0bb4dce69365ae39f2477b04ec5156dbff08c8ef3e11350bc7dbd3f61bae904d

Analysis

max time kernel
32608s
max time network
124s
platform
linux_mips
resource
debian9-mipsbe-en-20211208
resource tags

arch:mipsimage:debian9-mipsbe-en-20211208kernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
21/12/2022, 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e5ea611c546f5777fdd727ca3b17423.elf
Size

386KB
MD5

3e5ea611c546f5777fdd727ca3b17423
SHA1

6e9c06bd59693fca79d743f64b718505527ce01b
SHA256

0bb4dce69365ae39f2477b04ec5156dbff08c8ef3e11350bc7dbd3f61bae904d
SHA512

89f57182d748bddfdf32b2ac72ca9817e6047ee4c656e041e12c4e52a1c15aa49f9d045c975de663d3bb021123f94c78948a62b01da47904aec69042ca40abbd
SSDEEP

6144:tRH+4s+F4xh2ewR83PyOGyTc+vWkekvaJu81Vn6A914/tT30D:E9NCsP+wDvaJu81Vn6A914/tT30D

Score

9^/10

persistence

Malware Config

Signatures

Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Writes file to system bin folder 1 TTPs 1 IoCs

Hijack Execution Flow

T1574

description	ioc
/bin/watchdog	/bin/watchdog

Modifies rc script 1 TTPs 1 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
/etc/rc.d/rc.local	/etc/rc.d/rc.local

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/299/cmdline	/proc/299/cmdline	Process not Found
/proc/273/cmdline	/proc/273/cmdline	3e5ea611c546f5777fdd727ca3b17423.elf
/proc/70/maps	/proc/70/maps	Process not Found
/proc/74/cmdline	/proc/74/cmdline	Process not Found
/proc/75/maps	/proc/75/maps	Process not Found
/proc/76/cmdline	/proc/76/cmdline	Process not Found
/proc/79/cmdline	/proc/79/cmdline	Process not Found
/proc/3/cmdline	/proc/3/cmdline	Process not Found
/proc/223/cmdline	/proc/223/cmdline	Process not Found
/proc/299/maps	/proc/299/maps	Process not Found
/proc/82/cmdline	/proc/82/cmdline	3e5ea611c546f5777fdd727ca3b17423.elf
/proc/226/cmdline	/proc/226/cmdline	3e5ea611c546f5777fdd727ca3b17423.elf
/proc/76/maps	/proc/76/maps	Process not Found
/proc/77/maps	/proc/77/maps	Process not Found
/proc/307/maps	/proc/307/maps	Process not Found
/proc/155/cmdline	/proc/155/cmdline	3e5ea611c546f5777fdd727ca3b17423.elf
/proc/15/cmdline	/proc/15/cmdline	Process not Found
/proc/17/maps	/proc/17/maps	Process not Found
/proc/273/cmdline	/proc/273/cmdline	Process not Found
/proc/325/maps	/proc/325/maps	Process not Found
/proc/255/maps	/proc/255/maps	Process not Found
/proc/295/maps	/proc/295/maps	Process not Found
/proc/69/cmdline	/proc/69/cmdline	3e5ea611c546f5777fdd727ca3b17423.elf
/proc/6/cmdline	/proc/6/cmdline	Process not Found
/proc/7/maps	/proc/7/maps	Process not Found
/proc/20/cmdline	/proc/20/cmdline	Process not Found
/proc/142/cmdline	/proc/142/cmdline	Process not Found
/proc/224/maps	/proc/224/maps	Process not Found
/proc/325/cmdline	/proc/325/cmdline	Process not Found
/proc/326/maps	/proc/326/maps	Process not Found
/proc/328/maps	/proc/328/maps	Process not Found
/proc/4/cmdline	/proc/4/cmdline	3e5ea611c546f5777fdd727ca3b17423.elf
/proc/20/cmdline	/proc/20/cmdline	3e5ea611c546f5777fdd727ca3b17423.elf
/proc/5/cmdline	/proc/5/cmdline	Process not Found
/proc/115/cmdline	/proc/115/cmdline	Process not Found
/proc/155/cmdline	/proc/155/cmdline	Process not Found
/proc/223/maps	/proc/223/maps	Process not Found
/proc/79/cmdline	/proc/79/cmdline	3e5ea611c546f5777fdd727ca3b17423.elf
/proc/252/cmdline	/proc/252/cmdline	3e5ea611c546f5777fdd727ca3b17423.elf
/proc/308/cmdline	/proc/308/cmdline	3e5ea611c546f5777fdd727ca3b17423.elf
/proc/9/cmdline	/proc/9/cmdline	Process not Found
/proc/307/cmdline	/proc/307/cmdline	Process not Found
/proc/327/cmdline	/proc/327/cmdline	Process not Found
/proc/13/cmdline	/proc/13/cmdline	3e5ea611c546f5777fdd727ca3b17423.elf
/proc/14/cmdline	/proc/14/cmdline	3e5ea611c546f5777fdd727ca3b17423.elf
/proc/74/cmdline	/proc/74/cmdline	3e5ea611c546f5777fdd727ca3b17423.elf
/proc/19/maps	/proc/19/maps	Process not Found
/proc/21/maps	/proc/21/maps	Process not Found
/proc/144/maps	/proc/144/maps	Process not Found
/proc/8/cmdline	/proc/8/cmdline	3e5ea611c546f5777fdd727ca3b17423.elf
/proc/12/cmdline	/proc/12/cmdline	3e5ea611c546f5777fdd727ca3b17423.elf
/proc/207/cmdline	/proc/207/cmdline	3e5ea611c546f5777fdd727ca3b17423.elf
/proc/22/maps	/proc/22/maps	Process not Found
/proc/79/maps	/proc/79/maps	Process not Found
/proc/326/cmdline	/proc/326/cmdline	Process not Found
/proc/142/maps	/proc/142/maps	Process not Found
/proc/251/cmdline	/proc/251/cmdline	3e5ea611c546f5777fdd727ca3b17423.elf
/proc/307/cmdline	/proc/307/cmdline	3e5ea611c546f5777fdd727ca3b17423.elf
/proc/2/maps	/proc/2/maps	Process not Found
/proc/4/maps	/proc/4/maps	Process not Found
/proc/36/maps	/proc/36/maps	Process not Found
/proc/114/maps	/proc/114/maps	Process not Found
/proc/24/cmdline	/proc/24/cmdline	3e5ea611c546f5777fdd727ca3b17423.elf
/proc/37/cmdline	/proc/37/cmdline	3e5ea611c546f5777fdd727ca3b17423.elf

/tmp/3e5ea611c546f5777fdd727ca3b17423.elf
/tmp/3e5ea611c546f5777fdd727ca3b17423.elf
1⤵
- Reads runtime system information
PID:325

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads