Analysis
-
max time kernel: 150s
-
max time network: 150s
-
platform: debian-9_armhf
-
resource: debian9-armhf-20240226-en
-
resource tags: arch:armhf, image:debian9-armhf-20240226-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
-
submitted: 19-04-2024 15:31
Behavioral task: behavioral1
Sample: arm
Resource: debian9-armhf-20240226-en
General
-
Target: arm
-
Size: 77KB
-
MD5: 8236382015d64f53bb7bf407dafc0892
-
SHA1: 06fa7cd799751a8b6970f7a3954652e84978d970
-
SHA256: 66645f119cbaa36252f66cb8722d746a473373fbd2b950820eae410fba51e069
-
SHA512: cd5cd9ffae4cff12ed9727fc85705802f3f7ed41c6b7fc60809afeea2410de1708ea01bf19eb558ac60e1f143c5aa8a2b999b5c98f32f09af3335ea80e166fd6
-
SSDEEP: 1536:y4D7ee8e0vbIOu0dms/pLF+O3X7GTZNcNWtzqqPe3vM8:y4D7me0LnHp3X7GTZNcmGM8
Malware Config
Signatures
-
Changes its process name (1 IoC)
Processes:
description | ioc | pid | process
Changes the process name, possibly in an attempt to hide itself | dsov8mp2pt0e28glhn7j | 660 | arm
-
Deletes itself (1 IoC)
Processes:
pid | process
660 | arm
-
Deletes system logs (1 TTP, 2 IoCs)
Deletes the log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
Processes:
description | ioc
File deleted | /var/log/syslog
File deleted | /var/log/messages
-
Modifies Watchdog functionality (1 TTP, 2 IoCs)
Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.
Processes:
description | ioc | process
File opened for modification | /dev/misc/watchdog | arm
File opened for modification | /dev/watchdog | arm
-
Deletes log files (1 TTP, 5 IoCs)
Deletes log files on the system.
Processes:
description | ioc
File deleted | /var/log/lastlog
File deleted | /var/log/auth.log
File deleted | /var/log/wtmp
File deleted | /var/log/daemon.log
File deleted | /var/log/kern.log
-
Enumerates running processes
Discovers information about currently running processes on the system.
-
Reads runtime system information (64 IoCs)
Reads data from the /proc virtual filesystem.