Analysis
- max time kernel: 151s
- max time network: 152s
- platform: debian-9_armhf
- resource: debian9-armhf-20221111-en
- resource tags: arch:armhf, image:debian9-armhf-20221111-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 13-05-2023 20:36
General
- Target: 3e0b0c2014e2bf86e328bb7011579aaa.elf
- Size: 57KB
- MD5: 3e0b0c2014e2bf86e328bb7011579aaa
- SHA1: 5476315a86b12d0f6bd359212c8b631945fe6334
- SHA256: 138a57ba868d36405d93bbb19061cdef1b2600f7e97eb46ac03441202ee5e211
- SHA512: 284f3c6ee140d3fe976cc3fb7aa2a27a87b4d1b03349b9c2b26a9432d53913f9304019246aff6631d10201e67e14ae219991efad40c5edd35df7eb0d46ff805e
- SSDEEP: 768:B5vZRCdVnbBTnBNXj6u/+e2cQKHsrjBpYyTVb7b79q3UELcnPFHbeNNjfNBTBO7K:B5v/sbBTBojXLRjf5VnWLc97eNZzIm
Malware Config
Signatures
- Contacts a large (68826) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Changes its process name (1 IoCs)
  Processes: 3e0b0c2014e2bf86e328bb7011579aaa.elf
  description | ioc | pid | process
  Changes the process name, possibly in an attempt to hide itself | /bin/watchdog | 423 | 3e0b0c2014e2bf86e328bb7011579aaa.elf
- Enumerates active TCP sockets (1 TTPs, 1 IoCs)
  Gets active TCP sockets from /proc virtual filesystem.
  description | ioc
  File opened for reading | /proc/net/tcp
- Reads system network configuration (1 TTPs, 1 IoCs)
  Uses contents of /proc filesystem to enumerate network settings.
  description | ioc
  File opened for reading | /proc/net/tcp
- Reads runtime system information (3 IoCs)
  Reads data from /proc virtual filesystem.
  Processes: 3e0b0c2014e2bf86e328bb7011579aaa.elf, mkdir
  description | ioc | process
  File opened for reading | /proc/self/exe | 3e0b0c2014e2bf86e328bb7011579aaa.elf
  File opened for reading | /proc/filesystems | mkdir
  File opened for reading | /proc/433/exe |
- Writes file to tmp directory (1 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes: sh
  description | ioc | process
  File opened for modification | /tmp/bin/watchdog | sh
Processes
- /tmp/3e0b0c2014e2bf86e328bb7011579aaa.elf (depth 1)
  command line: /tmp/3e0b0c2014e2bf86e328bb7011579aaa.elf
  - Changes its process name
  - Reads runtime system information
  - /bin/sh (depth 2)
    command line: /bin/sh -c "rm -rf bin/watchdog && mkdir bin; >bin/watchdog && mv /tmp/3e0b0c2014e2bf86e328bb7011579aaa.elf bin/watchdog���a; chmod 777 ���bin/watchdog"
    - Writes file to tmp directory
    - rm (depth 3)
      command line: rm -rf bin/watchdog
    - mkdir (depth 3)
      command line: mkdir "bin"
      - Reads runtime system information
    - chmod (depth 3)
      command line: chmod 777 "���bin/watchdog"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/423-1-0x00008000-0x000293fc-memory.dmp