2c2e64279f80ba66cca2b61ccf1658eeb567b065ce8a13e662f6574dd05ac79f

Analysis

max time kernel
32605s
max time network
140s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
21-12-2022 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[x86].elf
Size

286KB
MD5

27f525e4aff4300d32bdcab33475d26b
SHA1

bf9596084fe18a856e822b0bd28257d4576414ed
SHA256

2c2e64279f80ba66cca2b61ccf1658eeb567b065ce8a13e662f6574dd05ac79f
SHA512

84f4c281fb788da2148ca31cd7330822e503a51426705f3be145e4bc2bcc28b6223bb9c32a4af4d1d29a515c55fe34545b3768c4a133722591ed23d31bd0587b
SSDEEP

6144:HorAyiaWTfO7hBvPM4vRwRvSNZpzafhqDuplILtxSV:HorAyiaWTf8PM+ivSNZpzafhqDuplILs

Score

9^/10

persistence

Malware Config

Signatures

Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Writes file to system bin folder 1 TTPs 1 IoCs

Hijack Execution Flow

T1574

description	ioc
/bin/watchdog	/bin/watchdog

Modifies rc script 1 TTPs 1 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
/etc/rc.d/rc.local	/etc/rc.d/rc.local

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/331/cmdline	/proc/331/cmdline	Process not Found
/proc/17/cmdline	/proc/17/cmdline	Process not Found
/proc/422/cmdline	/proc/422/cmdline	Process not Found
/proc/82/cmdline	/proc/82/cmdline	[x86].elf
/proc/171/cmdline	/proc/171/cmdline	[x86].elf
/proc/409/cmdline	/proc/409/cmdline	[x86].elf
/proc/16/cmdline	/proc/16/cmdline	Process not Found
/proc/180/maps	/proc/180/maps	Process not Found
/proc/203/cmdline	/proc/203/cmdline	Process not Found
/proc/382/cmdline	/proc/382/cmdline	Process not Found
/proc/15/cmdline	/proc/15/cmdline	[x86].elf
/proc/89/cmdline	/proc/89/cmdline	[x86].elf
/proc/167/cmdline	/proc/167/cmdline	[x86].elf
/proc/7/cmdline	/proc/7/cmdline	Process not Found
/proc/262/cmdline	/proc/262/cmdline	Process not Found
/proc/333/cmdline	/proc/333/cmdline	Process not Found
/proc/367/maps	/proc/367/maps	Process not Found
/proc/11/cmdline	/proc/11/cmdline	[x86].elf
/proc/27/cmdline	/proc/27/cmdline	Process not Found
/proc/32/maps	/proc/32/maps	Process not Found
/proc/173/maps	/proc/173/maps	Process not Found
/proc/382/cmdline	/proc/382/cmdline	[x86].elf
/proc/3/cmdline	/proc/3/cmdline	Process not Found
/proc/4/maps	/proc/4/maps	Process not Found
/proc/167/maps	/proc/167/maps	Process not Found
/proc/366/maps	/proc/366/maps	Process not Found
/proc/460/cmdline	/proc/460/cmdline	Process not Found
/proc/616/maps	/proc/616/maps	Process not Found
/proc/367/cmdline	/proc/367/cmdline	[x86].elf
/proc/424/cmdline	/proc/424/cmdline	[x86].elf
/proc/34/cmdline	/proc/34/cmdline	Process not Found
/proc/250/maps	/proc/250/maps	Process not Found
/proc/4/cmdline	/proc/4/cmdline	[x86].elf
/proc/28/cmdline	/proc/28/cmdline	Process not Found
/proc/89/maps	/proc/89/maps	Process not Found
/proc/22/cmdline	/proc/22/cmdline	[x86].elf
/proc/17/maps	/proc/17/maps	Process not Found
/proc/27/maps	/proc/27/maps	Process not Found
/proc/79/cmdline	/proc/79/cmdline	Process not Found
/proc/81/cmdline	/proc/81/cmdline	Process not Found
/proc/596/cmdline	/proc/596/cmdline	Process not Found
/proc/85/cmdline	/proc/85/cmdline	[x86].elf
/proc/331/cmdline	/proc/331/cmdline	[x86].elf
/proc/358/cmdline	/proc/358/cmdline	[x86].elf
/proc/20/cmdline	/proc/20/cmdline	Process not Found
/proc/168/maps	/proc/168/maps	Process not Found
/proc/595/maps	/proc/595/maps	Process not Found
/proc/81/cmdline	/proc/81/cmdline	[x86].elf
/proc/6/maps	/proc/6/maps	Process not Found
/proc/8/maps	/proc/8/maps	Process not Found
/proc/34/maps	/proc/34/maps	Process not Found
/proc/9/cmdline	/proc/9/cmdline	[x86].elf
/proc/202/cmdline	/proc/202/cmdline	Process not Found
/proc/358/maps	/proc/358/maps	Process not Found
/proc/10/cmdline	/proc/10/cmdline	Process not Found
/proc/20/maps	/proc/20/maps	Process not Found
/proc/32/cmdline	/proc/32/cmdline	Process not Found
/proc/98/cmdline	/proc/98/cmdline	Process not Found
/proc/85/maps	/proc/85/maps	Process not Found
/proc/367/cmdline	/proc/367/cmdline	Process not Found
/proc/605/maps	/proc/605/maps	Process not Found
/proc/202/cmdline	/proc/202/cmdline	[x86].elf
/proc/565/cmdline	/proc/565/cmdline	[x86].elf
/proc/22/maps	/proc/22/maps	Process not Found

/tmp/[x86].elf
"/tmp/[x86].elf"
1⤵
- Reads runtime system information
PID:593

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads