31b8395874d65fe35d873e436d224fc5c309d50b4324bdb7c8b8bb21f0de6e62

Analysis

max time kernel
149s
max time network
130s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240226-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240226-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
07-04-2024 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1543-1-0x0000000000400000-0x000000000050de48-memory.dmp
Size

52KB
MD5

082d7cf906979acce0a2e9cacb44aa68
SHA1

c42c1c5d943376a8b10cf2563d5963b6d88c2daa
SHA256

31b8395874d65fe35d873e436d224fc5c309d50b4324bdb7c8b8bb21f0de6e62
SHA512

a454f3c1a4746a7564b506dbab5ef306cca20ef8a4b7e9781a66ab7e52d93265a4cc8689a5b0f1c764d39e8629943ad778ce24514b5ab081b537ac92204afee8
SSDEEP

1536:+fHlPDdJaEcLAeF9TUDWog1HHJYC0QkiuVn4Pq:IHlPZMEcTFZ2A1HHJp0hVn4Pq

Score

7^/10

Malware Config

Signatures

Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

description ioc

File opened for modification /dev/watchdog
File opened for modification /dev/misc/watchdog
Enumerates running processes
Discovers information about currently running processes on the system
Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow
T1574

Processes:

description ioc

File opened for modification /sbin/watchdog
File opened for modification /bin/watchdog

description	ioc
File opened for modification	/dev/watchdog
File opened for modification	/dev/misc/watchdog

description	ioc
File opened for modification	/sbin/watchdog
File opened for modification	/bin/watchdog

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc
File opened for reading	/proc/428/cmdline
File opened for reading	/proc/1342/cmdline
File opened for reading	/proc/1576/cmdline
File opened for reading	/proc/495/cmdline
File opened for reading	/proc/1274/cmdline
File opened for reading	/proc/1295/cmdline
File opened for reading	/proc/488/cmdline
File opened for reading	/proc/1148/cmdline
File opened for reading	/proc/1556/cmdline
File opened for reading	/proc/1624/cmdline
File opened for reading	/proc/650/cmdline
File opened for reading	/proc/707/cmdline
File opened for reading	/proc/923/cmdline
File opened for reading	/proc/1464/cmdline
File opened for reading	/proc/1523/cmdline
File opened for reading	/proc/415/cmdline
File opened for reading	/proc/1113/cmdline
File opened for reading	/proc/1149/cmdline
File opened for reading	/proc/932/cmdline
File opened for reading	/proc/1049/cmdline
File opened for reading	/proc/441/cmdline
File opened for reading	/proc/476/cmdline
File opened for reading	/proc/1184/cmdline
File opened for reading	/proc/1173/cmdline
File opened for reading	/proc/1630/cmdline
File opened for reading	/proc/1135/cmdline
File opened for reading	/proc/1218/cmdline
File opened for reading	/proc/525/cmdline
File opened for reading	/proc/597/cmdline
File opened for reading	/proc/640/cmdline
File opened for reading	/proc/1568/cmdline
File opened for reading	/proc/520/cmdline
File opened for reading	/proc/1187/cmdline
File opened for reading	/proc/1525/cmdline
File opened for reading	/proc/1152/cmdline
File opened for reading	/proc/1527/cmdline
File opened for reading	/proc/1294/cmdline
File opened for reading	/proc/1382/cmdline
File opened for reading	/proc/1441/cmdline
File opened for reading	/proc/1131/cmdline
File opened for reading	/proc/1167/cmdline
File opened for reading	/proc/1185/cmdline
File opened for reading	/proc/1181/cmdline
File opened for reading	/proc/1243/cmdline
File opened for reading	/proc/1066/cmdline
File opened for reading	/proc/1333/cmdline
File opened for reading	/proc/413/cmdline
File opened for reading	/proc/461/cmdline
File opened for reading	/proc/861/cmdline
File opened for reading	/proc/1166/cmdline
File opened for reading	/proc/459/cmdline
File opened for reading	/proc/482/cmdline
File opened for reading	/proc/1153/cmdline
File opened for reading	/proc/1359/cmdline
File opened for reading	/proc/1127/cmdline
File opened for reading	/proc/1144/cmdline
File opened for reading	/proc/1156/cmdline
File opened for reading	/proc/1069/cmdline
File opened for reading	/proc/1139/cmdline
File opened for reading	/proc/1533/cmdline
File opened for reading	/proc/599/cmdline
File opened for reading	/proc/1313/cmdline
File opened for reading	/proc/1612/cmdline
File opened for reading	/proc/1191/cmdline

/tmp/1543-1-0x0000000000400000-0x000000000050de48-memory.dmp
/tmp/1543-1-0x0000000000400000-0x000000000050de48-memory.dmp
1⤵
PID:1529

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Impair Defenses

T1562

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads