Analysis
max time kernel: 148s
max time network: 150s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 17/10/2024, 14:03
Static task
static1
Behavioral task
behavioral1
Sample
armv6l.elf
Resource
debian9-armhf-20240611-en
General
Target: armv6l.elf
Size: 259KB
MD5: 074922d9c3bf6f9be14310ea548575bf
SHA1: a45d1e104f4a8aba1c59a444a5115e18cc2859d7
SHA256: 366e98a9113a97168c187c6a8491ecc1e290c1320908d3df158d7c92d37333f6
SHA512: 22b6f8be118e69f41fd12632c102393aa0199141a300b3fc89043be413d34d47412a1e142b08eecbf06c021a7516fbbfcafd1c1478d9cc7297e743be980c62b2
SSDEEP: 3072:1kCiVhTjd+YKqFmaHaA/WUq+VrHaYDiGa54ic2r2iB7:WCkTBq+FnY12i
Malware Config
Signatures
Contacts a large (73652) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Deletes itself (1 IoCs)
pid | Process
648 | armv6l.elf

Modifies Watchdog functionality (1 TTPs, 2 IoCs)
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description | ioc | Process
File opened for modification | /dev/misc/watchdog | armv6l.elf
File opened for modification | /dev/watchdog | armv6l.elf
Unexpected DNS network traffic destination (2 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description | ioc
Destination IP | 194.36.144.87
Destination IP | 9.9.9.9

Reads MAC address of network interface (2 TTPs, 1 IoCs)
Fetches the MAC address of active network interfaces. May be used to detect known values for hypervisors.
description | ioc | Process
File opened for reading | /sys/class/net/eth0/address | armv6l.elf

Reads network interface configuration (2 TTPs, 2 IoCs)
Fetches information about one or more active network interfaces.
description | ioc | Process
File opened for reading | /sys/class/net/eth0/flags | armv6l.elf
File opened for reading | /sys/class/net/eth0/carrier | armv6l.elf
Changes its process name (64 IoCs)
description: Changes the process name, possibly in an attempt to hide itself (all 64 entries)
pid: 650
Process: armv6l.elf
ioc (process name values observed, in the order reported):
-sh, -sh, /bin/busybox, /bin/busybox, -sh, kswapd0, /bin/sh, -sh, daemon, kswapd0, daemon, /bin/busybox, kswapd0, daemon, watchdog, -sh, kswapd0, /bin/busybox, /bin/sh, kswapd0, /bin/busybox, watchdog, kswapd0, watchdog, /bin/busybox, watchdog, daemon, /bin/busybox, daemon, /bin/busybox, kswapd0, watchdog, -sh, daemon, daemon, kswapd0, kswapd0, kswapd0, /bin/sh, /bin/sh, /bin/busybox, daemon, watchdog, kswapd0, daemon, watchdog, watchdog, -sh, -sh, /bin/sh, daemon, daemon, /bin/busybox, -sh, kswapd0, /bin/sh, watchdog, daemon, watchdog, /bin/sh, /bin/sh, daemon, daemon, -sh
Reads system network configuration (1 TTPs, 1 IoCs)
Uses contents of /proc filesystem to enumerate network settings.
description | ioc | Process
File opened for reading | /proc/net/unix | armv6l.elf

Enumerates kernel/hardware configuration (1 TTPs, 1 IoCs)
Reads contents of /sys virtual filesystem to enumerate system information.
description | ioc | Process
File opened for reading | /sys/class/net | armv6l.elf