Analysis
max time kernel: 39876s
max time network: 152s
platform: linux_mips
resource: debian9-mipsbe-en-20211208
resource tags: arch:mips image:debian9-mipsbe-en-20211208 kernel:4.9.0-13-4kc-malta locale:en-us os:debian-9-mips system
submitted: 15/03/2023, 05:49
Static task: static1
Behavioral task: behavioral1
Sample: fcf9df6a5bfda43b2025fe0c19c5a7ab0f409d7251a6ade45a0158c0a5827913.elf
Resource: debian9-mipsbe-en-20211208
General
Target: fcf9df6a5bfda43b2025fe0c19c5a7ab0f409d7251a6ade45a0158c0a5827913.elf
Size: 35KB
MD5: 4b79a9d0c402215f4df2b9fc8437a165
SHA1: 4fbbb0dbfd5489e3cb869742798133d840374331
SHA256: fcf9df6a5bfda43b2025fe0c19c5a7ab0f409d7251a6ade45a0158c0a5827913
SHA512: 2a3fb11a205fe5a0f2993cc04041e2faea874475d274edb52239693d5d5a294293e1577bcfb385b8a5594e8876bc7108c75f6f09e311790df44ecffa2ec7979c
SSDEEP: 768:FBARh6NpkuEVbzKpzV4cmfP74SUOBSuQRUrnfJgGlzDpbuR1JD:Ft/t0kzuV0SUSQReVJuB
Malware Config
Signatures
- Contacts a large number (46386) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Modifies the watchdog daemon (1 TTP)
  Malware such as Mirai modifies the watchdog to prevent it from restarting an infected system.
- Reads runtime system information (64 IoCs)
  Reads data from the /proc virtual filesystem.
- Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory.
  ioc: /tmp/fcf9df6a5bfda43b2025fe0c19c5a7ab0f409d7251a6ade45a0158c0a5827913.elf
  process: fcf9df6a5bfda43b2025fe0c19c5a7ab0f409d7251a6ade45a0158c0a5827913.elf