Analysis
-
max time kernel
149s -
max time network
150s -
platform
debian-9_armhf -
resource
debian9-armhf-20240418-en -
resource tags
arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
13-12-2024 09:28
Behavioral task
behavioral1
Sample
byte.arm.elf
Resource
debian9-armhf-20240418-en
debian-9-armhf
3 signatures
150 seconds
General
-
Target
byte.arm.elf
-
Size
95KB
-
MD5
fe363139daa12950984a8648357bc40c
-
SHA1
918ca2cfa82a85a7efc5e18a2621c988a3432632
-
SHA256
1f0c30f8bd1a58d40375d4f35df1373dde52f04d26151d0ee6da9f71a8e5b8fa
-
SHA512
b84a0983294352a8d2d018ae168d4300930b659e124c0fcd464fbb45d2ea3e45038f27754dc04d503669a7b2e7383d6b3d839b20db8e0c9afd2b920f01659166
-
SSDEEP
1536:YWw2Gf7XL1OyEr0dQys019mjmgeKpQiYF9+4WYZrvJl61d6dI:3w207XLW01wSgeKEzrJ4eI
Score
7/10
Malware Config
Signatures
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description ioc Process File opened for modification /dev/watchdog byte.arm.elf File opened for modification /dev/misc/watchdog byte.arm.elf -
Enumerates running processes
Discovers information about currently running processes on the system
-
description ioc Process File opened for reading /proc/746/net/tcp byte.arm.elf File opened for reading /proc/762/net/tcp byte.arm.elf File opened for reading /proc/767/net/tcp byte.arm.elf File opened for reading /proc/701/cmdline byte.arm.elf File opened for reading /proc/726/net/tcp byte.arm.elf File opened for reading /proc/766/cmdline byte.arm.elf File opened for reading /proc/271/net/tcp byte.arm.elf File opened for reading /proc/12/cmdline byte.arm.elf File opened for reading /proc/650/cmdline byte.arm.elf File opened for reading /proc/700/cmdline byte.arm.elf File opened for reading /proc/772/cmdline byte.arm.elf File opened for reading /proc/1/net/tcp byte.arm.elf File opened for reading /proc/599/cmdline byte.arm.elf File opened for reading /proc/671/cmdline byte.arm.elf File opened for reading /proc/699/net/tcp byte.arm.elf File opened for reading /proc/687/cmdline byte.arm.elf File opened for reading /proc/644/cmdline byte.arm.elf File opened for reading /proc/646/cmdline byte.arm.elf File opened for reading /proc/679/cmdline byte.arm.elf File opened for reading /proc/683/cmdline byte.arm.elf File opened for reading /proc/685/cmdline byte.arm.elf File opened for reading /proc/706/cmdline byte.arm.elf File opened for reading /proc/714/net/tcp byte.arm.elf File opened for reading /proc/732/net/tcp byte.arm.elf File opened for reading /proc/756/net/tcp byte.arm.elf File opened for reading /proc/640/net/tcp byte.arm.elf File opened for reading /proc/27/cmdline byte.arm.elf File opened for reading /proc/137/cmdline byte.arm.elf File opened for reading /proc/704/cmdline byte.arm.elf File opened for reading /proc/672/net/tcp byte.arm.elf File opened for reading /proc/724/cmdline byte.arm.elf File opened for reading /proc/729/net/tcp byte.arm.elf File opened for reading /proc/644/exe byte.arm.elf File opened for reading /proc/299/net/tcp byte.arm.elf File opened for reading /proc/25/cmdline byte.arm.elf File opened for reading /proc/737/cmdline byte.arm.elf File opened for reading /proc/759/cmdline byte.arm.elf File opened for reading /proc/208/net/tcp byte.arm.elf File opened for reading /proc/259/net/tcp byte.arm.elf File opened for reading /proc/4/cmdline byte.arm.elf File opened for reading /proc/740/cmdline byte.arm.elf File opened for reading /proc/686/cmdline byte.arm.elf File opened for reading /proc/698/net/tcp byte.arm.elf File opened for reading /proc/752/net/tcp byte.arm.elf File opened for reading /proc/665/net/tcp byte.arm.elf File opened for reading /proc/710/net/tcp byte.arm.elf File opened for reading /proc/737/net/tcp byte.arm.elf File opened for reading /proc/752/cmdline byte.arm.elf File opened for reading /proc/690/cmdline byte.arm.elf File opened for reading /proc/725/cmdline byte.arm.elf File opened for reading /proc/754/net/tcp byte.arm.elf File opened for reading /proc/741/cmdline byte.arm.elf File opened for reading /proc/297/net/tcp byte.arm.elf File opened for reading /proc/663/net/tcp byte.arm.elf File opened for reading /proc/5/cmdline byte.arm.elf File opened for reading /proc/107/cmdline byte.arm.elf File opened for reading /proc/679/net/tcp byte.arm.elf File opened for reading /proc/725/net/tcp byte.arm.elf File opened for reading /proc/643/exe byte.arm.elf File opened for reading /proc/773/cmdline byte.arm.elf File opened for reading /proc/169/net/tcp byte.arm.elf File opened for reading /proc/665/cmdline byte.arm.elf File opened for reading /proc/688/net/tcp byte.arm.elf File opened for reading /proc/753/net/tcp byte.arm.elf