Analysis
max time kernel: 6998s
max time network: 151s
platform: debian-9_mips
resource: debian9-mipsbe-20221111-en
resource tags: arch:mips, image:debian9-mipsbe-20221111-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
submitted: 31/01/2023, 17:43
Behavioral task: behavioral1
Sample: 22236418d66d092a868814a050662cb6.elf
Resource: debian9-mipsbe-20221111-en
General
Target: 22236418d66d092a868814a050662cb6.elf
Size: 95KB
MD5: 22236418d66d092a868814a050662cb6
SHA1: 0bf047cdeb6ce406a32e0c305a2b9089c9e369c3
SHA256: ebab385a00e909ff7748edeecf15ffceba7748e9b0f9850142fe7ef8d5ed5ffe
SHA512: 4b96f8ec59c601c8f880968beeabf4c617235518f6ad8a1091e22beb6494cc03bf81730f9bce6d7bda7ceb0ef963a3b9f4ec923711f07a1be4e55e5588255a0e
SSDEEP: 1536:+DdgrUgifAhAWUq1gt4h/m4iXGmLl5yDiywPveFpZNzJ:sgr7iIhymO4ajIiywPEDzJ
Malware Config
Signatures
Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.
Modifies the Watchdog daemon (1 TTPs)
Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.
Reads runtime system information (64 IoCs)
Reads data from the /proc virtual filesystem.
Writes file to tmp directory (1 IoCs)
Malware often drops required files in the /tmp directory.
description: /tmp/22236418d66d092a868814a050662cb6.elf
ioc: /tmp/22236418d66d092a868814a050662cb6.elf
Process: 22236418d66d092a868814a050662cb6.elf