Overview

overview

10

Static

static

10

arm7.elf

debian-9-armhf

7

Analysis

  • max time kernel
    137s
  • max time network
    138s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240418-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    01/01/2025, 16:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    arm7.elf

  • Size

    168KB

  • MD5

    ef90af569e453a92b2c8eb37ac23a2af

  • SHA1

    8e943eaf470af530503694488208a551aa86f515

  • SHA256

    c834b13a679d369fbd24886bfd6232c895627ebb1c63e7c8642b568e1f7ffffe

  • SHA512

    bab4294612a0f5690ae465af1aefcbc8992ff0590d6a15068095b9e36dbfd731c3fbe1f0840185f185f5caea127d97f75077572f289b9d278f83576b38852d4a

  • SSDEEP

    3072:8qwG+C1QT6mXRfDUnhaRkZzOQEfcl/lawSosRMDh7WOagM/9regU9:8qwG1mBf4haRkZzOQE0l/Qw0qh7WOhMA

Score
7/10
defense_evasiondiscoveryexecutionpersistenceprivilege_escalation

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    defense_evasion
  • Modifies systemd 2 TTPs 1 IoCs

    Adds/ modifies systemd service files. Likely to achieve persistence.

    persistenceprivilege_escalation
  • Changes its process name 1 IoCs
  • Command and Scripting Interpreter: Unix Shell 1 TTPs 2 IoCs

    Execute scripts via Unix Shell.

    execution
  • Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

    discovery
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery

Processes

  • /tmp/arm7.elf
    /tmp/arm7.elf
    1⤵
    • Deletes itself
    • Modifies Watchdog functionality
    • Modifies systemd
    • Changes its process name
    • Reads runtime system information
    PID:638
    • /bin/sh
      /bin/sh -c "systemctl daemon-reload"
      2⤵
      • Command and Scripting Interpreter: Unix Shell
      PID:644
      • /bin/systemctl
        systemctl daemon-reload
        3⤵
        • Enumerates kernel/hardware configuration
        • Reads runtime system information
        PID:645
    • /bin/sh
      /bin/sh -c "systemctl enable startup_command.service"
      2⤵
      • Command and Scripting Interpreter: Unix Shell
      PID:651
      • /bin/systemctl
        systemctl enable startup_command.service
        3⤵
        • Enumerates kernel/hardware configuration
        • Reads runtime system information
        PID:655

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /etc/systemd/system/startup_command.service
    Filesize

    361B

    MD5

    4d2c868f454b6c55731485cf0f886dc0

    SHA1

    032b125de0a28dcee8d8d25fbeeb56db7f403f04

    SHA256

    8c4ae1b82477698f3a8c273b439cb9079794afb8fc33cd4def854936ba37ea2c

    SHA512

    060b2413a0cb2dec0db059c190467b5cb0d76209effea4ae3de2701fa71429b811a6f7e11e813b26806cf72578d1f32b608a02a4ce670ec58b5b65433e3cf11d

    Download Submit