Analysis
- max time kernel: 118s
- max time network: 159s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf image:debian9-armhf-20240611-en kernel:4.9.0-13-armmp-lpae locale:en-us os:debian-9-armhf system
- submitted: 31-12-2024 02:41
Behavioral task
behavioral1
Sample
959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
Resource
debian9-armhf-20240611-en
General
- Target: 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
- Size: 128KB
- MD5: f89c58a614a3bf3ec16f7016d09d6111
- SHA1: b481be23aaf7e2606c98d336d17dd803cf853f0a
- SHA256: 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393
- SHA512: 3bb4067351b366a8e746dc269612ed83ddf47d376df77f741d9c01996a3643e4589d705214165cb6efcfcb75ebe4dab855bf83f9f458e66df58607732b474d02
- SSDEEP: 3072:BXv8ZkG9EqpIj6H6dXxf08hE+DOYS/SQvPyiiXNg:H5qpAwaXxfS+DOYS/SQvPyiiXNg
Malware Config
Signatures
- Contacts a large (23516) amount of remote hosts 1 TTPs
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows 1 TTPs
  This may indicate a network scan to discover remotely running services.
- Modifies Watchdog functionality 1 TTPs 2 IoCs
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  description | ioc | Process
  File opened for modification | /dev/watchdog | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for modification | /dev/misc/watchdog | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
- Reads system routing table 1 TTPs 1 IoCs
  Gets active network interfaces from the /proc virtual filesystem.
  description | ioc | Process
  File opened for reading | /proc/net/route | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
- Reads process memory 1 TTPs 12 IoCs
  Reads the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
  description | ioc | Process
  File opened for reading | /proc/573/maps | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/589/maps | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/633/maps | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/634/maps | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/643/maps | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/591/maps | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/593/maps | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/594/maps | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/627/maps | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/638/maps | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/639/maps | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/640/maps | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
- Changes its process name 1 IoCs
  description | ioc | pid | Process
  Changes the process name, possibly in an attempt to hide itself | sshd | 641 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
- Reads system network configuration 1 TTPs 1 IoCs
  Uses contents of the /proc filesystem to enumerate network settings.
  description | ioc | Process
  File opened for reading | /proc/net/route | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
- Reads runtime system information 64 IoCs
  description | ioc | Process
  File opened for reading | /proc/400 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/476 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/620 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/478 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/479 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/496 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/527 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/584 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/497 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/533 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/573 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/485 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/510 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/541 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/447 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/571 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/615 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/643/exe | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/413 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/445 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/450 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/508 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/595 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/610 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/607 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/436 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/526 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/573/exe | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/589 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/591 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/597 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/448 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/507 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/553 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/565 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/599 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/639 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/465 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/623 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/401 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/449 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/635 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/416 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/483 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/574 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/512 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/405 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/407 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/409 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/423 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/424 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/499 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/442 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/539 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/551 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/587 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/611 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/624 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/440 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/453 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/517 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/438 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/537 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  File opened for reading | /proc/544 | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
Processes
- /tmp/959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
  PID: 641
  - Modifies Watchdog functionality
  - Reads system routing table
  - Reads process memory
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information