36b766ba4c98660905ef7e3e6d22a07576c48017e0df39102ae28148ac2a7fdd

Analysis

max time kernel
146s
max time network
149s
platform
debian-12_armhf
resource
debian12-armhf-20240729-en
resource tags

arch:armhfimage:debian12-armhf-20240729-enkernel:6.1.0-17-armmp-lpaelocale:en-usos:debian-12-armhfsystem
submitted
03-01-2025 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
Size

168KB
MD5

f7c7141d081cddf63d71eb722d0ef2ca
SHA1

78b8bf89c41558dc3bc3778cc553604b99b4e958
SHA256

e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce
SHA512

ab8c683d8f1eca439593a697705879612b6d8c03f06a97f49b90db4e2a5be6d292d519407f2180c9429f1cdf476857921c36c4e8fdb7fb7733b7ee25a7583ceb
SSDEEP

3072:UqwG+C1QTlrI1fXUjtaBkZzOQEPox/la4OosRMDjjWOagM/9QegU9:UqwGKrwfkpaBkZzOQEQx/Q4AqjjWOhMV

Score

7^/10

defense_evasion discovery execution persistence privilege_escalation

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
706	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for modification	/dev/misc/watchdog	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf

Modifies systemd 2 TTPs 1 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

persistence privilege_escalation

XDG Autostart Entries

T1547.013

Systemd Service

T1543.002

description	ioc	Process
File opened for modification	/etc/systemd/system/startup_command.service	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	8t1mkfb46rvm5kjtice3b34n	706	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf

Command and Scripting Interpreter: Unix Shell 1 TTPs 2 IoCs

Execute scripts via Unix Shell.

execution

Unix Shell

T1059.004

pid	Process
712	sh
782	sh

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/111c�/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/1111b2/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/6666�8/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/22/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/111c�/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/3333�4/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/44/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/88/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/1111#;/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/3333�5/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/222m�/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/333�/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/3333)5/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/33334;/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/6666�7/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/7777/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/33/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/222l�/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/444d�/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/555/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/777k�/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/1111�/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/333395/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/7777 ;/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/111u\|/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/555s�/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/55/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/222�/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/333/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/444/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/222c�/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/333�/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/6666�:/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/1111";/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/3333�4/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/6666�:/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/111t/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/66666;/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/2222�3/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/2222O4/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/77778;/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/3333�4/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/3333Z5/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/6666�8/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/66/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/77/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/111~/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/3333fffffff/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/6666�7/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/66665;/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/77772;/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/222/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/222v�/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/333s�/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/1111e0/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/2222$;/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/11/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/99ssr/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/222�/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/77779;/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/111/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
File opened for reading	/proc/333s�/cmdline	e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf

/tmp/e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
/tmp/e3e0e99c4d08f0af5becc66530373e636ddcf01cf9c37bfe3e79a45caf902bce.elf
1⤵
- Deletes itself
- Modifies Watchdog functionality
- Modifies systemd
- Changes its process name
- Reads runtime system information
PID:706
- /bin/sh
  /bin/sh -c "systemctl daemon-reload"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:712
- - /usr/bin/systemctl
    systemctl daemon-reload
    3⤵
    - Reads runtime system information
    PID:716
- /bin/sh
  /bin/sh -c "systemctl enable startup_command.service"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:782
- - /usr/bin/systemctl
    systemctl enable startup_command.service
    3⤵
    - Reads runtime system information
    PID:786

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Unix Shell

T1059.004

Persistence

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Create or Modify System Process

T1543

Systemd Service

T1543.002

Privilege Escalation

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Create or Modify System Process

T1543

Systemd Service

T1543.002

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/systemd/system/startup_command.service

Filesize
361B

MD5
4d2c868f454b6c55731485cf0f886dc0

SHA1
032b125de0a28dcee8d8d25fbeeb56db7f403f04

SHA256
8c4ae1b82477698f3a8c273b439cb9079794afb8fc33cd4def854936ba37ea2c

SHA512
060b2413a0cb2dec0db059c190467b5cb0d76209effea4ae3de2701fa71429b811a6f7e11e813b26806cf72578d1f32b608a02a4ce670ec58b5b65433e3cf11d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads