90afe1dbb17c11ff9bc870842bcda7d9829a996b4f40de6a40e1235ce9d15fba

Analysis

max time kernel
150s
max time network
153s
platform
debian-9_armhf
resource
debian9-armhf-20221111-en
resource tags

arch:armhfimage:debian9-armhf-20221111-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
18/04/2023, 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fedd7b9e3fb66cd8a521a5e1916696ae.elf
Size

104KB
MD5

fedd7b9e3fb66cd8a521a5e1916696ae
SHA1

8d74dc8783724da05a20135c7225d12c68dbb2aa
SHA256

90afe1dbb17c11ff9bc870842bcda7d9829a996b4f40de6a40e1235ce9d15fba
SHA512

ce03cc85fb2c31c130212e9c37f64d4086a59a31ee72bb2076b0c37ec1f5d44a2842067dbcdca8dbe4d8c5c1412bf4177f8c6d4ef8f7f946cd9ca1b57de92411
SSDEEP

3072:olhUX+jP9NWjVzH4hh+d2TBvMt9M/9QhMeF:oUujPWjVzH0hPvMXM/9QhMeF

Score

9^/10

discovery

Malware Config

Signatures

Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562
Contacts a large (1493) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc
/proc/9/maps	/proc/9/maps
/proc/12/cmdline	/proc/12/cmdline
/proc/41/maps	/proc/41/maps
/proc/144/maps	/proc/144/maps
/proc/307/maps	/proc/307/maps
/proc/363/maps	/proc/363/maps
/proc/368/maps	/proc/368/maps
/proc/3/maps	/proc/3/maps
/proc/271/cmdline	/proc/271/cmdline
/proc/390/maps	/proc/390/maps
/proc/18/maps	/proc/18/maps
/proc/103/cmdline	/proc/103/cmdline
/proc/388/cmdline	/proc/388/cmdline
/proc/350/maps	/proc/350/maps
/proc/350/cmdline	/proc/350/cmdline
/proc/386/maps	/proc/386/maps
/proc/10/cmdline	/proc/10/cmdline
/proc/5/cmdline	/proc/5/cmdline
/proc/26/maps	/proc/26/maps
/proc/26/cmdline	/proc/26/cmdline
/proc/103/maps	/proc/103/maps
/proc/307/cmdline	/proc/307/cmdline
/proc/356/maps	/proc/356/maps
/proc/356/cmdline	/proc/356/cmdline
/proc/383/maps	/proc/383/maps
/proc/15/maps	/proc/15/maps
/proc/226/maps	/proc/226/maps
/proc/348/cmdline	/proc/348/cmdline
/proc/378/maps	/proc/378/maps
/proc/380/maps	/proc/380/maps
/proc/1/cmdline	/proc/1/cmdline
/proc/6/maps	/proc/6/maps
/proc/12/maps	/proc/12/maps
/proc/18/cmdline	/proc/18/cmdline
/proc/20/maps	/proc/20/maps
/proc/22/maps	/proc/22/maps
/proc/25/maps	/proc/25/maps
/proc/165/maps	/proc/165/maps
/proc/273/cmdline	/proc/273/cmdline
/proc/11/cmdline	/proc/11/cmdline
/proc/15/cmdline	/proc/15/cmdline
/proc/20/cmdline	/proc/20/cmdline
/proc/206/maps	/proc/206/maps
/proc/223/cmdline	/proc/223/cmdline
/proc/11/maps	/proc/11/maps
/proc/2/maps	/proc/2/maps
/proc/24/cmdline	/proc/24/cmdline
/proc/134/maps	/proc/134/maps
/proc/270/cmdline	/proc/270/cmdline
/proc/273/maps	/proc/273/maps
/proc/341/cmdline	/proc/341/cmdline
/proc/374/maps	/proc/374/maps
/proc/5/maps	/proc/5/maps
/proc/29/maps	/proc/29/maps
/proc/41/cmdline	/proc/41/cmdline
/proc/42/cmdline	/proc/42/cmdline
/proc/106/cmdline	/proc/106/cmdline
/proc/140/cmdline	/proc/140/cmdline
/proc/351/maps	/proc/351/maps
/proc/373/maps	/proc/373/maps
/proc/378/cmdline	/proc/378/cmdline
/proc/16/maps	/proc/16/maps
/proc/27/maps	/proc/27/maps
/proc/43/cmdline	/proc/43/cmdline

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/fedd7b9e3fb66cd8a521a5e1916696ae.elf	/tmp/fedd7b9e3fb66cd8a521a5e1916696ae.elf	fedd7b9e3fb66cd8a521a5e1916696ae.elf

/tmp/fedd7b9e3fb66cd8a521a5e1916696ae.elf
/tmp/fedd7b9e3fb66cd8a521a5e1916696ae.elf
1⤵
- Writes file to tmp directory
PID:352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...