e3e136d2adf979b6a10acdc6f897a1531ed36aa25a8b31b55d6f17638e1b515a

Analysis

max time kernel
147s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
21-11-2024 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

anarchy.arm.elf
Size

54KB
MD5

7630793c748482bc6ece5a6ab21a27e5
SHA1

99dfad27c3fda13775e1620051e15d7e1a80e99d
SHA256

e3e136d2adf979b6a10acdc6f897a1531ed36aa25a8b31b55d6f17638e1b515a
SHA512

d99991973830f95a9b809e7ac33342348540858b3ffac32f4cd0cb481c6645fecd589a0287899fdac26ee34e6997bbaa88d6cc4af8b8e81af402b631f3099963
SSDEEP

1536:myOl/Ry4OOcUV89GXChSDvAXIaHNIPtv3:myAPQ9GX1DFatC3

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

Processes:

anarchy.arm.elf

description	ioc	Process
File opened for modification	/dev/watchdog	anarchy.arm.elf
File opened for modification	/dev/misc/watchdog	anarchy.arm.elf

Enumerates running processes
Discovers information about currently running processes on the system

Changes its process name 1 IoCs

Processes:

anarchy.arm.elf

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	i03a1ch4cgei2k2f10hf	658	anarchy.arm.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

anarchy.arm.elf

description	ioc	Process
File opened for reading	/proc/812/cmdline	anarchy.arm.elf
File opened for reading	/proc/886/cmdline	anarchy.arm.elf
File opened for reading	/proc/1210/cmdline	anarchy.arm.elf
File opened for reading	/proc/1085/cmdline	anarchy.arm.elf
File opened for reading	/proc/1628/cmdline	anarchy.arm.elf
File opened for reading	/proc/1653/cmdline	anarchy.arm.elf
File opened for reading	/proc/754/cmdline	anarchy.arm.elf
File opened for reading	/proc/862/cmdline	anarchy.arm.elf
File opened for reading	/proc/993/cmdline	anarchy.arm.elf
File opened for reading	/proc/1319/cmdline	anarchy.arm.elf
File opened for reading	/proc/1736/cmdline	anarchy.arm.elf
File opened for reading	/proc/651/cmdline	anarchy.arm.elf
File opened for reading	/proc/1174/cmdline	anarchy.arm.elf
File opened for reading	/proc/1334/cmdline	anarchy.arm.elf
File opened for reading	/proc/688/cmdline	anarchy.arm.elf
File opened for reading	/proc/1412/cmdline	anarchy.arm.elf
File opened for reading	/proc/1428/cmdline	anarchy.arm.elf
File opened for reading	/proc/1516/cmdline	anarchy.arm.elf
File opened for reading	/proc/1522/cmdline	anarchy.arm.elf
File opened for reading	/proc/644/cmdline	anarchy.arm.elf
File opened for reading	/proc/672/cmdline	anarchy.arm.elf
File opened for reading	/proc/1103/cmdline	anarchy.arm.elf
File opened for reading	/proc/1067/cmdline	anarchy.arm.elf
File opened for reading	/proc/1195/cmdline	anarchy.arm.elf
File opened for reading	/proc/1284/cmdline	anarchy.arm.elf
File opened for reading	/proc/885/cmdline	anarchy.arm.elf
File opened for reading	/proc/1464/cmdline	anarchy.arm.elf
File opened for reading	/proc/1651/cmdline	anarchy.arm.elf
File opened for reading	/proc/974/cmdline	anarchy.arm.elf
File opened for reading	/proc/1250/cmdline	anarchy.arm.elf
File opened for reading	/proc/1543/cmdline	anarchy.arm.elf
File opened for reading	/proc/1669/cmdline	anarchy.arm.elf
File opened for reading	/proc/1670/cmdline	anarchy.arm.elf
File opened for reading	/proc/1225/cmdline	anarchy.arm.elf
File opened for reading	/proc/1504/cmdline	anarchy.arm.elf
File opened for reading	/proc/655/cmdline	anarchy.arm.elf
File opened for reading	/proc/1031/cmdline	anarchy.arm.elf
File opened for reading	/proc/1158/cmdline	anarchy.arm.elf
File opened for reading	/proc/1394/cmdline	anarchy.arm.elf
File opened for reading	/proc/1443/cmdline	anarchy.arm.elf
File opened for reading	/proc/1086/cmdline	anarchy.arm.elf
File opened for reading	/proc/1650/cmdline	anarchy.arm.elf
File opened for reading	/proc/810/cmdline	anarchy.arm.elf
File opened for reading	/proc/1008/cmdline	anarchy.arm.elf
File opened for reading	/proc/1155/cmdline	anarchy.arm.elf
File opened for reading	/proc/1340/cmdline	anarchy.arm.elf
File opened for reading	/proc/758/cmdline	anarchy.arm.elf
File opened for reading	/proc/813/cmdline	anarchy.arm.elf
File opened for reading	/proc/848/cmdline	anarchy.arm.elf
File opened for reading	/proc/1102/cmdline	anarchy.arm.elf
File opened for reading	/proc/1702/cmdline	anarchy.arm.elf
File opened for reading	/proc/663/cmdline	anarchy.arm.elf
File opened for reading	/proc/1230/cmdline	anarchy.arm.elf
File opened for reading	/proc/1721/cmdline	anarchy.arm.elf
File opened for reading	/proc/1371/cmdline	anarchy.arm.elf
File opened for reading	/proc/1403/cmdline	anarchy.arm.elf
File opened for reading	/proc/608/cmdline	anarchy.arm.elf
File opened for reading	/proc/863/cmdline	anarchy.arm.elf
File opened for reading	/proc/868/cmdline	anarchy.arm.elf
File opened for reading	/proc/903/cmdline	anarchy.arm.elf
File opened for reading	/proc/1321/cmdline	anarchy.arm.elf
File opened for reading	/proc/740/cmdline	anarchy.arm.elf
File opened for reading	/proc/1375/cmdline	anarchy.arm.elf
File opened for reading	/proc/994/cmdline	anarchy.arm.elf

/tmp/anarchy.arm.elf
/tmp/anarchy.arm.elf
1⤵
- Modifies Watchdog functionality
- Changes its process name
- Reads runtime system information
PID:658
- /bin/sh
  sh -c "echo \"/tmp/anarchy.arm.elf &\" >> /etc/rc.local"
  2⤵
  PID:663

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads