Analysis
max time kernel: 151s
max time network: 142s
platform: debian-12_mipsel
resource: debian12-mipsel-20240221-en
resource tags: arch:mipsel image:debian12-mipsel-20240221-en kernel:6.1.0-17-4kc-malta locale:en-us os:debian-12-mipsel system
submitted: 25-04-2024 12:35
General
Target: SecuriteInfo.com.Linux.Siggen.9999.28176.3818.elf
Size: 28KB
MD5: 5fcf827521ca236e06e8de70b29f294b
SHA1: 323ee4bc5f95705700f6d942d017f230f59de0fd
SHA256: 87a060aa73b265bb4a4336636cb698bfbbb2816b102f4363412ec0ff12f272fc
SHA512: 04324901cb24d9d83db6eb7a3fda5f37266099c67e1be66afe816890462a2a67946976eb25259ffd890e851f4df4381c474220260da9b853173ce7bda58cafbf
SSDEEP: 384:lZafyAaXspkybkZwe3WKU7vUMiFTygskWwdn5ojl/Yx00b1GPVRzqjXrPpxy0XRn:l+y1XsBbd8Xy3jgoA5kl/glw9RopnBW6
Malware Config
Extracted
Family: mirai
Botnet: LZRD
C2: www.sushiking.world
C2: s.sushiking.world
Signatures

Modifies Watchdog functionality (1 TTP, 2 IoCs)
Malware such as Mirai opens the hardware watchdog device and disables it, so that a device left unresponsive by the infection is not rebooted by the watchdog; a reboot would remove the bot, which does not persist on disk.
Processes:
description                    ioc                  process
File opened for modification   /dev/watchdog        SecuriteInfo.com.Linux.Siggen.9999.28176.3818.elf
File opened for modification   /dev/misc/watchdog   SecuriteInfo.com.Linux.Siggen.9999.28176.3818.elf
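The two IoCs above show only that the sample opened the watchdog device node for writing; the report does not show the ioctl that followed or whether the driver accepted it. In the leaked Mirai source the node is opened and WDIOC_SETOPTIONS is issued with WDIOS_DISABLECARD, with the request number hard-coded as 0x80045704, which is the x86/ARM encoding of that command. This sample runs on mipsel, where the ioctl bit layout differs and the same command encodes as 0x40045704, so a syscall trace of the sample should be checked against the architecture's own encoding rather than against that constant. The following Python is an added example, not code from the report or from Mirai: it re-implements the kernel's _IOC() macro for both layouts so that a request number seen in an strace or sandbox syscall log can be named. The WDIOC/WDIOS values are assumed to be those of the uapi linux/watchdog.h header.

```python
# Added example: encode/decode Linux ioctl request numbers for the watchdog API
# so the WDIOC_SETOPTIONS(WDIOS_DISABLECARD) call can be recognised in a trace
# on either the generic (x86/ARM) ABI or the MIPS ABI used by this sandbox.

# Bit layout of the kernel _IOC() macro per architecture family. MIPS (like
# PowerPC, SPARC and Alpha) uses a 13-bit size field and different direction
# codes from the "generic" layout used by x86, ARM and most other ports.
IOC_LAYOUTS = {
    "generic": {"sizebits": 14, "none": 0, "write": 1, "read": 2},
    "mips":    {"sizebits": 13, "none": 1, "write": 4, "read": 2},
}
NRBITS, TYPEBITS = 8, 8

# Assumed from uapi <linux/watchdog.h>: option bits passed to WDIOC_SETOPTIONS.
WDIOS_DISABLECARD = 0x0001
WDIOS_ENABLECARD = 0x0002
# WDIOC command numbers (the 'nr' field) from the same header.
WDIOC_NR = {4: "WDIOC_SETOPTIONS", 5: "WDIOC_KEEPALIVE", 6: "WDIOC_SETTIMEOUT"}


def ioc(direction: str, type_char: str, nr: int, size: int, arch: str = "generic") -> int:
    """Re-implementation of _IOC(dir, type, nr, size) for the given arch layout."""
    lay = IOC_LAYOUTS[arch]
    typeshift = NRBITS
    sizeshift = typeshift + TYPEBITS
    dirshift = sizeshift + lay["sizebits"]
    return (lay[direction] << dirshift) | (size << sizeshift) | (ord(type_char) << typeshift) | nr


def wdioc_setoptions(arch: str = "generic") -> int:
    """WDIOC_SETOPTIONS is _IOR('W', 4, int): 0x80045704 generic, 0x40045704 on MIPS."""
    return ioc("read", "W", 4, 4, arch)


def decode_ioc(request: int, arch: str = "generic"):
    """Split a request number into (direction, type char, nr, size) under one arch layout."""
    lay = IOC_LAYOUTS[arch]
    sizeshift = NRBITS + TYPEBITS
    dirshift = sizeshift + lay["sizebits"]
    nr = request & ((1 << NRBITS) - 1)
    type_char = chr((request >> NRBITS) & ((1 << TYPEBITS) - 1))
    size = (request >> sizeshift) & ((1 << lay["sizebits"]) - 1)
    dir_code = (request >> dirshift) & 0x7      # 2 direction bits generic, 3 on MIPS
    if dir_code == lay["none"]:
        direction = "none"
    else:
        direction = "+".join(n for n in ("read", "write") if dir_code & lay[n])
    return direction, type_char, nr, size


def classify_watchdog_ioctl(request: int, arg: int, arch: str = "generic") -> str:
    """Name what an ioctl on /dev/watchdog does, given the request number and its int argument."""
    direction, type_char, nr, size = decode_ioc(request, arch)
    if type_char != "W":
        return "not a watchdog ioctl"
    # The driver matches the full request number, so a constant encoded for the
    # wrong ABI decodes to a different direction/size here and is not SETOPTIONS.
    if nr == 4 and direction == "read" and size == 4:
        if arg & WDIOS_DISABLECARD:
            return "WDIOC_SETOPTIONS: disable watchdog"
        if arg & WDIOS_ENABLECARD:
            return "WDIOC_SETOPTIONS: enable watchdog"
        return "WDIOC_SETOPTIONS: no-op"
    return WDIOC_NR.get(nr, f"watchdog ioctl nr={nr}") + f" ({direction}, size {size})"


if __name__ == "__main__":
    for arch in IOC_LAYOUTS:
        print(arch, hex(wdioc_setoptions(arch)))
    # The constant from the Mirai source, interpreted under each ABI:
    print("generic:", classify_watchdog_ioctl(0x80045704, 1, "generic"))
    print("mips:   ", classify_watchdog_ioctl(0x80045704, 1, "mips"))
```

When reading a trace from a mipsel run, feed the request number to `decode_ioc(req, "mips")`; the same number decodes differently under the generic layout, and only the decode for the sample's real architecture tells you which watchdog command the driver actually saw.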
Enumerates active TCP sockets (1 TTP, 1 IoC)
Gets active TCP sockets from the /proc virtual filesystem.
Processes:
description               ioc             process
File opened for reading   /proc/net/tcp   SecuriteInfo.com.Linux.Siggen.9999.28176.3818.elf

Enumerates running processes
Discovers information about currently running processes on the system.
Reads system network configuration (1 TTP, 1 IoC)
Uses the contents of the /proc filesystem to enumerate network settings. The IoC is the same /proc/net/tcp read that triggers the socket-enumeration signature above; it is one file access matched by two signatures, not two separate reads.
Processes:
description               ioc             process
File opened for reading   /proc/net/tcp   SecuriteInfo.com.Linux.Siggen.9999.28176.3818.elf
Reads runtime system information (44 IoCs)
Reads data from the /proc virtual filesystem.
Processes:
description: File opened for reading
process: SecuriteInfo.com.Linux.Siggen.9999.28176.3818.elf
ioc (44 paths, 27 fd directories and 17 exe links, PIDs sorted):
/proc/<pid>/fd for pid in: 1, 179, 201, 257, 353, 355, 358, 378, 385, 393, 394, 427, 541, 550, 683, 689, 696, 711, 712, 714, 721, 723, 729, 731, 732, 736, 741
/proc/<pid>/exe for pid in: 541, 550, 683, 689, 696, 704, 711, 714, 717, 718, 719, 729, 736, 755, 775, 776, 777
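The /proc reads listed above, /proc/net/tcp followed by /proc/<pid>/fd and /proc/<pid>/exe across a sweep of PIDs, are the access pattern of a socket-owner lookup. A process cannot ask the kernel which other process holds a port, so it takes the socket inode from /proc/net/tcp and scans every /proc/<pid>/fd for a symlink whose target is socket:[inode], then reads that PID's exe link. This is how the killer routine in the leaked Mirai source finds whatever is bound to telnet (and, when enabled, SSH and HTTP) before terminating it and rebinding the port. The following Python is an added example, not code from the report or from Mirai: it implements that join over a constructed /proc/net/tcp snapshot and a constructed fd map, and includes a reader for a live /proc tree.

```python
# Added example: map listening TCP ports to owning PIDs the way a bot that only
# has /proc available must do it: /proc/net/tcp gives the socket inode, and
# /proc/<pid>/fd symlinks named socket:[inode] give the owner.
import os
import re
import socket
import struct
from pathlib import Path

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "0A": "LISTEN"}

# Constructed /proc/net/tcp snapshot for this example (not captured from the sandbox).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0F02000A:C3A2 0202000A:0050 01 00000000:00000000 00:00000000 00000000  1000        0 12400 1 0000000000000000 20 4 30 10 -1
"""

# Constructed stand-in for the /proc/<pid>/fd trees: pid -> {fd: symlink target}.
SAMPLE_FD_LINKS = {
    1:   {"0": "/dev/null", "1": "/dev/null"},
    704: {"0": "/dev/null", "3": "socket:[12345]"},       # hypothetical telnetd holding :23
    712: {"4": "socket:[12346]", "5": "socket:[12400]"},  # hypothetical sshd holding :22
}

SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


def parse_addr(field: str):
    """'0100007F:0050' -> ('127.0.0.1', 80). The IP is the kernel's host-order u32
    printed in hex, so it is unpacked little-endian here (correct for mipsel and
    x86; a big-endian MIPS host would need '>I')."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text: str):
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].endswith(":"):   # skips the header line
            continue
        lip, lport = parse_addr(f[1])
        rip, rport = parse_addr(f[2])
        rows.append({"local_ip": lip, "local_port": lport, "remote_ip": rip, "remote_port": rport,
                     "state": TCP_STATES.get(f[3], f[3]), "uid": int(f[7]), "inode": int(f[9])})
    return rows


def listening_inodes(rows, ports):
    """inode -> port for LISTEN sockets on the ports of interest."""
    return {r["inode"]: r["local_port"] for r in rows
            if r["state"] == "LISTEN" and r["local_port"] in ports}


def find_socket_owners(fd_links, inodes):
    """Join socket inodes against fd symlink targets; returns inode -> pid."""
    owners = {}
    for pid, fds in fd_links.items():
        for target in fds.values():
            m = SOCKET_LINK.match(target)
            if m and int(m.group(1)) in inodes:
                owners[int(m.group(1))] = pid
    return owners


def port_owners(proc_net_tcp_text, fd_links, ports=(23, 22, 80)):
    """port -> pid for each targeted listening port whose owner was found."""
    inodes = listening_inodes(parse_proc_net_tcp(proc_net_tcp_text), ports)
    return {inodes[ino]: pid for ino, pid in find_socket_owners(fd_links, inodes).items()}


def read_fd_links(proc=Path("/proc")):
    """Live equivalent of SAMPLE_FD_LINKS; reading other users' fd dirs needs root."""
    links = {}
    for d in proc.iterdir():
        if not d.name.isdigit():
            continue
        fds = {}
        try:
            for fd in (d / "fd").iterdir():
                try:
                    fds[fd.name] = os.readlink(fd)
                except OSError:      # fd closed between listdir and readlink
                    pass
        except OSError:              # permission denied or process exited
            continue
        links[int(d.name)] = fds
    return links


def exe_path(pid, proc=Path("/proc")):
    """The /proc/<pid>/exe read seen in the report: resolve the owner's binary."""
    try:
        return os.readlink(proc / str(pid) / "exe")
    except OSError:
        return None


if __name__ == "__main__":
    print(port_owners(SAMPLE_PROC_NET_TCP, SAMPLE_FD_LINKS))
    # Against a real host (as root): the same join on the live tree.
    # live = port_owners(Path("/proc/net/tcp").read_text(), read_fd_links())
```

Run against a live host this is also a cheap way to verify what a bot would find: any PID returned for port 23 is exactly the process a Mirai-style killer would terminate, and a sweep of /proc/<pid>/fd across all PIDs by a short-lived unknown binary is the telemetry signal to alert on.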
Processes
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
memory/726-1-0x00400000-0x00456ce8-memory.dmp