Analysis Overview
SHA256
46372c7f8f7d4659006efd1ef9e614b063e59cc1deb616aee962c2931785e8f5
Threat Level: Shows suspicious behavior
The file ce006232d9983334aead018d7ae064de.bin was found to be: Shows suspicious behavior.
Malicious Activity Summary
Modifies Watchdog functionality
Changes its process name
Enumerates active TCP sockets
Enumerates running processes
Reads system network configuration
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-08 03:42
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-08 03:42
Reported
2024-01-08 03:44
Platform
debian9-mipsbe-20231222-en
Max time kernel
1s
Max time network
28s
Command Line
Signatures
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | /var/Sofia | /tmp/1e813727174a3135165ef0fa74664f5305527c64a5a52da61bcfa30f8053373d.elf | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/watchdog | /tmp/1e813727174a3135165ef0fa74664f5305527c64a5a52da61bcfa30f8053373d.elf | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/1e813727174a3135165ef0fa74664f5305527c64a5a52da61bcfa30f8053373d.elf | N/A |
Enumerates active TCP sockets
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/tcp | N/A | N/A |
Enumerates running processes
Reads system network configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/tcp | N/A | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/10/stat | N/A | N/A |
| File opened for reading | /proc/6/stat | N/A | N/A |
| File opened for reading | /proc/8/cmdline | N/A | N/A |
| File opened for reading | /proc/12/cmdline | N/A | N/A |
| File opened for reading | /proc/16/fd | N/A | N/A |
| File opened for reading | /proc/17/cmdline | N/A | N/A |
| File opened for reading | /proc/36/fd | N/A | N/A |
| File opened for reading | /proc/80/stat | N/A | N/A |
| File opened for reading | /proc/3/fd | N/A | N/A |
| File opened for reading | /proc/20/stat | N/A | N/A |
| File opened for reading | /proc/36/cmdline | N/A | N/A |
| File opened for reading | /proc/9/fd | N/A | N/A |
| File opened for reading | /proc/72/stat | N/A | N/A |
| File opened for reading | /proc/20/cmdline | N/A | N/A |
| File opened for reading | /proc/79/cmdline | N/A | N/A |
| File opened for reading | /proc/12/fd | N/A | N/A |
| File opened for reading | /proc/21/stat | N/A | N/A |
| File opened for reading | /proc/24/cmdline | N/A | N/A |
| File opened for reading | /proc/18/fd | N/A | N/A |
| File opened for reading | /proc/17/fd | N/A | N/A |
| File opened for reading | /proc/19/cmdline | N/A | N/A |
| File opened for reading | /proc/21/fd | N/A | N/A |
| File opened for reading | /proc/37/cmdline | N/A | N/A |
| File opened for reading | /proc/70/stat | N/A | N/A |
| File opened for reading | /proc/74/cmdline | N/A | N/A |
| File opened for reading | /proc/16/stat | N/A | N/A |
| File opened for reading | /proc/22/fd | N/A | N/A |
| File opened for reading | /proc/74/stat | N/A | N/A |
| File opened for reading | /proc/81/fd | N/A | N/A |
| File opened for reading | /proc/4/fd | N/A | N/A |
| File opened for reading | /proc/2/cmdline | N/A | N/A |
| File opened for reading | /proc/6/fd | N/A | N/A |
| File opened for reading | /proc/7/stat | N/A | N/A |
| File opened for reading | /proc/7/fd | N/A | N/A |
| File opened for reading | /proc/18/cmdline | N/A | N/A |
| File opened for reading | /proc/37/fd | N/A | N/A |
| File opened for reading | /proc/70/fd | N/A | N/A |
| File opened for reading | /proc/75/stat | N/A | N/A |
| File opened for reading | /proc/5/cmdline | N/A | N/A |
| File opened for reading | /proc/23/fd | N/A | N/A |
| File opened for reading | /proc/77/fd | N/A | N/A |
| File opened for reading | /proc/5/stat | N/A | N/A |
| File opened for reading | /proc/11/fd | N/A | N/A |
| File opened for reading | /proc/15/cmdline | N/A | N/A |
| File opened for reading | /proc/75/fd | N/A | N/A |
| File opened for reading | /proc/76/stat | N/A | N/A |
| File opened for reading | /proc/105/cmdline | N/A | N/A |
| File opened for reading | /proc/9/stat | N/A | N/A |
| File opened for reading | /proc/80/fd | N/A | N/A |
| File opened for reading | /proc/81/stat | N/A | N/A |
| File opened for reading | /proc/14/cmdline | N/A | N/A |
| File opened for reading | /proc/18/stat | N/A | N/A |
| File opened for reading | /proc/22/stat | N/A | N/A |
| File opened for reading | /proc/23/cmdline | N/A | N/A |
| File opened for reading | /proc/74/fd | N/A | N/A |
| File opened for reading | /proc/76/fd | N/A | N/A |
| File opened for reading | /proc/77/stat | N/A | N/A |
| File opened for reading | /proc/8/stat | N/A | N/A |
| File opened for reading | /proc/6/cmdline | N/A | N/A |
| File opened for reading | /proc/19/fd | N/A | N/A |
| File opened for reading | /proc/4/stat | N/A | N/A |
| File opened for reading | /proc/24/stat | N/A | N/A |
| File opened for reading | /proc/71/stat | N/A | N/A |
| File opened for reading | /proc/71/cmdline | N/A | N/A |
Processes
/tmp/1e813727174a3135165ef0fa74664f5305527c64a5a52da61bcfa30f8053373d.elf
[/tmp/1e813727174a3135165ef0fa74664f5305527c64a5a52da61bcfa30f8053373d.elf]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | apple.bbos.ink | udp |
| LT | 176.223.133.62:1290 | apple.bbos.ink | tcp |