4f78767c86f0714dfcb39d6b90af663277ed6fb60f3fcd8415d84c5e659cd915

General

Target

la.bot.arm6.elf
Size

82KB
MD5

18e3b6c44321a244852ec122d7e9a3ff
SHA1

06c253e3d29b2e4053c674031c90997f8a70bd85
SHA256

4f78767c86f0714dfcb39d6b90af663277ed6fb60f3fcd8415d84c5e659cd915
SHA512

95d55033ea1a8dd2e93654060780978bb1336685802dc807a3151f4632160969f3eb485d903ada39814e2e605877bc26c968ccfe584ddf967cadd8e4c71c4403
SSDEEP

1536:R7nF1w3yMDwuotJIFcZt8HPDxiT9LLSmIdZS7yb/rV3X4M+izLT9kGAwknCnzsTa:71w37DpotmFcgDxiT9vSmIfaG/hLT9k6

Score

9^/10

credential_access defense_evasion discovery

Malware Config

Signatures

Contacts a large (28348) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
defense_evasion

Impair Defenses
T1562

Processes:

la.bot.arm6.elf

description ioc process

File opened for modification /dev/watchdog la.bot.arm6.elf
File opened for modification /dev/misc/watchdog la.bot.arm6.elf
Renames itself 1 IoCs

Processes:

la.bot.arm6.elf

pid process

701 la.bot.arm6.elf
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
discovery

System Network Connections Discovery
T1049

Processes:

la.bot.arm6.elf

description ioc process

File opened for reading /proc/net/tcp la.bot.arm6.elf

description	ioc	process
File opened for modification	/dev/watchdog	la.bot.arm6.elf
File opened for modification	/dev/misc/watchdog	la.bot.arm6.elf

pid	process
701	la.bot.arm6.elf

description	ioc	process
File opened for reading	/proc/net/tcp	la.bot.arm6.elf

Reads process memory 1 TTPs 13 IoCs

Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

credential_access

Proc Filesystem

T1003.007

Processes:

la.bot.arm6.elf

description	ioc	process
File opened for reading	/proc/33/maps	la.bot.arm6.elf
File opened for reading	/proc/77/maps	la.bot.arm6.elf
File opened for reading	/proc/88/maps	la.bot.arm6.elf
File opened for reading	/proc/444/maps	la.bot.arm6.elf
File opened for reading	/proc/111/maps	la.bot.arm6.elf
File opened for reading	/proc/222/maps	la.bot.arm6.elf
File opened for reading	/proc/333/maps	la.bot.arm6.elf
File opened for reading	/proc/11/maps	la.bot.arm6.elf
File opened for reading	/proc/22/maps	la.bot.arm6.elf
File opened for reading	/proc/44/maps	la.bot.arm6.elf
File opened for reading	/proc/55/maps	la.bot.arm6.elf
File opened for reading	/proc/66/maps	la.bot.arm6.elf
File opened for reading	/proc/555/maps	la.bot.arm6.elf

Changes its process name 1 IoCs

Processes:

la.bot.arm6.elf

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	uchttpd	701	la.bot.arm6.elf

Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
discovery

Internet Connection Discovery
T1016.001

Processes:

la.bot.arm6.elf

description ioc process

File opened for reading /proc/net/tcp la.bot.arm6.elf

description	ioc	process
File opened for reading	/proc/net/tcp	la.bot.arm6.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

