8459dcccc75f3a5ee56579ffdc93c8fb31c4b724e462163818a35f4f11bebcfc

Analysis

max time kernel
152s
max time network
150s
platform
debian-9_armhf
resource
debian9-armhf-20231215-en
resource tags

arch:armhfimage:debian9-armhf-20231215-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
01-02-2024 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71c7ff9c4d21858392ae494849f4cb74.elf
Size

42KB
MD5

71c7ff9c4d21858392ae494849f4cb74
SHA1

77e89964b08a928f59598f02cdb5117d21509e63
SHA256

8459dcccc75f3a5ee56579ffdc93c8fb31c4b724e462163818a35f4f11bebcfc
SHA512

8f911520791daaeb41d12d2f0e5f0a3a13b136f302c3aa9d3a7eb42168ee9427e9956230591d4b63f7e9b813d42ea330f4d41921b224fdd7a38f4d432eaae492
SSDEEP

768:i5g4AoHmzoEFm0wDkKEt732AMlQrD8PBjV3IQQBF55h94bedLWnQLvrn1G8WfO7:2bNmo0x1MtPBhYQQBv5IQzDXV7

Score

7^/10

Malware Config

Signatures

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	/busybox	649	71c7ff9c4d21858392ae494849f4cb74.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	71c7ff9c4d21858392ae494849f4cb74.elf
File opened for modification	/dev/misc/watchdog	71c7ff9c4d21858392ae494849f4cb74.elf

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 1 TTPs 1 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/sbin/watchdog	71c7ff9c4d21858392ae494849f4cb74.elf

Enumerates kernel/hardware configuration 1 TTPs 3 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/virtual/misc/watchdog	71c7ff9c4d21858392ae494849f4cb74.elf
File opened for reading	/sys/class/misc/watchdog	71c7ff9c4d21858392ae494849f4cb74.elf
File opened for reading	/sys/class/watchdog	71c7ff9c4d21858392ae494849f4cb74.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc
File opened for reading	/proc/778/maps
File opened for reading	/proc/274/exe
File opened for reading	/proc/657/exe
File opened for reading	/proc/707/maps
File opened for reading	/proc/768/exe
File opened for reading	/proc/777/maps
File opened for reading	/proc/316/exe
File opened for reading	/proc/582/maps
File opened for reading	/proc/682/exe
File opened for reading	/proc/748/maps
File opened for reading	/proc/695/exe
File opened for reading	/proc/162/exe
File opened for reading	/proc/627/exe
File opened for reading	/proc/667/maps
File opened for reading	/proc/691/exe
File opened for reading	/proc/785/maps
File opened for reading	/proc/789/maps
File opened for reading	/proc/579/maps
File opened for reading	/proc/747/maps
File opened for reading	/proc/774/maps
File opened for reading	/proc/779/exe
File opened for reading	/proc/650/exe
File opened for reading	/proc/674/maps
File opened for reading	/proc/756/maps
File opened for reading	/proc/636/exe
File opened for reading	/proc/267/maps
File opened for reading	/proc/290/maps
File opened for reading	/proc/311/maps
File opened for reading	/proc/636/maps
File opened for reading	/proc/790/exe
File opened for reading	/proc/755/maps
File opened for reading	/proc/786/exe
File opened for reading	/proc/795/maps
File opened for reading	/proc/795/exe
File opened for reading	/proc/687/maps
File opened for reading	/proc/761/exe
File opened for reading	/proc/769/maps
File opened for reading	/proc/776/exe
File opened for reading	/proc/270/exe
File opened for reading	/proc/272/exe
File opened for reading	/proc/577/maps
File opened for reading	/proc/650/maps
File opened for reading	/proc/781/exe
File opened for reading	/proc/792/exe
File opened for reading	/proc/674/exe
File opened for reading	/proc/730/exe
File opened for reading	/proc/272/maps
File opened for reading	/proc/658/exe
File opened for reading	/proc/793/exe
File opened for reading	/proc/794/maps
File opened for reading	/proc/720/maps
File opened for reading	/proc/765/exe
File opened for reading	/proc/776/maps
File opened for reading	/proc/274/maps
File opened for reading	/proc/625/maps
File opened for reading	/proc/625/exe
File opened for reading	/proc/672/maps
File opened for reading	/proc/778/exe
File opened for reading	/proc/313/exe
File opened for reading	/proc/574/maps
File opened for reading	/proc/662/maps
File opened for reading	/proc/747/exe
File opened for reading	/proc/794/exe
File opened for reading	/proc/727/maps

/tmp/71c7ff9c4d21858392ae494849f4cb74.elf
/tmp/71c7ff9c4d21858392ae494849f4cb74.elf
1⤵
- Changes its process name
- Modifies Watchdog functionality
- Writes file to system bin folder
- Enumerates kernel/hardware configuration
PID:649

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads