Analysis

  • max time kernel
    152s
  • max time network
    154s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20231215-en
  • resource tags

    arch:armhfimage:debian9-armhf-20231215-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    20-12-2023 15:05

General

  • Target

    d1a147e54c0dcff06963d09b0625bebb

  • Size

    105KB

  • MD5

    d1a147e54c0dcff06963d09b0625bebb

  • SHA1

    43e9d78cc0dbccd99c0b61ef80afd4b19cd26fda

  • SHA256

    780c51208b5deba82fc38c48545f4cd49af69f61570e01815299bd4e911de849

  • SHA512

    cd2ece61c160cd17c5957f0539be2c87f6ecf54dc70ef14dc1b3906114c7407b20167007a74075a1cdf3bfba40bffabd0a1ce1b2dab8edfa4578b01c5f35e378

  • SSDEEP

    3072:QhfMcBqJoNVu6K4M9p4V2SyHv0vM/9oiTX8:QhfMnUVu6K4Mj4IHvoM/958

Score
9/10

Malware Config

Signatures

  • Contacts a large (53973) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Writes file to system bin folder 1 TTPs 2 IoCs

Processes

  • /tmp/d1a147e54c0dcff06963d09b0625bebb
    /tmp/d1a147e54c0dcff06963d09b0625bebb
    1⤵
      PID:655

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Persistence

    Hijack Execution Flow

    1
    T1574

    Privilege Escalation

    Hijack Execution Flow

    1
    T1574

    Defense Evasion

    Impair Defenses

    1
    T1562

    Hijack Execution Flow

    1
    T1574

    Discovery

    Network Service Discovery

    2
    T1046

    Replay Monitor

    Loading Replay Monitor...

    Downloads