898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787

Analysis

max time kernel
0s
max time network
58s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240611-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
14/01/2025, 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
Size

73KB
MD5

a2451f6bd0eb6b177d5f40d71e0e4059
SHA1

fc3baa30b559b41ce64fef7eda787f37bb43077e
SHA256

898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787
SHA512

8ed3383b471ccad5c5919e2c4aac64573d12decee13b6d25a643c4e2b48701952a462647247d657fa22a941eeff6b4b97695ddd77c00445df27dd75ee45d07cb
SSDEEP

1536:6SYXBbpKbF+5AQZKOtRDXVFxKbgMj+B3bEKoui0QOo/Y0TB3:SbobF+5QOth3AbgMj+xbyuPXopt3

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for modification	/dev/misc/watchdog	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/222/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/693/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/1145/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/1202/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/10/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/81/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/645/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/1046/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/1409/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/1469/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/2/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/17/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/21/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/209/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/223/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/307/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/843/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/1302/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/76/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/983/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/1479/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/1590/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/79/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/80/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/83/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/160/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/214/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/971/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/1192/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/91/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/425/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/7/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/24/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/75/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/956/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/1114/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/25/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/600/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/756/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/781/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/12/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/92/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/410/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/590/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/1035/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/1588/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/11/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/525/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/836/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/97/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/109/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/118/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/841/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/1160/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/1182/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/1197/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/409/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/635/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/1143/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/406/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/412/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/1056/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/1184/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
File opened for reading	/proc/19/cmdline	898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf

/tmp/898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
/tmp/898aabc9633231e530c8a5ce539c80b11535aacbc9f28740cf42016eee0fc787.elf
1⤵
- Modifies Watchdog functionality
- Reads runtime system information
PID:1587

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...