af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d

Analysis

max time kernel
153s
max time network
163s
platform
debian-12_mipsel
resource
debian12-mipsel-20240221-en
resource tags

arch:mipselimage:debian12-mipsel-20240221-enkernel:6.1.0-17-4kc-maltalocale:en-usos:debian-12-mipselsystem
submitted
11-08-2024 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
Size

97KB
MD5

6a8af93bfff12c98c50bb406e2d8dfb8
SHA1

e4feebee8f7e7b6f99c2ad61663714ab544552f1
SHA256

af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d
SHA512

dbb53151e3286521fc8b481af88b1e5427e8121fefc080f733b67048e89836b14cc2676b7ec643546b1b7a4470b5332ad490bd2c9b0a43a6aeb7fa6377f4c360
SSDEEP

1536:HoYZkmscJZZYAeH8yqBy9znkNN9ZEbYzAqJl:HoYZkmscJZZY/8IBc9ZEbYzVJl

Score

7^/10

evasion

Malware Config

Signatures

Deletes Audit logs 1 TTPs 1 IoCs

Deletes logs related to the Linux Audit framework.

evasion

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/audit/audit.log	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf

Deletes journal logs 1 TTPs 1 IoCs

Deletes systemd journal logs. Likely to evade detection.

evasion

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/journal/edeb2f80f756429c9aae366fe5ab23dd/system.journal	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for modification	/dev/misc/watchdog	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf

Enumerates running processes
Discovers information about currently running processes on the system

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	/var/Cyber	740	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/201/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/380/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/609/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/731/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/732/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/748/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/4/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/10/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/22/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/111/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/180/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/32/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/35/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/136/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/376/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/744/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/756/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/3/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/25/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/350/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/409/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/690/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/693/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/713/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/26/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/30/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/42/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/47/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/58/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/407/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/765/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/1/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/9/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/19/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/28/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/45/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/689/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/15/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/378/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/701/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/2/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/7/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/13/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/24/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/48/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/53/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/325/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/390/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/733/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/33/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/112/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/118/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/749/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/767/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/11/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/14/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/710/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/711/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/721/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/750/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/5/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/8/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/18/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
File opened for reading	/proc/59/cmdline	af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf

/tmp/af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
/tmp/af4a705ff8a6b54f60a1dd450fb56f99199b16bd0eb64e1710591a80ffe7cb1d.elf
1⤵
- Deletes Audit logs
- Deletes journal logs
- Modifies Watchdog functionality
- Changes its process name
- Reads runtime system information
PID:740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads