Analysis
max time kernel: 152s
max time network: 155s
platform: debian-9_armhf
resource: debian9-armhf-20231215-en
resource tags: arch:armhf, image:debian9-armhf-20231215-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 20-12-2023 16:02
Behavioral task: behavioral1
Sample: e1160bcab7906b0777f8e925a601da3f
Resource: debian9-armhf-20231215-en
General
Target: e1160bcab7906b0777f8e925a601da3f
Size: 109KB
MD5: e1160bcab7906b0777f8e925a601da3f
SHA1: cf680c912f19e73943da91c80b406f8ef55bde19
SHA256: 9499a321ffe0cc8ebc309265ce36673b4fdb9af8f254c68a4dd11cf30bd214c7
SHA512: c68d9a1f9bb2a5be7b7d75f2ff0c61fea0e79798536a8acfc66bc92be1c2d1470bc3fa1cf7bcadab8dddca518a6b85ee7f66b504202676d679e5847245a4d493
SSDEEP: 3072:YEgW8kgSv89f+xJzhMVuviVxk3M/9MNO7:YEgWf89f+xJ9M+iVxiM/9MNO7
Malware Config
Signatures
Contacts a large (54333) amount of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.
Changes its process name (1 IoC)
Processes:
description: Changes the process name, possibly in an attempt to hide itself | ioc: [NetworkSwitch] | pid: 654 | process: e1160bcab7906b0777f8e925a601da3f
Modifies Watchdog functionality (1 TTP, 2 IoCs)
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
Processes:
description: File opened for modification | ioc: /dev/watchdog
description: File opened for modification | ioc: /dev/misc/watchdog
Enumerates active TCP sockets (1 TTP, 1 IoC)
Gets active TCP sockets from /proc virtual filesystem.
Processes:
description: File opened for reading | ioc: /proc/net/tcp
Writes file to system bin folder (1 TTP, 2 IoCs)
Processes:
description: File opened for modification | ioc: /sbin/watchdog
description: File opened for modification | ioc: /bin/watchdog
Reads system network configuration (1 TTP, 1 IoC)
Uses contents of /proc filesystem to enumerate network settings.
Processes:
description: File opened for reading | ioc: /proc/net/tcp
Reads runtime system information (24 IoCs)
Reads data from /proc virtual filesystem.
Processes:
description: File opened for reading | ioc: /proc/578/fd, /proc/170/fd, /proc/273/fd, /proc/278/fd, /proc/311/fd, /proc/575/fd, /proc/583/fd, /proc/594/fd, /proc/627/fd, /proc/1/fd, /proc/274/fd, /proc/280/fd, /proc/312/fd, /proc/318/fd, /proc/584/fd, /proc/633/fd, /proc/658/fd, /proc/659/fd, /proc/143/fd, /proc/218/fd, /proc/279/fd, /proc/296/fd, /proc/632/fd, /proc/642/fd