81812b3f367c2e89ad7071be98f1c58630cfa6d0606265afa06309954af785d6

Analysis

max time kernel
151s
max time network
149s
platform
debian-9_armhf
resource
debian9-armhf-20221125-en
resource tags

arch:armhfimage:debian9-armhf-20221125-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
11-07-2023 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

376-1-0x00008000-0x00026464-memory.dmp
Size

76KB
MD5

79fe28be097f9ad5d8db427606665f74
SHA1

da27ba9babdec7e7232ee55d3f44e88dfcf269a2
SHA256

81812b3f367c2e89ad7071be98f1c58630cfa6d0606265afa06309954af785d6
SHA512

a2ad8abf793d776afadcb9682f742e6069d980d164c0ba8bcabccde313199ceca182f4bc5a09d59cce002ce5cb27698fa80ac2573f7852f1413a50aca4f5ea1c
SSDEEP

1536:TJnF9sFw8gu6+wyKaw1KpIPrbvr/6Ra1styKtI8ll5BihwlTQP+8oR:RowpuQyNSG2eRa1styK9flTQPHo

Score

7^/10

Malware Config

Signatures

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

description	ioc
File opened for modification	/dev/misc/watchdog
File opened for modification	/dev/watchdog

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/sbin/watchdog
File opened for modification	/bin/watchdog

Reads runtime system information 19 IoCs

Reads data from /proc virtual filesystem.

description	ioc
File opened for reading	/proc/428/cmdline
File opened for reading	/proc/454/cmdline
File opened for reading	/proc/459/cmdline
File opened for reading	/proc/469/cmdline
File opened for reading	/proc/493/cmdline
File opened for reading	/proc/503/cmdline
File opened for reading	/proc/422/cmdline
File opened for reading	/proc/429/cmdline
File opened for reading	/proc/440/cmdline
File opened for reading	/proc/467/cmdline
File opened for reading	/proc/481/cmdline
File opened for reading	/proc/404/cmdline
File opened for reading	/proc/500/cmdline
File opened for reading	/proc/442/cmdline
File opened for reading	/proc/419/cmdline
File opened for reading	/proc/455/cmdline
File opened for reading	/proc/494/cmdline
File opened for reading	/proc/502/cmdline
File opened for reading	/proc/401/cmdline

/tmp/376-1-0x00008000-0x00026464-memory.dmp
/tmp/376-1-0x00008000-0x00026464-memory.dmp
1⤵
PID:363

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads