Analysis

max time kernel: 149s
max time network: 144s
platform: debian-12_armhf
resource: debian12-armhf-20240418-en
resource tags: arch:armhf, image:debian12-armhf-20240418-en, kernel:6.1.0-17-armmp-lpae, locale:en-us, os:debian-12-armhf, system
submitted: 09-11-2024 03:30
Behavioral task: behavioral1
Sample: ba149587eed6ccdeaa6a76d2b6ac00b005987ae43d408efbb3ca90ce64356fdb.elf
Resource: debian12-armhf-20240418-en
5 signatures
150 seconds
General

Target: ba149587eed6ccdeaa6a76d2b6ac00b005987ae43d408efbb3ca90ce64356fdb.elf
Size: 45KB
MD5: 8b71f668a7370f7cac67dcc5dc2a2d6e
SHA1: 86fa99a2fceb144d995d981095de7347d4c8f797
SHA256: ba149587eed6ccdeaa6a76d2b6ac00b005987ae43d408efbb3ca90ce64356fdb
SHA512: 1e323af3c9c6c9d266cdd26d62ef07a0b9cbbae886b1ef8f9a2de0d9dd7eeffa158f610e82fce2025516dd417ae8ff7d60d4cd776863f81d7cd08902c4ee4cb8
SSDEEP: 768:g/TYCoIxdEk+AxoTZAZHFeq8b3G9q3UELbUXfi6nVMQHI4vcGpvM:gECFd+A6YHAxrLRQZM
Score: 10/10
Malware Config

Extracted
Family: mirai
Botnet: LZRD
Signatures

Mirai family

Modifies Watchdog functionality (1 TTPs, 2 IoCs)
Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.
Processes:
description                  | ioc                | process
File opened for modification | /dev/watchdog      | ba149587eed6ccdeaa6a76d2b6ac00b005987ae43d408efbb3ca90ce64356fdb.elf
File opened for modification | /dev/misc/watchdog | ba149587eed6ccdeaa6a76d2b6ac00b005987ae43d408efbb3ca90ce64356fdb.elf
Writes file to system bin folder (2 IoCs)
Processes:
description                  | ioc            | process
File opened for modification | /sbin/watchdog | ba149587eed6ccdeaa6a76d2b6ac00b005987ae43d408efbb3ca90ce64356fdb.elf
File opened for modification | /bin/watchdog  | ba149587eed6ccdeaa6a76d2b6ac00b005987ae43d408efbb3ca90ce64356fdb.elf
Processes:
description             | ioc               | process
File opened for reading | /proc/723/cmdline | ba149587eed6ccdeaa6a76d2b6ac00b005987ae43d408efbb3ca90ce64356fdb.elf
File opened for reading | /proc/645/cmdline | ba149587eed6ccdeaa6a76d2b6ac00b005987ae43d408efbb3ca90ce64356fdb.elf
File opened for reading | /proc/661/cmdline | ba149587eed6ccdeaa6a76d2b6ac00b005987ae43d408efbb3ca90ce64356fdb.elf
File opened for reading | /proc/663/cmdline | ba149587eed6ccdeaa6a76d2b6ac00b005987ae43d408efbb3ca90ce64356fdb.elf
File opened for reading | /proc/680/cmdline | ba149587eed6ccdeaa6a76d2b6ac00b005987ae43d408efbb3ca90ce64356fdb.elf
File opened for reading | /proc/703/cmdline | ba149587eed6ccdeaa6a76d2b6ac00b005987ae43d408efbb3ca90ce64356fdb.elf
File opened for reading | /proc/704/cmdline | ba149587eed6ccdeaa6a76d2b6ac00b005987ae43d408efbb3ca90ce64356fdb.elf
File opened for reading | /proc/710/cmdline | ba149587eed6ccdeaa6a76d2b6ac00b005987ae43d408efbb3ca90ce64356fdb.elf
File opened for reading | /proc/self/exe    | ba149587eed6ccdeaa6a76d2b6ac00b005987ae43d408efbb3ca90ce64356fdb.elf
File opened for reading | /proc/629/cmdline | ba149587eed6ccdeaa6a76d2b6ac00b005987ae43d408efbb3ca90ce64356fdb.elf
File opened for reading | /proc/646/cmdline | ba149587eed6ccdeaa6a76d2b6ac00b005987ae43d408efbb3ca90ce64356fdb.elf
File opened for reading | /proc/698/cmdline | ba149587eed6ccdeaa6a76d2b6ac00b005987ae43d408efbb3ca90ce64356fdb.elf