Analysis
-
max time kernel
150s -
max time network
156s -
platform
debian-12_armhf -
resource
debian12-armhf-20240221-en -
resource tags
-
submitted
23-11-2024 07:27
General
-
Target
la.bot.arm7.elf
-
Size
95KB
-
MD5
7acb725a191be0d1ed3cc4ee6a9cc59e
-
SHA1
306c2583a3cd338c9dc2f6a24ae057af01b281a2
-
SHA256
b19a9320675c0ab1c0e988e11d78ec6e5b5f8d26c4e310c003554a9942619a82
-
SHA512
11dfdb33b4792be1aff52ba88d5551154b199db997a324ba9e2a3554cc02ce3e076309bb628f85b2c8cec75fa50e682ea17e406516d8ff71e8323ba815df3a1f
-
SSDEEP
1536:1XnGMkE8Irbjty4Rjo6t8fcuRPbl+rn1lkdxOEG3G49LMmw3nPXr2+lWyiatqMQt:0MkzIrbjtyKjo8uRPbls1lkGp3G49LMN
Malware Config
Signatures
-
Contacts a large (19484) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Renames itself 1 IoCs
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
-
Reads process memory 1 TTPs 12 IoCs
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
-
Changes its process name 1 IoCs
-
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
Processes
-
/tmp/la.bot.arm7.elf/tmp/la.bot.arm7.elf1⤵
- Modifies Watchdog functionality
- Renames itself
- Enumerates active TCP sockets
- Reads process memory
- Changes its process name
- Reads system network configuration
- Reads runtime system information