dac5322114b51084952c8390318585c0515fbfe3d4f3eca7d18d1dab55b908e9

Analysis

max time kernel
32608s
max time network
145s
platform
linux_armhf
resource
debian9-armhf-en-20211208
resource tags

arch:armhfimage:debian9-armhf-en-20211208kernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
21-12-2022 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fd13c597fecea5894b02f61c5ac0f51.elf
Size

228KB
MD5

7fd13c597fecea5894b02f61c5ac0f51
SHA1

7d539eb5e454769153b29e9d10a30a62689dd737
SHA256

dac5322114b51084952c8390318585c0515fbfe3d4f3eca7d18d1dab55b908e9
SHA512

25ea5e96e2f9abec89d587f202080b16c669e00099a7c67bea084be22ea86ee21f58b8558d01a5e91f5657272670eb63dbc183c9e239832695bd510236cd75e0
SSDEEP

6144:1trDYHU7N7aFm68KTZ3tf3OlFLmTiPFLYoYOtY:LrTh7aFmUT9gfLmOPFLYo1Y

Score

9^/10

persistence

Malware Config

Signatures

Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Writes file to system bin folder 1 TTPs 1 IoCs

Hijack Execution Flow

T1574

description	ioc
/bin/watchdog	/bin/watchdog

Modifies rc script 1 TTPs 1 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
/etc/rc.d/rc.local	/etc/rc.d/rc.local

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/400/maps	/proc/400/maps	Process not Found
/proc/411/cmdline	/proc/411/cmdline	Process not Found
/proc/433/maps	/proc/433/maps	Process not Found
/proc/449/cmdline	/proc/449/cmdline	Process not Found
/proc/361/maps	/proc/361/maps	Process not Found
/proc/43/cmdline	/proc/43/cmdline	7fd13c597fecea5894b02f61c5ac0f51.elf
/proc/233/cmdline	/proc/233/cmdline	Process not Found
/proc/396/cmdline	/proc/396/cmdline	Process not Found
/proc/2/cmdline	/proc/2/cmdline	7fd13c597fecea5894b02f61c5ac0f51.elf
/proc/43/cmdline	/proc/43/cmdline	Process not Found
/proc/407/cmdline	/proc/407/cmdline	Process not Found
/proc/19/maps	/proc/19/maps	Process not Found
/proc/29/cmdline	/proc/29/cmdline	7fd13c597fecea5894b02f61c5ac0f51.elf
/proc/41/cmdline	/proc/41/cmdline	7fd13c597fecea5894b02f61c5ac0f51.elf
/proc/225/cmdline	/proc/225/cmdline	Process not Found
/proc/338/maps	/proc/338/maps	Process not Found
/proc/4/cmdline	/proc/4/cmdline	7fd13c597fecea5894b02f61c5ac0f51.elf
/proc/164/maps	/proc/164/maps	Process not Found
/proc/6/cmdline	/proc/6/cmdline	Process not Found
/proc/8/maps	/proc/8/maps	Process not Found
/proc/13/cmdline	/proc/13/cmdline	Process not Found
/proc/345/cmdline	/proc/345/cmdline	Process not Found
/proc/373/cmdline	/proc/373/cmdline	Process not Found
/proc/16/cmdline	/proc/16/cmdline	7fd13c597fecea5894b02f61c5ac0f51.elf
/proc/271/cmdline	/proc/271/cmdline	7fd13c597fecea5894b02f61c5ac0f51.elf
/proc/15/maps	/proc/15/maps	Process not Found
/proc/144/maps	/proc/144/maps	Process not Found
/proc/348/maps	/proc/348/maps	Process not Found
/proc/413/cmdline	/proc/413/cmdline	Process not Found
/proc/5/cmdline	/proc/5/cmdline	7fd13c597fecea5894b02f61c5ac0f51.elf
/proc/3/maps	/proc/3/maps	Process not Found
/proc/276/cmdline	/proc/276/cmdline	Process not Found
/proc/436/cmdline	/proc/436/cmdline	Process not Found
/proc/207/cmdline	/proc/207/cmdline	7fd13c597fecea5894b02f61c5ac0f51.elf
/proc/17/cmdline	/proc/17/cmdline	7fd13c597fecea5894b02f61c5ac0f51.elf
/proc/363/cmdline	/proc/363/cmdline	Process not Found
/proc/369/cmdline	/proc/369/cmdline	Process not Found
/proc/425/cmdline	/proc/425/cmdline	Process not Found
/proc/1/cmdline	/proc/1/cmdline	7fd13c597fecea5894b02f61c5ac0f51.elf
/proc/285/cmdline	/proc/285/cmdline	Process not Found
/proc/23/maps	/proc/23/maps	Process not Found
/proc/11/cmdline	/proc/11/cmdline	7fd13c597fecea5894b02f61c5ac0f51.elf
/proc/437/cmdline	/proc/437/cmdline	Process not Found
/proc/18/maps	/proc/18/maps	Process not Found
/proc/372/cmdline	/proc/372/cmdline	Process not Found
/proc/386/maps	/proc/386/maps	Process not Found
/proc/404/maps	/proc/404/maps	Process not Found
/proc/421/maps	/proc/421/maps	Process not Found
/proc/232/maps	/proc/232/maps	Process not Found
/proc/22/maps	/proc/22/maps	Process not Found
/proc/74/maps	/proc/74/maps	Process not Found
/proc/306/maps	/proc/306/maps	Process not Found
/proc/338/cmdline	/proc/338/cmdline	Process not Found
/proc/346/cmdline	/proc/346/cmdline	Process not Found
/proc/350/cmdline	/proc/350/cmdline	Process not Found
/proc/368/cmdline	/proc/368/cmdline	Process not Found
/proc/106/cmdline	/proc/106/cmdline	7fd13c597fecea5894b02f61c5ac0f51.elf
/proc/379/maps	/proc/379/maps	Process not Found
/proc/407/maps	/proc/407/maps	Process not Found
/proc/19/cmdline	/proc/19/cmdline	7fd13c597fecea5894b02f61c5ac0f51.elf
/proc/8/cmdline	/proc/8/cmdline	Process not Found
/proc/29/maps	/proc/29/maps	Process not Found
/proc/367/cmdline	/proc/367/cmdline	Process not Found
/proc/386/cmdline	/proc/386/cmdline	Process not Found

/tmp/7fd13c597fecea5894b02f61c5ac0f51.elf
/tmp/7fd13c597fecea5894b02f61c5ac0f51.elf
1⤵
- Reads runtime system information
PID:345

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads