fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821

Analysis

max time kernel
150s
max time network
152s
platform
debian-9_mipsel
resource
debian9-mipsel-20240611-en
resource tags

arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
05/07/2024, 02:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
Size

82KB
MD5

e1450b416b3a3fb706a87c53fb9b2131
SHA1

1c4069927188b9be4af76b2fc7b460bcc9ff0ef1
SHA256

fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821
SHA512

3de2a4174ffdd1091825f18734082e92e21927780c8c04c7aa3e679497c402f11d538e2c67303b1b7d89855e13ed981a66f9c77c19e2dc30eda45a2cdce34e60
SSDEEP

1536:OyNJNx+Y2NNsaDmmZ1oFxkGsPbw4q3xIb25DgnI8sRf:Oy7zj2NWaDkjk1CgnIF

Score

9^/10

discovery

Malware Config

Signatures

Contacts a large (83469) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for modification	/dev/misc/watchdog	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf

Renames itself 1 IoCs

pid	Process
701	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf

Unexpected DNS network traffic destination 30 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	81.169.136.222
Destination IP	51.254.162.59
Destination IP	185.232.68.212
Destination IP	64.176.6.48
Destination IP	51.158.108.203
Destination IP	51.254.162.59
Destination IP	51.158.108.203
Destination IP	137.220.55.93
Destination IP	51.158.108.203
Destination IP	65.21.1.106
Destination IP	81.169.136.222
Destination IP	139.84.165.176
Destination IP	178.254.22.166
Destination IP	137.220.55.93
Destination IP	137.220.55.93
Destination IP	64.176.6.48
Destination IP	178.254.22.166
Destination IP	178.254.22.166
Destination IP	5.161.109.23
Destination IP	65.21.1.106
Destination IP	185.232.68.212
Destination IP	5.161.109.23
Destination IP	65.21.1.106
Destination IP	137.220.55.93
Destination IP	81.169.136.222
Destination IP	217.160.70.42
Destination IP	95.216.99.249
Destination IP	139.84.165.176
Destination IP	95.216.99.249
Destination IP	5.161.109.23

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf

Enumerates running processes
Discovers information about currently running processes on the system

Changes its process name 1 IoCs

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	701	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc	Process
File opened for reading	/proc/net/tcp	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/741/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/752/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/850/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/786/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/764/cmdline	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/808/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/754/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/805/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/315/status	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/788/cmdline	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/829/cmdline	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/761/cmdline	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/763/cmdline	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/798/cmdline	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/840/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/841/cmdline	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/844/cmdline	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/146/status	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/738/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/791/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/828/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/319/status	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/694/status	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/754/cmdline	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/783/cmdline	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/831/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/849/cmdline	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/169/status	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/733/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/734/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/742/cmdline	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/837/cmdline	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/853/cmdline	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/864/cmdline	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/736/cmdline	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/785/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/812/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/831/cmdline	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/857/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/673/status	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/736/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/796/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/825/cmdline	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/756/cmdline	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/775/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/806/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/826/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/312/status	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/772/cmdline	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/805/cmdline	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/814/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/803/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/226/status	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/670/status	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/746/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/757/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/735/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/750/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/760/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/780/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/730/cmdline	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/742/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/810/maps	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
File opened for reading	/proc/812/cmdline	fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf

/tmp/fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
/tmp/fc2ea2079c8a634d033ba3b763471d33dc679a13942e8a549fea2b1d16eb3821.elf
1⤵
- Modifies Watchdog functionality
- Renames itself
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information
PID:701

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads