Analysis
-
max time kernel
152s -
max time network
156s -
platform
debian-9_armhf -
resource
debian9-armhf-20231215-en -
resource tags
arch:armhfimage:debian9-armhf-20231215-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
20-12-2023 08:14
Behavioral task
behavioral1
Sample
9385071a355bfff6143eabfc25a67e52
Resource
debian9-armhf-20231215-en
General
-
Target
9385071a355bfff6143eabfc25a67e52
-
Size
123KB
-
MD5
9385071a355bfff6143eabfc25a67e52
-
SHA1
e43bd69dc6780450e176b130e946510226942656
-
SHA256
d66b6f8ebee3e5a799ae0b59cf5fbd289e70f5519cfc2ba4bdb42a2288b10218
-
SHA512
67ecf125d5953761f17712c4cb1aa0239f08dcbd955ee1f6ece0f3d7295cbe256c5117d4240930b57d8b8ceb94a275682cfc546a455a4e95085029c7ab2726f6
-
SSDEEP
3072:0BSUK5y5Osablub5ljqxEhfYFWOM1af5EtM/9iL3Ow:0BSUK59sO0njqxEhAIOpf5aM/9Q3Ow
Malware Config
Signatures
-
Contacts a large (74131) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Changes its process name 1 IoCs
Processes:
9385071a355bfff6143eabfc25a67e52description ioc pid process Changes the process name, possibly in an attempt to hide itself [cpuHop] 665 9385071a355bfff6143eabfc25a67e52 -
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
Processes:
description ioc File opened for modification /dev/misc/watchdog File opened for modification /dev/watchdog -
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
Processes:
description ioc File opened for reading /proc/net/tcp -
Writes file to system bin folder 1 TTPs 2 IoCs
Processes:
description ioc File opened for modification /sbin/watchdog File opened for modification /bin/watchdog -
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
Processes:
description ioc File opened for reading /proc/net/tcp