78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1

Analysis

max time kernel
45s
max time network
136s
platform
debian-12_mipsel
resource
debian12-mipsel-20240418-en
resource tags

arch:mipselimage:debian12-mipsel-20240418-enkernel:6.1.0-17-4kc-maltalocale:en-usos:debian-12-mipselsystem
submitted
12/10/2024, 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
Size

5.6MB
MD5

e7832e0074f1afe1362f1e8d5d55bec3
SHA1

6b3720bd59c8729210153b9e5360f5e7f9be73b0
SHA256

78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1
SHA512

0aa8179617ad0ac5528517bd04ecc9f43c828ffe9389e9d081d2f6b50c2b5bd9ae35c50211f20a7aed475dd678a741f0e825db7477705dc2266a4daa131b82ee
SSDEEP

98304:yC91hAFxvW6WGVqq7g3JDCg76dAuE8iW5ay5mIOX+aaNcc8pNkxXkz8xBs3K4HUe:yC91hAFxvW6WGVqq7g3JDCg76dAuE8i5

Score

7^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Executes dropped EXE 1 IoCs

ioc	pid	Process
/etc/32678	772	32678

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for modification	/dev/misc/watchdog	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf

Enumerates running processes
Discovers information about currently running processes on the system

Modifies init.d 2 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

description	ioc	Process
File opened for modification	/etc/init.d/linux_kill	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf

Modifies systemd 2 TTPs 1 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

persistence privilege_escalation

XDG Autostart Entries

T1547.013

Systemd Service

T1543.002

description	ioc	Process
File opened for modification	/usr/lib/systemd/system/linux.service	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf

Reads runtime system information 62 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/756/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/909/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/334/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/696/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/698/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/712/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/839/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/915/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/sys/kernel/cap_last_cap	journalctl
File opened for reading	/proc/681/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/782/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/912/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/918/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/919/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/202/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/426/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/907/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/668/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/823/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/789/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/411/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/770/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/718/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/738/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/913/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/923/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/350/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/711/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/714/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/737/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/784/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/922/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/796/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/380/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/769/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/783/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/787/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/920/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/772/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/908/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/410/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/680/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/774/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/393/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/914/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/910/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/911/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/917/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/379/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/389/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/722/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/904/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/924/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/916/stat	78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
File opened for reading	/proc/filesystems	journalctl

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	8	Go-http-client/1.1

/tmp/78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
/tmp/78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
1⤵
- Enumerates kernel/hardware configuration
PID:746
- /usr/bin/sh
  sh -c "/etc/32678&"
  2⤵
  PID:768
- - /etc/32678
    /etc/32678
    3⤵
    - Executes dropped EXE
    PID:772
  - - /usr/bin/sleep
      sleep 60
      4⤵
      PID:774
- /usr/sbin/service
  service crond start
  2⤵
  PID:769
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:773
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:780
- - /usr/bin/sed
    sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
    3⤵
    - Reads runtime system information
    PID:784
- - /usr/bin/systemctl
    systemctl list-unit-files --full "--type=socket"
    3⤵
    - Reads runtime system information
    PID:783
- /tmp/78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf
  /tmp/78e31c6e830ed62a38c210114ef5d3be2c13965e04affda1cc8c73d8646670d1.elf " "
  2⤵
  - Modifies Watchdog functionality
  - Modifies init.d
  - Modifies systemd
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:770
- - /usr/sbin/update-rc.d
    update-rc.d linux_kill defaults
    3⤵
    PID:796
  - - /usr/local/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:823
  - - /usr/local/bin/systemctl
      systemctl daemon-reload
      4⤵
      PID:823
  - - /usr/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:823
  - - /usr/bin/systemctl
      systemctl daemon-reload
      4⤵
      Reads runtime system information
      PID:823
- - /usr/bin/sh
    sh -c "cd /boot;systemctl daemon-reload;systemctl enable linux.service;systemctl start linux.service;journalctl -xe --no-pager"
    3⤵
    PID:923
  - - /usr/bin/systemctl
      systemctl daemon-reload
      4⤵
      Reads runtime system information
      PID:924
  - - /usr/bin/systemctl
      systemctl enable linux.service
      4⤵
      Reads runtime system information
      PID:942
  - - /usr/bin/systemctl
      systemctl start linux.service
      4⤵
      Reads runtime system information
      PID:960
  - - /usr/bin/journalctl
      journalctl -xe --no-pager
      4⤵
      Reads runtime system information
      PID:986

/usr/local/sbin/systemctl
systemctl start crond.service
1⤵
PID:769

/usr/local/bin/systemctl
systemctl start crond.service
1⤵
PID:769

/usr/sbin/systemctl
systemctl start crond.service
1⤵
PID:769

/usr/bin/systemctl
systemctl start crond.service
1⤵
- Reads runtime system information
PID:769

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Create or Modify System Process

T1543

Systemd Service

T1543.002

Privilege Escalation

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Create or Modify System Process

T1543

Systemd Service

T1543.002

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/32678

Filesize
61B

MD5
768eaf287796da19e1cf5e0b2fb1b161

SHA1
6a1ce2ee5ccc86d1f33806feb14547b35290df2a

SHA256
1d22620dfb2a6715e5d745aed5cf841ede0e75e1747f12b9b925a2d346bc7ecb

SHA512
e6af30c9df4f7f47696069511e64ecbc8e841629d692ee4056503df3533fb7a7a74960698826260355e1dba7b6c562482a27a39bb51a4237473ce4b68472d620

Download Submit
/etc/init.d/linux_kill

Filesize
189B

MD5
3909975f7cc0d1121c1819b800069f31

SHA1
3e68de708c2e6c40fab6794afdee3104e5590189

SHA256
6876dac71f13a068afb863d257134275f2edba43b2acaf4924fabf97c079070b

SHA512
50600cceeb03b05f45ae61d890caee9f51ff390b6776930866e527e071d65d08241fc66673fd9b99d62fbc77d3c00fc3de4d7378cbc42f5daba5d83072b0906e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads