Overview

overview

10

Static

static

10

ea40ecec0b...73.elf

ubuntu-18.04-amd64

9

Resubmissions

20-04-2023 08:22

230420-j9z5esae8v 10

15-03-2023 12:26

230315-pmgbpadb22 10

15-03-2023 08:33

230315-kf11ascc93 10

14-03-2023 11:18

230314-nehzwafa87 10

26-12-2022 18:04

221226-wnmnesdc93 10

Analysis

  • max time kernel
    0s
  • max time network
    102s
  • platform
    linux_amd64
  • resource
    ubuntu1804-amd64-en-20211208
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    26-12-2022 18:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73.elf

  • Size

    549KB

  • MD5

    f9191bab1e834d4aef3380700639cee9

  • SHA1

    9c20269df6694260a24ac783de2e30d627a6928a

  • SHA256

    ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73

  • SHA512

    3d2758fe2d06183e627b5cc24919c08c84108f2efd7ab0a162029d55537476410d9535d50f3eb059f7153f7482c134284862eea121201f82838aace4b12283b5

  • SSDEEP

    12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx:VIv/qiVNHNDEfJKHZ8mG9QeeO

Score
9/10
persistence

Malware Config

Signatures

  • Writes file to system bin folder 1 TTPs 25 IoCs
  • Modifies rc script 1 TTPs 5 IoCs

    Adding/modifying system rc scripts is a common persistence mechanism.

    persistence
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Writes file to shm directory 1 IoCs

    Malware can drop malicious files in the shm directory which will run directly from RAM.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73.elf
    /tmp/ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73.elf
    1⤵
      PID:571
    • /bin/dyibyq
      /bin/dyibyq
      1⤵
        PID:575
      • /bin/jsvbtvprifpv
        /bin/jsvbtvprifpv -d 576
        1⤵
          PID:580
        • /bin/hjlpgduxvkmufb
          /bin/hjlpgduxvkmufb -d 576
          1⤵
            PID:587
          • /bin/cncdbiwhytejs
            /bin/cncdbiwhytejs -d 576
            1⤵
              PID:590
            • /bin/yzglqp
              /bin/yzglqp -d 576
              1⤵
                PID:593
              • /bin/lmmvbgdebxgqc
                /bin/lmmvbgdebxgqc -d 576
                1⤵
                  PID:596
                • /bin/kzmffvyevxmio
                  /bin/kzmffvyevxmio -d 576
                  1⤵
                    PID:600
                  • /bin/zbqmyru
                    /bin/zbqmyru -d 576
                    1⤵
                      PID:603
                    • /bin/vvbemdqgrchd
                      /bin/vvbemdqgrchd -d 576
                      1⤵
                        PID:606
                      • /bin/mafsvfedvgdwwr
                        /bin/mafsvfedvgdwwr -d 576
                        1⤵
                          PID:609
                        • /bin/nlykjz
                          /bin/nlykjz -d 576
                          1⤵
                            PID:612
                          • /bin/jxoubamshewwo
                            /bin/jxoubamshewwo -d 576
                            1⤵
                              PID:645
                            • /bin/lnuzotkyeyrvti
                              /bin/lnuzotkyeyrvti -d 576
                              1⤵
                                PID:648
                              • /bin/tipswltyylge
                                /bin/tipswltyylge -d 576
                                1⤵
                                  PID:651
                                • /bin/cuaphxqxq
                                  /bin/cuaphxqxq -d 576
                                  1⤵
                                    PID:654
                                  • /bin/xwapru
                                    /bin/xwapru -d 576
                                    1⤵
                                      PID:657

                                    Network

                                    MITRE ATT&CK Enterprise v6

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads