Analysis
max time kernel: 148s
max time network: 150s
platform: debian-9_mips
resource: debian9-mipsbe-20240226-en
resource tags: arch:mips, image:debian9-mipsbe-20240226-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
submitted: 22-04-2024 01:46
Behavioral task: behavioral1
Sample: a1e1dca5ae87516c59f114b1ab914ac85b147781db055d795c4d016642d49c4e.elf
Resource: debian9-mipsbe-20240226-en
General
Target: a1e1dca5ae87516c59f114b1ab914ac85b147781db055d795c4d016642d49c4e.elf
Size: 95KB
MD5: 0cfcc8b1438300100879682b60b9035b
SHA1: ba09d45381539287aadb51176b0484e787e5d3d6
SHA256: a1e1dca5ae87516c59f114b1ab914ac85b147781db055d795c4d016642d49c4e
SHA512: bf299c27fff04f0f9d8aa890bd1323abc78d542588d2deb16c6db1baac9c1c2d94e9689948b8113cb7cd93a2a94872435a8dfacc345bcce79c7a46a4216d1114
SSDEEP: 1536:0Bb1bb/M3kV7DgDqnmX2OjxPqC3tXqmB0gXmxTJmc3Be4ipHQ:61bbU3kVw2ndmPN7B0gQT93YpHQ
Malware Config
Signatures

Deletes Audit logs
Processes:
  description    ioc                        process
  File deleted   /var/log/audit/audit.log   a1e1dca5ae87516c59f114b1ab914ac85b147781db055d795c4d016642d49c4e.elf
Deletes itself 1 IoCs
Processes:
  pid   process
  720   a1e1dca5ae87516c59f114b1ab914ac85b147781db055d795c4d016642d49c4e.elf
Deletes system logs 1 TTPs 1 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
Processes:
  description    ioc               process
  File deleted   /var/log/syslog   a1e1dca5ae87516c59f114b1ab914ac85b147781db055d795c4d016642d49c4e.elf
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
Processes:
  description                     ioc                   process
  File opened for modification    /dev/misc/watchdog    a1e1dca5ae87516c59f114b1ab914ac85b147781db055d795c4d016642d49c4e.elf
  File opened for modification    /dev/watchdog         a1e1dca5ae87516c59f114b1ab914ac85b147781db055d795c4d016642d49c4e.elf
Deletes log files 1 TTPs 2 IoCs
Deletes log files on the system.
Processes:
  description    ioc                   process
  File deleted   /var/log/daemon.log   a1e1dca5ae87516c59f114b1ab914ac85b147781db055d795c4d016642d49c4e.elf
  File deleted   /var/log/auth.log     a1e1dca5ae87516c59f114b1ab914ac85b147781db055d795c4d016642d49c4e.elf
Enumerates running processes
Discovers information about currently running processes on the system.
Changes its process name 1 IoCs
Processes:
  description                                                         ioc            pid   process
  Changes the process name, possibly in an attempt to hide itself     w4j8wnmedmij   720   a1e1dca5ae87516c59f114b1ab914ac85b147781db055d795c4d016642d49c4e.elf
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
Processes
/tmp/a1e1dca5ae87516c59f114b1ab914ac85b147781db055d795c4d016642d49c4e.elf (command line: /tmp/a1e1dca5ae87516c59f114b1ab914ac85b147781db055d795c4d016642d49c4e.elf)
- Deletes Audit logs
- Deletes itself
- Deletes system logs
- Modifies Watchdog functionality
- Deletes log files
- Changes its process name
- Reads runtime system information