Analysis
  max time kernel:  150s
  max time network: 157s
  platform:         debian-9_armhf
  resource:         debian9-armhf-20240611-en
  resource tags:    arch:armhf image:debian9-armhf-20240611-en kernel:4.9.0-13-armmp-lpae locale:en-us os:debian-9-armhf system
  submitted:        06-07-2024 03:17
General
  Target: arm4-20240706-0316.elf
  Size:   65KB
  MD5:    8eb3f9fd0821ec7676448d4e5c417df3
  SHA1:   2dac2708cbdc188ef3cfa881f02c1467825fe0d9
  SHA256: f3d8bc4b5c3dc2b7bd4df079aad66f146c73b34dbfca3412be17016aeeea547e
  SHA512: f256b4a506e2dee9310eaa466a1432378a1819b3043d6af7829217d079ba55ec092e048d85a82d037bf1b3103150aa087c2db87688014afcb605f68cba9cf630
  SSDEEP: 1536:t5akHBIPK02c2+u7tqd+CE39QXfUR3Lpga9UnDeuDyl+faXz2UURCyZQQkjBbti:3Hyn23+uRqEC5fELSa9CWPaUURx1kjFg
Malware Config
  Extracted: mirai
  BOTNET:    scan.yerco.xyz
Signatures
- Contacts a large (209670) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Modifies Watchdog functionality (1 TTPs, 2 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  Processes:
    description                   ioc                  process
    File opened for modification  /dev/misc/watchdog   arm4-20240706-0316.elf
    File opened for modification  /dev/watchdog        arm4-20240706-0316.elf
- Unexpected DNS network traffic destination (44 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Writes file to system bin folder (1 TTPs, 1 IoCs)
  Processes:
    description                   ioc              process
    File opened for modification  /sbin/watchdog   arm4-20240706-0316.elf
- Changes its process name (1 IoCs)
  Processes:
    description                                                       ioc                       pid   process
    Changes the process name, possibly in an attempt to hide itself   /bin/sh /etc/init.d/rcS   661   arm4-20240706-0316.elf
- Enumerates kernel/hardware configuration (1 TTPs, 3 IoCs)
  Reads contents of /sys virtual filesystem to enumerate system information.
  Processes:
    description               ioc                                  process
    File opened for reading   /sys/class/watchdog                  arm4-20240706-0316.elf
    File opened for reading   /sys/devices/virtual/misc/watchdog   arm4-20240706-0316.elf
    File opened for reading   /sys/class/misc/watchdog             arm4-20240706-0316.elf
- Reads runtime system information (1 IoCs)
  Reads data from /proc virtual filesystem.
  Processes:
    description               ioc              process
    File opened for reading   /proc/self/exe   arm4-20240706-0316.elf
Downloads
  memory/661-1-0x00008000-0x00031f38-memory.dmp