219f9b6973c92dfe86b1018344b2113fd79d138509204dda6a5b5839de4b2de6 | Triage

Analysis

max time kernel
149s
max time network
169s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
23-11-2024 18:27

Sharing

Report Analysis Logs

General

Target

cve_2024_6387/arm6
Size

5.0MB
MD5

f01b45a5bea298b837db3af8c5bad744
SHA1

79ae24874af457cfd95b5c34f95ecf5ab6ececb5
SHA256

77adc73b97c25352eee23fdf52b8b663d606a56a494a2ab1498ba20e7c770327
SHA512

4e13687c78344ffcc17d88a49d00c05bb96cf3e1d2c2bc4026cd3fab2dfcd7ce93cab06241f804ffd5e3ce0407f474738a1a47dde1960e5157bfb1dc2ef2b7c0
SSDEEP

24576:uMNirxGnmSHuvTEkaxEa8C8L9NNtr3Fr4DEO2W37yWRO2FkNeuV7pbifUXHB7tEF:DbXZshQYTIQRXGxBdZMoA7en2Gd

Score

7^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

description	ioc	Process
File opened for modification	/dev/watchdog	arm6
File opened for modification	/dev/misc/watchdog	arm6

Creates/modifies environment variables 1 TTPs 3 IoCs

Creating/modifying environment variables is a common persistence mechanism.

persistence privilege_escalation defense_evasion

Path Interception by PATH Environment Variable

description	ioc	Process
File opened for modification	/etc/profile.d/bash.cfg	arm6
File opened for modification	/etc/profile.d/bash.cfg.sh	arm6
File opened for modification	/etc/profile.d/gateway.sh	arm6

Modifies init.d 2 TTPs 18 IoCs

Adds/modifies system service, likely for persistence.

Boot or Logon Autostart Execution

RC Scripts

description	ioc	Process
File opened for modification	/etc/init.d/console-setup.sh	arm6
File opened for modification	/etc/init.d/dbus	arm6
File opened for modification	/etc/init.d/hwclock.sh	arm6
File opened for modification	/etc/init.d/ssh	arm6
File opened for modification	/etc/init.d/x11-common	arm6
File opened for modification	/etc/init.d/selinux-autorelabel	arm6
File opened for modification	/etc/init.d/udev	arm6
File opened for modification	/etc/init.d/auditd	arm6
File opened for modification	/etc/init.d/cron	arm6
File opened for modification	/etc/init.d/exim4	arm6
File opened for modification	/etc/init.d/keyboard-setup.sh	arm6
File opened for modification	/etc/init.d/procps	arm6
File opened for modification	/etc/init.d/rsyslog	arm6
File opened for modification	/etc/init.d/networking	arm6
File opened for modification	/etc/init.d/alsa-utils	arm6
File opened for modification	/etc/init.d/kmod	arm6
File opened for modification	/etc/init.d/sudo	arm6
File opened for modification	/etc/init.d/dns-udp4	arm6

Modifies Bash startup script 2 TTPs 3 IoCs

Boot or Logon Autostart Execution

Unix Shell Configuration Modification

description	ioc	Process
File opened for modification	/etc/profile.d/bash.cfg	arm6
File opened for modification	/etc/profile.d/bash.cfg.sh	arm6
File opened for modification	/etc/profile.d/gateway.sh	arm6

Enumerates kernel/hardware configuration 1 TTPs 7 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

description	ioc	Process
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	arm6
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	arm6
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 22 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/filesystems	mount
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/cmdline	systemctl

/tmp/cve_2024_6387/arm6
/tmp/cve_2024_6387/arm6
1⤵
- Enumerates kernel/hardware configuration
PID:739
- /tmp/cve_2024_6387/arm6
  /tmp/cve_2024_6387/arm6 " "
  2⤵
  - Modifies Watchdog functionality
  - Creates/modifies environment variables
  - Modifies init.d
  - Modifies Bash startup script
  - Enumerates kernel/hardware configuration
  PID:745
- - /usr/sbin/update-rc.d
    update-rc.d dns-udp4 defaults
    3⤵
    PID:760
  - - /usr/local/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:761
  - - /usr/local/bin/systemctl
      systemctl daemon-reload
      4⤵
      PID:761
  - - /usr/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:761
  - - /usr/bin/systemctl
      systemctl daemon-reload
      4⤵
      PID:761
  - - /sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:761
  - - /bin/systemctl
      systemctl daemon-reload
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:761
- - /bin/mount
    mount -o bind /tmp/ /proc/745
    3⤵
    - Reads runtime system information
    PID:762
- - /usr/sbin/service
    service cron start
    3⤵
    PID:763
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:764
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:765
  - - /bin/systemctl
      systemctl --quiet is-active multi-user.target
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:766
  - - /bin/sed
      sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
      4⤵
      Reads runtime system information
      PID:769
  - - /bin/systemctl
      systemctl list-unit-files --full "--type=socket"
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:768
- - /usr/local/sbin/systemctl
    systemctl "--job-mode=ignore-dependencies" start cron.service
    3⤵
    PID:763
- - /usr/local/bin/systemctl
    systemctl "--job-mode=ignore-dependencies" start cron.service
    3⤵
    PID:763
- - /usr/sbin/systemctl
    systemctl "--job-mode=ignore-dependencies" start cron.service
    3⤵
    PID:763
- - /usr/bin/systemctl
    systemctl "--job-mode=ignore-dependencies" start cron.service
    3⤵
    PID:763
- - /sbin/systemctl
    systemctl "--job-mode=ignore-dependencies" start cron.service
    3⤵
    PID:763
- - /bin/systemctl
    systemctl "--job-mode=ignore-dependencies" start cron.service
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:763
- - /bin/systemctl
    systemctl start crond.service
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:770

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Boot or Logon Initialization Scripts

RC Scripts

Event Triggered Execution

Unix Shell Configuration Modification

Hijack Execution Flow

Path Interception by PATH Environment Variable

Privilege Escalation

Boot or Logon Autostart Execution

Boot or Logon Initialization Scripts

RC Scripts

Event Triggered Execution

Unix Shell Configuration Modification

Hijack Execution Flow

Path Interception by PATH Environment Variable

Defense Evasion

Hijack Execution Flow

Path Interception by PATH Environment Variable

Impair Defenses

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/.mod

Filesize
27B

MD5
f449ef47c4f79ab4ecfe3d11022333d5

SHA1
61ebb524cee5a049cc96bf2cbf339a47dcb1b622

SHA256
503dffa20530956c5f61187e00935f20fe508c35dbb1fcf665b5d28d07d3d704

SHA512
a7015de8bd582dbf7ce6df708a58a725e1b1cd472c6616fbb89a9738c533c042ac39c071ca0cf2fc5df8e56f33bf8a28b1ebd3076570f5028cff773af89031f6

Download Submit
/boot/system.pub

Filesize
5.0MB

MD5
f01b45a5bea298b837db3af8c5bad744

SHA1
79ae24874af457cfd95b5c34f95ecf5ab6ececb5

SHA256
77adc73b97c25352eee23fdf52b8b663d606a56a494a2ab1498ba20e7c770327

SHA512
4e13687c78344ffcc17d88a49d00c05bb96cf3e1d2c2bc4026cd3fab2dfcd7ce93cab06241f804ffd5e3ce0407f474738a1a47dde1960e5157bfb1dc2ef2b7c0

Download Submit
/etc/.cfg

Filesize
57B

MD5
25bfc97b9241077f7ee65c9d5831c0ae

SHA1
4d1e84cfe6f0619642400cbcc77ee008d452f622

SHA256
7e18da2137e9453fd98ed61aa79420a173383b2f7a5fe6538b70fbb560f9b3f6

SHA512
e3686c1fe664e67fc503275c6c0fa831ee43c1b081d8f826a616314505e3f952f98a8697911d1799e3f8c1957cd3a1bb5f888766877e5081b32942a6f2d8bff3

Download Submit
/etc/.cfg

Filesize
106B

MD5
8b5fa5c6720f34211590be9e4381211e

SHA1
6747f1c9405fe23a3a003d5a2ba89872c62fb180

SHA256
dda4036fbf9ad979af96e972eafba2a713f3f2dd1773c865b8d22e25d56c6bd2

SHA512
cc4b7b6bf732a7706a79ec097ff7b30cfcf4866b0a991c8c2bee68216ee1af3b10c3cec4772a636b973afcf4c6f1ce23adf20b431ba38167fce309382237d2d3

Download Submit
/etc/init.d/dns-udp4

Filesize
159B

MD5
79f1a0bf1a838c817142e43a5818733a

SHA1
768ed04a737dbdc969165092694e0e977321ca19

SHA256
a3f7d4499b03a14ff2de76122b6a61c221151f59daa6a63a78ae5a805c95a482

SHA512
b6d6f76f3e5b768a6670e05276724b70609259c856ba90ad34f8a782ac40134b9cf5cdabebb4aa55f076a786cedf8491adda9835f9d4aee90bd1820a45b2fbce

Download Submit
/etc/profile.d/gateway.sh

Filesize
693B

MD5
79a8ef6b2da04d008dbd93ee18d05ff3

SHA1
d3b763e602ee85b241c4fa3d9b16b5cd6a5bffd8

SHA256
457d0ee9cde306ab80fbab0b04bd2b157f95b10da753072b3aaca16f3e1fad0d

SHA512
10ce11b27d8ad50440c658700814cfff42feed586e8312157ed1685441440398a0255c1cd467f2dfdc446033c70a3bcedfe7495b534cd41cdf495d59587bcfc6

Download Submit