Resubmissions (date submitted, analysis ID, score)
30/06/2023, 13:02  230630-p9sm8sch54  score 10
30/06/2023, 13:01  230630-p9agnach53  score 10
03/06/2023, 13:11  230603-qeyfnsgg87  score 10
03/06/2023, 11:04  230603-m59d3sgh6y  score 10

Analysis
Max time kernel: 1802s
Max time network: 1802s
Platform: ubuntu-18.04_amd64
Resource: ubuntu1804-amd64-20230621-en
Resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20230621-en, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system
Submitted: 30/06/2023, 13:01
Behavioral task: behavioral1
Sample: x86.elf
Resource: ubuntu1804-amd64-20230621-en
General
Target: x86.elf
Size: 62KB
MD5: 6d408f7b4024fbc36d46750929dfaa73
SHA1: deda79e105655a636775baa693b29662c4f013af
SHA256: 8f5d60f0e71b599b733a27d5a5ba0ff91206f3e75eba8bd385ab825e714e7958
SHA512: eaeb3d9a94e9d6fdd57a0a1ca5cc3c33f4780a0eb60ff16d61dda6da29ffdecdb1ccb80b3b3368cb53ebbb6b63dc993d41055f47047a39364a05b733ee210cd5
SSDEEP: 1536:dafqyXRXIa1/S663fyQDY8LUFN/s1VFmf2OixBrG:dO1XRXI+P6vyuY8LU7/sRk2+
Malware Config
Signatures
Changes its process name (1 IoC)
Changes the process name, possibly in an attempt to hide itself.
description: Changes the process name, possibly in an attempt to hide itself | ioc: /bin/bash | pid: 624 | process: x86.elf

Enumerates running processes
Discovers information about currently running processes on the system.
Reads runtime system information (64 IoCs)
Reads data from the /proc virtual filesystem (64 "File opened for reading" events on /proc/<pid>/status entries).
Writes file to tmp directory (1 IoC)
Malware often drops required files in the /tmp directory.
description: File opened for modification | ioc: /tmp/bin/bash | process: sh
Processes (depth shown by indentation; executable, command line, PID, triggered signatures)

[1] /tmp/x86.elf
    command: /tmp/x86.elf
    PID: 624
    signatures: Changes its process name
    [2] /bin/sh
        command: sh -c "rm -rf bin/bash && mkdir bin; >bin/bash && mv /tmp/x86.elf bin/bash; chmod 777 bin/bash"
        PID: 625
        signatures: Writes file to tmp directory
        [3] /bin/rm
            command: rm -rf bin/bash
            PID: 626
        [3] /bin/mkdir
            command: mkdir bin
            PID: 627
        [3] /bin/mv
            command: mv /tmp/x86.elf bin/bash
            PID: 628
        [3] /bin/chmod
            command: chmod 777 bin/bash
            PID: 629