Analysis
-
max time kernel
151s -
max time network
129s -
platform
debian-9_armhf -
resource
debian9-armhf-20231215-en -
resource tags
arch:armhfimage:debian9-armhf-20231215-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
20-12-2023 11:55
Behavioral task
behavioral1
Sample
aed0bf84c27ecc25d01925110c66283e
Resource
debian9-armhf-20231215-en
General
-
Target
aed0bf84c27ecc25d01925110c66283e
-
Size
50KB
-
MD5
aed0bf84c27ecc25d01925110c66283e
-
SHA1
c4ba75ffef3a09a9fa7d952813a7186650c83725
-
SHA256
3724d0b6a26f03f37a05545e05df437e34aae7984e439cde0bc70b54b4cb6898
-
SHA512
4c7035bfb79480c4d136f84d23f57d59a1be6ebcfff36225b4285e431b2a707b2ac5187b9c5c56d6775437c29941f396e80ce584fab79694d7616034a0783088
-
SSDEEP
768:ZQHXml16Wjl1DC059OOZ6/7wBJ4Yp2BWKk51WdrPBONsjyKo4kNLkGeQTcEKTcMx:bfMBWBWdrBvIeDJTEDGhtrHvux4nA
Malware Config
Signatures
-
Contacts a large (10077) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Changes its process name 1 IoCs
Processes:
aed0bf84c27ecc25d01925110c66283edescription ioc pid process Changes the process name, possibly in an attempt to hide itself Sofia 655 aed0bf84c27ecc25d01925110c66283e -
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
Processes:
description ioc File opened for modification /dev/watchdog File opened for modification /dev/misc/watchdog -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
Processes:
description ioc File opened for reading /proc/net/tcp -
Enumerates running processes
Discovers information about currently running processes on the system
-
Writes file to system bin folder 1 TTPs 2 IoCs
Processes:
description ioc File opened for modification /sbin/watchdog File opened for modification /bin/watchdog -
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
Processes:
description ioc File opened for reading /proc/net/tcp -
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
Processes:
description ioc File opened for reading /proc/763/exe File opened for reading /proc/776/exe File opened for reading /proc/781/maps File opened for reading /proc/810/exe File opened for reading /proc/814/maps File opened for reading /proc/824/exe File opened for reading /proc/872/exe File opened for reading /proc/576/maps File opened for reading /proc/975/maps File opened for reading /proc/922/exe File opened for reading /proc/637/exe File opened for reading /proc/799/exe File opened for reading /proc/854/exe File opened for reading /proc/863/exe File opened for reading /proc/956/exe File opened for reading /proc/574/maps File opened for reading /proc/872/maps File opened for reading /proc/793/maps File opened for reading /proc/659/maps File opened for reading /proc/836/exe File opened for reading /proc/850/exe File opened for reading /proc/859/exe File opened for reading /proc/881/exe File opened for reading /proc/952/exe File opened for reading /proc/637/maps File opened for reading /proc/632/maps File opened for reading /proc/635/exe File opened for reading /proc/661/exe File opened for reading /proc/672/exe File opened for reading /proc/948/exe File opened for reading /proc/593/maps File opened for reading /proc/580/maps File opened for reading /proc/763/maps File opened for reading /proc/785/exe File opened for reading /proc/802/exe File opened for reading /proc/832/maps File opened for reading /proc/894/maps File opened for reading /proc/576/exe File opened for reading /proc/638/exe File opened for reading /proc/749/exe File opened for reading /proc/771/exe File opened for reading /proc/818/maps File opened for reading /proc/828/maps File opened for reading /proc/841/maps File opened for reading /proc/962/exe File opened for reading /proc/635/maps File opened for reading /proc/658/maps File opened for reading /proc/767/exe File opened for reading /proc/574/exe File opened for reading /proc/960/exe File opened for reading /proc/966/exe File opened for reading /proc/820/exe File opened for reading /proc/759/maps File opened for reading /proc/777/maps File opened for reading /proc/798/exe File opened for reading /proc/934/exe File opened for reading /proc/657/maps File opened for reading /proc/777/exe File opened for reading /proc/793/exe File opened for reading /proc/798/maps File opened for reading /proc/930/exe File opened for reading /proc/944/exe File opened for reading /proc/966/maps File opened for reading /proc/657/exe