8b0ac00f2d3378a745118d937e7d53cb52ccb16884492f5a599f021b67194461

Analysis

max time kernel
148s
max time network
139s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20230831-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20230831-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
03-09-2023 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

765f908ecf5f70b005df7685668ea042.elf
Size

113KB
MD5

765f908ecf5f70b005df7685668ea042
SHA1

af2b6fcf4ab06f95701ee5aa84a954270eb012c2
SHA256

8b0ac00f2d3378a745118d937e7d53cb52ccb16884492f5a599f021b67194461
SHA512

4d0e18a46e0ef8a0731d8bac3278a8b4716641e412b3fa24b0438cdbf5c5ac0d51ad76ad281f4f35f880b551434e772d600ef9b874f00ae084057bf451084cb9
SSDEEP

3072:kiry859a2ADJf9wHYqbgFFo8+HeA8+TRCm7FnVqfJXFWbNb:T9a2aLqkrMTsm7FnVqfJXFWbNb

Score

7^/10

Malware Config

Signatures

Changes its process name 1 IoCs

Processes:

765f908ecf5f70b005df7685668ea042.elf

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	/usr/sbin/dropbear	593	765f908ecf5f70b005df7685668ea042.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

Processes:

description	ioc
File opened for modification	/dev/watchdog
File opened for modification	/dev/misc/watchdog

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

System Network Configuration Discovery

T1016

Processes:

765f908ecf5f70b005df7685668ea042.elf

description	ioc	Process
File opened for reading	/proc/net/route	765f908ecf5f70b005df7685668ea042.elf

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

Processes:

765f908ecf5f70b005df7685668ea042.elf

description	ioc	Process
File opened for reading	/proc/net/route	765f908ecf5f70b005df7685668ea042.elf

/tmp/765f908ecf5f70b005df7685668ea042.elf
/tmp/765f908ecf5f70b005df7685668ea042.elf
1⤵
- Changes its process name
- Reads system routing table
- Reads system network configuration
PID:593

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads