Analysis
max time kernel: 1205s
max time network: 160s
platform: debian-9_armhf
resource: debian9-armhf-20221111-en
resource tags: arch:armhf, image:debian9-armhf-20221111-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 25/11/2022, 10:17

Behavioral task: behavioral1
Sample: 60039878a74f088d33a6d0a3771aedf387ecf0ec5187402a6406c3b8e263cb8a
Resource: debian9-armhf-20221111-en

General
Target: 60039878a74f088d33a6d0a3771aedf387ecf0ec5187402a6406c3b8e263cb8a
Size: 66KB
MD5: 7f4c810359f1c15cba2de83b0a9a4984
SHA1: cafe119831a6ba613e71abf82c8e3e8896f7fadf
SHA256: 60039878a74f088d33a6d0a3771aedf387ecf0ec5187402a6406c3b8e263cb8a
SHA512: 141509162177f0b73f1f56f107529829d70c2cf7f5ce8000d0a2750e7d9b11d89022896e1a1f8caa952ab6ed3715e27da7e6c9a1c9aed5f3f9537b9dc0d7c824
SSDEEP: 1536:TtnY01jAj/sGL0P8sSqVmJH5fIF3pB3m2dlVZi/O9Dap:0j/jwUsSPH5fIF3pBLgO9ep
Malware Config
Signatures
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Enumerates active TCP sockets (1 TTPs, 1 IoCs)
  Gets active TCP sockets from the /proc virtual filesystem.
  IoC: /proc/net/tcp
- Reads system network configuration (1 TTPs, 1 IoCs)
  Uses the contents of the /proc filesystem to enumerate network settings.
  IoC: /proc/net/tcp
- Reads runtime system information (64 IoCs)
  Reads data from the /proc virtual filesystem (per-process cmdline and fd entries, plus the /proc root itself).
  IoCs: /proc/317/fd /proc/364/cmdline /proc/434/cmdline /proc/465/fd /proc/519/fd /proc/539/fd /proc/249/fd /proc/410/cmdline /proc/441/fd /proc/470/fd /proc/494/cmdline /proc/527/cmdline /proc/565/fd /proc/365/fd /proc/427/fd /proc/237/fd /proc/240/fd /proc/362/fd /proc/422/cmdline /proc/458/cmdline /proc/470/cmdline /proc/487/cmdline /proc/221/fd /proc/475/cmdline /proc/501/fd /proc/546/fd /proc/386/cmdline /proc/162/fd /proc/291/fd /proc/309/fd /proc/374/cmdline /proc/398/fd /proc/415/fd /proc/482/cmdline /proc/ /proc/546/cmdline /proc/581/fd /proc/487/fd /proc/506/fd /proc/617/cmdline /proc/363/cmdline /proc/140/fd /proc/285/fd /proc/374/fd /proc/391/cmdline /proc/403/fd /proc/415/cmdline /proc/499/fd /proc/1/fd /proc/381/fd /proc/410/fd /proc/569/fd /proc/587/cmdline /proc/617/fd /proc/318/fd /proc/429/fd /proc/502/fd /proc/499/cmdline /proc/628/fd /proc/391/fd /proc/362/cmdline /proc/364/fd /proc/393/fd /proc/398/cmdline
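The three /proc-based signatures above describe the same mechanism from different angles: /proc/net/tcp lists every TCP socket with its state and inode, and /proc/<pid>/fd symlinks of the form socket:[inode] plus /proc/<pid>/cmdline let a reader tie each socket back to the process that owns it. The report only records that these paths were read; it does not establish that the sample performs that correlation, or that the "large amount of network flows" is a scan rather than something else. The code below is an added example, not code from the report or from the analysed binary: it parses /proc/net/tcp the way the kernel formats it (addresses in host byte order, little-endian on armhf as on x86), walks a /proc tree to map socket inodes to processes, and flags the many-half-open-connections pattern the first signature describes. The socket table, process names, pids and inode numbers are constructed fixtures, chosen only to exercise the code.

```python
# Added example (not from the report or the sample): correlate /proc/net/tcp
# entries with their owning processes via /proc/<pid>/fd and /proc/<pid>/cmdline.
import os
import socket
import struct
import tempfile

TCP_STATES = {0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV",
              0x04: "FIN_WAIT1", 0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE",
              0x08: "CLOSE_WAIT", 0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING"}

def decode_endpoint(field):
    # '0100007F:0016' -> ('127.0.0.1', 22). The kernel prints the address as a
    # 32-bit integer in host byte order (little-endian on armhf and x86) and
    # the port as a big-endian 16-bit value.
    addr_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<L", int(addr_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    # Parse the text of /proc/net/tcp; columns: sl local rem st tx:rx tr:when
    # retrnsmt uid timeout inode ...  (the first line is the header).
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": decode_endpoint(f[1]), "remote": decode_endpoint(f[2]),
                     "state": TCP_STATES.get(int(f[3], 16), f[3]),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows

def socket_owners(proc_root):
    # Map socket inode -> (pid, cmdline) by reading <pid>/cmdline and resolving
    # the 'socket:[N]' symlinks in <pid>/fd, the two per-process IoC paths above.
    owners = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        pdir = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(pdir, "cmdline"), "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").strip().decode(errors="replace")
            fds = os.listdir(os.path.join(pdir, "fd"))
        except OSError:  # process exited, or fd/ belongs to another uid
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(pdir, "fd", fd))
            except OSError:
                continue
            if target.startswith("socket:[") and target.endswith("]"):
                owners[int(target[8:-1])] = (int(pid), cmdline)
    return owners

def annotate(rows, owners):
    # Attach the owning process (or None when no fd references the inode).
    return [dict(r, owner=owners.get(r["inode"])) for r in rows]

def scan_indicator(rows, min_targets=4):
    # {dst_port: distinct peers} for ports with >= min_targets half-open
    # (SYN_SENT) connections: the many-flows pattern the report reads as a scan.
    peers = {}
    for r in rows:
        if r["state"] == "SYN_SENT":
            peers.setdefault(r["remote"][1], set()).add(r["remote"][0])
    return {p: len(h) for p, h in peers.items() if len(h) >= min_targets}

# Constructed /proc/net/tcp: two listeners, five SYN_SENT connections from
# 10.0.2.15 to port 23 on 192.168.1.1-5, one established session to 8.8.8.8:443.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11251 1 0 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11252 1 0 100 0 0 10 0
   2: 0F02000A:A2C4 0101A8C0:0017 02 00000001:00000000 01:00000014 00000001     0        0 22001 1 0 100 0 0 10 -1
   3: 0F02000A:A2C5 0201A8C0:0017 02 00000001:00000000 01:00000014 00000001     0        0 22002 1 0 100 0 0 10 -1
   4: 0F02000A:A2C6 0301A8C0:0017 02 00000001:00000000 01:00000014 00000001     0        0 22003 1 0 100 0 0 10 -1
   5: 0F02000A:A2C7 0401A8C0:0017 02 00000001:00000000 01:00000014 00000001     0        0 22004 1 0 100 0 0 10 -1
   6: 0F02000A:A2C8 0501A8C0:0017 02 00000001:00000000 01:00000014 00000001     0        0 22005 1 0 100 0 0 10 -1
   7: 0F02000A:9C40 08080808:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 31337 1 0 100 0 0 10 -1
"""

# Constructed /proc tree (pids and names are fixtures): pid 1 holds the port-22
# listener, pid 617 holds the five SYN_SENT sockets; 'net' must be skipped.
FAKE_PROCS = {1: (b"/usr/sbin/sshd\0-D\0", [11251]),
              617: (b"/tmp/a.out\0", [22001, 22002, 22003, 22004, 22005])}

def build_fake_proc(root):
    os.makedirs(os.path.join(root, "net"))
    for pid, (cmdline, inodes) in FAKE_PROCS.items():
        pdir = os.path.join(root, str(pid))
        os.makedirs(os.path.join(pdir, "fd"))
        with open(os.path.join(pdir, "cmdline"), "wb") as fh:
            fh.write(cmdline)
        for fd, inode in enumerate(inodes, start=3):
            os.symlink("socket:[%d]" % inode, os.path.join(pdir, "fd", str(fd)))

def demo():
    # Build the fixtures, correlate sockets with processes, flag the scan.
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root)
        rows = annotate(parse_proc_net_tcp(SAMPLE_TCP), socket_owners(root))
    return rows, scan_indicator(rows)
```

Pointing `socket_owners` at the real `/proc` and `parse_proc_net_tcp` at the real `/proc/net/tcp` gives the same view a process on the sandbox VM would get; fd directories of processes under another uid raise PermissionError (an OSError) and are skipped, which is also why an unprivileged reader sees only its own sockets' owners. The established session to 8.8.8.8:443 in the fixture is deliberately left without an owning fd, so `owner` is `None` for it.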