Analysis
-
max time kernel
152s -
max time network
130s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20231221-en -
resource tags
arch:amd64arch:i386image:ubuntu1804-amd64-20231221-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system -
submitted
13-02-2024 03:39
General
-
Target
a0587444b330396a655da01a7cc8405774da42b042a61812f884b95102273a70.elf
-
Size
20KB
-
MD5
ff6de7225359086e82701d3738bc68a8
-
SHA1
79cc64d6d0439f769a108f2b0e1e2fe9913a870d
-
SHA256
a0587444b330396a655da01a7cc8405774da42b042a61812f884b95102273a70
-
SHA512
79c5c81dd533fd843f030443be0ac05ec1569f18ebea1da4261c3d85e381d01fd5cc1538b1f5f0b842a30ef0d22e247395f1180d50e0a3e7ad4b1d53bb5efabe
-
SSDEEP
384:M0sLpj8s/qPui8uZxoIA57RWQjJiEVi+ZkJaQNAr8vcoBAvP+qNV+KLebRtu7SyQ:k98o08kxofBE+ZkJaT47C2EpitmQ
Malware Config
Extracted
Family
mirai
Botnet
LZRD
Signatures
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description ioc File opened for modification /dev/watchdog File opened for modification /dev/misc/watchdog -
Enumerates running processes
Discovers information about currently running processes on the system
-
Writes file to system bin folder 1 TTPs 2 IoCs
description ioc File opened for modification /bin/watchdog File opened for modification /sbin/watchdog -
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
description ioc File opened for reading /proc/1147/cmdline File opened for reading /proc/1617/cmdline File opened for reading /proc/722/cmdline File opened for reading /proc/741/cmdline File opened for reading /proc/974/cmdline File opened for reading /proc/1623/cmdline File opened for reading /proc/408/cmdline File opened for reading /proc/676/cmdline File opened for reading /proc/1201/cmdline File opened for reading /proc/450/cmdline File opened for reading /proc/1025/cmdline File opened for reading /proc/1352/cmdline File opened for reading /proc/558/cmdline File opened for reading /proc/1126/cmdline File opened for reading /proc/1310/cmdline File opened for reading /proc/1555/cmdline File opened for reading /proc/1572/cmdline File opened for reading /proc/1586/cmdline File opened for reading /proc/599/cmdline File opened for reading /proc/1044/cmdline File opened for reading /proc/1160/cmdline File opened for reading /proc/1553/cmdline File opened for reading /proc/1402/cmdline File opened for reading /proc/1560/cmdline File opened for reading /proc/1566/cmdline File opened for reading /proc/1143/cmdline File opened for reading /proc/1191/cmdline File opened for reading /proc/1326/cmdline File opened for reading /proc/1098/cmdline File opened for reading /proc/1130/cmdline File opened for reading /proc/1111/cmdline File opened for reading /proc/1151/cmdline File opened for reading /proc/1292/cmdline File opened for reading /proc/449/cmdline File opened for reading /proc/1078/cmdline File opened for reading /proc/1369/cmdline File opened for reading /proc/1578/cmdline File opened for reading /proc/525/cmdline File opened for reading /proc/1162/cmdline File opened for reading /proc/1074/cmdline File opened for reading /proc/1091/cmdline File opened for reading /proc/1179/cmdline File opened for reading /proc/1527/cmdline File opened for reading /proc/485/cmdline File opened for reading /proc/524/cmdline File opened for reading /proc/1139/cmdline File opened for reading /proc/1180/cmdline File opened for reading /proc/1554/cmdline File opened for reading /proc/406/cmdline File opened for reading /proc/672/cmdline File opened for reading /proc/1635/cmdline File opened for reading /proc/1275/cmdline File opened for reading /proc/1593/cmdline File opened for reading /proc/639/cmdline File opened for reading /proc/649/cmdline File opened for reading /proc/1251/cmdline File opened for reading /proc/1307/cmdline File opened for reading /proc/431/cmdline File opened for reading /proc/486/cmdline File opened for reading /proc/1081/cmdline File opened for reading /proc/1168/cmdline File opened for reading /proc/1599/cmdline File opened for reading /proc/674/cmdline File opened for reading /proc/978/cmdline