Analysis
- max time kernel: 152s
- max time network: 155s
- platform: debian-9_armhf
- resource: debian9-armhf-20231215-en
- resource tags: arch:armhf, image:debian9-armhf-20231215-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 19-12-2023 23:50
Behavioral task: behavioral1
- Sample: 6f35104a34e9387f3963dfe7e92f30fa
- Resource: debian9-armhf-20231215-en
General
- Target: 6f35104a34e9387f3963dfe7e92f30fa
- Size: 109KB
- MD5: 6f35104a34e9387f3963dfe7e92f30fa
- SHA1: 2a75e8ab821d8b3324028ae6da6a21732c0fd5bd
- SHA256: 21f7ba43e7293b5eef06d67f0574ffe291a5346b7799bea9dbb4a945f9614aef
- SHA512: 8aa9f14edb8c567c67440133992237cf44ef3259937834c6631ffb7188ed27af122ea36b6ae769a4c63271b3273264ad47b6a1f01fd713a3547ed07af17f8938
- SSDEEP: 3072:R0fOdOiMRyssfthw04XiuaXV6rMM/9FhO7:R0fOcyssfthl45aF6gM/9XO7
Malware Config
Signatures
- Contacts a large (53256) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Changes its process name (1 IoCs)
  Processes:
    description                                                      ioc              pid  process
    Changes the process name, possibly in an attempt to hide itself  [NetworkSwitch]  660  6f35104a34e9387f3963dfe7e92f30fa
- Modifies Watchdog functionality (1 TTPs, 2 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  Processes:
    description                   ioc
    File opened for modification  /dev/watchdog
    File opened for modification  /dev/misc/watchdog
- Enumerates active TCP sockets (1 TTPs, 1 IoCs)
  Gets active TCP sockets from /proc virtual filesystem.
  Processes:
    description              ioc
    File opened for reading  /proc/net/tcp
- Writes file to system bin folder (1 TTPs, 2 IoCs)
  Processes:
    description                   ioc
    File opened for modification  /sbin/watchdog
    File opened for modification  /bin/watchdog
- Reads system network configuration (1 TTPs, 1 IoCs)
  Uses contents of /proc filesystem to enumerate network settings.
  Processes:
    description              ioc
    File opened for reading  /proc/net/tcp
- Reads runtime system information (24 IoCs)
  Reads data from /proc virtual filesystem.
  Processes:
    description              ioc
    File opened for reading  /proc/210/fd
    File opened for reading  /proc/275/fd
    File opened for reading  /proc/281/fd
    File opened for reading  /proc/286/fd
    File opened for reading  /proc/584/fd
    File opened for reading  /proc/605/fd
    File opened for reading  /proc/638/fd
    File opened for reading  /proc/645/fd
    File opened for reading  /proc/653/fd
    File opened for reading  /proc/171/fd
    File opened for reading  /proc/282/fd
    File opened for reading  /proc/306/fd
    File opened for reading  /proc/644/fd
    File opened for reading  /proc/1/fd
    File opened for reading  /proc/139/fd
    File opened for reading  /proc/285/fd
    File opened for reading  /proc/308/fd
    File opened for reading  /proc/318/fd
    File opened for reading  /proc/572/fd
    File opened for reading  /proc/665/fd
    File opened for reading  /proc/347/fd
    File opened for reading  /proc/590/fd
    File opened for reading  /proc/591/fd
    File opened for reading  /proc/664/fd