Analysis
max time kernel: 0s
max time network: 154s
platform: linux_amd64
resource: ubuntu1804-amd64-en-20211208
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-en-20211208, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 28/12/2022, 07:19

Behavioral task: behavioral1
Sample: e7212fb45bf7e9219407a04cb746c69d.elf
Resource: ubuntu1804-amd64-en-20211208
2 signatures
150 seconds

General
Target: e7212fb45bf7e9219407a04cb746c69d.elf
Size: 61KB
MD5: e7212fb45bf7e9219407a04cb746c69d
SHA1: 54b59d50d3bf85ad95bcae2508d09e3c3c434ef9
SHA256: ead7aa2c3f4e671af4de708d13734695a0ebb78504178bff749231647d5c5dac
SHA512: 0d07e96f5ea7443d88b9897dfd2695b46db04b77fcaff58fb9f4915d65c9ae1fc1b50aeda4519ca66144a1cc45f0d8348fc8399c2decfcd6cd9c2ebea2d5550d
SSDEEP: 1536:dpmbSQ6U3q7cCBT/lZsK/0DiQlLiKimfFoktCe3fYRMt:WShU3q7cEDlCK/0Dt9i8Fok06fYRG
Score: 9/10

Malware Config

Signatures
Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Reads runtime system information (64 IoCs)
Reads data from /proc virtual filesystem.
Processes
PID 569: /tmp/e7212fb45bf7e9219407a04cb746c69d.elf
    command line: /tmp/e7212fb45bf7e9219407a04cb746c69d.elf
PID 571: /bin/sh
    command line: sh -c "rm -rf bin/busybox && mkdir bin; >.��bin/busybox && mv /tmp/e7212fb45bf7e9219407a04cb746c69d.elf bin/busybox; chmod 777 bin/busybox"
    PID 572: /bin/rm
        command line: rm -rf bin/busybox
    PID 573: /bin/mkdir
        command line: mkdir bin
    PID 574: /bin/chmod
        command line: chmod 777 bin/busybox