Analysis
max time kernel: 152s
max time network: 154s
platform: debian-9_armhf
resource: debian9-armhf-20231215-en
resource tags: arch:armhf, image:debian9-armhf-20231215-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 20-12-2023 13:52
Behavioral task: behavioral1
Sample: bd81d8a2f8678b523e950743c5500629
Resource: debian9-armhf-20231215-en
General
Target: bd81d8a2f8678b523e950743c5500629
Size: 57KB
MD5: bd81d8a2f8678b523e950743c5500629
SHA1: eefe6ad7a2709f007cd30b8081eb0932827bfa2f
SHA256: 4e4bfa4cea81408116ae77e7d8d6926a8fec0a902dc258b3a75128a6034548fe
SHA512: cca422b2ce17e7c8dc8249ff93f59e2ccc9df2bcc08d5114bc9881e43dddc996c0df67c3681828817dfd4423a649d0140f237fb614336735fa4dd986cdc09e00
SSDEEP: 1536:tCrZuHG3Dh5Wm3umFRQwPBeagftBuHYvAxRni:tC5DVemFqMeagfXd
Malware Config
Signatures

Contacts a large (52892) amount of remote hosts  (1 TTPs)
This may indicate a network scan to discover remotely running services.

Creates a large amount of network flows  (1 TTPs)
This may indicate a network scan to discover remotely running services.

Changes its process name  (1 IoCs)
Processes:
description                                                       ioc      pid  process
Changes the process name, possibly in an attempt to hide itself   telnetd  657  bd81d8a2f8678b523e950743c5500629

Modifies Watchdog functionality  (1 TTPs, 2 IoCs)
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
Processes:
description                    ioc
File opened for modification   /dev/watchdog
File opened for modification   /dev/misc/watchdog

Enumerates active TCP sockets  (1 TTPs, 1 IoCs)
Gets active TCP sockets from /proc virtual filesystem.
Processes:
description               ioc
File opened for reading   /proc/net/tcp

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder  (1 TTPs, 2 IoCs)
Processes:
description                    ioc
File opened for modification   /sbin/watchdog
File opened for modification   /bin/watchdog

Reads system network configuration  (1 TTPs, 1 IoCs)
Uses contents of /proc filesystem to enumerate network settings.
Processes:
description               ioc
File opened for reading   /proc/net/tcp

Reads runtime system information  (64 IoCs)
Reads data from /proc virtual filesystem.
Processes:
description               ioc
File opened for reading   /proc/673/maps
File opened for reading   /proc/765/maps
File opened for reading   /proc/772/exe
File opened for reading   /proc/662/exe
File opened for reading   /proc/664/exe
File opened for reading   /proc/579/exe
File opened for reading   /proc/757/maps
File opened for reading   /proc/640/exe
File opened for reading   /proc/772/maps
File opened for reading   /proc/777/exe
File opened for reading   /proc/755/exe
File opened for reading   /proc/766/maps
File opened for reading   /proc/776/maps
File opened for reading   /proc/661/maps
File opened for reading   /proc/763/maps
File opened for reading   /proc/664/maps
File opened for reading   /proc/754/exe
File opened for reading   /proc/773/exe
File opened for reading   /proc/584/maps
File opened for reading   /proc/662/maps
File opened for reading   /proc/775/exe
File opened for reading   /proc/579/maps
File opened for reading   /proc/584/exe
File opened for reading   /proc/767/exe
File opened for reading   /proc/634/exe
File opened for reading   /proc/659/exe
File opened for reading   /proc/757/exe
File opened for reading   /proc/759/maps
File opened for reading   /proc/761/exe
File opened for reading   /proc/763/exe
File opened for reading   /proc/765/exe
File opened for reading   /proc/769/exe
File opened for reading   /proc/585/exe
File opened for reading   /proc/673/exe
File opened for reading   /proc/640/maps
File opened for reading   /proc/767/maps
File opened for reading   /proc/595/maps
File opened for reading   /proc/634/maps
File opened for reading   /proc/637/maps
File opened for reading   /proc/771/exe
File opened for reading   /proc/778/maps
File opened for reading   /proc/577/exe
File opened for reading   /proc/595/exe
File opened for reading   /proc/759/exe
File opened for reading   /proc/766/exe
File opened for reading   /proc/639/exe
File opened for reading   /proc/755/maps
File opened for reading   /proc/769/maps
File opened for reading   /proc/773/maps
File opened for reading   /proc/585/maps
File opened for reading   /proc/754/maps
File opened for reading   /proc/761/maps
File opened for reading   /proc/775/maps
File opened for reading   /proc/781/exe
File opened for reading   /proc/637/exe
File opened for reading   /proc/659/maps
File opened for reading   /proc/781/maps
File opened for reading   /proc/639/maps
File opened for reading   /proc/777/maps
File opened for reading   /proc/760/maps
File opened for reading   /proc/771/maps
File opened for reading   /proc/776/exe
File opened for reading   /proc/778/exe
File opened for reading   /proc/577/maps