Analysis
-
max time kernel
26873s -
max time network
152s -
platform
linux_mipsel -
resource
debian9-mipsel-en-20211208 -
resource tags
arch:mipsel, image:debian9-mipsel-en-20211208, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted
15-10-2022 17:51
Behavioral task
behavioral1
Sample
3bd1de59102fdae01bd44fc1b820441d.elf
Resource
debian9-mipsel-en-20211208
General
-
Target
3bd1de59102fdae01bd44fc1b820441d.elf
-
Size
67KB
-
MD5
3bd1de59102fdae01bd44fc1b820441d
-
SHA1
29e6b5e85bf1f47b15b3105412f41fe078f8fd32
-
SHA256
cf6a31deb14f809c91689a4600560c9cec53c907457d98b492f68ae3d5277192
-
SHA512
abfc6d35ea2dff747c7a46cff024ae90dcedfa238debe717a27d59999020abff40aa28992a4d6d98999283f6eae9147449a6cf1ef87aae56100603f09fcec515
-
SSDEEP
1536:qm1lyOqdC1s7dYbpmnAn4bfjCdLbZAozIT:qalyOqdC1aYtmqLb
Malware Config
Signatures
-
Contacts a large (113102) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
description ioc
/proc/23/cmdline /proc/23/cmdline
/proc/336/cmdline /proc/336/cmdline
/proc/1/cmdline /proc/1/cmdline
/proc/4/cmdline /proc/4/cmdline
/proc/5/cmdline /proc/5/cmdline
/proc/335/cmdline /proc/335/cmdline
/proc/399/cmdline /proc/399/cmdline
/proc/69/cmdline /proc/69/cmdline
/proc/77/cmdline /proc/77/cmdline
/proc/299/cmdline /proc/299/cmdline
/proc/347/cmdline /proc/347/cmdline
/proc/24/cmdline /proc/24/cmdline
/proc/227/cmdline /proc/227/cmdline
/proc/261/cmdline /proc/261/cmdline
/proc/20/cmdline /proc/20/cmdline
/proc/312/cmdline /proc/312/cmdline
/proc/329/cmdline /proc/329/cmdline
/proc/78/cmdline /proc/78/cmdline
/proc/ /proc/
/proc/7/cmdline /proc/7/cmdline
/proc/16/cmdline /proc/16/cmdline
/proc/18/cmdline /proc/18/cmdline
/proc/70/cmdline /proc/70/cmdline
/proc/216/cmdline /proc/216/cmdline
/proc/407/cmdline /proc/407/cmdline
/proc/22/cmdline /proc/22/cmdline
/proc/74/cmdline /proc/74/cmdline
/proc/76/cmdline /proc/76/cmdline
/proc/83/cmdline /proc/83/cmdline
/proc/139/cmdline /proc/139/cmdline
/proc/17/cmdline /proc/17/cmdline
/proc/71/cmdline /proc/71/cmdline
/proc/146/cmdline /proc/146/cmdline
/proc/240/cmdline /proc/240/cmdline
/proc/281/cmdline /proc/281/cmdline
/proc/14/cmdline /proc/14/cmdline
/proc/353/cmdline /proc/353/cmdline
/proc/6/cmdline /proc/6/cmdline
/proc/36/cmdline /proc/36/cmdline
/proc/260/cmdline /proc/260/cmdline
/proc/12/cmdline /proc/12/cmdline
/proc/81/cmdline /proc/81/cmdline
/proc/15/cmdline /proc/15/cmdline
/proc/72/cmdline /proc/72/cmdline
/proc/115/cmdline /proc/115/cmdline
/proc/242/cmdline /proc/242/cmdline
/proc/344/cmdline /proc/344/cmdline
/proc/340/cmdline /proc/340/cmdline
/proc/376/cmdline /proc/376/cmdline
/proc/395/cmdline /proc/395/cmdline
/proc/8/cmdline /proc/8/cmdline
/proc/9/cmdline /proc/9/cmdline
/proc/19/cmdline /proc/19/cmdline
/proc/37/cmdline /proc/37/cmdline
/proc/264/cmdline /proc/264/cmdline
/proc/156/cmdline /proc/156/cmdline
/proc/214/cmdline /proc/214/cmdline
/proc/302/cmdline /proc/302/cmdline
/proc/2/cmdline /proc/2/cmdline
/proc/10/cmdline /proc/10/cmdline
/proc/11/cmdline /proc/11/cmdline
/proc/13/cmdline /proc/13/cmdline
/proc/21/cmdline /proc/21/cmdline
/proc/334/cmdline /proc/334/cmdline