Analysis
max time kernel: 151s
max time network: 154s
platform: debian-9_armhf
resource: debian9-armhf-20231215-en
resource tags: arch:armhf, image:debian9-armhf-20231215-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 20-12-2023 13:53
Behavioral task: behavioral1
Sample: bdf1cab65204ccae1530d529e75b2ea4
Resource: debian9-armhf-20231215-en
General
Target: bdf1cab65204ccae1530d529e75b2ea4
Size: 37KB
MD5: bdf1cab65204ccae1530d529e75b2ea4
SHA1: 44fdabacf6290d2a9f39cccb56762d55cdd9324e
SHA256: 7cdfd82ecbe11a5a767272f84ad8b23060018daea192ab37b7d67241f297c850
SHA512: 4402c1981cb9769ba3fad25ace23b5cbf0b9f372262432b7cb117677128c3ba8e57164a06b850c8ba6b5c80a5dc1820e7ad7f94ffc7879adde8d07694fbbf36c
SSDEEP: 768:7ddJesB5t8/2tO3FsgA8khW81/TYPPAqsrtA1RvxyN2aQyxO3Mkqx4n1hEW:PJBt8U8kb1/TYnAqYU8Vx4n
Malware Config
Signatures

Contacts a large number (53625) of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services. Tens of thousands of distinct destinations within the 154s network window is the scanning profile of a Mirai-style bot probing for exposed services rather than normal client traffic.

Creates a large number of network flows (1 TTP)
This may indicate a network scan to discover remotely running services. Read together with the host count above: one short-lived flow per target, not repeated connections to a few hosts.
Changes its process name (1 IoC)
Processes:
  description: Changes the process name, possibly in an attempt to hide itself
  ioc: [procManager]
  pid: 650
  process: bdf1cab65204ccae1530d529e75b2ea4
The chosen name is wrapped in square brackets, the way ps and top display kernel threads, so the bot blends into a casual process listing. The comm name shown by ps is changeable by the process itself; the original binary path is still visible through /proc/650/exe.
Modifies Watchdog functionality (1 TTP, 2 IoCs)
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system: a hardware watchdog reboots the device if it is not pinged in time, and a reboot would clear a memory-resident bot, so the bot opens the watchdog device and disables it. The two paths below are the usual device node locations on embedded Linux.
Processes:
  description: File opened for modification
  ioc: /dev/watchdog
  description: File opened for modification
  ioc: /dev/misc/watchdog
Enumerates active TCP sockets (1 TTP, 1 IoC)
Gets active TCP sockets from /proc virtual filesystem.
Processes:
  description: File opened for reading
  ioc: /proc/net/tcp
Writes file to system bin folder (1 TTP, 2 IoCs)
Processes:
  description: File opened for modification
  ioc: /sbin/watchdog
  description: File opened for modification
  ioc: /bin/watchdog
Both paths are where the userspace watchdog daemon (the BusyBox watchdog applet on most embedded images) is installed. The sandbox records only that the files were opened for writing, not what, if anything, was written, so this is consistent with neutralizing the watchdog daemon rather than dropping a new binary; confirm by comparing the files' hashes against the image before and after execution.
Reads system network configuration (1 TTP, 1 IoC)
Uses contents of /proc filesystem to enumerate network settings.
Processes:
  description: File opened for reading
  ioc: /proc/net/tcp
Reads runtime system information (21 IoCs)
Reads data from /proc virtual filesystem.
Processes:
  description: File opened for reading
  ioc: /proc/1/fd, /proc/143/fd, /proc/165/fd, /proc/207/fd, /proc/261/fd, /proc/262/fd, /proc/263/fd, /proc/267/fd, /proc/279/fd, /proc/298/fd, /proc/300/fd, /proc/302/fd, /proc/336/fd, /proc/568/fd, /proc/572/fd, /proc/574/fd, /proc/575/fd, /proc/588/fd, /proc/627/fd, /proc/652/fd, /proc/653/fd
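The pairing of /proc/net/tcp reads with a walk over /proc/<pid>/fd for every process is the pattern a Mirai-style "killer" routine uses to find which process owns a listening port (telnet, ssh, http) before killing it to lock out competitors. The following is an added example written for this page, not code from the report or from the sample: it parses the /proc/net/tcp text format for LISTEN sockets, decodes the local address and port, and extracts the socket inode from an fd symlink target so it can be matched against /proc/<pid>/fd. The SAMPLE_TCP text is constructed for illustration; nothing is killed, and the little-endian address decoding assumes an armhf or x86 host.

```c
/* Added example: parse /proc/net/tcp for LISTEN sockets and map fd links to inodes.
 * Build: cc -std=c99 -Wall proc_scan.c -o proc_scan */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TCP_LISTEN 0x0A          /* value of the "st" column for a listening socket */

struct listener {
    unsigned long inode;         /* socket inode; appears as socket:[N] in /proc/<pid>/fd */
    unsigned port;               /* local port in host byte order */
    unsigned char ip[4];         /* local IPv4 address in dotted order */
};

/* Parse one data line of /proc/net/tcp. Returns 1 and fills out if it is a LISTEN socket.
 * Columns: sl local_address rem_address st tx:rx tr:when retrnsmt uid timeout inode ... */
int parse_tcp_line(const char *line, struct listener *out)
{
    char laddr[9];
    unsigned port, st;
    unsigned long inode, raw;
    int n = sscanf(line,
                   " %*u: %8[0-9A-Fa-f]:%x %*8[0-9A-Fa-f]:%*x %x %*x:%*x %*x:%*x %*x %*u %*u %lu",
                   laddr, &port, &st, &inode);
    if (n != 4 || st != TCP_LISTEN)
        return 0;                /* header line, malformed line, or not a listener */
    raw = strtoul(laddr, NULL, 16);
    /* The kernel prints the address as an in-memory 32-bit word, so on a little-endian
     * host (armhf, x86) 0100007F is 127.0.0.1: the low byte is the first octet. */
    out->ip[0] = raw & 0xFF;
    out->ip[1] = (raw >> 8) & 0xFF;
    out->ip[2] = (raw >> 16) & 0xFF;
    out->ip[3] = (raw >> 24) & 0xFF;
    out->port = port;
    out->inode = inode;
    return 1;
}

/* Scan a whole /proc/net/tcp text. Returns the number of listeners stored (at most max). */
size_t scan_tcp_text(const char *text, struct listener *out, size_t max)
{
    size_t count = 0;
    const char *p = text;
    while (*p && count < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_tcp_line(line, &out[count])) count++;
        p = nl ? nl + 1 : p + len;
    }
    return count;
}

/* /proc/<pid>/fd/<n> is a symlink whose target reads "socket:[INODE]" for sockets
 * (readlink(2) gives the target). Returns the inode, or 0 if the fd is not a socket. */
unsigned long inode_from_fd_target(const char *target)
{
    unsigned long inode;
    char tail;
    if (sscanf(target, "socket:[%lu%c", &inode, &tail) == 2 && tail == ']')
        return inode;
    return 0;
}

/* Read a file in /proc/net/tcp format and scan it. Returns -1 if it cannot be opened. */
long scan_tcp_file(const char *path, struct listener *out, size_t max)
{
    static char buf[65536];
    FILE *f = fopen(path, "r");
    size_t got;
    if (!f) return -1;
    got = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[got] = '\0';
    return (long)scan_tcp_text(buf, out, max);
}

/* Constructed sample (not captured from the sandbox): telnet listening on all interfaces,
 * ssh on loopback only, and one ESTABLISHED connection that must be ignored. */
static const char SAMPLE_TCP[] =
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 14062 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 13997 1 0000000000000000 100 0 0 10 0\n"
    "   2: 0A00020F:C31E 0A000201:0050 01 00000000:00000000 00:00000000 00000000  1000        0 22410 1 0000000000000000 20 4 30 10 -1\n";

int main(void)
{
    struct listener ls[64];
    long n = scan_tcp_file("/proc/net/tcp", ls, 64);      /* live scan on Linux */
    if (n < 0) n = (long)scan_tcp_text(SAMPLE_TCP, ls, 64); /* otherwise the constructed sample */
    for (long i = 0; i < n; i++)
        printf("LISTEN %u.%u.%u.%u:%u inode=%lu\n", ls[i].ip[0], ls[i].ip[1],
               ls[i].ip[2], ls[i].ip[3], ls[i].port, ls[i].inode);
    return 0;
}
```

To complete the mapping the killer walks /proc/<pid>/fd for every pid, calls readlink on each entry, and compares the inode from inode_from_fd_target against the listeners; that walk is exactly the 21 /proc/<pid>/fd reads the sandbox logged above. From the defensive side the same parser is useful for baselining which processes legitimately hold the telnet and ssh listeners on a device before a bot does.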