dc2b4e6c6a60420bf90627193530aec4134ef2d1eb368f19cb0dde9739579c90

Analysis

max time kernel
9964s
max time network
152s
platform
debian-9_armhf
resource
debian9-armhf-20221111-en
resource tags

arch:armhfimage:debian9-armhf-20221111-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
07/03/2023, 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66003ca71cf12278398fde7082696869f0d112a1506c46392bdd3b22fa193312.elf
Size

58KB
MD5

67bd742c0085406671c1f9d392cfcd1e
SHA1

24e81b8fba4eb58b2b4aa3d185538547323556d1
SHA256

66003ca71cf12278398fde7082696869f0d112a1506c46392bdd3b22fa193312
SHA512

93f7bc2acb33a859d788c57a2f44c75e9af24feddc0efc8cb2dd1172510a14dea202af91d86ef219ce9e3d795991bd70dc311ebc6979f8379440dc9734daac53
SSDEEP

1536:J4S15UOp15uPuH16PEFxCCOcPWm11QHcLGPFYG+:JLP9JPUJcTjW3mf

Score

9^/10

discovery

Malware Config

Signatures

Contacts a large (168374) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

description	ioc
/bin/watchdog	/bin/watchdog
/sbin/watchdog	/sbin/watchdog

Reads runtime system information 22 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/453/cmdline	/proc/453/cmdline	Process not Found
/proc/456/cmdline	/proc/456/cmdline	Process not Found
/proc/460/cmdline	/proc/460/cmdline	Process not Found
/proc/466/cmdline	/proc/466/cmdline	Process not Found
/proc/478/cmdline	/proc/478/cmdline	Process not Found
/proc/488/cmdline	/proc/488/cmdline	Process not Found
/proc/self/exe	/proc/self/exe	66003ca71cf12278398fde7082696869f0d112a1506c46392bdd3b22fa193312.elf
/proc/423/cmdline	/proc/423/cmdline	Process not Found
/proc/431/cmdline	/proc/431/cmdline	Process not Found
/proc/468/cmdline	/proc/468/cmdline	Process not Found
/proc/502/cmdline	/proc/502/cmdline	Process not Found
/proc/405/cmdline	/proc/405/cmdline	Process not Found
/proc/404/cmdline	/proc/404/cmdline	Process not Found
/proc/418/cmdline	/proc/418/cmdline	Process not Found
/proc/445/cmdline	/proc/445/cmdline	Process not Found
/proc/479/cmdline	/proc/479/cmdline	Process not Found
/proc/500/cmdline	/proc/500/cmdline	Process not Found
/proc/401/cmdline	/proc/401/cmdline	Process not Found
/proc/419/cmdline	/proc/419/cmdline	Process not Found
/proc/439/cmdline	/proc/439/cmdline	Process not Found
/proc/465/cmdline	/proc/465/cmdline	Process not Found
/proc/	/proc/	Process not Found

/tmp/66003ca71cf12278398fde7082696869f0d112a1506c46392bdd3b22fa193312.elf
/tmp/66003ca71cf12278398fde7082696869f0d112a1506c46392bdd3b22fa193312.elf
1⤵
- Reads runtime system information
PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads