09dce1b6665ae2ab3224de5d03f3b6717888f88ba15546068ba60f6899d322ab

Analysis

max time kernel
3403s
max time network
149s
platform
debian-9_armhf
resource
debian9-armhf-20221111-en
resource tags

arch:armhfimage:debian9-armhf-20221111-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
21-12-2022 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ff19fe6d7c5c0859f6d54cbe39c4766.elf
Size

228KB
MD5

5ff19fe6d7c5c0859f6d54cbe39c4766
SHA1

6b99c05d0b28015f904104260fdfaabb4d0bf24f
SHA256

09dce1b6665ae2ab3224de5d03f3b6717888f88ba15546068ba60f6899d322ab
SHA512

351612adcf60d659151a246cdbc23f10d900e0ab1df1651c8813271bc6a8bb7cdd8bf8603a9295955a420a7ab3a7d3f5754593c289e65d4e5d42fe38356799c9
SSDEEP

6144:BtrDYHU7N7aFm68KTZ3tfierLmTiPFLYoYOtY:XrTh7aFmUT9/LmOPFLYo1Y

Score

9^/10

persistence

Malware Config

Signatures

Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Writes file to system bin folder 1 TTPs 1 IoCs

Hijack Execution Flow

T1574

description	ioc
/bin/watchdog	/bin/watchdog

Modifies rc script 1 TTPs 1 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
/etc/rc.d/rc.local	/etc/rc.d/rc.local

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/	/proc/	5ff19fe6d7c5c0859f6d54cbe39c4766.elf
/proc/18/cmdline	/proc/18/cmdline	5ff19fe6d7c5c0859f6d54cbe39c4766.elf
/proc/372/cmdline	/proc/372/cmdline	Process not Found
/proc/417/cmdline	/proc/417/cmdline	Process not Found
/proc/42/cmdline	/proc/42/cmdline	5ff19fe6d7c5c0859f6d54cbe39c4766.elf
/proc/11/maps	/proc/11/maps	Process not Found
/proc/231/cmdline	/proc/231/cmdline	Process not Found
/proc/357/maps	/proc/357/maps	Process not Found
/proc/16/cmdline	/proc/16/cmdline	5ff19fe6d7c5c0859f6d54cbe39c4766.elf
/proc/275/cmdline	/proc/275/cmdline	5ff19fe6d7c5c0859f6d54cbe39c4766.elf
/proc/12/cmdline	/proc/12/cmdline	Process not Found
/proc/474/maps	/proc/474/maps	Process not Found
/proc/409/maps	/proc/409/maps	Process not Found
/proc/22/cmdline	/proc/22/cmdline	5ff19fe6d7c5c0859f6d54cbe39c4766.elf
/proc/309/maps	/proc/309/maps	Process not Found
/proc/367/cmdline	/proc/367/cmdline	Process not Found
/proc/369/cmdline	/proc/369/cmdline	Process not Found
/proc/8/cmdline	/proc/8/cmdline	Process not Found
/proc/230/maps	/proc/230/maps	Process not Found
/proc/349/cmdline	/proc/349/cmdline	Process not Found
/proc/5/cmdline	/proc/5/cmdline	5ff19fe6d7c5c0859f6d54cbe39c4766.elf
/proc/15/maps	/proc/15/maps	Process not Found
/proc/22/cmdline	/proc/22/cmdline	Process not Found
/proc/274/maps	/proc/274/maps	Process not Found
/proc/14/maps	/proc/14/maps	Process not Found
/proc/444/maps	/proc/444/maps	Process not Found
/proc/28/cmdline	/proc/28/cmdline	Process not Found
/proc/311/cmdline	/proc/311/cmdline	Process not Found
/proc/375/cmdline	/proc/375/cmdline	Process not Found
/proc/377/maps	/proc/377/maps	Process not Found
/proc/109/cmdline	/proc/109/cmdline	5ff19fe6d7c5c0859f6d54cbe39c4766.elf
/proc/111/cmdline	/proc/111/cmdline	5ff19fe6d7c5c0859f6d54cbe39c4766.elf
/proc/358/cmdline	/proc/358/cmdline	Process not Found
/proc/381/cmdline	/proc/381/cmdline	Process not Found
/proc/449/maps	/proc/449/maps	Process not Found
/proc/24/cmdline	/proc/24/cmdline	5ff19fe6d7c5c0859f6d54cbe39c4766.elf
/proc/99/maps	/proc/99/maps	Process not Found
/proc/285/cmdline	/proc/285/cmdline	Process not Found
/proc/367/maps	/proc/367/maps	Process not Found
/proc/78/maps	/proc/78/maps	Process not Found
/proc/385/maps	/proc/385/maps	Process not Found
/proc/278/cmdline	/proc/278/cmdline	Process not Found
/proc/358/maps	/proc/358/maps	Process not Found
/proc/373/cmdline	/proc/373/cmdline	Process not Found
/proc/413/cmdline	/proc/413/cmdline	Process not Found
/proc/28/cmdline	/proc/28/cmdline	5ff19fe6d7c5c0859f6d54cbe39c4766.elf
/proc/29/cmdline	/proc/29/cmdline	5ff19fe6d7c5c0859f6d54cbe39c4766.elf
/proc/9/maps	/proc/9/maps	Process not Found
/proc/20/cmdline	/proc/20/cmdline	Process not Found
/proc/383/cmdline	/proc/383/cmdline	Process not Found
/proc/247/cmdline	/proc/247/cmdline	5ff19fe6d7c5c0859f6d54cbe39c4766.elf
/proc/230/cmdline	/proc/230/cmdline	Process not Found
/proc/422/maps	/proc/422/maps	Process not Found
/proc/428/maps	/proc/428/maps	Process not Found
/proc/462/maps	/proc/462/maps	Process not Found
/proc/112/cmdline	/proc/112/cmdline	5ff19fe6d7c5c0859f6d54cbe39c4766.elf
/proc/23/cmdline	/proc/23/cmdline	Process not Found
/proc/274/cmdline	/proc/274/cmdline	Process not Found
/proc/422/cmdline	/proc/422/cmdline	Process not Found
/proc/12/cmdline	/proc/12/cmdline	5ff19fe6d7c5c0859f6d54cbe39c4766.elf
/proc/355/cmdline	/proc/355/cmdline	Process not Found
/proc/4/cmdline	/proc/4/cmdline	Process not Found
/proc/147/maps	/proc/147/maps	Process not Found
/proc/275/cmdline	/proc/275/cmdline	Process not Found

/tmp/5ff19fe6d7c5c0859f6d54cbe39c4766.elf
/tmp/5ff19fe6d7c5c0859f6d54cbe39c4766.elf
1⤵
- Reads runtime system information
PID:353

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads