Analysis
-
max time kernel
150s -
max time network
157s -
platform
debian-12_armhf -
resource
debian12-armhf-20240221-en -
resource tags
arch:armhfimage:debian12-armhf-20240221-enkernel:6.1.0-17-armmp-lpaelocale:en-usos:debian-12-armhfsystem -
submitted
08-07-2024 15:16
Behavioral task
behavioral1
Sample
3858ec56dc7c28252b1d09eddc418b5bfc24c3b8f6fa7165e3469f6ffaecc42e.elf
Resource
debian12-armhf-20240221-en
General
-
Target
3858ec56dc7c28252b1d09eddc418b5bfc24c3b8f6fa7165e3469f6ffaecc42e.elf
-
Size
159KB
-
MD5
e3ea41bbbed27a1f7e7563f6c72802ca
-
SHA1
edc5d1176182856049843b1530fb8b3b8e24a8cc
-
SHA256
3858ec56dc7c28252b1d09eddc418b5bfc24c3b8f6fa7165e3469f6ffaecc42e
-
SHA512
5c5c0c22099b7068331a214d38aaaa3520bbfcd1c6d253da70d9df31dc4bbe2cae5ec0db0def027757c81d5418ce11501feb6342f8ea56fdb2e86cf3b4225241
-
SSDEEP
3072:J+qESLgbxYaHaOufrRIjKE//RBNzQwTHKlM/9RwnrP:JXR0tYaHaOufrqjfBqwTH4M/9CnrP
Malware Config
Signatures
-
Contacts a large (226142) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
Processes:
3858ec56dc7c28252b1d09eddc418b5bfc24c3b8f6fa7165e3469f6ffaecc42e.elfdescription ioc process File opened for modification /dev/watchdog 3858ec56dc7c28252b1d09eddc418b5bfc24c3b8f6fa7165e3469f6ffaecc42e.elf File opened for modification /dev/misc/watchdog 3858ec56dc7c28252b1d09eddc418b5bfc24c3b8f6fa7165e3469f6ffaecc42e.elf -
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
description ioc Destination IP 51.77.149.139 -
Writes file to system bin folder 1 TTPs 1 IoCs
Processes:
3858ec56dc7c28252b1d09eddc418b5bfc24c3b8f6fa7165e3469f6ffaecc42e.elfdescription ioc process File opened for modification /sbin/watchdog 3858ec56dc7c28252b1d09eddc418b5bfc24c3b8f6fa7165e3469f6ffaecc42e.elf -
Changes its process name 1 IoCs
Processes:
3858ec56dc7c28252b1d09eddc418b5bfc24c3b8f6fa7165e3469f6ffaecc42e.elfdescription ioc pid process Changes the process name, possibly in an attempt to hide itself [watchdog/0] 707 3858ec56dc7c28252b1d09eddc418b5bfc24c3b8f6fa7165e3469f6ffaecc42e.elf -
Enumerates kernel/hardware configuration 1 TTPs 3 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
Processes:
3858ec56dc7c28252b1d09eddc418b5bfc24c3b8f6fa7165e3469f6ffaecc42e.elfdescription ioc process File opened for reading /sys/devices/virtual/misc/watchdog 3858ec56dc7c28252b1d09eddc418b5bfc24c3b8f6fa7165e3469f6ffaecc42e.elf File opened for reading /sys/class/misc/watchdog 3858ec56dc7c28252b1d09eddc418b5bfc24c3b8f6fa7165e3469f6ffaecc42e.elf File opened for reading /sys/class/watchdog 3858ec56dc7c28252b1d09eddc418b5bfc24c3b8f6fa7165e3469f6ffaecc42e.elf