032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499

Analysis

max time kernel
150s
max time network
150s
platform
debian-9_mips
resource
debian9-mipsbe-20240729-en
resource tags

arch:mipsimage:debian9-mipsbe-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
02/01/2025, 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
Size

103KB
MD5

da68cb651d48d11bf83a598925a6ed52
SHA1

c262e4c03601cc039c4671c2da5f9339c5c8fd16
SHA256

032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499
SHA512

c4d83a2250f4244afe30f55be5e740c2b47f68adfc358ebd686e5a4e994e6b015c630511df90998153cfd94c89bacefd200fcb2c1bedf3616dc390a087a856c7
SSDEEP

1536:zO9Bm/RtCZiqr33Dc48uuwr7CFKygt6c9e8WDC1ieMbFXIg:yBm/zCZiyn448uuPRgt6c9e8YC1GFXP

Score

7^/10

defense_evasion discovery evasion persistence privilege_escalation

Malware Config

Signatures

Deletes Audit logs 1 TTPs 1 IoCs

Deletes logs related to the Linux Audit framework.

evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/audit/audit.log	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf

Deletes itself 1 IoCs

pid	Process
720	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf

Deletes system logs 1 TTPs 2 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/syslog	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File deleted	/var/log/messages	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for modification	/dev/misc/watchdog	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf

Deletes log files 1 TTPs 2 IoCs

Deletes log files on the system.

defense_evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/kern.log	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File deleted	/var/log/daemon.log	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf

Enumerates running processes
Discovers information about currently running processes on the system

Modifies systemd 2 TTPs 1 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

persistence privilege_escalation

XDG Autostart Entries

T1547.013

Systemd Service

T1543.002

description	ioc	Process
File opened for modification	/etc/systemd/system/startup_command.service	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	6wh07vs2qtr18iuikbpbf55p	720	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/766/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/855/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/856/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/21/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/737/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/738/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/779/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/813/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/19/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/70/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/75/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/82/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/777/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/834/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/5/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/852/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/881/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/174/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/735/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/825/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/7/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/739/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/756/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/815/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/816/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/826/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/854/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/849/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/397/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/755/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/769/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/807/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/809/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/847/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/864/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/865/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/10/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/69/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/694/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/794/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/822/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/832/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/843/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/812/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/2/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/244/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/340/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/375/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/715/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/747/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/758/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/77/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/718/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/811/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/824/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/839/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/876/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/22/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/158/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
File opened for reading	/proc/749/cmdline	032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf

/tmp/032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
/tmp/032cf8eb1b8ef8bbae9d5a68aca6221cc92f344fe1e81ba47d506d85dc9c1499.elf
1⤵
- Deletes Audit logs
- Deletes itself
- Deletes system logs
- Modifies Watchdog functionality
- Deletes log files
- Modifies systemd
- Changes its process name
- Reads runtime system information
PID:720
- /bin/sh
  sh -c "systemctl daemon-reload"
  2⤵
  PID:724
- - /bin/systemctl
    systemctl daemon-reload
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:734
- /bin/sh
  sh -c "systemctl enable startup_command.service"
  2⤵
  PID:746
- - /bin/systemctl
    systemctl enable startup_command.service
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Create or Modify System Process

T1543

Systemd Service

T1543.002

Privilege Escalation

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Create or Modify System Process

T1543

Systemd Service

T1543.002

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Linux or Mac System Logs

T1070.002

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/systemd/system/startup_command.service

Filesize
361B

MD5
4d2c868f454b6c55731485cf0f886dc0

SHA1
032b125de0a28dcee8d8d25fbeeb56db7f403f04

SHA256
8c4ae1b82477698f3a8c273b439cb9079794afb8fc33cd4def854936ba37ea2c

SHA512
060b2413a0cb2dec0db059c190467b5cb0d76209effea4ae3de2701fa71429b811a6f7e11e813b26806cf72578d1f32b608a02a4ce670ec58b5b65433e3cf11d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads