Analysis
max time kernel: 300s
max time network: 291s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 03/09/2024, 13:35
Behavioral tasks
task          sample   resource
behavioral1   arm      debian9-armhf-20240611-en
behavioral2   arm5     debian12-armhf-20240729-en
behavioral3   arm6     debian12-armhf-20240221-en
behavioral4   arm7     debian9-armhf-20240418-en
behavioral5   mips     debian9-mipsbe-20240611-en
behavioral6   mpsl     debian12-mipsel-20240729-en
behavioral7   x86_64   ubuntu2204-amd64-20240611-en
General
Target: arm
Size: 158KB
MD5: 2c024968256b3931670986b159f934bc
SHA1: 2bfe089d1220e976aab6f367fb77d448a21c3941
SHA256: 35747818c8b849ec82e99ac6c4fbc5da661590fc52b7fedd1a6027f7837ae0d7
SHA512: ad2abe5d092ae8f5a42f3b42b465b5d8c8706d40a2a37da9242e616f6b1b7316e7c202c50c2b098a6dddea91410047700fede0fe5050c7e0a86477aad58d6141
SSDEEP: 1536:V7baHQuHMwfBLxyc4AJgbACzlQAdDHAD3PNTTDGZkY5oXKs8XO2qATAOiYl6YAwC:tuHTswfB1LslQKAzNTXGK8oX1ofyN1
Malware Config
Signatures
Modifies Watchdog functionality (1 TTP, 2 IoCs)
Malware like Mirai modifies the watchdog to prevent it from restarting an infected system.
description                   ioc                 process
File opened for modification  /dev/watchdog       arm
File opened for modification  /dev/misc/watchdog  arm
Unexpected DNS network traffic destination (1 IoC)
Traffic on the DNS port to a server other than the configured DNS servers was detected.
description     ioc
Destination IP  134.195.4.2
Enumerates running processes
Discovers information about currently running processes on the system.
Writes file to system bin folder (1 TTP, 1 IoC)
description                   ioc             process
File opened for modification  /sbin/watchdog  arm
Changes its process name (1 IoC)
The chosen name imitates the shell that runs the /etc/init.d/rcS boot script on embedded Linux, so the process blends into a typical process listing.
description                                                      ioc                      pid  process
Changes the process name, possibly in an attempt to hide itself  /bin/sh /etc/init.d/rcS  650  arm
Enumerates kernel/hardware configuration (1 TTP, 3 IoCs)
Reads the contents of the /sys virtual filesystem to enumerate system information.
description              ioc                                 process
File opened for reading  /sys/devices/virtual/misc/watchdog  arm
File opened for reading  /sys/class/misc/watchdog            arm
File opened for reading  /sys/class/watchdog                 arm
Reads runtime system information (64 IoCs)
Reads data from the /proc virtual filesystem. All 64 reads target /proc/<pid>/status or /proc/<pid>/cmdline, i.e. a sweep over the process table.
description              ioc                                                             process
File opened for reading  /proc/<pid>/cmdline for pid in {1, 2, 644, 660} (4 PIDs)        arm
File opened for reading  /proc/<pid>/status for pid in {657, 658, 659, 660, 663, 664, 665, 666, 668, 669, 670, 671, 674, 675, 676, 677, 678, 679, 680, 681, 682, 683, 684, 685, 686, 687, 689, 690, 692, 693, 694, 695, 696, 697, 698, 699, 700, 701, 702, 703, 704, 705, 706, 708, 709, 710, 711, 712, 713, 714, 715, 716, 717, 718, 719, 720, 721, 722, 723, 725} (60 PIDs)  arm
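The signatures above (watchdog modification, the /sbin write, the sysfs and /proc reads, and the DNS traffic to a non-configured resolver) can be re-derived from raw telemetry rather than read off a vendor report. The following is an added example written for this page, not the sandbox's own detection code: the open-event and flow formats are constructed approximations of what strace/auditd and a flow export give you, the sample telemetry is constructed from the IoCs listed in the report, and the configured resolver set (8.8.8.8) and the source address 10.127.0.15 are assumptions, since the report does not state them.

```python
"""Re-derive the report's behavioural signatures from host and network telemetry.

Added example, not the sandbox vendor's code. Constructed input formats:
  open events:  "<pid> <comm> open <path> <O_FLAG|O_FLAG...>"  (one per line)
  flows:        "<src> <dst_ip>:<dst_port> <proto>"            (one per line)
"""
import re

# Watchdog character devices (including the misc-device path seen in the report).
WATCHDOG_DEVICES = {"/dev/watchdog", "/dev/watchdog0", "/dev/misc/watchdog"}
# sysfs nodes a sample reads to learn whether a watchdog exists at all.
WATCHDOG_SYSFS = ("/sys/class/watchdog", "/sys/class/misc/watchdog",
                  "/sys/devices/virtual/misc/watchdog")
SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")
WRITE_FLAGS = {"O_WRONLY", "O_RDWR"}
PROC_RE = re.compile(r"^/proc/(\d+)/(status|cmdline|exe)$")


def parse_open_events(text):
    """Return (pid, comm, path, flags) tuples; flags is a set of O_* names."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "open":
            continue  # blank or unrelated line
        pid, comm, _, path, flags = parts
        events.append((int(pid), comm, path, set(flags.split("|"))))
    return events


def _written_paths(events):
    return [path for _, _, path, flags in events if flags & WRITE_FLAGS]


def watchdog_modifications(events):
    """Watchdog device opened writable: the 'Modifies Watchdog functionality' signature."""
    return sorted({p for p in _written_paths(events) if p in WATCHDOG_DEVICES})


def watchdog_enumeration(events):
    """Read-only access to watchdog sysfs nodes ('Enumerates kernel/hardware configuration')."""
    return sorted({path for _, _, path, flags in events
                   if path.startswith(WATCHDOG_SYSFS) and not flags & WRITE_FLAGS})


def system_bin_writes(events):
    """Writable opens under the system binary directories."""
    return sorted({p for p in _written_paths(events) if p.startswith(SYSTEM_BIN_DIRS)})


def proc_scan(events, min_pids=5):
    """Distinct PIDs whose /proc entries were read. Returns [] below the threshold so a
    process that inspects one or two neighbours does not look like a table sweep."""
    pids = {int(m.group(1)) for _, _, path, _ in events if (m := PROC_RE.match(path))}
    return sorted(pids) if len(pids) >= min_pids else []


def parse_flows(text):
    """Return (src, dst_ip, dst_port, proto) tuples."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        src, dst, proto = parts
        host, _, port = dst.rpartition(":")
        flows.append((src, host, int(port), proto))
    return flows


def unexpected_dns_destinations(flows, configured_resolvers):
    """Port-53 traffic to hosts other than the resolvers the guest was configured with."""
    return sorted({host for _, host, port, _ in flows
                   if port == 53 and host not in configured_resolvers})


def triage(open_text, flow_text, configured_resolvers):
    """Map each signature name from the report to the IoCs found in the telemetry."""
    events = parse_open_events(open_text)
    flows = parse_flows(flow_text)
    return {
        "Modifies Watchdog functionality": watchdog_modifications(events),
        "Enumerates kernel/hardware configuration": watchdog_enumeration(events),
        "Writes file to system bin folder": system_bin_writes(events),
        "Enumerates running processes": proc_scan(events),
        "Unexpected DNS network traffic destination":
            unexpected_dns_destinations(flows, configured_resolvers),
    }


# Constructed telemetry modelled on the report's IoCs (pid 650, comm "arm").
SAMPLE_OPEN_EVENTS = """\
650 arm open /sys/class/watchdog O_RDONLY
650 arm open /sys/class/misc/watchdog O_RDONLY
650 arm open /dev/watchdog O_WRONLY
650 arm open /dev/misc/watchdog O_WRONLY
650 arm open /sbin/watchdog O_WRONLY
650 arm open /proc/1/cmdline O_RDONLY
650 arm open /proc/704/status O_RDONLY
650 arm open /proc/705/status O_RDONLY
650 arm open /proc/711/status O_RDONLY
650 arm open /proc/719/status O_RDONLY
650 arm open /etc/resolv.conf O_RDONLY
"""
SAMPLE_FLOWS = """\
10.127.0.15 8.8.8.8:53 udp
10.127.0.15 134.195.4.2:53 udp
10.127.0.15 134.195.4.2:53 udp
10.127.0.15 8.8.8.8:53 udp
"""
ASSUMED_RESOLVERS = {"8.8.8.8"}  # assumption: the report does not list the guest's resolvers

if __name__ == "__main__":
    for name, iocs in triage(SAMPLE_OPEN_EVENTS, SAMPLE_FLOWS, ASSUMED_RESOLVERS).items():
        print(f"{name}: {iocs}")
```

Two caveats when turning this into a production rule. A writable open of /dev/watchdog is also what the legitimate watchdog daemon does, so the signal is the combination the report shows: the device open together with a write to /sbin/watchdog (the daemon's own binary) from a process that is neither. What the sandbox records is only the open; in Mirai's public source the next step is an ioctl(WDIOC_SETOPTIONS, WDIOS_DISABLECARD) on that descriptor, which this report does not show, so the detector keys on the opens rather than the ioctl. Likewise the process-table sweep fires on the number of distinct PIDs read, not on any single /proc path, because monitoring agents read a few neighbours' status files routinely.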