Overview

overview

10

Static

static

10

9630b58f33...652eec

debian-9-armhf

9

Analysis

  • max time kernel
    150s
  • max time network
    135s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20231215-en
  • resource tags

    arch:armhfimage:debian9-armhf-20231215-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    20-12-2023 08:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9630b58f33df07e45499c4b3eb652eec

  • Size

    54KB

  • MD5

    9630b58f33df07e45499c4b3eb652eec

  • SHA1

    154428ecb8c91bffbab388acabef578ac8916719

  • SHA256

    d3b42abea11d2459a24848d7861f491cebd0ec8cf1b14833e09e06e40324e2f8

  • SHA512

    485fce45bf77ccbeffcfd7a14feac23aa31d10d305cafb2a11a4317617b22ce23617fff0b0800fd35c56be336597c049d0343c260c49aae606b153da7c18f449

  • SSDEEP

    1536:6qRYWdHTrkurstqXmsFyjZzL+CCvwxRn8:D5TrnQtamsF8zi1X

Score
9/10
discovery

Malware Config

Signatures

  • Contacts a large (10078) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Changes its process name 1 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Writes file to system bin folder 1 TTPs 2 IoCs
  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/9630b58f33df07e45499c4b3eb652eec
    /tmp/9630b58f33df07e45499c4b3eb652eec
    1⤵
    • Changes its process name
    PID:653

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Hijack Execution Flow

1
T1574

Privilege Escalation

Hijack Execution Flow

1
T1574

Defense Evasion

Impair Defenses

1
T1562

Hijack Execution Flow

1
T1574

Credential Access

Discovery

Network Service Discovery

2
T1046

System Network Connections Discovery

1
T1049

System Network Configuration Discovery

1
T1016

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads