8e460ed622c72b5cdca4f7b0435aa1124cfb2ce31bb2960482377c2e17113d3b

Analysis

max time kernel
148s
max time network
152s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
26-12-2024 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

652-1-0x00008000-0x00025990-memory.dmp
Size

76KB
MD5

0417e943c7c4b715a9542d487ff2a8a6
SHA1

68651f10c97bec0bf0a6959f3d0b7e127de43a62
SHA256

8e460ed622c72b5cdca4f7b0435aa1124cfb2ce31bb2960482377c2e17113d3b
SHA512

2847601346ab07b891acc0a5137ea16361e6b2fc493e9c3592756573ab9342325d03ca4ab63922542e3ec7f7dd29aded595c95129891512698a4e8ad8cb1e5b5
SSDEEP

1536:FB/VU93ilj19ZBpCO72Rbu1U+qhxp8f8vN97:FB/VBBpCO72RDRZN97

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	652-1-0x00008000-0x00025990-memory.dmp
File opened for modification	/dev/misc/watchdog	652-1-0x00008000-0x00025990-memory.dmp

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	652-1-0x00008000-0x00025990-memory.dmp
File opened for modification	/bin/watchdog	652-1-0x00008000-0x00025990-memory.dmp

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/295/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/318/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/345/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/2/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/17/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/24/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/13/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/629/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/3/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/12/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/281/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/137/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/429/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/674/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/41/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/672/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/18/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/21/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/98/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/667/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/1/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/7/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/10/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/673/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/26/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/489/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/660/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/8/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/11/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/106/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/671/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/678/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/4/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/6/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/20/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/315/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/441/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/16/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/23/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/149/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/77/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/167/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/220/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/294/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/666/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/9/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/28/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/29/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/293/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/326/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/14/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/15/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/145/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/280/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/291/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/25/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/43/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/109/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/150/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/669/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/5/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/42/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/108/status	652-1-0x00008000-0x00025990-memory.dmp
File opened for reading	/proc/222/status	652-1-0x00008000-0x00025990-memory.dmp

/tmp/652-1-0x00008000-0x00025990-memory.dmp
/tmp/652-1-0x00008000-0x00025990-memory.dmp
1⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
PID:674

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads