96d0b2ae7f57ee69b30870481a5a2bc820e818945b88ce1183f3e185be7a59b4

Analysis

max time kernel
151s
max time network
8s
platform
debian-9_armhf
resource
debian9-armhf-20231222-en
resource tags

arch:armhfimage:debian9-armhf-20231222-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
12-02-2024 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96d0b2ae7f57ee69b30870481a5a2bc820e818945b88ce1183f3e185be7a59b4.elf
Size

54KB
MD5

2e3c3da156c331de90cd5de6eff18f33
SHA1

7a7c93f62325c9ba5420e1ae5aed02c2333c25ee
SHA256

96d0b2ae7f57ee69b30870481a5a2bc820e818945b88ce1183f3e185be7a59b4
SHA512

66aa4281b83118c0e50cb913e54f79819b1a32a6bef525f9130e687ec485358a21b9cfb661106edf837edcdccca381534a170c751c20eeed626edee006a96a9a
SSDEEP

1536:/M99jmL8BZp9IFUoWKdYuvQ54wIqkypZ:/M9VrmypZ

Score

7^/10

Malware Config

Signatures

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

description	ioc
File opened for modification	/dev/watchdog
File opened for modification	/dev/misc/watchdog

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/bin/watchdog
File opened for modification	/sbin/watchdog

Reads runtime system information 31 IoCs

Reads data from /proc virtual filesystem.

description	ioc
File opened for reading	/proc/660/cmdline
File opened for reading	/proc/784/cmdline
File opened for reading	/proc/790/cmdline
File opened for reading	/proc/786/cmdline
File opened for reading	/proc/788/cmdline
File opened for reading	/proc/584/cmdline
File opened for reading	/proc/615/cmdline
File opened for reading	/proc/648/cmdline
File opened for reading	/proc/780/cmdline
File opened for reading	/proc/794/cmdline
File opened for reading	/proc/661/cmdline
File opened for reading	/proc/682/cmdline
File opened for reading	/proc/734/cmdline
File opened for reading	/proc/777/cmdline
File opened for reading	/proc/579/cmdline
File opened for reading	/proc/658/cmdline
File opened for reading	/proc/685/cmdline
File opened for reading	/proc/798/cmdline
File opened for reading	/proc/654/cmdline
File opened for reading	/proc/766/cmdline
File opened for reading	/proc/770/cmdline
File opened for reading	/proc/796/cmdline
File opened for reading	/proc/583/cmdline
File opened for reading	/proc/726/cmdline
File opened for reading	/proc/738/cmdline
File opened for reading	/proc/782/cmdline
File opened for reading	/proc/792/cmdline
File opened for reading	/proc/581/cmdline
File opened for reading	/proc/722/cmdline
File opened for reading	/proc/775/cmdline
File opened for reading	/proc/778/cmdline

/tmp/96d0b2ae7f57ee69b30870481a5a2bc820e818945b88ce1183f3e185be7a59b4.elf
/tmp/96d0b2ae7f57ee69b30870481a5a2bc820e818945b88ce1183f3e185be7a59b4.elf
1⤵
PID:678

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads