Analysis
- max time kernel: 150s
- max time network: 152s
- platform: debian-9_mips
- resource: debian9-mipsbe-20240611-en
- resource tags: arch:mips, image:debian9-mipsbe-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
- submitted: 11/03/2025, 05:32
Behavioral task
- behavioral1
  Sample: ef931d8ba4966260112b7ed31a1e0b5cd4423becc0397e8eeaee345de903a1ab.elf
  Resource: debian9-mipsbe-20240611-en
General
- Target: ef931d8ba4966260112b7ed31a1e0b5cd4423becc0397e8eeaee345de903a1ab.elf
- Size: 78KB
- MD5: ce4bd94ea8cbc021bf79e11f1f734c25
- SHA1: f562c88119484f3e92be6e95cb0a435836ca6362
- SHA256: ef931d8ba4966260112b7ed31a1e0b5cd4423becc0397e8eeaee345de903a1ab
- SHA512: d0a85bbbf02f85e445856cced0f7942652ca8c2d748f17a25129b5fa2982df148d5b2580d4c7512d579e4e666ec62700233802a145bbeb38715e77f847f26d29
- SSDEEP: 1536:974r3wfm9s/eqjGGYNsl5R5bonpp2uq7y1txzu2cS3zXbBR9:Or3j96zENg5R5bonf2up1/u2F3zXB
Malware Config
Signatures
- Contacts a large (100883) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Modifies Watchdog functionality (1 TTPs, 2 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  File opened for modification: /dev/watchdog (process ef931d8ba4966260112b7ed31a1e0b5cd4423becc0397e8eeaee345de903a1ab.elf)
  File opened for modification: /dev/misc/watchdog (process ef931d8ba4966260112b7ed31a1e0b5cd4423becc0397e8eeaee345de903a1ab.elf)
- Renames itself (1 IoCs)
  PID 694: ef931d8ba4966260112b7ed31a1e0b5cd4423becc0397e8eeaee345de903a1ab.elf
- Unexpected DNS network traffic destination (1 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Destination IP: 194.36.144.87
- Enumerates active TCP sockets (1 TTPs, 1 IoCs)
  Gets active TCP sockets from the /proc virtual filesystem.
  File opened for reading: /proc/net/tcp (process ef931d8ba4966260112b7ed31a1e0b5cd4423becc0397e8eeaee345de903a1ab.elf)
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Reads process memory (1 TTPs, 54 IoCs)
  Reads the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
- Changes its process name (1 IoCs)
  Changes the process name, possibly in an attempt to hide itself: jbd2/sda1-8 (PID 694, process ef931d8ba4966260112b7ed31a1e0b5cd4423becc0397e8eeaee345de903a1ab.elf)
- Reads system network configuration (1 TTPs, 1 IoCs)
  Uses contents of the /proc filesystem to enumerate network settings.
  File opened for reading: /proc/net/tcp (process ef931d8ba4966260112b7ed31a1e0b5cd4423becc0397e8eeaee345de903a1ab.elf)
Processes
- /tmp/ef931d8ba4966260112b7ed31a1e0b5cd4423becc0397e8eeaee345de903a1ab.elf (PID 694)
  - Modifies Watchdog functionality
  - Renames itself
  - Enumerates active TCP sockets
  - Reads process memory
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information