430e184603e7b9e813d4977fa6bea500767c647b4526fd3405c297482c355432

Analysis

max time kernel
7917s
max time network
165s
platform
debian-9_armhf
resource
debian9-armhf-20221111-en
resource tags

arch:armhfimage:debian9-armhf-20221111-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
11-02-2023 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4142cadae4e3f428cdc72dca19a5db59.elf
Size

45KB
MD5

4142cadae4e3f428cdc72dca19a5db59
SHA1

70f0a4aae0cbe71e53d5af65e35c8a53cc6b1e90
SHA256

430e184603e7b9e813d4977fa6bea500767c647b4526fd3405c297482c355432
SHA512

953935bab1b781943ad8ee14cf84815244877e76cfa8ea4504f5019e7e8f6f93521b5d0eaeadb6a11f86369bba7f2981386d487e5addd2fef2432b1e0099f7e1
SSDEEP

768:D/TYCoIxdEk+AxoTZAZHFeq8b3Pt9q3UELbUXfi6nVMQHI4vcGpvT:DECFd+A6YHAxoLRQZT

Score

9^/10

Malware Config

Signatures

Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

description	ioc
/bin/watchdog	/bin/watchdog
/sbin/watchdog	/sbin/watchdog

Reads runtime system information 24 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/420/cmdline	/proc/420/cmdline	Process not Found
/proc/440/cmdline	/proc/440/cmdline	Process not Found
/proc/447/cmdline	/proc/447/cmdline	Process not Found
/proc/self/exe	/proc/self/exe	4142cadae4e3f428cdc72dca19a5db59.elf
/proc/403/cmdline	/proc/403/cmdline	Process not Found
/proc/404/cmdline	/proc/404/cmdline	Process not Found
/proc/406/cmdline	/proc/406/cmdline	Process not Found
/proc/414/cmdline	/proc/414/cmdline	Process not Found
/proc/465/cmdline	/proc/465/cmdline	Process not Found
/proc/494/cmdline	/proc/494/cmdline	Process not Found
/proc/	/proc/	Process not Found
/proc/401/cmdline	/proc/401/cmdline	Process not Found
/proc/402/cmdline	/proc/402/cmdline	Process not Found
/proc/493/cmdline	/proc/493/cmdline	Process not Found
/proc/495/cmdline	/proc/495/cmdline	Process not Found
/proc/405/cmdline	/proc/405/cmdline	Process not Found
/proc/430/cmdline	/proc/430/cmdline	Process not Found
/proc/451/cmdline	/proc/451/cmdline	Process not Found
/proc/459/cmdline	/proc/459/cmdline	Process not Found
/proc/483/cmdline	/proc/483/cmdline	Process not Found
/proc/409/cmdline	/proc/409/cmdline	Process not Found
/proc/448/cmdline	/proc/448/cmdline	Process not Found
/proc/475/cmdline	/proc/475/cmdline	Process not Found
/proc/497/cmdline	/proc/497/cmdline	Process not Found

/tmp/4142cadae4e3f428cdc72dca19a5db59.elf
/tmp/4142cadae4e3f428cdc72dca19a5db59.elf
1⤵
- Reads runtime system information
PID:361

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads