵
      Enumerates kernel/hardware configuration
      PID:451
- /usr/sbin/service
  service crond start
  2⤵
  - Write file to user bin folder
  PID:375
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:379
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:380
- - /bin/systemctl
    systemctl --quiet is-active multi-user.target
    3⤵
    - Enumerates kernel/hardware configuration
    PID:381
- - /bin/systemctl
    systemctl -p Triggers show dbus.socket
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:385
- - /bin/systemctl
    systemctl -p Triggers show ssh.socket
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:388
- - /bin/systemctl
    systemctl -p Triggers show syslog.socket
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:389
- - /bin/systemctl
    systemctl -p Triggers show systemd-fsckd.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:391
- - /bin/systemctl
    systemctl -p Triggers show systemd-initctl.socket
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:392
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-audit.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:393
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-dev-log.socket
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:394
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald.socket
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:395
- - /bin/systemctl
    systemctl -p Triggers show systemd-networkd.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:396
- - /bin/systemctl
    systemctl -p Triggers show systemd-rfkill.socket
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:397
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-control.socket
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:398
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-kernel.socket
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:399
- /tmp/linux_arm6
  /tmp/linux_arm6 " "
  2⤵
  - Enumerates kernel/hardware configuration
  PID:378
- /usr/local/sbin/systemctl
  systemctl start crond.service
  2⤵
  PID:375
- /usr/local/bin/systemctl
  systemctl start crond.service
  2⤵
  PID:375
- /usr/sbin/systemctl
  systemctl start crond.service
  2⤵
  PID:375
- /usr/bin/systemctl
  systemctl start crond.service
  2⤵
  PID:375
- /sbin/systemctl
  systemctl start crond.service
  2⤵
  PID:375
- /bin/systemctl
  systemctl start crond.service
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:375

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:383

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:384

/usr/sbin/update-rc.d
update-rc.d linux_kill defaults
1⤵
- Modifies init.d
- Modifies rc script
- Write file to user bin folder
PID:405
- /usr/local/sbin/systemctl
  systemctl daemon-reload
  2⤵
  PID:407
- /usr/local/bin/systemctl
  systemctl daemon-reload
  2⤵
  PID:407
- /usr/sbin/systemctl
  systemctl daemon-reload
  2⤵
  PID:407
- /usr/bin/systemctl
  systemctl daemon-reload
  2⤵
  PID:407
- /sbin/systemctl
  systemctl daemon-reload
  2⤵
  PID:407
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:407

/bin/bash
bash -c "echo \"*/1 * * * * root /.img \" >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:422

/usr/bin/renice
renice -20 378
1⤵
PID:424

/bin/mount
mount -o bind /tmp/ /proc/378
1⤵
- Reads runtime system information
PID:427

/usr/sbin/service
service cron start
1⤵
- Write file to user bin folder
PID:428
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:429
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:430
- /bin/systemctl
  systemctl --quiet is-active multi-user.target
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:431
- /bin/systemctl
  systemctl -p Triggers show dbus.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:435
- /bin/systemctl
  systemctl -p Triggers show ssh.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:436
- /bin/systemctl
  systemctl -p Triggers show syslog.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:437
- /bin/systemctl
  systemctl -p Triggers show systemd-fsckd.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:439
- /bin/systemctl
  systemctl -p Triggers show systemd-initctl.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:440
- /bin/systemctl
  systemctl -p Triggers show systemd-journald-audit.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:441
- /bin/systemctl
  systemctl -p Triggers show systemd-journald-dev-log.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:442
- /bin/systemctl
  systemctl -p Triggers show systemd-journald.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:443
- /bin/systemctl
  systemctl -p Triggers show systemd-networkd.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:444
- /bin/systemctl
  systemctl -p Triggers show systemd-rfkill.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:445
- /bin/systemctl
  systemctl -p Triggers show systemd-udevd-control.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:448
- /bin/systemctl
  systemctl -p Triggers show systemd-udevd-kernel.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:449