5a37c449a2783a80c3f29ed2a3a9586b08b30d8890477894f3c82dc113c85f0e

Analysis

max time kernel
1s
platform
debian-12_mipsel
resource
debian12-mipsel-20240221-en
resource tags

arch:mipselimage:debian12-mipsel-20240221-enkernel:6.1.0-17-4kc-maltalocale:en-usos:debian-12-mipselsystem
submitted
19-01-2025 14:17

Sharing

Copy URL

Twitter E-mail

Reason

Reading agent response: unexpected EOF

Report Analysis Logs

General

Target

hold.mpsl.elf
Size

99KB
MD5

2e00f583eb0cac5d3106c661805d8681
SHA1

e4c66f8441bcc17406c0f0f275cbe3dcb1a97071
SHA256

5a37c449a2783a80c3f29ed2a3a9586b08b30d8890477894f3c82dc113c85f0e
SHA512

8156789ae5290d0454cd1be33015170e5de313e03d39d5f239807bebd55737ba2c48473895697513ae361432e3c499fba3655a04e1e10cf4adbd676886b6acc1
SSDEEP

1536:4T0NbtFd367tQ4vtrYIXkCMfCgVFxpxcL7qZiLb+zt3gO47:4T0NbtFdq7tuukNTx4qD1gv7

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
742	hold.mpsl.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	hold.mpsl.elf
File opened for modification	/dev/misc/watchdog	hold.mpsl.elf

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	hold.mpsl.elf
File opened for modification	/bin/watchdog	hold.mpsl.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	i4n1fkmsrh1g2fkw	742	hold.mpsl.elf

Reads runtime system information 27 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/2/cmdline	hold.mpsl.elf
File opened for reading	/proc/15/cmdline	hold.mpsl.elf
File opened for reading	/proc/17/cmdline	hold.mpsl.elf
File opened for reading	/proc/4/cmdline	hold.mpsl.elf
File opened for reading	/proc/6/cmdline	hold.mpsl.elf
File opened for reading	/proc/14/cmdline	hold.mpsl.elf
File opened for reading	/proc/25/cmdline	hold.mpsl.elf
File opened for reading	/proc/1/cmdline	hold.mpsl.elf
File opened for reading	/proc/24/cmdline	hold.mpsl.elf
File opened for reading	/proc/11/cmdline	hold.mpsl.elf
File opened for reading	/proc/22/cmdline	hold.mpsl.elf
File opened for reading	/proc/23/cmdline	hold.mpsl.elf
File opened for reading	/proc/18/cmdline	hold.mpsl.elf
File opened for reading	/proc/21/cmdline	hold.mpsl.elf
File opened for reading	/proc/8/cmdline	hold.mpsl.elf
File opened for reading	/proc/9/cmdline	hold.mpsl.elf
File opened for reading	/proc/10/cmdline	hold.mpsl.elf
File opened for reading	/proc/19/cmdline	hold.mpsl.elf
File opened for reading	/proc/3/cmdline	hold.mpsl.elf
File opened for reading	/proc/26/cmdline	hold.mpsl.elf
File opened for reading	/proc/12/cmdline	hold.mpsl.elf
File opened for reading	/proc/13/cmdline	hold.mpsl.elf
File opened for reading	/proc/16/cmdline	hold.mpsl.elf
File opened for reading	/proc/20/cmdline	hold.mpsl.elf
File opened for reading	/proc/27/cmdline	hold.mpsl.elf
File opened for reading	/proc/5/cmdline	hold.mpsl.elf
File opened for reading	/proc/7/cmdline	hold.mpsl.elf

/tmp/hold.mpsl.elf
/tmp/hold.mpsl.elf
1⤵
- Deletes itself
- Modifies Watchdog functionality
- Writes file to system bin folder
- Changes its process name
- Reads runtime system information
PID:742

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads