Analysis
-
max time kernel
152s -
max time network
155s -
platform
linux_armhf -
resource
debian9-armhf-en-20211208 -
resource tags
arch:armhfimage:debian9-armhf-en-20211208kernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
30-06-2023 12:27
Static task
static1
Behavioral task
behavioral1
Sample
.i
Resource
debian9-armhf-en-20211208
General
-
Target
.i
-
Size
78KB
-
MD5
9b6c3518a91d23ed77504b5416bfb5b3
-
SHA1
0a2d170abbf5031566377b01431e3b82d342630a
-
SHA256
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
-
SHA512
b2b08d5d5e6c6708d88b793e9340a780d47b5dce61e0a3026b4cdea8a9e4cbf9824037255e4ea4a40fee5bce956485232376d4677ce72ccb6c7f00badd09956e
-
SSDEEP
1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL
Malware Config
Signatures
-
Contacts a large (901) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Changes its process name 2 IoCs
Processes:
shshdescription ioc pid Process Changes the process name, possibly in an attempt to hide itself telnetd 352 sh Changes the process name, possibly in an attempt to hide itself telnetd 406 sh -
Deletes itself 2 IoCs
Processes:
shshpid Process 352 sh 406 sh -
Executes dropped EXE 1 IoCs
Processes:
shioc pid Process /tmp/atk 406 sh -
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
Processes:
.idescription ioc Process File opened for modification /dev/watchdog .i File opened for modification /dev/misc/watchdog .i -
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
Processes:
description ioc File opened for reading /proc/net/tcp -
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.
Processes:
.idescription ioc Process File opened for reading /proc/net/route .i -
Reads system network configuration 1 TTPs 3 IoCs
Uses contents of /proc filesystem to enumerate network settings.
Processes:
.idescription ioc Process File opened for reading /proc/net/route .i File opened for reading /proc/net/tcp