d819f82d931f9e5fcff275b88c7849d737595f75f34ba60d92d68d16e68b0ea4

Analysis

max time kernel
149s
max time network
153s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
01-02-2025 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

arm.elf
Size

62KB
MD5

c2f5e37fcc5fc43075d85883e0eb11e7
SHA1

4805a2a2e28ccdd41028c5d27bd8b0f39eba08e7
SHA256

d819f82d931f9e5fcff275b88c7849d737595f75f34ba60d92d68d16e68b0ea4
SHA512

ce79338637bdf78ad04dd93688a4f90b91933a04e1d583bf47a7bf33fe76df9b8a25f9b00d18161bfffbb9e96370214e477da8bfafdf96047bc39b8581d12c77
SSDEEP

1536:uGCfRTFptQ3SSYTB/s/VqaC9JaBO1Jd2:uGCfRp9TxgmJd

Score

7^/10

credential_access defense_evasion

Malware Config

Signatures

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/misc/watchdog	arm.elf
File opened for modification	/dev/watchdog	arm.elf

Enumerates running processes
Discovers information about currently running processes on the system

Reads process memory 1 TTPs 34 IoCs

Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

credential_access

Proc Filesystem

T1003.007

description	ioc	Process
File opened for reading	/proc/783/maps	arm.elf
File opened for reading	/proc/790/maps	arm.elf
File opened for reading	/proc/451/maps	arm.elf
File opened for reading	/proc/611/maps	arm.elf
File opened for reading	/proc/655/maps	arm.elf
File opened for reading	/proc/656/maps	arm.elf
File opened for reading	/proc/657/maps	arm.elf
File opened for reading	/proc/779/maps	arm.elf
File opened for reading	/proc/781/maps	arm.elf
File opened for reading	/proc/788/maps	arm.elf
File opened for reading	/proc/406/maps	arm.elf
File opened for reading	/proc/720/maps	arm.elf
File opened for reading	/proc/669/maps	arm.elf
File opened for reading	/proc/785/maps	arm.elf
File opened for reading	/proc/792/maps	arm.elf
File opened for reading	/proc/649/maps	arm.elf
File opened for reading	/proc/653/maps	arm.elf
File opened for reading	/proc/662/maps	arm.elf
File opened for reading	/proc/762/maps	arm.elf
File opened for reading	/proc/777/maps	arm.elf
File opened for reading	/proc/411/maps	arm.elf
File opened for reading	/proc/456/maps	arm.elf
File opened for reading	/proc/703/maps	arm.elf
File opened for reading	/proc/775/maps	arm.elf
File opened for reading	/proc/787/maps	arm.elf
File opened for reading	/proc/648/maps	arm.elf
File opened for reading	/proc/724/maps	arm.elf
File opened for reading	/proc/763/maps	arm.elf
File opened for reading	/proc/771/maps	arm.elf
File opened for reading	/proc/773/maps	arm.elf
File opened for reading	/proc/660/maps	arm.elf
File opened for reading	/proc/664/maps	arm.elf
File opened for reading	/proc/736/maps	arm.elf
File opened for reading	/proc/794/maps	arm.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	a	658	arm.elf

/tmp/arm.elf
/tmp/arm.elf
1⤵
- Modifies Watchdog functionality
- Reads process memory
- Changes its process name
PID:658

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

OS Credential Dumping

T1003

Proc Filesystem

T1003.007

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads