33005fe295103efaf40b92c94f9987dcd389b2797edbb1ed95b8289e21ceeac8

Analysis

max time kernel
0s
max time network
54s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240522.1-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240522.1-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
27-12-2024 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
Size

72KB
MD5

fcbde632b2abe400f90c3a14931b2593
SHA1

fd08e8d67c20ccc27adb75ab982857a6a0d97c9c
SHA256

33005fe295103efaf40b92c94f9987dcd389b2797edbb1ed95b8289e21ceeac8
SHA512

e531772855a9264739dade1fc72c1f9e1f2c7f9737f0d41cc5dadfe661a366c54e93baf25815382b80aa82850bad3a898e33c4ebce9d1b28e1cee5194397a717
SSDEEP

1536:FSYXBbpKbF+5AQZKOtRDXVFx4bgMj+B3bEKoui0QOo/Y0TB3F:VbobF+5QOth3+bgMj+xbyuPXopt3F

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for modification	/dev/misc/watchdog	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1127/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/1434/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/1556/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/93/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/203/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/521/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/12/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/91/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/962/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/224/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/740/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/984/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/1039/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/1205/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/23/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/77/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/212/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/1106/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/16/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/411/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/1034/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/739/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/1054/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/2/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/5/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/377/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/722/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/1068/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/9/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/97/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/634/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/794/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/1085/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/1257/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/15/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/27/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/94/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/761/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/1166/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/1493/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/78/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/226/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/229/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/796/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/973/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/1014/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/1160/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/220/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/223/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/225/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/1389/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/13/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/90/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/214/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/845/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/956/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/1198/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/1/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/163/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/682/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/427/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/585/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/772/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
File opened for reading	/proc/1057/cmdline	1563-1-0x0000000008048000-0x000000000805db80-memory.dmp

/tmp/1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
/tmp/1563-1-0x0000000008048000-0x000000000805db80-memory.dmp
1⤵
- Modifies Watchdog functionality
- Reads runtime system information
PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads