29988f877c82dbe27b9322f462af2a742e90073a262a57eaa37d6bed4f310d0a

Analysis

max time kernel
10887s
max time network
134s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20221111-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20221111-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
17-03-2023 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

630a21057c70a10fcf1162846d05e245.elf
Size

1.9MB
MD5

630a21057c70a10fcf1162846d05e245
SHA1

4644672a3b834ba7674c9528757c415eccc1ac27
SHA256

29988f877c82dbe27b9322f462af2a742e90073a262a57eaa37d6bed4f310d0a
SHA512

36d5cddaa10850bf18cf7704d0a845addd2677f68a7cb68e1b5cc8cf8d29bd717344cae70c3b03c41419afb87e8dd395b1a94d3730965ef1d1c67a69bec21dfd
SSDEEP

49152:XXPVKrbvGOQLeS7rb/TCvO90d7HjmAFd4A64nsfJrkaani38q4B+g2vUqHOErz1:tPXZz

Score

9^/10

persistence

Malware Config

Signatures

Modifies the Watchdog daemon 1 TTPs
Malware like Mirai modify the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Modifies hosts file 1 IoCs

Adds to hosts file used for mapping hosts to IP addresses.

description	ioc
/etc/hosts	/etc/hosts

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Dynamic Resolution

T1568

description	ioc
/etc/resolv.conf	/etc/resolv.conf

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task

T1053

description	ioc	Process
/etc/crontab	/etc/crontab	sh

Modifies Bash startup script 1 TTPs 6 IoCs

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
/etc/profile.d/linux.sh	/etc/profile.d/linux.sh
/etc/profile.d/bash_config.sh	/etc/profile.d/bash_config.sh
/etc/profile.d/bash_config	/etc/profile.d/bash_config
/etc/profile.d/bash_cfg	/etc/profile.d/bash_cfg
/etc/profile.d/bash_cfg.sh	/etc/profile.d/bash_cfg.sh
/etc/profile.d/gateway.sh	/etc/profile.d/gateway.sh

Modifies init.d 1 TTPs 19 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
/etc/init.d/keyboard-setup.sh	/etc/init.d/keyboard-setup.sh
/etc/init.d/plymouth-log	/etc/init.d/plymouth-log
/etc/init.d/rsyslog	/etc/init.d/rsyslog
/etc/init.d/ufw	/etc/init.d/ufw
/etc/init.d/apparmor	/etc/init.d/apparmor
/etc/init.d/dbus	/etc/init.d/dbus
/etc/init.d/grub-common	/etc/init.d/grub-common
/etc/init.d/hwclock.sh	/etc/init.d/hwclock.sh
/etc/init.d/cron	/etc/init.d/cron
/etc/init.d/irqbalance	/etc/init.d/irqbalance
/etc/init.d/procps	/etc/init.d/procps
/etc/init.d/udev	/etc/init.d/udev
/etc/init.d/linux_kill	/etc/init.d/linux_kill
/etc/init.d/kmod	/etc/init.d/kmod
/etc/init.d/rsync	/etc/init.d/rsync
/etc/init.d/ssh	/etc/init.d/ssh
/etc/init.d/console-setup.sh	/etc/init.d/console-setup.sh
/etc/init.d/plymouth	/etc/init.d/plymouth
/etc/init.d/uuidd	/etc/init.d/uuidd

Write file to user bin folder 1 TTPs 7 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
/usr/bin/find	/usr/bin/find	Process not Found
/usr/bin/include/find	/usr/bin/include/find	Process not Found
/usr/bin/lsof	/usr/bin/lsof	Process not Found
/usr/bin/include/lsof	/usr/bin/include/lsof	Process not Found
/usr/sbin/service	/usr/sbin/service	service
/usr/sbin/ifconfig.conf	/usr/sbin/ifconfig.conf	Process not Found
/usr/sbin/service	/usr/sbin/service	service

