b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812

Analysis

max time kernel
2s
max time network
7s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
14/01/2025, 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
Size

86KB
MD5

7d0558a4ebbf32f197cefeab3c84937b
SHA1

ffacce0570fa9acb2960b82147ee280065972584
SHA256

b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812
SHA512

858cf48b606e71c13fde72c6f2e4b8d25844d4585ae0f409a6f003c0d13c73984f3b1fad6d144ff473ee9b8947d9f4feb265f292c0ab53fd64f17fc0ae41a04d
SSDEEP

1536:idYcSX1j4q2as9LQjIlaVlkhNYnFPzY2uBteVMwvLvRl61d6KIjW+:idjSXt4qls9xYnF7Y2uUqwR41IjW

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for modification	/dev/misc/watchdog	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/658/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/664/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/29/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/96/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/105/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/265/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/616/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/659/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/3/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/8/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/13/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/266/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/6/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/14/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/20/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/508/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/270/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/1/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/9/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/19/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/75/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/142/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/204/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/4/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/11/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/15/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/18/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/2/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/269/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/660/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/17/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/140/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/309/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/465/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/656/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/16/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/22/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/27/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/454/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/7/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/26/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/5/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/43/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/108/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/10/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/654/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/42/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/168/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/28/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/653/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/662/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/665/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/283/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/353/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/12/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/24/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/25/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/41/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/647/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/21/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/136/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/301/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/509/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
File opened for reading	/proc/23/cmdline	b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf

/tmp/b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
/tmp/b0312721b78f79108078c8dbc25cecb9ed618e3ab833908d189b4c590e39d812.elf
1⤵
- Modifies Watchdog functionality
- Reads runtime system information
PID:661

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...