850bba518a88aa16d6cd99e47ca5c090cb03db132ea735e3b08e85b6a57ce315

Analysis

max time kernel
11285s
max time network
151s
platform
debian-9_armhf
resource
debian9-armhf-20221111-en
resource tags

arch:armhfimage:debian9-armhf-20221111-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
22/03/2023, 08:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bd8c65affa470f7065db06be0a623574.elf
Size

5.1MB
MD5

bd8c65affa470f7065db06be0a623574
SHA1

1117971925758354e4dc29d8ad2a381258c88a41
SHA256

850bba518a88aa16d6cd99e47ca5c090cb03db132ea735e3b08e85b6a57ce315
SHA512

66edcc2f08537897bee8328b3c4eafa5e13b6eaff77481a5089026c58064424df568331b36f9288d16bacf90bafcc72cb059059531c87e7651bfaffc889b6469
SSDEEP

24576:f0hITSaxCsmLTRScFkLwYgib6kEVtQ2gLApZf3vrTXKWXDReUHxeR7j81v9oT19b:GsLSjzCX1H9qzaiKRFjhIlkK1VI1V

Score

9^/10

persistence

Malware Config

Signatures

Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Modifies hosts file 1 IoCs

Adds to hosts file used for mapping hosts to IP addresses.

description	ioc	Process
/etc/hosts	/etc/hosts	bd8c65affa470f7065db06be0a623574.elf

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Dynamic Resolution

T1568

description	ioc	Process
/etc/resolv.conf	/etc/resolv.conf	bd8c65affa470f7065db06be0a623574.elf

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task

T1053

description	ioc	Process
/etc/crontab	/etc/crontab	sh

Modifies Bash startup script 1 TTPs 9 IoCs

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
/etc/profile.d/bash_cfg	/etc/profile.d/bash_cfg	bd8c65affa470f7065db06be0a623574.elf
/etc/profile.d/bash_cfg.sh	/etc/profile.d/bash_cfg.sh	bd8c65affa470f7065db06be0a623574.elf
/etc/profile.d/gateway.sh	/etc/profile.d/gateway.sh	Process not Found
/etc/profile.d/bash_config.sh	/etc/profile.d/bash_config.sh	opt.services.cfg
/etc/profile.d/linux.sh	/etc/profile.d/linux.sh	Process not Found
/etc/profile.d/bash_config.sh	/etc/profile.d/bash_config.sh	Process not Found
/etc/profile.d/bash_config	/etc/profile.d/bash_config	opt.services.cfg
/etc/profile.d/bash_config	/etc/profile.d/bash_config	Process not Found
/etc/profile.d/linux.sh	/etc/profile.d/linux.sh	opt.services.cfg

Modifies init.d 1 TTPs 14 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
/etc/init.d/procps	/etc/init.d/procps	bd8c65affa470f7065db06be0a623574.elf
/etc/init.d/rsyslog	/etc/init.d/rsyslog	bd8c65affa470f7065db06be0a623574.elf
/etc/init.d/ssh	/etc/init.d/ssh	bd8c65affa470f7065db06be0a623574.elf
/etc/init.d/sudo	/etc/init.d/sudo	bd8c65affa470f7065db06be0a623574.elf
/etc/init.d/cron	/etc/init.d/cron	bd8c65affa470f7065db06be0a623574.elf
/etc/init.d/dbus	/etc/init.d/dbus	bd8c65affa470f7065db06be0a623574.elf
/etc/init.d/keyboard-setup.sh	/etc/init.d/keyboard-setup.sh	bd8c65affa470f7065db06be0a623574.elf
/etc/init.d/udev	/etc/init.d/udev	bd8c65affa470f7065db06be0a623574.elf
/etc/init.d/linux_kill	/etc/init.d/linux_kill	opt.services.cfg
/etc/init.d/linux_kill	/etc/init.d/linux_kill	Process not Found
/etc/init.d/hwclock.sh	/etc/init.d/hwclock.sh	bd8c65affa470f7065db06be0a623574.elf
/etc/init.d/networking	/etc/init.d/networking	bd8c65affa470f7065db06be0a623574.elf
/etc/init.d/console-setup.sh	/etc/init.d/console-setup.sh	bd8c65affa470f7065db06be0a623574.elf
/etc/init.d/kmod	/etc/init.d/kmod	bd8c65affa470f7065db06be0a623574.elf

