Analysis
-
max time kernel
150s -
max time network
152s -
platform
debian-9_mips -
resource
debian9-mipsbe-20240226-en -
resource tags
arch:mips image:debian9-mipsbe-20240226-en kernel:4.9.0-13-4kc-malta locale:en-us os:debian-9-mips system -
submitted
19/04/2024, 08:23
Static task
static1
General
-
Target
f9e6866838b742d7cee02fb3b4717436_JaffaCakes118
-
Size
38KB
-
MD5
f9e6866838b742d7cee02fb3b4717436
-
SHA1
4fbde8207e2ca9499fbc4f0d8cf54b70315e0012
-
SHA256
381ed94988acc932d33ab5cef93f85b31df2bc352c9538415811de040945225d
-
SHA512
ccb59a2b92adb2ef610fdd7ca2c950bcf7c2bf43e42f05fd98090ca9d2abc6de9894ceaf385de70674321916dae0da317e960507ea0268b208783d1d9e1de59c
-
SSDEEP
768:tkRdVMqfF6yk6e83nlcZXAiKFLZBphBf5+sqy2uaN9JgGlzDpxYs2:C76qfF6oe8OwjLzphBf5+sgXVrYh
Malware Config
Extracted
mirai
KYTON
Signatures
-
Contacts a large (110808) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Changes its process name 1 IoCs
description | ioc | pid | Process
Changes the process name, possibly in an attempt to hide itself | qcCHU7FCF6UgVAsH | 696 | f9e6866838b742d7cee02fb3b4717436_JaffaCakes118
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description | ioc
File opened for modification | /dev/watchdog
File opened for modification | /dev/misc/watchdog
-
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
description | ioc
File opened for reading | /proc/net/tcp
-
Writes file to system bin folder 1 TTPs 1 IoCs
description | ioc
File opened for modification | /bin/watchdog
-
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
description | ioc
File opened for reading | /proc/net/tcp
-
Reads runtime system information 2 IoCs
Reads data from /proc virtual filesystem.
description | ioc | Process
File opened for reading | /proc/self/exe | f9e6866838b742d7cee02fb3b4717436_JaffaCakes118
File opened for reading | /proc/699/exe | Process not Found