Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
67s -
max time network
158s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
11/12/2024, 03:26
Behavioral task
behavioral1
Sample
c551c9b232e01e120cea46d2276f3f92d5cfd492596eebf73fc6db9be119f27b.elf
Resource
debian9-armhf-20240611-en
General
-
Target
c551c9b232e01e120cea46d2276f3f92d5cfd492596eebf73fc6db9be119f27b.elf
-
Size
185KB
-
MD5
0803a1adcda8496063056fff664b52c5
-
SHA1
9360e5aaf48c5ca30d19758ed84fb080720a0825
-
SHA256
c551c9b232e01e120cea46d2276f3f92d5cfd492596eebf73fc6db9be119f27b
-
SHA512
200cc962430df1ae704dd0199ea426a9ea6fb36e16283194c07f1a75e4f778e74a92a8469a5166a80d082c10f4f2c523acb99c265e86e8823b1ec71164aeb7bd
-
SSDEEP
3072:aCwnsURFvwaN2q2PxGREb4cywoNKcayU9HlSgu4+wbZno:aC0tmbPkSb4cnoNKuU9HlPu/wRo
Malware Config
Signatures
-
Contacts a large (118125) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 650 sh 663 chmod -
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description ioc Process File opened for modification /dev/watchdog c551c9b232e01e120cea46d2276f3f92d5cfd492596eebf73fc6db9be119f27b.elf File opened for modification /dev/misc/watchdog c551c9b232e01e120cea46d2276f3f92d5cfd492596eebf73fc6db9be119f27b.elf -
Changes its process name 1 IoCs
description ioc pid Process Changes the process name, possibly in an attempt to hide itself /bin/busybox 649 c551c9b232e01e120cea46d2276f3f92d5cfd492596eebf73fc6db9be119f27b.elf -
description ioc Process File opened for reading /proc/filesystems mkdir File opened for reading /proc/filesystems mv File opened for reading /proc/self/maps c551c9b232e01e120cea46d2276f3f92d5cfd492596eebf73fc6db9be119f27b.elf -
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/bin/busybox sh
Processes
-
/tmp/c551c9b232e01e120cea46d2276f3f92d5cfd492596eebf73fc6db9be119f27b.elf/tmp/c551c9b232e01e120cea46d2276f3f92d5cfd492596eebf73fc6db9be119f27b.elf1⤵
- Modifies Watchdog functionality
- Changes its process name
- Reads runtime system information
PID:649 -
/bin/shsh -c "rm -rf bin/busybox && mkdir bin; >bin/busybox && mv /tmp/c551c9b232e01e120cea46d2276f3f92d5cfd492596eebf73fc6db9be119f27b.elf bin/busybox; chmod 777 bin/busybox"2⤵
- File and Directory Permissions Modification
- Writes file to tmp directory
PID:650 -
/bin/rmrm -rf bin/busybox3⤵PID:651
-
-
/bin/mkdirmkdir bin3⤵
- Reads runtime system information
PID:657
-
-
/bin/mvmv /tmp/c551c9b232e01e120cea46d2276f3f92d5cfd492596eebf73fc6db9be119f27b.elf bin/busybox3⤵
- Reads runtime system information
PID:659
-
-
/bin/chmodchmod 777 bin/busybox3⤵
- File and Directory Permissions Modification
PID:663
-
-