56f9f81acb4735ab3a4e0652ded76b3d4fffc1382fad16b9a89d86f2b018fef4

Analysis

max time kernel
131s
max time network
157s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
01/01/2025, 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

arm5.elf
Size

77KB
MD5

4b09887a801d61eabb31032837d0ddd4
SHA1

61adff60110349551db664dd786c0d7d9fb5b14a
SHA256

56f9f81acb4735ab3a4e0652ded76b3d4fffc1382fad16b9a89d86f2b018fef4
SHA512

210a18ad7bea9e0c1f5fcb4c83fa18fb9d9a36cb0c7615976e827ee3c89cf4dec9147336c0f017fe7c0546b34f5b7053dd9df058d5ce77432451caa471d691cc
SSDEEP

1536:hjeYkWygyvrPuXxf/e0/rWsJgNy2bs4xn3WmWcb:hjeAHVrCsJg02bsaGmTb

Score

7^/10

defense_evasion evasion

Malware Config

Signatures

Deletes Audit logs 1 TTPs 1 IoCs

Deletes logs related to the Linux Audit framework.

evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/audit/audit.log	arm5.elf

Deletes itself 1 IoCs

pid	Process
651	arm5.elf

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/syslog	arm5.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	arm5.elf
File opened for modification	/dev/misc/watchdog	arm5.elf

Deletes log files 1 TTPs 3 IoCs

Deletes log files on the system.

defense_evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/wtmp	arm5.elf
File deleted	/var/log/daemon.log	arm5.elf
File deleted	/var/log/auth.log	arm5.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	k28t8rrlsv0fas0v	651	arm5.elf

/tmp/arm5.elf
/tmp/arm5.elf
1⤵
- Deletes Audit logs
- Deletes itself
- Deletes system logs
- Modifies Watchdog functionality
- Deletes log files
- Changes its process name
PID:651

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Linux or Mac System Logs

T1070.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads