Analysis
- max time kernel: 150s
- max time network: 153s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 07/03/2025, 07:11
Behavioral task: behavioral1
- Sample: cccc02d982f739ee48e018d652b3a7812c6790aa7b3ddc2a5403fb2fe7d78002.elf
- Resource: debian9-armhf-20240611-en
General
- Target: cccc02d982f739ee48e018d652b3a7812c6790aa7b3ddc2a5403fb2fe7d78002.elf
- Size: 50KB
- MD5: de9c31c51221e49819bc2497824ab005
- SHA1: 10217cf289d90e12d9c596fd39ec877af4d615d3
- SHA256: cccc02d982f739ee48e018d652b3a7812c6790aa7b3ddc2a5403fb2fe7d78002
- SHA512: 920718e260420630f1e53c85fd0187f998f428d7bb1b43f0c55606332d61579bbd57cfbe3501695411888ab1bd4309c691e0383a9d03e4c9506424f7cdd72bee
- SSDEEP: 768:BTrTBJlgQHkQ6yXO2HkU+cPjoT99clvkoSjrya5NPtBt5/Ns7SIy4hg:lrFJlgsNWcPorc1Erya5FLt5sX
Malware Config
Signatures
- Contacts a large (179675) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Modifies Watchdog functionality (1 TTPs, 2 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  description: File opened for modification | ioc: /dev/misc/watchdog | Process: cccc02d982f739ee48e018d652b3a7812c6790aa7b3ddc2a5403fb2fe7d78002.elf
  description: File opened for modification | ioc: /dev/watchdog | Process: cccc02d982f739ee48e018d652b3a7812c6790aa7b3ddc2a5403fb2fe7d78002.elf
- Renames itself (1 IoCs)
  pid: 644 | Process: cccc02d982f739ee48e018d652b3a7812c6790aa7b3ddc2a5403fb2fe7d78002.elf
- Unexpected DNS network traffic destination (6 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description: Destination IP | ioc: 51.158.108.203
  description: Destination IP | ioc: 51.158.108.203
  description: Destination IP | ioc: 51.158.108.203
  description: Destination IP | ioc: 202.61.197.122
  description: Destination IP | ioc: 51.158.108.203
  description: Destination IP | ioc: 51.158.108.203
- Enumerates running processes
  Discovers information about currently running processes on the system
- Changes its process name (1 IoCs)
  description: Changes the process name, possibly in an attempt to hide itself | ioc: login | pid: 644 | Process: cccc02d982f739ee48e018d652b3a7812c6790aa7b3ddc2a5403fb2fe7d78002.elf