83f452bf5080dc0f68fe760742099fe012240c0743bc52bedbd4f8311ca1db0a

Analysis

max time kernel
149s
max time network
151s
platform
debian-9_armhf
resource
debian9-armhf-20240226-en
resource tags

arch:armhfimage:debian9-armhf-20240226-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
11-03-2024 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ad22a06b06ea861f73cf07c3e5ae88d.elf
Size

63KB
MD5

6ad22a06b06ea861f73cf07c3e5ae88d
SHA1

ee67abd91a64eeca616d04e16c3bac1f1255f91f
SHA256

83f452bf5080dc0f68fe760742099fe012240c0743bc52bedbd4f8311ca1db0a
SHA512

597a3f8a79668d13449699fa76a9ac3e571a68b4e0f4e79e1d21dcd6103cf197b9f6b1a4e768e98b91314dff7b545ce9b1519a5e003ed3e0fd5f5f8ddc00e9b2
SSDEEP

1536:af2JIv7Dc/4a9sRjchE7Ebz/UI+eeIeWNvb:af2JIeFsn7Ebz/mIb

Score

7^/10

discovery

Malware Config

Signatures

Changes its process name 1 IoCs

Processes:

6ad22a06b06ea861f73cf07c3e5ae88d.elf

description ioc pid process

Changes the process name, possibly in an attempt to hide itself telnetd 638 6ad22a06b06ea861f73cf07c3e5ae88d.elf
Deletes itself 1 IoCs

Processes:

6ad22a06b06ea861f73cf07c3e5ae88d.elf

pid process

638 6ad22a06b06ea861f73cf07c3e5ae88d.elf
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 195.10.195.195
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates running processes
Discovers information about currently running processes on the system

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	telnetd	638	6ad22a06b06ea861f73cf07c3e5ae88d.elf

pid	process
638	6ad22a06b06ea861f73cf07c3e5ae88d.elf

description	ioc
Destination IP	195.10.195.195

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc
File opened for reading	/proc/729/cmdline
File opened for reading	/proc/737/cmdline
File opened for reading	/proc/747/cmdline
File opened for reading	/proc/763/cmdline
File opened for reading	/proc/186/cmdline
File opened for reading	/proc/275/cmdline
File opened for reading	/proc/661/cmdline
File opened for reading	/proc/702/cmdline
File opened for reading	/proc/743/cmdline
File opened for reading	/proc/29/cmdline
File opened for reading	/proc/640/cmdline
File opened for reading	/proc/646/cmdline
File opened for reading	/proc/721/cmdline
File opened for reading	/proc/723/cmdline
File opened for reading	/proc/727/cmdline
File opened for reading	/proc/756/cmdline
File opened for reading	/proc/41/cmdline
File opened for reading	/proc/591/cmdline
File opened for reading	/proc/675/cmdline
File opened for reading	/proc/719/cmdline
File opened for reading	/proc/775/cmdline
File opened for reading	/proc/776/cmdline
File opened for reading	/proc/14/cmdline
File opened for reading	/proc/15/cmdline
File opened for reading	/proc/733/cmdline
File opened for reading	/proc/766/cmdline
File opened for reading	/proc/770/cmdline
File opened for reading	/proc/631/cmdline
File opened for reading	/proc/663/cmdline
File opened for reading	/proc/672/cmdline
File opened for reading	/proc/674/cmdline
File opened for reading	/proc/43/cmdline
File opened for reading	/proc/715/cmdline
File opened for reading	/proc/754/cmdline
File opened for reading	/proc/7/cmdline
File opened for reading	/proc/10/cmdline
File opened for reading	/proc/12/cmdline
File opened for reading	/proc/573/cmdline
File opened for reading	/proc/625/cmdline
File opened for reading	/proc/636/cmdline
File opened for reading	/proc/676/cmdline
File opened for reading	/proc/767/cmdline
File opened for reading	/proc/768/cmdline
File opened for reading	/proc/771/cmdline
File opened for reading	/proc/18/cmdline
File opened for reading	/proc/653/cmdline
File opened for reading	/proc/682/cmdline
File opened for reading	/proc/694/cmdline
File opened for reading	/proc/760/cmdline
File opened for reading	/proc/761/cmdline
File opened for reading	/proc/11/cmdline
File opened for reading	/proc/741/cmdline
File opened for reading	/proc/753/cmdline
File opened for reading	/proc/755/cmdline
File opened for reading	/proc/762/cmdline
File opened for reading	/proc/774/cmdline
File opened for reading	/proc/2/cmdline
File opened for reading	/proc/140/cmdline
File opened for reading	/proc/680/cmdline
File opened for reading	/proc/690/cmdline
File opened for reading	/proc/746/cmdline
File opened for reading	/proc/709/cmdline
File opened for reading	/proc/1/cmdline
File opened for reading	/proc/309/cmdline

/tmp/6ad22a06b06ea861f73cf07c3e5ae88d.elf
/tmp/6ad22a06b06ea861f73cf07c3e5ae88d.elf
1⤵
- Changes its process name
- Deletes itself
PID:638

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads