Analysis
max time kernel: 0s
max time network: 154s
platform: linux_armhf
resource: debian9-armhf-en-20211208
resource tags: arch:armhf, image:debian9-armhf-en-20211208, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 11-03-2023 05:07
Static task: static1
Behavioral task: behavioral1
Sample: bok.arm7-20230311-0506.elf
Resource: debian9-armhf-en-20211208
General
Target: bok.arm7-20230311-0506.elf
Size: 64KB
MD5: a1a453693b8bd2292f79aac3a691e074
SHA1: bc3748e3bbed4c97312ec1a0e8f6a7bfe2408d16
SHA256: ec1377c698dcff593dd387531e6ab2f1be20eb8edfd941f9e0cc154f80d695e2
SHA512: 217ab9284b4c9d3169423682ca01080d65c8f6d9993636f27a52ff977eb6305cbaf6692d54ceecad8cd45a24fb0e07e8c2f5b0a05a9d6ed8b371aadffb7ce097
SSDEEP: 1536:ocCWWdbaZ/sUlvnQO/mnVB2B0HmaL+XOUDFW6HMd2MDXLt+9EpWt7:e7ANfnhmC0jS+gFW6VMDXLwV
Malware Config
Signatures
- Contacts a large (42874) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Modifies the Watchdog daemon (1 TTPs)
  Malware like Mirai modifies the watchdog to prevent it from restarting an infected system.
- Reads runtime system information (64 IoCs)
  Reads data from the /proc virtual filesystem.
- Writes file to tmp directory (1 IoCs)
  Malware often drops required files in the /tmp directory.
  description                        ioc                                Process
  /tmp/bok.arm7-20230311-0506.elf    /tmp/bok.arm7-20230311-0506.elf    bok.arm7-20230311-0506.elf