Analysis
- max time kernel: 150s
- max time network: 151s
- platform: debian-9_mipsel
- resource: debian9-mipsel-20240729-en
- resource tags: arch:mipsel, image:debian9-mipsel-20240729-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
- submitted: 31-12-2024 02:59
Behavioral task: behavioral1
- Sample: d61b9d0ad1315a14e02a1f43215eea25d42f796a38c3b6b791a71a3333a247b7.elf
- Resource: debian9-mipsel-20240729-en
General
- Target: d61b9d0ad1315a14e02a1f43215eea25d42f796a38c3b6b791a71a3333a247b7.elf
- Size: 161KB
- MD5: 1b0406420db984c2cbb6ee3aad698637
- SHA1: a7ee0caf351694ddfbe3f7bc92210e4ee0b759df
- SHA256: d61b9d0ad1315a14e02a1f43215eea25d42f796a38c3b6b791a71a3333a247b7
- SHA512: 538d60ab70f0308bedd3daf9b05353179ba9543ba58c8fd9eca26c3f6e3ad99784f87f55b5e7be9387e8af4153fe1ff4d6117a03ac7a48bec26aa31d39a9e431
- SSDEEP: 1536:CQWeTCeoEVT/UCVlF3G9a2yydAZF7bZBFAKlP/Ua8xliPQsiDDTlm8WDEqO+rKNg:tedE2yqAzbrSl+iDDTljWDET+rKNg
Malware Config
Signatures
- Contacts a large (23357) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Modifies Watchdog functionality (1 TTPs, 2 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  Description | IoC | Process
  File opened for modification | /dev/watchdog | d61b9d0ad1315a14e02a1f43215eea25d42f796a38c3b6b791a71a3333a247b7.elf
  File opened for modification | /dev/misc/watchdog | d61b9d0ad1315a14e02a1f43215eea25d42f796a38c3b6b791a71a3333a247b7.elf
- Reads system routing table (1 TTPs, 1 IoCs)
  Gets active network interfaces from the /proc virtual filesystem.
  Description | IoC | Process
  File opened for reading | /proc/net/route | d61b9d0ad1315a14e02a1f43215eea25d42f796a38c3b6b791a71a3333a247b7.elf
- Reads process memory (1 TTPs, 1 IoCs)
  Reads the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
  Description | IoC | Process
  File opened for reading | /proc/445/maps | d61b9d0ad1315a14e02a1f43215eea25d42f796a38c3b6b791a71a3333a247b7.elf
- Changes its process name (1 IoCs)
  Description | IoC | PID | Process
  Changes the process name, possibly in an attempt to hide itself | sshd | 741 | d61b9d0ad1315a14e02a1f43215eea25d42f796a38c3b6b791a71a3333a247b7.elf
- Reads system network configuration (1 TTPs, 1 IoCs)
  Uses contents of the /proc filesystem to enumerate network settings.
  Description | IoC | Process
  File opened for reading | /proc/net/route | d61b9d0ad1315a14e02a1f43215eea25d42f796a38c3b6b791a71a3333a247b7.elf
Processes
- /tmp/d61b9d0ad1315a14e02a1f43215eea25d42f796a38c3b6b791a71a3333a247b7.elf
  - Modifies Watchdog functionality
  - Reads system routing table
  - Reads process memory
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID: 741