la.bot.arm6.elf

description	ioc	process
File opened for reading	/proc/1111a;/maps	la.bot.arm6.elf
File opened for reading	/proc/2222Q4/maps	la.bot.arm6.elf
File opened for reading	/proc/6666v;/maps	la.bot.arm6.elf
File opened for reading	/proc/444/fd	la.bot.arm6.elf
File opened for reading	/proc/3333fffffff/fd	la.bot.arm6.elf
File opened for reading	/proc/7777�J/fd	la.bot.arm6.elf
File opened for reading	/proc/2222�2/maps	la.bot.arm6.elf
File opened for reading	/proc/6666�7/maps	la.bot.arm6.elf
File opened for reading	/proc/6666�8/maps	la.bot.arm6.elf
File opened for reading	/proc/6666u;/maps	la.bot.arm6.elf
File opened for reading	/proc/3333K5/fd	la.bot.arm6.elf
File opened for reading	/proc/222�/maps	la.bot.arm6.elf
File opened for reading	/proc/777k�/maps	la.bot.arm6.elf
File opened for reading	/proc/3333fffffff/maps	la.bot.arm6.elf
File opened for reading	/proc/6666Y;/maps	la.bot.arm6.elf
File opened for reading	/proc/222y/fd	la.bot.arm6.elf
File opened for reading	/proc/444d�/maps	la.bot.arm6.elf
File opened for reading	/proc/3333&5/maps	la.bot.arm6.elf
File opened for reading	/proc/99ssc/fd	la.bot.arm6.elf
File opened for reading	/proc/2222Q4/fd	la.bot.arm6.elf
File opened for reading	/proc/3333�4/fd	la.bot.arm6.elf
File opened for reading	/proc/3333r;/fd	la.bot.arm6.elf
File opened for reading	/proc/7777�;/fd	la.bot.arm6.elf
File opened for reading	/proc/555/fd	la.bot.arm6.elf
File opened for reading	/proc/333�/maps	la.bot.arm6.elf
File opened for reading	/proc/111cw/fd	la.bot.arm6.elf
File opened for reading	/proc/222l/fd	la.bot.arm6.elf
File opened for reading	/proc/1111b;/fd	la.bot.arm6.elf
File opened for reading	/proc/6666s;/maps	la.bot.arm6.elf
File opened for reading	/proc/222�/fd	la.bot.arm6.elf
File opened for reading	/proc/777k�/fd	la.bot.arm6.elf
File opened for reading	/proc/7777;/fd	la.bot.arm6.elf
File opened for reading	/proc/7777�;/fd	la.bot.arm6.elf
File opened for reading	/proc/1111S0/maps	la.bot.arm6.elf
File opened for reading	/proc/444d�/fd	la.bot.arm6.elf
File opened for reading	/proc/6666;/fd	la.bot.arm6.elf
File opened for reading	/proc/222y/maps	la.bot.arm6.elf
File opened for reading	/proc/11/fd	la.bot.arm6.elf
File opened for reading	/proc/222m�/fd	la.bot.arm6.elf
File opened for reading	/proc/2222�3/fd	la.bot.arm6.elf
File opened for reading	/proc/33335/fd	la.bot.arm6.elf
File opened for reading	/proc/3333&5/fd	la.bot.arm6.elf
File opened for reading	/proc/111cu/maps	la.bot.arm6.elf
File opened for reading	/proc/222v�/maps	la.bot.arm6.elf
File opened for reading	/proc/333s�/maps	la.bot.arm6.elf
File opened for reading	/proc/1111b;/maps	la.bot.arm6.elf
File opened for reading	/proc/2222�3/maps	la.bot.arm6.elf
File opened for reading	/proc/3333�4/maps	la.bot.arm6.elf
File opened for reading	/proc/3333t5/maps	la.bot.arm6.elf
File opened for reading	/proc/6666�7/fd	la.bot.arm6.elf
File opened for reading	/proc/7777�J/fd	la.bot.arm6.elf
File opened for reading	/proc/99ssc/maps	la.bot.arm6.elf
File opened for reading	/proc/3333t5/fd	la.bot.arm6.elf
File opened for reading	/proc/7777/fd	la.bot.arm6.elf
File opened for reading	/proc/111e/maps	la.bot.arm6.elf
File opened for reading	/proc/3333�4/fd	la.bot.arm6.elf
File opened for reading	/proc/33/fd	la.bot.arm6.elf
File opened for reading	/proc/333�/fd	la.bot.arm6.elf
File opened for reading	/proc/111o/maps	la.bot.arm6.elf
File opened for reading	/proc/7777w;/maps	la.bot.arm6.elf
File opened for reading	/proc/111/fd	la.bot.arm6.elf
File opened for reading	/proc/6666�8/maps	la.bot.arm6.elf
File opened for reading	/proc/6666t;/fd	la.bot.arm6.elf
File opened for reading	/proc/111um/maps	la.bot.arm6.elf

/tmp/la.bot.arm6.elf
/tmp/la.bot.arm6.elf
1⤵
- Modifies Watchdog functionality
- Renames itself
- Enumerates active TCP sockets
- Reads process memory
- Changes its process name
- Reads system network configuration
- Reads runtime system information
PID:701