Analysis
  max time kernel: 149s
  max time network: 5s
  platform: debian-9_armhf
  resource: debian9-armhf-20240418-en
  resource tags: arch:armhf, image:debian9-armhf-20240418-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  submitted: 09-11-2024 04:09
Behavioral task: behavioral1
  Sample: fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  Resource: debian9-armhf-20240418-en
General
  Target: fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  Size: 45KB
  MD5: f3a56db1706e690b850f58d055fb90ac
  SHA1: 54616d25ab81722602ff0bdee425d6578ad67957
  SHA256: fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c
  SHA512: 26a9522cd413fa9316fa1d910ea775dc61ff0de3262a89cca9928e424fdc49e09217ffde644e46a57dec252032da72ffd97e9f02781361a074d6bd02a4423f1a
  SSDEEP: 768:D/TYCoIxdEk+AxoTZAZHFeq8b3Lo9q3UELbUXfi6nVMQHI4vcGpvw:DECFd+A6YHAxVLRQZw
Malware Config
  Extracted:
    mirai
    LZRD
Signatures

Mirai family

Modifies Watchdog functionality (1 TTP, 2 IoCs)
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
Processes: fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  description                   ioc                  process
  File opened for modification  /dev/watchdog        fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for modification  /dev/misc/watchdog   fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf

Writes file to system bin folder (2 IoCs)
Processes: fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  description                   ioc                  process
  File opened for modification  /sbin/watchdog       fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for modification  /bin/watchdog        fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf

Enumerates running processes
Discovers information about currently running processes on the system
Processes: fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  description               ioc                  process
  File opened for reading   /proc/600/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/764/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/774/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/777/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/775/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/783/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/self/exe       fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/582/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/723/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/757/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/768/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/772/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/645/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/654/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/766/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/596/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/640/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/770/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/778/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/602/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/647/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/714/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/603/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/711/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/747/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/646/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/779/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/785/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/653/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/659/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/715/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/759/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf
  File opened for reading   /proc/781/cmdline    fc4933008b0b05d319c768deb7d3e21cc2a563285c57b4677a5b5fc740f29f1c.elf