Analysis
-
max time kernel
41309s -
max time network
153s -
platform
linux_armhf -
resource
debian9-armhf-en-20211208 -
resource tags
arch:armhf image:debian9-armhf-en-20211208 kernel:4.9.0-13-armmp-lpae locale:en-us os:debian-9-armhf system -
submitted
31-03-2023 19:41
Behavioral task
behavioral1
Sample
lok.arm7.elf
Resource
debian9-armhf-en-20211208
General
-
Target
lok.arm7.elf
-
Size
59KB
-
MD5
edb64280b729e3299ca43c99939161b9
-
SHA1
530d42ad15f5da90cbbb700ca8a8d2005dc1471f
-
SHA256
60628ba3c363a8719f43139402794a925059096ac987d12a3370d64f5be0dd5d
-
SHA512
68550ed42b6774cfbf8e1821bcb19a35ffb3d1f46d25f452c04e973bfb2fa45cf45440429cbf3f6289b44041eb265983ed71f66b9aee9ee37b4c9315df9f35be
-
SSDEEP
1536:QqPm6pbZMeQYXQBpqYtgU7ChRPwKL185HApNs:rmcaeQYXQl3AyKLOtH
Malware Config
Signatures
-
Contacts a large (41276) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes:
lok.arm7.elf
description ioc process
/tmp/lok.arm7.elf /tmp/lok.arm7.elf lok.arm7.elf