Analysis
-
max time kernel
152s -
max time network
159s -
platform
debian-12_mipsel -
resource
debian12-mipsel-20240221-en -
resource tags
arch:mipselimage:debian12-mipsel-20240221-enkernel:6.1.0-17-4kc-maltalocale:en-usos:debian-12-mipselsystem -
submitted
12-11-2024 02:47
Behavioral task
behavioral1
Sample
a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elf
Resource
debian12-mipsel-20240221-en
General
-
Target
a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elf
-
Size
82KB
-
MD5
61081d459e84451c3eb0c9a4d6556475
-
SHA1
a623136e67f090224fd316a11e098279d1bbe6cf
-
SHA256
a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b
-
SHA512
05c31bef1cfaf7a79500a7fc465aedacb8bc83f754f94b6f52b7eeffdba667fdc5633471f3854f88cecd48ba2f40b69cb6a191470f359193fb1dd4b5459a9d96
-
SSDEEP
1536:gNKax4EP01b/fH5QGkdzhzsDAleP7a7ZGh+VXt:gKax4EPi/fH5rkI7C5
Malware Config
Signatures
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
Processes:
a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elfdescription ioc Process File opened for modification /dev/watchdog a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elf File opened for modification /dev/misc/watchdog a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elf -
Reads process memory 1 TTPs 22 IoCs
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
Processes:
a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elfdescription ioc Process File opened for reading /proc/655/maps a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elf File opened for reading /proc/690/maps a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elf File opened for reading /proc/704/maps a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elf File opened for reading /proc/732/maps a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elf File opened for reading /proc/756/maps a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elf File opened for reading /proc/412/maps a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elf File opened for reading /proc/692/maps a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elf File opened for reading /proc/744/maps a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elf File opened for reading /proc/414/maps a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elf File opened for reading /proc/688/maps a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elf File opened for reading /proc/714/maps a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elf File opened for reading /proc/717/maps a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elf File opened for reading /proc/721/maps a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elf File opened for reading /proc/775/maps a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elf File opened for reading /proc/776/maps a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elf File opened for reading /proc/430/maps a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elf File opened for reading /proc/642/maps a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elf File opened for reading /proc/711/maps a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elf File opened for reading /proc/733/maps a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elf File opened for reading /proc/746/maps a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elf File opened for reading /proc/750/maps a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elf File opened for reading /proc/774/maps a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elf -
Changes its process name 1 IoCs
Processes:
a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elfdescription ioc pid Process Changes the process name, possibly in an attempt to hide itself a 741 a82110cbe11fd10f36d9d33a95596715d0a91a203eaf37d7e971df060dc73f4b.elf