Write file to user bin folder 1 TTPs 7 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
/usr/bin/include/find	/usr/bin/include/find	bd8c65affa470f7065db06be0a623574.elf
/usr/bin/find	/usr/bin/find	Process not Found
/usr/sbin/service	/usr/sbin/service	service
/usr/sbin/ifconfig.conf	/usr/sbin/ifconfig.conf	opt.services.cfg
/usr/sbin/ifconfig.conf	/usr/sbin/ifconfig.conf	Process not Found
/usr/sbin/service	/usr/sbin/service	service
/usr/bin/find	/usr/bin/find	bd8c65affa470f7065db06be0a623574.elf

Enumerates kernel/hardware configuration 1 TTPs 37 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	opt.services.cfg
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	opt.services.cfg
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	opt.services.cfg
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	bd8c65affa470f7065db06be0a623574.elf
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	bd8c65affa470f7065db06be0a623574.elf
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	opt.services.cfg
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl
/sys/fs/kdbus/0-system/bus	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/1/environ	/proc/1/environ	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/239/stat	/proc/239/stat	Process not Found
/proc/cmdline	/proc/cmdline	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/252/stat	/proc/252/stat	Process not Found
/proc/314/stat	/proc/314/stat	Process not Found
/proc/filesystems	/proc/filesystems	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/132/stat	/proc/132/stat	Process not Found
/proc/filesystems	/proc/filesystems	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/23/stat	/proc/23/stat	Process not Found
/proc/11/stat	/proc/11/stat	Process not Found
/proc/238/stat	/proc/238/stat	Process not Found
/proc/316/stat	/proc/316/stat	Process not Found
/proc/1/environ	/proc/1/environ	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/2/stat	/proc/2/stat	Process not Found
/proc/self/stat	/proc/self/stat	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/166/stat	/proc/166/stat	Process not Found
/proc/self/stat	/proc/self/stat	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/13/stat	/proc/13/stat	Process not Found
/proc/146/stat	/proc/146/stat	Process not Found
/proc/filesystems	/proc/filesystems	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/43/stat	/proc/43/stat	Process not Found
/proc/22/stat	/proc/22/stat	Process not Found
/proc/cmdline	/proc/cmdline	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/filesystems	/proc/filesystems	mount
/proc/15/stat	/proc/15/stat	Process not Found
/proc/1/environ	/proc/1/environ	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/296/stat	/proc/296/stat	Process not Found
/proc/cmdline	/proc/cmdline	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/1/environ	/proc/1/environ	systemctl

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/seeintlog	/tmp/seeintlog	opt.services.cfg
/tmp/seeintlog	/tmp/seeintlog	Process not Found
/tmp/bd8c65affa470f7065db06be0a623574.elf	/tmp/bd8c65affa470f7065db06be0a623574.elf	Process not Found
/tmp/bd8c65affa470f7065db06be0a623574.elf	/tmp/bd8c65affa470f7065db06be0a623574.elf	bd8c65affa470f7065db06be0a623574.elf

/tmp/bd8c65affa470f7065db06be0a623574.elf
/tmp/bd8c65affa470f7065db06be0a623574.elf
1⤵
- Enumerates kernel/hardware configuration
PID:363
- /tmp/bd8c65affa470f7065db06be0a623574.elf
  /tmp/bd8c65affa470f7065db06be0a623574.elf " "
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  - Modifies Bash startup script
  - Modifies init.d
  - Write file to user bin folder
  - Enumerates kernel/hardware configuration
  - Writes file to tmp directory
  PID:367
- - /bin/sh
    /bin/sh -c "echo \"*/1 * * * * root /.mod \" >> /etc/crontab"
    3⤵
    - Creates/modifies Cron job
    PID:397

