Analysis
-
max time kernel
149s -
max time network
151s -
platform
debian-9_armhf -
resource
debian9-armhf-20240418-en -
resource tags
-
submitted
08/10/2024, 16:59
General
-
Target
nullnet_load.arm.elf
-
Size
81KB
-
MD5
3427eb0374873f1695dd9feb0e5db1ea
-
SHA1
0165c5435b93c90206095e3eb5c28a8cdff0303c
-
SHA256
7ed7cbf064b2d49295a28931f8a95258acad0596ef5dea61713e58abafee2a8e
-
SHA512
af210294609a23c28ed667c184cc2ed2e65c0302319f8f9da891a36143018ef94b02da1909e8e5631edab4832c2eec568665231db3483145c7c430f07471c1e4
-
SSDEEP
1536:nPD2dG+bsLPfn2hpej3lzVM9D52c0wIXhkB8t46/foOy3JWpY:PD2dTXeTQJIRE84wfo53JW
Malware Config
Signatures
-
Contacts a large (70369) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads process memory 1 TTPs 32 IoCs
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
-
Changes its process name 1 IoCs
Processes
-
/tmp/nullnet_load.arm.elf/tmp/nullnet_load.arm.elf1⤵
- Modifies Watchdog functionality
- Reads process memory
- Changes its process name