d3c2fb9ba2b21aeb8605d6997e8a0520723294e49df3718e3affa10b744879bb

Analysis

max time kernel
61s
max time network
62s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
12-11-2024 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

meerkat.arm
Size

85KB
MD5

6692e37013bfe2b7ef6264cb7f4cdc2c
SHA1

bd0c76d971d900dec846904a75a254bd2a651abd
SHA256

d3c2fb9ba2b21aeb8605d6997e8a0520723294e49df3718e3affa10b744879bb
SHA512

7793f1768ce3fc26597a74281f0655bd9f5dbf0a4ff3312e747759fb8eab8e9525b97398bc7201ff6090643d68592023792b0c21c26bcd1d3a1b70786083a053
SSDEEP

1536:x1O0ykyDy+AHLrP+zjdbYnLsQT7Lp2V259ATz4WbLuOWXcqU1lLH8hP6juJ5QB2G:xI0zyDy+A18WX74FchCjuiIuH

Score

9^/10

defense_evasion discovery

Malware Config

Signatures

Contacts a large (9591) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

Processes:

meerkat.arm

description	ioc	Process
File opened for modification	/dev/watchdog	meerkat.arm
File opened for modification	/dev/misc/watchdog	meerkat.arm

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Reads runtime system information 22 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

meerkat.arm

description	ioc	Process
File opened for reading	/proc/594/smaps	meerkat.arm
File opened for reading	/proc/638/smaps	meerkat.arm
File opened for reading	/proc/644/smaps	meerkat.arm
File opened for reading	/proc/655/smaps	meerkat.arm
File opened for reading	/proc/709/smaps	meerkat.arm
File opened for reading	/proc/732/smaps	meerkat.arm
File opened for reading	/proc/757/smaps	meerkat.arm
File opened for reading	/proc/579/smaps	meerkat.arm
File opened for reading	/proc/643/smaps	meerkat.arm
File opened for reading	/proc/645/smaps	meerkat.arm
File opened for reading	/proc/650/smaps	meerkat.arm
File opened for reading	/proc/762/smaps	meerkat.arm
File opened for reading	/proc/600/smaps	meerkat.arm
File opened for reading	/proc/601/smaps	meerkat.arm
File opened for reading	/proc/661/smaps	meerkat.arm
File opened for reading	/proc/713/smaps	meerkat.arm
File opened for reading	/proc/731/smaps	meerkat.arm
File opened for reading	/proc/755/smaps	meerkat.arm
File opened for reading	/proc/766/smaps	meerkat.arm
File opened for reading	/proc/597/smaps	meerkat.arm
File opened for reading	/proc/648/smaps	meerkat.arm
File opened for reading	/proc/764/smaps	meerkat.arm

/tmp/meerkat.arm
/tmp/meerkat.arm
1⤵
- Modifies Watchdog functionality
- Reads runtime system information
PID:646

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads