a1e06c7ebe7252f79cbb57e8afd1ab4f1b91c62beb63f815756d088f1f1d3062

Analysis

max time kernel
149s
max time network
142s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
20/11/2024, 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

boatnet.arm7.elf
Size

39KB
MD5

c5ed1e22521999c3bcdeded13afa5823
SHA1

853cf2dc1cb441974d92265613de5b4e145dbd48
SHA256

a1e06c7ebe7252f79cbb57e8afd1ab4f1b91c62beb63f815756d088f1f1d3062
SHA512

1ad11ee0657b7562fcf81df2de336833e9222d4ced6b9896463df77854c055ecb55603da9ae55d3a3b24400da7cdeb7d6b8cd324eed9a93e1c24c8d545ec4aa0
SSDEEP

768:BEdtEa4fEKPxCKo3zjE6QPnde9r0J9q3UELxZhe5CiO6qxr0tMYu7y4DgBMEs:BEdGdGKofE6QvYh08L1e9O6iunBG

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	boatnet.arm7.elf
File opened for modification	/dev/misc/watchdog	boatnet.arm7.elf

Renames itself 1 IoCs

pid	Process
659	boatnet.arm7.elf

Unexpected DNS network traffic destination 25 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	137.220.55.93
Destination IP	81.169.136.222
Destination IP	51.158.108.203
Destination IP	168.235.111.72
Destination IP	51.254.162.59
Destination IP	51.254.162.59
Destination IP	139.84.165.176
Destination IP	51.158.108.203
Destination IP	65.21.1.106
Destination IP	95.216.99.249
Destination IP	65.21.1.106
Destination IP	65.21.1.106
Destination IP	5.161.109.23
Destination IP	178.254.22.166
Destination IP	65.21.1.106
Destination IP	5.161.109.23
Destination IP	217.160.70.42
Destination IP	139.84.165.176
Destination IP	217.160.70.42
Destination IP	64.176.6.48
Destination IP	178.254.22.166
Destination IP	139.84.165.176
Destination IP	64.176.6.48
Destination IP	139.84.165.176
Destination IP	194.36.144.87

Changes its process name 1 IoCs

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	659	boatnet.arm7.elf

Reads runtime system information 1 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/self/exe	boatnet.arm7.elf

/tmp/boatnet.arm7.elf
/tmp/boatnet.arm7.elf
1⤵
- Modifies Watchdog functionality
- Renames itself
- Changes its process name
- Reads runtime system information
PID:659

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads