Analysis
max time kernel: 149s
max time network: 151s
platform: debian-9_armhf
resource: debian9-armhf-20240729-en
resource tags: arch:armhf, image:debian9-armhf-20240729-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 20-10-2024 05:34
Behavioral task: behavioral1
Sample: 609c1238af802ede246b1bb55d355dc5_JaffaCakes118
Resource: debian9-armhf-20240729-en
General
Target: 609c1238af802ede246b1bb55d355dc5_JaffaCakes118
Size: 52KB
MD5: 609c1238af802ede246b1bb55d355dc5
SHA1: 74f2ced35a758f572e1c070e438d2056cdb16acc
SHA256: 64adef1e782de63ce018d9dfb619f1c98c1bc4ec67380b9b1a4d7cb929977e40
SHA512: 2c8555de4477cce4f1b84a5813ce0c727e04bac3a2472fd1e2b0944bee4c2653ef63c3ba7e1a2f233073ed3f0bd31f7f9ea83b0363b1a0d361bb63e6e711d54d
SSDEEP: 1536:Yo2kkuHsKrYyn+rOXxt2oNuL6eAvFR4pH:/S2Bakz5uLkuN
Malware Config
Extracted
mirai
UNSTABLE
scanmaccas.duckdns.org
Signatures

Contacts a large (81635) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Modifies Watchdog functionality (1 TTPs, 2 IoCs)
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description                  | ioc                | Process
File opened for modification | /dev/watchdog      | 609c1238af802ede246b1bb55d355dc5_JaffaCakes118
File opened for modification | /dev/misc/watchdog | 609c1238af802ede246b1bb55d355dc5_JaffaCakes118

Writes file to system bin folder (2 IoCs)
description                  | ioc            | Process
File opened for modification | /sbin/watchdog | 609c1238af802ede246b1bb55d355dc5_JaffaCakes118
File opened for modification | /bin/watchdog  | 609c1238af802ede246b1bb55d355dc5_JaffaCakes118

Changes its process name (1 IoCs)
description                                                       | ioc | pid | Process
Changes the process name, possibly in an attempt to hide itself   | a   | 646 | 609c1238af802ede246b1bb55d355dc5_JaffaCakes118

description             | ioc            | Process
File opened for reading | /proc/self/exe | 609c1238af802ede246b1bb55d355dc5_JaffaCakes118