4e64cc3e81967c1b53542f1565097c315fb288621762aaf4b754f4a5ddd03678

Analysis

max time kernel
150s
max time network
152s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
17/01/2025, 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pecga.arm7.elf
Size

153KB
MD5

3c0bbcdb22865b5c0b86e9eb97015767
SHA1

b202e6a9c862234b2287b6df1664ca4769098630
SHA256

4e64cc3e81967c1b53542f1565097c315fb288621762aaf4b754f4a5ddd03678
SHA512

510b31de62ce9acd3112c2f683946f9ba06ea79192444a053289831512d567b547a1247dd6ba2dfdb4be0d624cf88c25a102168749b19fe97af1169006966b5f
SSDEEP

3072:xk12vV4vjOcwB7amn9l3L4BpLrAuS2CrrWWS4PRM/99nZ:xlvVWVO7amn9l3L8puPrWWnpM/99Z

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
649	pecga.arm7.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	pecga.arm7.elf
File opened for modification	/dev/misc/watchdog	pecga.arm7.elf

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	pecga.arm7.elf
File opened for modification	/bin/watchdog	pecga.arm7.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	crus7l7o0kn1kagn	649	pecga.arm7.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/644/cmdline	pecga.arm7.elf
File opened for reading	/proc/697/cmdline	pecga.arm7.elf
File opened for reading	/proc/708/cmdline	pecga.arm7.elf
File opened for reading	/proc/131/cmdline	pecga.arm7.elf
File opened for reading	/proc/139/cmdline	pecga.arm7.elf
File opened for reading	/proc/267/cmdline	pecga.arm7.elf
File opened for reading	/proc/720/cmdline	pecga.arm7.elf
File opened for reading	/proc/722/cmdline	pecga.arm7.elf
File opened for reading	/proc/734/cmdline	pecga.arm7.elf
File opened for reading	/proc/5/cmdline	pecga.arm7.elf
File opened for reading	/proc/105/cmdline	pecga.arm7.elf
File opened for reading	/proc/646/cmdline	pecga.arm7.elf
File opened for reading	/proc/687/cmdline	pecga.arm7.elf
File opened for reading	/proc/723/cmdline	pecga.arm7.elf
File opened for reading	/proc/16/cmdline	pecga.arm7.elf
File opened for reading	/proc/671/cmdline	pecga.arm7.elf
File opened for reading	/proc/660/cmdline	pecga.arm7.elf
File opened for reading	/proc/729/cmdline	pecga.arm7.elf
File opened for reading	/proc/13/cmdline	pecga.arm7.elf
File opened for reading	/proc/20/cmdline	pecga.arm7.elf
File opened for reading	/proc/741/cmdline	pecga.arm7.elf
File opened for reading	/proc/22/cmdline	pecga.arm7.elf
File opened for reading	/proc/686/cmdline	pecga.arm7.elf
File opened for reading	/proc/28/cmdline	pecga.arm7.elf
File opened for reading	/proc/653/cmdline	pecga.arm7.elf
File opened for reading	/proc/280/cmdline	pecga.arm7.elf
File opened for reading	/proc/389/cmdline	pecga.arm7.elf
File opened for reading	/proc/701/cmdline	pecga.arm7.elf
File opened for reading	/proc/716/cmdline	pecga.arm7.elf
File opened for reading	/proc/735/cmdline	pecga.arm7.elf
File opened for reading	/proc/12/cmdline	pecga.arm7.elf
File opened for reading	/proc/24/cmdline	pecga.arm7.elf
File opened for reading	/proc/705/cmdline	pecga.arm7.elf
File opened for reading	/proc/75/cmdline	pecga.arm7.elf
File opened for reading	/proc/654/cmdline	pecga.arm7.elf
File opened for reading	/proc/25/cmdline	pecga.arm7.elf
File opened for reading	/proc/674/cmdline	pecga.arm7.elf
File opened for reading	/proc/1/cmdline	pecga.arm7.elf
File opened for reading	/proc/11/cmdline	pecga.arm7.elf
File opened for reading	/proc/282/cmdline	pecga.arm7.elf
File opened for reading	/proc/14/cmdline	pecga.arm7.elf
File opened for reading	/proc/165/cmdline	pecga.arm7.elf
File opened for reading	/proc/718/cmdline	pecga.arm7.elf
File opened for reading	/proc/731/cmdline	pecga.arm7.elf
File opened for reading	/proc/23/cmdline	pecga.arm7.elf
File opened for reading	/proc/652/cmdline	pecga.arm7.elf
File opened for reading	/proc/269/cmdline	pecga.arm7.elf
File opened for reading	/proc/635/cmdline	pecga.arm7.elf
File opened for reading	/proc/641/cmdline	pecga.arm7.elf
File opened for reading	/proc/678/cmdline	pecga.arm7.elf
File opened for reading	/proc/26/cmdline	pecga.arm7.elf
File opened for reading	/proc/43/cmdline	pecga.arm7.elf
File opened for reading	/proc/659/cmdline	pecga.arm7.elf
File opened for reading	/proc/681/cmdline	pecga.arm7.elf
File opened for reading	/proc/685/cmdline	pecga.arm7.elf
File opened for reading	/proc/717/cmdline	pecga.arm7.elf
File opened for reading	/proc/730/cmdline	pecga.arm7.elf
File opened for reading	/proc/740/cmdline	pecga.arm7.elf
File opened for reading	/proc/42/cmdline	pecga.arm7.elf
File opened for reading	/proc/647/cmdline	pecga.arm7.elf
File opened for reading	/proc/299/cmdline	pecga.arm7.elf
File opened for reading	/proc/648/cmdline	pecga.arm7.elf
File opened for reading	/proc/665/cmdline	pecga.arm7.elf
File opened for reading	/proc/6/cmdline	pecga.arm7.elf

/tmp/pecga.arm7.elf
/tmp/pecga.arm7.elf
1⤵
- Deletes itself
- Modifies Watchdog functionality
- Writes file to system bin folder
- Changes its process name
- Reads runtime system information
PID:649

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...