857a212b0821f0ab9b723911d4cad313cf919355eecdba02190bee296bff2fdc

Analysis

max time kernel
149s
max time network
152s
platform
debian-9_armhf
resource
debian9-armhf-20240226-en
resource tags

arch:armhfimage:debian9-armhf-20240226-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
12/03/2024, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b5d6ec7e3cd2902a51736b3bc5b5a4d.elf
Size

196KB
MD5

3b5d6ec7e3cd2902a51736b3bc5b5a4d
SHA1

a715febfbd5c4e806abc85a5e536199d934bbe91
SHA256

857a212b0821f0ab9b723911d4cad313cf919355eecdba02190bee296bff2fdc
SHA512

f5d29b12ebba045919742cc26552fb8a140dffd042f73f401723fa0dd222d4d9defb966e99f3e21f837cb896f5fe64786aa3872dc256d1c0b167e14d965d5c79
SSDEEP

6144:mTyUqJZk4au2ROU82nY1PRiKreX4M/RkWZrX:mTyhZk4au2ROU8q2EPXt/CGrX

Score

9^/10

discovery

Malware Config

Signatures

Contacts a large (93075) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	MC	643	3b5d6ec7e3cd2902a51736b3bc5b5a4d.elf

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc
File opened for reading	/proc/28/status
File opened for reading	/proc/295/status
File opened for reading	/proc/9/status
File opened for reading	/proc/28/cmdline
File opened for reading	/proc/767/status
File opened for reading	/proc/217/cmdline
File opened for reading	/proc/7/status
File opened for reading	/proc/20/status
File opened for reading	/proc/543/status
File opened for reading	/proc/41/cmdline
File opened for reading	/proc/778/status
File opened for reading	/proc/75/status
File opened for reading	/proc/147/status
File opened for reading	/proc/5/cmdline
File opened for reading	/proc/273/cmdline
File opened for reading	/proc/644/cmdline
File opened for reading	/proc/646/cmdline
File opened for reading	/proc/676/cmdline
File opened for reading	/proc/759/cmdline
File opened for reading	/proc/5/status
File opened for reading	/proc/75/cmdline
File opened for reading	/proc/307/cmdline
File opened for reading	/proc/742/status
File opened for reading	/proc/779/cmdline
File opened for reading	/proc/767/cmdline
File opened for reading	/proc/19/status
File opened for reading	/proc/637/status
File opened for reading	/proc/583/cmdline
File opened for reading	/proc/642/cmdline
File opened for reading	/proc/274/status
File opened for reading	/proc/630/status
File opened for reading	/proc/42/cmdline
File opened for reading	/proc/583/status
File opened for reading	/proc/14/cmdline
File opened for reading	/proc/106/cmdline
File opened for reading	/proc/781/status
File opened for reading	/proc/8/status
File opened for reading	/proc/10/status
File opened for reading	/proc/13/status
File opened for reading	/proc/644/status
File opened for reading	/proc/26/cmdline
File opened for reading	/proc/24/status
File opened for reading	/proc/305/status
File opened for reading	/proc/641/status
File opened for reading	/proc/274/cmdline
File opened for reading	/proc/754/cmdline
File opened for reading	/proc/14/status
File opened for reading	/proc/15/cmdline
File opened for reading	/proc/774/cmdline
File opened for reading	/proc/27/cmdline
File opened for reading	/proc/133/cmdline
File opened for reading	/proc/556/cmdline
File opened for reading	/proc/582/cmdline
File opened for reading	/proc/647/cmdline
File opened for reading	/proc/638/status
File opened for reading	/proc/25/cmdline
File opened for reading	/proc/639/cmdline
File opened for reading	/proc/fs/cmdline
File opened for reading	/proc/269/cmdline
File opened for reading	/proc/637/cmdline
File opened for reading	/proc/707/status
File opened for reading	/proc/16/cmdline
File opened for reading	/proc/543/cmdline
File opened for reading	/proc/771/cmdline

/tmp/3b5d6ec7e3cd2902a51736b3bc5b5a4d.elf
/tmp/3b5d6ec7e3cd2902a51736b3bc5b5a4d.elf
1⤵
- Changes its process name
PID:643

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...