Enumerates kernel/hardware configuration 1 TTPs 6 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	opt.services.cfg
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	opt.services.cfg
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	opt.services.cfg
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	opt.services.cfg
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	630a21057c70a10fcf1162846d05e245.elf
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	630a21057c70a10fcf1162846d05e245.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/5/stat	/proc/5/stat	Process not Found
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/231/stat	/proc/231/stat	Process not Found
/proc/583/stat	/proc/583/stat	Process not Found
/proc/self/stat	/proc/self/stat	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/1/sched	/proc/1/sched	systemctl
/proc/14/stat	/proc/14/stat	Process not Found
/proc/352/stat	/proc/352/stat	Process not Found
/proc/589/stat	/proc/589/stat	Process not Found
/proc/cmdline	/proc/cmdline	systemctl
/proc/1/sched	/proc/1/sched	systemctl
/proc/1/sched	/proc/1/sched	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/115/stat	/proc/115/stat	Process not Found
/proc/155/stat	/proc/155/stat	Process not Found
/proc/self/stat	/proc/self/stat	systemctl
/proc/1/sched	/proc/1/sched	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/85/stat	/proc/85/stat	Process not Found
/proc/371/stat	/proc/371/stat	Process not Found
/proc/1/sched	/proc/1/sched	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/165/stat	/proc/165/stat	Process not Found
/proc/253/stat	/proc/253/stat	Process not Found
/proc/cmdline	/proc/cmdline	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/1/sched	/proc/1/sched	systemctl
/proc/31/stat	/proc/31/stat	Process not Found
/proc/1/sched	/proc/1/sched	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	systemctl
/proc/26/stat	/proc/26/stat	Process not Found
/proc/1/environ	/proc/1/environ	systemctl
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/129/stat	/proc/129/stat	Process not Found
/proc/self/stat	/proc/self/stat	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/163/stat	/proc/163/stat	Process not Found
/proc/filesystems	/proc/filesystems	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/filesystems	/proc/filesystems	systemctl

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc
/tmp/630a21057c70a10fcf1162846d05e245.elf	/tmp/630a21057c70a10fcf1162846d05e245.elf
/tmp/seeintlog	/tmp/seeintlog

/tmp/630a21057c70a10fcf1162846d05e245.elf
/tmp/630a21057c70a10fcf1162846d05e245.elf
1⤵
- Enumerates kernel/hardware configuration
PID:585
- /tmp/630a21057c70a10fcf1162846d05e245.elf
  /tmp/630a21057c70a10fcf1162846d05e245.elf " "
  2⤵
  - Enumerates kernel/hardware configuration
  PID:589

/bin/sh
/bin/sh -c "/etc/32676&"
1⤵
PID:598
- /etc/32676
  /etc/32676
  2⤵
  PID:599
- - /bin/sleep
    sleep 60
    3⤵
    PID:601
- - /etc/opt.services.cfg
    /etc/opt.services.cfg
    3⤵
    - Enumerates kernel/hardware configuration
    PID:772
  - - /etc/opt.services.cfg
      /etc/opt.services.cfg " "
      4⤵
      Enumerates kernel/hardware configuration
      PID:776
- - /bin/sleep
    sleep 60
    3⤵
    PID:777
- - /etc/opt.services.cfg
    /etc/opt.services.cfg
    3⤵
    - Enumerates kernel/hardware configuration
    PID:792
  - - /etc/opt.services.cfg
      /etc/opt.services.cfg " "
      4⤵
      Enumerates kernel/hardware configuration
      PID:796
- - /bin/sleep
    sleep 60
    3⤵
    PID:797

