Analysis
-
max time kernel
152s -
max time network
155s -
platform
debian-9_armhf -
resource
debian9-armhf-20221125-en -
resource tags
arch:armhfimage:debian9-armhf-20221125-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
23-08-2023 16:00
Behavioral task
behavioral1
Sample
botx.arm7.elf
Resource
debian9-armhf-20221125-en
debian-9-armhf
5 signatures
150 seconds
General
-
Target
botx.arm7.elf
-
Size
128KB
-
MD5
faaf1c09390b150e61b0438f4aa67e41
-
SHA1
907f907bb1d8af5abde0e865634a15dad54a4b64
-
SHA256
2e59755d2cca18a7fd0e8924fac30075fbf6402f0ebf4e4d96e4188c4d8ca414
-
SHA512
a40497998b610ad58423ec6ff7bb3c090b0ccd097da1ced3f7b84e315a5f22e821d3b76d0a33e61775d232a4dd2e3a59fc3cf6b1738a4d3c084cf9ec6f243352
-
SSDEEP
3072:FMHPp2YD4jMB2CSHfFBR5KVbweCS9j6RM/918mywPoIlq:FMHPp2VjxCSHfFBzK+XS98M/9OmywPo1
Score
9/10
Malware Config
Signatures
-
Contacts a large (46438) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Changes its process name 1 IoCs
Processes:
botx.arm7.elfdescription ioc pid process Changes the process name, possibly in an attempt to hide itself xkjpftkwk7j8 380 botx.arm7.elf -
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
Processes:
description ioc File opened for modification /dev/watchdog File opened for modification /dev/misc/watchdog -
Writes file to system bin folder 1 TTPs 1 IoCs