96dcd72b44016a049ab24454bc78966dfba63af713e25987dac73cf0c0a1a122

Analysis

max time kernel
0s
max time network
153s
platform
linux_armhf
resource
debian9-armhf-en-20211208
resource tags

arch:armhfimage:debian9-armhf-en-20211208kernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
25/03/2023, 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd7509992d90badb4cb42623cbbfe8f9c63607faa4025d91ce5b528014f9d73e.elf
Size

145KB
MD5

6a5689b1be862b89400d46b570ad3feb
SHA1

2945ca4fc1ae7fc92fd8249e8c206eea0a4cd1ea
SHA256

fd7509992d90badb4cb42623cbbfe8f9c63607faa4025d91ce5b528014f9d73e
SHA512

2898432caaafac8034de360da5f3c1d045aa13e5c4175aa49bddd94172c35a7c590c9de324e34f7b025de70a82075d12b9287ef6f779f7a08b76c377294929a9
SSDEEP

3072:JLUTTSmaa9Fh8wBIBpne4OiKd3h3GSxQcM/9JUcuc/:JLGaa9Fh8wBILneNth3GSrM/9JUy/

Score

9^/10

discovery

Malware Config

Signatures

Contacts a large (34546) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

description	ioc
/sbin/watchdog	/sbin/watchdog
/bin/watchdog	/bin/watchdog

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/25/cmdline	/proc/25/cmdline	Process not Found
/proc/131/cmdline	/proc/131/cmdline	Process not Found
/proc/16/cmdline	/proc/16/cmdline	Process not Found
/proc/323/cmdline	/proc/323/cmdline	Process not Found
/proc/5/cmdline	/proc/5/cmdline	Process not Found
/proc/8/cmdline	/proc/8/cmdline	Process not Found
/proc/17/cmdline	/proc/17/cmdline	Process not Found
/proc/21/cmdline	/proc/21/cmdline	Process not Found
/proc/29/cmdline	/proc/29/cmdline	Process not Found
/proc/139/cmdline	/proc/139/cmdline	Process not Found
/proc/238/cmdline	/proc/238/cmdline	Process not Found
/proc/373/cmdline	/proc/373/cmdline	Process not Found
/proc/7/cmdline	/proc/7/cmdline	Process not Found
/proc/18/cmdline	/proc/18/cmdline	Process not Found
/proc/383/cmdline	/proc/383/cmdline	Process not Found
/proc/385/cmdline	/proc/385/cmdline	Process not Found
/proc/391/cmdline	/proc/391/cmdline	Process not Found
/proc/107/cmdline	/proc/107/cmdline	Process not Found
/proc/362/cmdline	/proc/362/cmdline	Process not Found
/proc/10/cmdline	/proc/10/cmdline	Process not Found
/proc/12/cmdline	/proc/12/cmdline	Process not Found
/proc/43/cmdline	/proc/43/cmdline	Process not Found
/proc/235/cmdline	/proc/235/cmdline	Process not Found
/proc/359/cmdline	/proc/359/cmdline	Process not Found
/proc/387/cmdline	/proc/387/cmdline	Process not Found
/proc/2/cmdline	/proc/2/cmdline	Process not Found
/proc/3/cmdline	/proc/3/cmdline	Process not Found
/proc/208/cmdline	/proc/208/cmdline	Process not Found
/proc/269/cmdline	/proc/269/cmdline	Process not Found
/proc/389/cmdline	/proc/389/cmdline	Process not Found
/proc/4/cmdline	/proc/4/cmdline	Process not Found
/proc/14/cmdline	/proc/14/cmdline	Process not Found
/proc/41/cmdline	/proc/41/cmdline	Process not Found
/proc/104/cmdline	/proc/104/cmdline	Process not Found
/proc/270/cmdline	/proc/270/cmdline	Process not Found
/proc/368/cmdline	/proc/368/cmdline	Process not Found
/proc/375/cmdline	/proc/375/cmdline	Process not Found
/proc/377/cmdline	/proc/377/cmdline	Process not Found
/proc/1/cmdline	/proc/1/cmdline	Process not Found
/proc/11/cmdline	/proc/11/cmdline	Process not Found
/proc/395/cmdline	/proc/395/cmdline	Process not Found
/proc/399/cmdline	/proc/399/cmdline	Process not Found
/proc/74/cmdline	/proc/74/cmdline	Process not Found
/proc/381/cmdline	/proc/381/cmdline	Process not Found
/proc/24/cmdline	/proc/24/cmdline	Process not Found
/proc/320/cmdline	/proc/320/cmdline	Process not Found
/proc/393/cmdline	/proc/393/cmdline	Process not Found
/proc/	/proc/	Process not Found
/proc/6/cmdline	/proc/6/cmdline	Process not Found
/proc/106/cmdline	/proc/106/cmdline	Process not Found
/proc/403/cmdline	/proc/403/cmdline	Process not Found
/proc/20/cmdline	/proc/20/cmdline	Process not Found
/proc/95/cmdline	/proc/95/cmdline	Process not Found
/proc/135/cmdline	/proc/135/cmdline	Process not Found
/proc/236/cmdline	/proc/236/cmdline	Process not Found
/proc/278/cmdline	/proc/278/cmdline	Process not Found
/proc/287/cmdline	/proc/287/cmdline	Process not Found
/proc/15/cmdline	/proc/15/cmdline	Process not Found
/proc/19/cmdline	/proc/19/cmdline	Process not Found
/proc/397/cmdline	/proc/397/cmdline	Process not Found
/proc/374/cmdline	/proc/374/cmdline	Process not Found
/proc/379/cmdline	/proc/379/cmdline	Process not Found
/proc/filesystems	/proc/filesystems	mkdir
/proc/226/cmdline	/proc/226/cmdline	Process not Found

/tmp/fd7509992d90badb4cb42623cbbfe8f9c63607faa4025d91ce5b528014f9d73e.elf
/tmp/fd7509992d90badb4cb42623cbbfe8f9c63607faa4025d91ce5b528014f9d73e.elf
1⤵
PID:363
- /bin/sh
  /bin/sh -c "rm -rf bin/busybox && mkdir zxcr9999; >bin/busybox && mv /tmp/fd7509992d90badb4cb42623cbbfe8f9c63607faa4025d91ce5b528014f9d73e.elf� ��bin/busybox; chmod 777 bin/busybox"
  2⤵
  PID:364
- - /bin/rm
    rm -rf bin/busybox
    3⤵
    PID:365
- - /bin/mkdir
    mkdir zxcr9999
    3⤵
    - Reads runtime system information
    PID:366
- - /bin/chmod
    chmod 777 bin/busybox
    3⤵
    PID:367

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads