Analysis
-
max time kernel
151s -
max time network
155s -
platform
debian-9_armhf -
resource
debian9-armhf-20231215-en -
resource tags
arch:armhfimage:debian9-armhf-20231215-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
20-12-2023 15:05
Behavioral task
behavioral1
Sample
d1a6abf2766bfa165828fa5b26ce06b7
Resource
debian9-armhf-20231215-en
General
-
Target
d1a6abf2766bfa165828fa5b26ce06b7
-
Size
107KB
-
MD5
d1a6abf2766bfa165828fa5b26ce06b7
-
SHA1
61c32cd7e9f64d0bce402c11540e8bbab44492fc
-
SHA256
570446a84f151173578455067b6abff9d20fbd20530c5e8277b3c1c4ebc6a0a7
-
SHA512
7359e3b9d831b910efc62a2ab5520b1548f1f81d69214f88cc5072ec19ac38caef2061b37cde3042d2ee8d625dd1cb2b9941c8ed83a3a022b6911232586e9526
-
SSDEEP
3072:ReNX2SozVJb+WgzX16CfRaQIkQCxuM+XD/M/9ARmqXO7:ReNX2SeyFF6CfRaQINCV+XLM/9uDO7
Malware Config
Signatures
-
Contacts a large (53619) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
Processes:
description ioc File opened for modification /dev/watchdog File opened for modification /dev/misc/watchdog -
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
Processes:
description ioc File opened for reading /proc/net/tcp -
Writes file to system bin folder 1 TTPs 2 IoCs
Processes:
description ioc File opened for modification /sbin/watchdog File opened for modification /bin/watchdog -
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
Processes:
description ioc File opened for reading /proc/net/tcp