Analysis
  max time kernel: 149s
  max time network: 147s
  platform: debian-9_mips
  resource: debian9-mipsbe-20240729-en
  resource tags: arch:mips, image:debian9-mipsbe-20240729-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
  submitted: 12-11-2024 03:04
Behavioral task: behavioral1
  Sample: df4e26700e94c19cde573a8971787f0f4eb28fa315c4f59eb60d3587dda00af5.elf
  Resource: debian9-mipsbe-20240729-en
General
  Target: df4e26700e94c19cde573a8971787f0f4eb28fa315c4f59eb60d3587dda00af5.elf
  Size: 78KB
  MD5: 3a93a22ca7af128a7068b81f971d56d8
  SHA1: 8a73f9740e7fa24edbe597c9f0b0c8e9adf577e6
  SHA256: df4e26700e94c19cde573a8971787f0f4eb28fa315c4f59eb60d3587dda00af5
  SHA512: ae2a79f7d518db1f88a7e7e8964c0de3667866cfbe70906dd628ac055adea1c9069a2d42b1005b98cd057565d405b3df5dc43c61eac3e93a33797900e7ee9ffc
  SSDEEP: 1536:N0Y9JXX1nJvpxyHJtOJHn8VQ9hWOUEXvVWf6a/x72rpnYBu:mGJtJvbyDOJ1UEfYf66KdYBu
Malware Config
Signatures

Modifies Watchdog functionality (1 TTPs, 2 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  Processes: df4e26700e94c19cde573a8971787f0f4eb28fa315c4f59eb60d3587dda00af5.elf
    description | ioc | Process
    File opened for modification | /dev/watchdog | df4e26700e94c19cde573a8971787f0f4eb28fa315c4f59eb60d3587dda00af5.elf
    File opened for modification | /dev/misc/watchdog | df4e26700e94c19cde573a8971787f0f4eb28fa315c4f59eb60d3587dda00af5.elf
Reads process memory (1 TTPs, 16 IoCs)
  Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
  Processes: df4e26700e94c19cde573a8971787f0f4eb28fa315c4f59eb60d3587dda00af5.elf
    description | ioc | Process
    File opened for reading | /proc/673/maps | df4e26700e94c19cde573a8971787f0f4eb28fa315c4f59eb60d3587dda00af5.elf
    File opened for reading | /proc/693/maps | df4e26700e94c19cde573a8971787f0f4eb28fa315c4f59eb60d3587dda00af5.elf
    File opened for reading | /proc/713/maps | df4e26700e94c19cde573a8971787f0f4eb28fa315c4f59eb60d3587dda00af5.elf
    File opened for reading | /proc/678/maps | df4e26700e94c19cde573a8971787f0f4eb28fa315c4f59eb60d3587dda00af5.elf
    File opened for reading | /proc/679/maps | df4e26700e94c19cde573a8971787f0f4eb28fa315c4f59eb60d3587dda00af5.elf
    File opened for reading | /proc/706/maps | df4e26700e94c19cde573a8971787f0f4eb28fa315c4f59eb60d3587dda00af5.elf
    File opened for reading | /proc/711/maps | df4e26700e94c19cde573a8971787f0f4eb28fa315c4f59eb60d3587dda00af5.elf
    File opened for reading | /proc/716/maps | df4e26700e94c19cde573a8971787f0f4eb28fa315c4f59eb60d3587dda00af5.elf
    File opened for reading | /proc/777/maps | df4e26700e94c19cde573a8971787f0f4eb28fa315c4f59eb60d3587dda00af5.elf
    File opened for reading | /proc/778/maps | df4e26700e94c19cde573a8971787f0f4eb28fa315c4f59eb60d3587dda00af5.elf
    File opened for reading | /proc/434/maps | df4e26700e94c19cde573a8971787f0f4eb28fa315c4f59eb60d3587dda00af5.elf
    File opened for reading | /proc/675/maps | df4e26700e94c19cde573a8971787f0f4eb28fa315c4f59eb60d3587dda00af5.elf
    File opened for reading | /proc/712/maps | df4e26700e94c19cde573a8971787f0f4eb28fa315c4f59eb60d3587dda00af5.elf
    File opened for reading | /proc/719/maps | df4e26700e94c19cde573a8971787f0f4eb28fa315c4f59eb60d3587dda00af5.elf
    File opened for reading | /proc/725/maps | df4e26700e94c19cde573a8971787f0f4eb28fa315c4f59eb60d3587dda00af5.elf
    File opened for reading | /proc/776/maps | df4e26700e94c19cde573a8971787f0f4eb28fa315c4f59eb60d3587dda00af5.elf
Changes its process name (1 IoCs)
  Processes: df4e26700e94c19cde573a8971787f0f4eb28fa315c4f59eb60d3587dda00af5.elf
    description | ioc | pid | Process
    Changes the process name, possibly in an attempt to hide itself | a | 714 | df4e26700e94c19cde573a8971787f0f4eb28fa315c4f59eb60d3587dda00af5.elf