/bin/sh
/bin/sh -c "/etc/32675&"
1⤵
PID:375
- /etc/32675
  /etc/32675
  2⤵
  PID:376
- - /bin/sleep
    sleep 60
    3⤵
    PID:378
- - /etc/opt.services.cfg
    /etc/opt.services.cfg
    3⤵
    - Enumerates kernel/hardware configuration
    PID:445
  - - /etc/opt.services.cfg
      /etc/opt.services.cfg " "
      4⤵
      Modifies Bash startup script
      Modifies init.d
      Write file to user bin folder
      Enumerates kernel/hardware configuration
      Writes file to tmp directory
      PID:449
- - /bin/sleep
    sleep 60
    3⤵
    PID:450
- - /etc/opt.services.cfg
    /etc/opt.services.cfg
    3⤵
    - Enumerates kernel/hardware configuration
    PID:474
  - - /etc/opt.services.cfg
      /etc/opt.services.cfg " "
      4⤵
      Enumerates kernel/hardware configuration
      PID:478
- - /bin/sleep
    sleep 60
    3⤵
    PID:479

/usr/sbin/service
service crond start
1⤵
- Write file to user bin folder
PID:377
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:379
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:380
- /bin/systemctl
  systemctl --quiet is-active multi-user.target
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:381
- /bin/systemctl
  systemctl -p Triggers show dbus.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:385
- /bin/systemctl
  systemctl -p Triggers show ssh.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:386
- /bin/systemctl
  systemctl -p Triggers show syslog.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:387
- /bin/systemctl
  systemctl -p Triggers show systemd-fsckd.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:388
- /bin/systemctl
  systemctl -p Triggers show systemd-initctl.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:389
- /bin/systemctl
  systemctl -p Triggers show systemd-journald-audit.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:390
- /bin/systemctl
  systemctl -p Triggers show systemd-journald-dev-log.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:391
- /bin/systemctl
  systemctl -p Triggers show systemd-journald.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:392
- /bin/systemctl
  systemctl -p Triggers show systemd-networkd.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:393
- /bin/systemctl
  systemctl -p Triggers show systemd-rfkill.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:394
- /bin/systemctl
  systemctl -p Triggers show systemd-udevd-control.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:395
- /bin/systemctl
  systemctl -p Triggers show systemd-udevd-kernel.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:396

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:383

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:384

/usr/local/sbin/systemctl
systemctl start crond.service
1⤵
PID:377

/usr/local/bin/systemctl
systemctl start crond.service
1⤵
PID:377

/usr/sbin/systemctl
systemctl start crond.service
1⤵
PID:377

/usr/bin/systemctl
systemctl start crond.service
1⤵
PID:377

/sbin/systemctl
systemctl start crond.service
1⤵
PID:377

/bin/systemctl
systemctl start crond.service
1⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:377

/usr/bin/renice
renice -20 367
1⤵
PID:398

/bin/mount
mount -o bind /tmp/ /proc/367
1⤵
- Reads runtime system information
PID:399

/usr/sbin/service
service cron start
1⤵
- Write file to user bin folder
PID:400
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:401
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:403
- /bin/systemctl
  systemctl --quiet is-active multi-user.target
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:405
- /bin/systemctl
  systemctl -p Triggers show dbus.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:409
- /bin/systemctl
  systemctl -p Triggers show ssh.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:410
- /bin/systemctl
  systemctl -p Triggers show syslog.socket
  2⤵
  - Enumerates kernel/hardware configuration
  PID:411
- /bin/systemctl
  systemctl -p Triggers show systemd-fsckd.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:412
- /bin/systemctl
  systemctl -p Triggers show systemd-initctl.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:413
- /bin/systemctl
  systemctl -p Triggers show systemd-journald-audit.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:414
- /bin/systemctl
  systemctl -p Triggers show systemd-journald-dev-log.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:415
- /bin/systemctl
  systemctl -p Triggers show systemd-journald.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:416
- /bin/systemctl
  systemctl -p Triggers show systemd-networkd.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:417
- /bin/systemctl
  systemctl -p Triggers show systemd-rfkill.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:418
- /bin/systemctl
  systemctl -p Triggers show systemd-udevd-control.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:419
- /bin/systemctl
  systemctl -p Triggers show systemd-udevd-kernel.socket
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:420

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:407