89b6f53ae64610a22e9b0188d0f515ad55ba7d8861764b43030127e52de8617e

Analysis

max time kernel
149s
max time network
153s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
04/07/2024, 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06bcfce41d363c4c6466c1f38c8a1d15.elf
Size

79KB
MD5

06bcfce41d363c4c6466c1f38c8a1d15
SHA1

1f9cc3b3f62db3f85feb4039f33bc31b37af5a13
SHA256

89b6f53ae64610a22e9b0188d0f515ad55ba7d8861764b43030127e52de8617e
SHA512

9158d7f58b07361ddadfaf878c86b6d226b23056418b421d91364f24728e4e784d0abd9c49393a1bdcaf2bef38baaf97d250405914fb480f3db8a56b80ab1be7
SSDEEP

1536:Kxncaw8eZnX538PUy2cbX9NrhEoNeLMxme3eNlffivZexIJnI8sR:2ZehJEX9NrhEoNeLMxmBSZeWJnI

Score

9^/10

discovery

Malware Config

Signatures

Contacts a large (62128) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	06bcfce41d363c4c6466c1f38c8a1d15.elf
File opened for modification	/dev/misc/watchdog	06bcfce41d363c4c6466c1f38c8a1d15.elf

Renames itself 1 IoCs

pid	Process
655	06bcfce41d363c4c6466c1f38c8a1d15.elf

Unexpected DNS network traffic destination 11 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	51.254.162.59
Destination IP	178.254.22.166
Destination IP	178.254.22.166
Destination IP	51.158.108.203
Destination IP	95.216.99.249
Destination IP	65.21.1.106
Destination IP	5.161.109.23
Destination IP	168.235.111.72
Destination IP	95.216.99.249
Destination IP	185.232.68.212
Destination IP	217.160.70.42

Changes its process name 1 IoCs

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	655	06bcfce41d363c4c6466c1f38c8a1d15.elf

/tmp/06bcfce41d363c4c6466c1f38c8a1d15.elf
/tmp/06bcfce41d363c4c6466c1f38c8a1d15.elf
1⤵
- Modifies Watchdog functionality
- Renames itself
- Changes its process name
PID:655

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...