bba18438991935a5fb91c8f315d08792c2326b2ce19f2be117f7dab984c47bdf | Triage

Submit
Reports

Overview

overview

9

Static

static

8

635d926cac...b5f647

debian-9-armhf

9

Sharing

General

Target

635d926cace851bef7df910d8cb5f647
Size

120KB
Sample

231219-3egjdahha5
MD5

635d926cace851bef7df910d8cb5f647
SHA1

543282811f7ec6ab8743f5ab877c040b16ed9a10
SHA256

bba18438991935a5fb91c8f315d08792c2326b2ce19f2be117f7dab984c47bdf
SHA512

859bd4682e06a511961de11cfe8e4f047a2ac5f85fc388df5108c8f5e0a0af628bb81e378958a32c8606ae50110020f7b8374de06dea1eccabbe89e213415209
SSDEEP

3072:6X8JNZXopYyKyI/LvKtL2faYk+djHdiDI0eXaBLTRP4otGP/x:6Xs4pYy6/LKR2SrsTkDI0eXaBBxwP5

Score

9^/10

discovery persistence upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

635d926cace851bef7df910d8cb5f647

Resource

debian9-armhf-20231215-en

discovery persistence upx

debian-9-armhf

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  635d926cace851bef7df910d8cb5f647
- Size
  
  120KB
- MD5
  
  635d926cace851bef7df910d8cb5f647
- SHA1
  
  543282811f7ec6ab8743f5ab877c040b16ed9a10
- SHA256
  
  bba18438991935a5fb91c8f315d08792c2326b2ce19f2be117f7dab984c47bdf
- SHA512
  
  859bd4682e06a511961de11cfe8e4f047a2ac5f85fc388df5108c8f5e0a0af628bb81e378958a32c8606ae50110020f7b8374de06dea1eccabbe89e213415209
- SSDEEP
  
  3072:6X8JNZXopYyKyI/LvKtL2faYk+djHdiDI0eXaBLTRP4otGP/x:6Xs4pYy6/LKR2SrsTkDI0eXaBBxwP5
Score

9^/10

discovery persistence upx
- Contacts a large (4772) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Patched UPX-packed file
  Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.
- Changes its process name
- Modifies Watchdog functionality
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Enumerates active TCP sockets
  Gets active TCP sockets from /proc virtual filesystem.
- Modifies init.d
  Adds/modifies system service, likely for persistence.
  persistence
- Writes file to system bin folder
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Hijack Execution Flow

Privilege Escalation

Boot or Logon Autostart Execution

Hijack Execution Flow

Defense Evasion

Hijack Execution Flow

Impair Defenses

Credential Access

Discovery

Network Service Discovery

System Network Configuration Discovery

System Network Connections Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistenceupx

© 2018-2025

Terms | Privacy