/usr/sbin/service
service crond start
1⤵
- Write file to user bin folder
PID:600
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:602
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:603
- /bin/systemctl
  systemctl --quiet is-active multi-user.target
  2⤵
  - Reads runtime system information
  PID:604
- /bin/systemctl
  systemctl -p Triggers show dbus.socket
  2⤵
  - Reads runtime system information
  PID:608
- /bin/systemctl
  systemctl -p Triggers show ssh.socket
  2⤵
  - Reads runtime system information
  PID:609
- /bin/systemctl
  systemctl -p Triggers show syslog.socket
  2⤵
  PID:610
- /bin/systemctl
  systemctl -p Triggers show systemd-fsckd.socket
  2⤵
  - Reads runtime system information
  PID:611
- /bin/systemctl
  systemctl -p Triggers show systemd-initctl.socket
  2⤵
  PID:612
- /bin/systemctl
  systemctl -p Triggers show systemd-journald-audit.socket
  2⤵
  - Reads runtime system information
  PID:613
- /bin/systemctl
  systemctl -p Triggers show systemd-journald-dev-log.socket
  2⤵
  - Reads runtime system information
  PID:614
- /bin/systemctl
  systemctl -p Triggers show systemd-journald.socket
  2⤵
  - Reads runtime system information
  PID:615
- /bin/systemctl
  systemctl -p Triggers show systemd-networkd.socket
  2⤵
  - Reads runtime system information
  PID:616
- /bin/systemctl
  systemctl -p Triggers show systemd-rfkill.socket
  2⤵
  - Reads runtime system information
  PID:617
- /bin/systemctl
  systemctl -p Triggers show systemd-udevd-control.socket
  2⤵
  - Reads runtime system information
  PID:618
- /bin/systemctl
  systemctl -p Triggers show systemd-udevd-kernel.socket
  2⤵
  - Reads runtime system information
  PID:619
- /bin/systemctl
  systemctl -p Triggers show uuidd.socket
  2⤵
  - Reads runtime system information
  PID:620

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
- Reads runtime system information
PID:606

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:607

/usr/local/sbin/systemctl
systemctl start crond.service
1⤵
PID:600

/usr/local/bin/systemctl
systemctl start crond.service
1⤵
PID:600

/usr/sbin/systemctl
systemctl start crond.service
1⤵
PID:600

/usr/bin/systemctl
systemctl start crond.service
1⤵
PID:600

/sbin/systemctl
systemctl start crond.service
1⤵
PID:600

/bin/systemctl
systemctl start crond.service
1⤵
- Reads runtime system information
PID:600

/bin/sh
/bin/sh -c "echo \"*/1 * * * * root /.mod \" >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:621

/usr/bin/renice
renice -20 589
1⤵
PID:622

/bin/mount
mount -o bind /tmp/ /proc/589
1⤵
PID:623

/usr/sbin/service
service cron start
1⤵
- Write file to user bin folder
PID:624
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:625
- /usr/bin/basename
  basename /usr/sbin/service
  2⤵
  PID:626
- /bin/systemctl
  systemctl --quiet is-active multi-user.target
  2⤵
  - Reads runtime system information
  PID:627
- /bin/systemctl
  systemctl -p Triggers show dbus.socket
  2⤵
  - Reads runtime system information
  PID:631
- /bin/systemctl
  systemctl -p Triggers show ssh.socket
  2⤵
  - Reads runtime system information
  PID:632
- /bin/systemctl
  systemctl -p Triggers show syslog.socket
  2⤵
  - Reads runtime system information
  PID:633
- /bin/systemctl
  systemctl -p Triggers show systemd-fsckd.socket
  2⤵
  - Reads runtime system information
  PID:634
- /bin/systemctl
  systemctl -p Triggers show systemd-initctl.socket
  2⤵
  PID:635
- /bin/systemctl
  systemctl -p Triggers show systemd-journald-audit.socket
  2⤵
  PID:636
- /bin/systemctl
  systemctl -p Triggers show systemd-journald-dev-log.socket
  2⤵
  - Reads runtime system information
  PID:637
- /bin/systemctl
  systemctl -p Triggers show systemd-journald.socket
  2⤵
  - Reads runtime system information
  PID:638
- /bin/systemctl
  systemctl -p Triggers show systemd-networkd.socket
  2⤵
  - Reads runtime system information
  PID:639
- /bin/systemctl
  systemctl -p Triggers show systemd-rfkill.socket
  2⤵
  - Reads runtime system information
  PID:640
- /bin/systemctl
  systemctl -p Triggers show systemd-udevd-control.socket
  2⤵
  - Reads runtime system information
  PID:641
- /bin/systemctl
  systemctl -p Triggers show systemd-udevd-kernel.socket
  2⤵
  - Reads runtime system information
  PID:642
- /bin/systemctl
  systemctl -p Triggers show uuidd.socket
  2⤵
  - Reads runtime system information
  PID:643