39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8

General

Target

39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
Size

45KB
MD5

1ca380662c9ca375f453b797dca7c230
SHA1

724b9fc6060d239c8be3a67734222a158099e1ef
SHA256

39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8
SHA512

73ca7923b6657d98134954c9db8d3e73b1cb9c41a54583914a1733e41fb495d46dde7b131fb6aa51324429793fffe68b2024523da283c841ff7749eebd2f3c43
SSDEEP

768:maMd0PgGLhqtP3GOTVTbO/CX53fudNfGHiaWB8bcBq62xhHwsAM:mac/GUPpqNfkSYcBqnxhHn/

Score

7^/10

credential_access defense_evasion discovery

Malware Config

Signatures

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

Processes:

39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf

description	ioc	process
File opened for modification	/dev/watchdog	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for modification	/dev/misc/watchdog	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf

Enumerates running processes
Discovers information about currently running processes on the system

Reads process memory 1 TTPs 50 IoCs

Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

credential_access

Proc Filesystem

T1003.007

Processes:

39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf

description	ioc	process
File opened for reading	/proc/636/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/867/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/408/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/427/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/592/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/616/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/733/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/759/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/991/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/410/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/452/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/514/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/633/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/664/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/706/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/414/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/556/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/593/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/715/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/983/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/612/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/632/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/956/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/990/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/413/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/587/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/588/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/585/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/648/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/679/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/690/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/714/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/406/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/417/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/558/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/842/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/863/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/971/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/699/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/723/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/729/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/758/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/832/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/512/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/608/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/658/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/840/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/634/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/635/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/962/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf

Changes its process name 1 IoCs

Processes:

39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	a	1549	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf

Reads runtime system information 63 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf

description	ioc	process
File opened for reading	/proc/1058/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1085/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1178/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1259/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1408/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1531/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1174/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1204/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1229/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1233/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1271/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1554/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1558/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1113/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1146/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1241/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1305/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1200/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1318/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1041/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1049/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1080/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1137/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1180/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1122/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1190/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1375/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1432/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1546/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1551/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1069/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1148/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1203/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1162/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1163/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1169/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1173/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1074/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1102/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1116/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1449/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1087/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1198/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1371/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1436/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1184/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1267/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1268/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1343/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1547/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1036/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1099/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1238/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1374/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1553/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1053/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1189/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1016/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1161/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1172/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1166/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1179/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
File opened for reading	/proc/1260/maps	39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf

/tmp/39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
/tmp/39964833437fed0f7d35c2972c72700f5893efa77ffcfa77306c96b7f4954ff8.elf
1⤵
- Modifies Watchdog functionality
- Reads process memory
- Changes its process name
- Reads runtime system information
PID:1549

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

OS Credential Dumping

1

T1003

Proc Filesystem

1

T1003.007

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads