Analysis
max time kernel: 16s
max time network: 18s
platform: debian-9_armhf
resource: debian9-armhf-20240418-en
resource tags: arch:armhf, image:debian9-armhf-20240418-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 08-01-2025 22:57

Behavioral task: behavioral1
Sample: army6.elf
Resource: debian9-armhf-20240418-en
Platform: debian-9-armhf
Signatures: 6
150 seconds
General
Target: army6.elf
Size: 259KB
MD5: f5766e54f5df87a84bb3cb507140f983
SHA1: 92809fb7294d6e15a4ed75af713c34209a78c289
SHA256: 2941cbc75ad488a27b993dbd439e21b0ee6335cc95872559f46c56aadf4c7bc5
SHA512: ad77af96f0ddca58db25e49d7e025c6cff7964742ca261c9096fe46957b97295a4d9303780c883dc704f4d1df11963de9a4f2f542ce96bc5972112b24f639900
SSDEEP: 6144:MargtN+467jhcaVogahXGAm20Q7tJPjNS:MJN165cayFIAm20ItJPjNS

Score: 7/10
Malware Config
Signatures

Modifies Watchdog functionality (1 TTP, 2 IoCs)
Malware like Mirai modifies the hardware watchdog so that it cannot reboot an infected system.
  description                   ioc                  process
  File opened for modification  /dev/watchdog        army6.elf
  File opened for modification  /dev/misc/watchdog   army6.elf

Reads system routing table (1 TTP, 1 IoC)
Reads the kernel routing table from the /proc virtual filesystem to determine the active network interfaces.
  description               ioc               process
  File opened for reading   /proc/net/route   army6.elf

Changes its process name (1 IoC)
Changes the process name, possibly in an attempt to hide itself.
  description                                                          ioc    pid   process
  Changes the process name, possibly in an attempt to hide itself      sshd   652   army6.elf

Reads system network configuration (1 TTP, 1 IoC)
Uses the contents of the /proc filesystem to enumerate network settings.
  description               ioc               process
  File opened for reading   /proc/net/route   army6.elf

Enumerates running processes
Discovers information about currently running processes on the system by reading /proc/<pid>/cmdline for each process.
  description               ioc                    process
  File opened for reading   /proc/<pid>/cmdline    army6.elf
  for the 64 PIDs: 3, 4, 5, 12, 14, 18, 19, 20, 21, 22, 24, 25, 26, 29, 102, 109, 135, 164, 216, 284, 300, 604, 606, 607, 638, 647, 656, 663, 669, 670, 671, 674, 679, 680, 682, 683, 685, 686, 687, 689, 695, 697, 700, 704, 705, 708, 710, 713, 718, 721, 729, 730, 736, 741, 742, 746, 748, 751, 752, 753, 759, 760, 762, 765
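The four behaviours above (watchdog tampering, /proc/net/route reads, /proc/<pid>/cmdline enumeration and the sshd process-name change) are the ones a triage script should pull out of a report like this. The following is an added example, not the sandbox's or the sample's own code: it parses IoC rows in the flattened "<action> <path> <process>" form shown above, buckets them under the report's signature names, and compares a process's visible name against its executable to catch a rename. The row format, the SAMPLE_ROWS text and the SAMPLE_PROCS table are constructed assumptions modelled on the report (the pid 652 entry mirrors the "sshd" finding), not sandbox output.

```python
"""Triage helper for flattened sandbox IoC rows.

Added example, not the sandbox's or the sample's own code. The row format,
SAMPLE_ROWS and SAMPLE_PROCS are constructed assumptions modelled on the
report above; the bucket names mirror the report's signature headings.
"""
import re

# Constructed sample rows in the report's flattened form (assumption).
SAMPLE_ROWS = """\
File opened for modification /dev/watchdog army6.elf
File opened for modification /dev/misc/watchdog army6.elf
File opened for reading /proc/net/route army6.elf
File opened for reading /proc/753/cmdline army6.elf
File opened for reading /proc/21/cmdline army6.elf
File opened for reading /proc/4/cmdline army6.elf
File opened for reading /etc/hosts army6.elf
"""

# Constructed process table: pid -> (comm as `ps` shows it, executable path).
# The pid 652 entry mirrors the report's "changes its process name to sshd".
SAMPLE_PROCS = {
    652: ("sshd", "/tmp/army6.elf"),
    1: ("systemd", "/lib/systemd/systemd"),
}

ROW_RE = re.compile(
    r"^(?P<action>File opened for (?:reading|modification))\s+"
    r"(?P<path>/\S+)\s+(?P<process>\S+)$"
)
WATCHDOG_PATHS = {"/dev/watchdog", "/dev/misc/watchdog"}
ROUTE_PATHS = {"/proc/net/route"}
CMDLINE_RE = re.compile(r"^/proc/(\d+)/cmdline$")


def parse_rows(text):
    """Return (action, path, process) tuples; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m["action"], m["path"], m["process"]))
    return rows


def classify(rows):
    """Bucket IoC paths under the report's signature names."""
    hits = {
        "Modifies Watchdog functionality": [],
        "Reads system routing table": [],
        "Enumerates running processes": [],
    }
    for action, path, _proc in rows:
        if path in WATCHDOG_PATHS and action.endswith("modification"):
            hits["Modifies Watchdog functionality"].append(path)
        elif path in ROUTE_PATHS:
            hits["Reads system routing table"].append(path)
        elif CMDLINE_RE.match(path):
            hits["Enumerates running processes"].append(path)
    return hits


def enumerated_pids(rows):
    """Sorted distinct PIDs whose /proc/<pid>/cmdline was read."""
    pids = set()
    for _action, path, _proc in rows:
        m = CMDLINE_RE.match(path)
        if m:
            pids.add(int(m.group(1)))
    return sorted(pids)


def renamed_processes(procs):
    """PIDs whose visible name (comm) differs from the executable's basename.
    comm holds at most 15 characters, so the basename is truncated to match."""
    return sorted(pid for pid, (comm, exe) in procs.items()
                  if comm != exe.rsplit("/", 1)[-1][:15])


def verdict(rows, procs, min_enumerated=3):
    """Reasons to flag the run: watchdog tampering is decisive on its own;
    routing-table read, broad /proc enumeration and a renamed process add up."""
    hits = classify(rows)
    reasons = []
    if hits["Modifies Watchdog functionality"]:
        reasons.append("watchdog tampering")
    if hits["Reads system routing table"]:
        reasons.append("routing table read")
    if len(enumerated_pids(rows)) >= min_enumerated:
        reasons.append("process enumeration")
    if renamed_processes(procs):
        reasons.append("process name mismatch")
    return reasons


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for name, paths in classify(rows).items():
        print(f"{name}: {len(paths)} IoCs")
    print("enumerated pids:", enumerated_pids(rows))
    print("renamed processes:", renamed_processes(SAMPLE_PROCS))
    print("verdict:", verdict(rows, SAMPLE_PROCS))
```

On a live host the same check runs against /proc/<pid>/comm and the target of /proc/<pid>/exe instead of the constructed table; the watchdog device opens are the cheapest single indicator, since a legitimate daemon that opens /dev/watchdog for writing is rare on a server image.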