3c6536fc22e67a606f9301f8e1b0c2c8b072e9cb16ee41dc027da43c84ce755f

Analysis

max time kernel
149s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
21-01-2025 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
Size

68KB
MD5

b1d5bdfe80d62f5b5104be126bb50012
SHA1

ce706c2dfef2d0dd5ed0f2f2dc1044212f267f8f
SHA256

3c6536fc22e67a606f9301f8e1b0c2c8b072e9cb16ee41dc027da43c84ce755f
SHA512

118c0040fb161d2566da5aba1e83d7f456b94108f117ed188545f9c639a50705f8281bc5ba6d30f1aa38174dfc111a58b1845a8ebe2b0a252e42f82cd62d7db2
SSDEEP

1536:IbL+2CfPSc8wfBbrKAEtm7GHD9i/0Sb3nyuafg7cLkSo:it0Sc8wfBbmAEtm7KA/3yuaIQLkSo

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for modification	/dev/misc/watchdog	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/bin/watchdog	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for modification	/sbin/watchdog	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1570/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1528/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/460/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/539/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1049/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1182/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1187/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1514/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/482/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1487/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/470/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1043/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1149/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1151/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1172/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/668/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1290/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1063/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1564/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1256/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/655/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1177/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1552/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1594/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/453/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1306/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1091/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1322/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1588/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/970/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1129/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1193/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/558/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1087/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1160/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1482/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1488/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1508/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1558/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/473/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1343/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1376/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1481/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1582/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/604/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1222/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1073/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1154/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/426/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1111/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1124/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1014/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/717/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1137/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1164/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1479/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/545/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1080/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1298/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1576/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/959/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/652/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/710/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
File opened for reading	/proc/1196/cmdline	1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp

/tmp/1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
/tmp/1552-1-0x0000000008048000-0x000000000805a9a0-memory.dmp
1⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads