6f062123d1fa8fb843406f71d2bf782017dad159aea3e23fc98543923c0c2bad

Analysis

max time kernel
131s
max time network
155s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
11/12/2024, 08:57 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jwwofba5.elf
Size

154KB
MD5

f54eef0f2a2b3d1b95d027e2f9fc075b
SHA1

9808f95f07348a1e62b9986ed35ff332f60010b6
SHA256

6f062123d1fa8fb843406f71d2bf782017dad159aea3e23fc98543923c0c2bad
SHA512

d382986c74a44bd247f3c51d45a1fee5d13746500662e5dbca6d30cd113f89deb1c391b4855e233b645c1690a8d10b09acde0e4b63580b1c8c695be8bdaffa8e
SSDEEP

3072:xNKs58C55mYNMRN04VhF6s9RjQnHA86VFTs:nKs58LBX04Vj6sPjQng863Ts

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
659	jwwofba5.elf

Enumerates running processes
Discovers information about currently running processes on the system

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	httpd	658	jwwofba5.elf

Reads runtime system information 55 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/296/cmdline	jwwofba5.elf
File opened for reading	/proc/298/cmdline	jwwofba5.elf
File opened for reading	/proc/29/cmdline	jwwofba5.elf
File opened for reading	/proc/43/cmdline	jwwofba5.elf
File opened for reading	/proc/212/cmdline	jwwofba5.elf
File opened for reading	/proc/266/cmdline	jwwofba5.elf
File opened for reading	/proc/8/cmdline	jwwofba5.elf
File opened for reading	/proc/10/cmdline	jwwofba5.elf
File opened for reading	/proc/25/cmdline	jwwofba5.elf
File opened for reading	/proc/26/cmdline	jwwofba5.elf
File opened for reading	/proc/21/cmdline	jwwofba5.elf
File opened for reading	/proc/135/cmdline	jwwofba5.elf
File opened for reading	/proc/279/cmdline	jwwofba5.elf
File opened for reading	/proc/5/cmdline	jwwofba5.elf
File opened for reading	/proc/11/cmdline	jwwofba5.elf
File opened for reading	/proc/28/cmdline	jwwofba5.elf
File opened for reading	/proc/110/cmdline	jwwofba5.elf
File opened for reading	/proc/141/cmdline	jwwofba5.elf
File opened for reading	/proc/100/cmdline	jwwofba5.elf
File opened for reading	/proc/307/cmdline	jwwofba5.elf
File opened for reading	/proc/265/cmdline	jwwofba5.elf
File opened for reading	/proc/280/cmdline	jwwofba5.elf
File opened for reading	/proc/411/cmdline	jwwofba5.elf
File opened for reading	/proc/12/cmdline	jwwofba5.elf
File opened for reading	/proc/17/cmdline	jwwofba5.elf
File opened for reading	/proc/19/cmdline	jwwofba5.elf
File opened for reading	/proc/42/cmdline	jwwofba5.elf
File opened for reading	/proc/108/cmdline	jwwofba5.elf
File opened for reading	/proc/6/cmdline	jwwofba5.elf
File opened for reading	/proc/18/cmdline	jwwofba5.elf
File opened for reading	/proc/111/cmdline	jwwofba5.elf
File opened for reading	/proc/149/cmdline	jwwofba5.elf
File opened for reading	/proc/451/cmdline	jwwofba5.elf
File opened for reading	/proc/13/cmdline	jwwofba5.elf
File opened for reading	/proc/20/cmdline	jwwofba5.elf
File opened for reading	/proc/24/cmdline	jwwofba5.elf
File opened for reading	/proc/41/cmdline	jwwofba5.elf
File opened for reading	/proc/7/cmdline	jwwofba5.elf
File opened for reading	/proc/78/cmdline	jwwofba5.elf
File opened for reading	/proc/263/cmdline	jwwofba5.elf
File opened for reading	/proc/264/cmdline	jwwofba5.elf
File opened for reading	/proc/323/cmdline	jwwofba5.elf
File opened for reading	/proc/406/cmdline	jwwofba5.elf
File opened for reading	/proc/155/cmdline	jwwofba5.elf
File opened for reading	/proc/15/cmdline	jwwofba5.elf
File opened for reading	/proc/169/cmdline	jwwofba5.elf
File opened for reading	/proc/2/cmdline	jwwofba5.elf
File opened for reading	/proc/4/cmdline	jwwofba5.elf
File opened for reading	/proc/9/cmdline	jwwofba5.elf
File opened for reading	/proc/22/cmdline	jwwofba5.elf
File opened for reading	/proc/23/cmdline	jwwofba5.elf
File opened for reading	/proc/3/cmdline	jwwofba5.elf
File opened for reading	/proc/14/cmdline	jwwofba5.elf
File opened for reading	/proc/16/cmdline	jwwofba5.elf
File opened for reading	/proc/27/cmdline	jwwofba5.elf

/tmp/jwwofba5.elf
/tmp/jwwofba5.elf
1⤵
- Deletes itself
- Changes its process name
- Reads runtime system information
PID:658

Network

DNS

raw.cardiacpure.ru

Remote address:

8.8.8.8:53

Request

raw.cardiacpure.ru

IN A

Response

raw.cardiacpure.ru

IN A

178.215.238.4
DNS

Remote address:

8.8.8.8:53

Response
DNS

Remote address:

8.8.8.8:53

Response
DNS

Remote address:

8.8.8.8:53

Response
DNS

Remote address:

8.8.8.8:53

Response
DNS

Remote address:

8.8.8.8:53

Response
DNS

Remote address:

8.8.8.8:53

Response
DNS

Remote address:

8.8.8.8:53

Response
DNS

Remote address:

8.8.8.8:53

Response
DNS

Remote address:

8.8.8.8:53

Response
DNS

Remote address:

8.8.8.8:53

Response
DNS

Remote address:

8.8.8.8:53

Response
DNS

Remote address:

8.8.8.8:53

Response
DNS

Remote address:

8.8.8.8:53

Response
DNS

Remote address:

8.8.8.8:53

Response
DNS

Remote address:

8.8.8.8:53

Response

89.190.156.145:7733

420 B
7
178.215.238.4:33966

raw.cardiacpure.ru

589 B
580 B
11
11
178.215.238.4:33966

raw.cardiacpure.ru

377 B
320 B
7
6

8.8.8.8:53

raw.cardiacpure.ru

dns

64 B
80 B
1
1

DNS Request

raw.cardiacpure.ru

DNS Response

178.215.238.4
8.8.8.8:53

dns

65 B
40 B
1
1
8.8.8.8:53

dns

65 B
40 B
1
1
8.8.8.8:53

dns

65 B
40 B
1
1
8.8.8.8:53

dns

65 B
40 B
1
1
8.8.8.8:53

dns

65 B
40 B
1
1
8.8.8.8:53

dns

64 B
40 B
1
1
8.8.8.8:53

dns

64 B
40 B
1
1
8.8.8.8:53

dns

64 B
40 B
1
1
8.8.8.8:53

dns

64 B
40 B
1
1
8.8.8.8:53

dns

64 B
40 B
1
1
8.8.8.8:53

dns

65 B
40 B
1
1
8.8.8.8:53

dns

65 B
40 B
1
1
8.8.8.8:53

dns

65 B
40 B
1
1
8.8.8.8:53

dns

65 B
40 B
1
1
8.8.8.8:53

dns

65 B
40 B
1
1

Windows 7 deprecation

DNS Request

DNS Response

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.