a0feca0dbf4af01c2e2d646017f723aef72b137c7da17b329d6e6886aa073071

Analysis

max time kernel
153s
max time network
145s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20230831-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20230831-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
04-09-2023 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0feca0dbf4af01c2e2d646017f723aef72b137c7da17b329d6e6886aa073071_JC.elf
Size

136KB
MD5

afaef9d9f4d8ef445009fcc41c1ac4e9
SHA1

9b4a4d45b45c843623fe9b6624d970c2ab78a3dc
SHA256

a0feca0dbf4af01c2e2d646017f723aef72b137c7da17b329d6e6886aa073071
SHA512

02d8928a34956dc46443acc9bccc3d6168fc4538ead435cbd643ef8d89f4a72597d5e96c5fe426d520480cca71efe87d31187c6216091771dcf5a122033ddddc
SSDEEP

3072:pGtwnNiaOnUTKFiPT9OSQ7AOaogjV2iZlBWCgPiAJWPdL:pGtwnNiaOnUTwuLyNJWPd

Score

9^/10

discovery

Malware Config

Signatures

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Changes its process name 1 IoCs

Processes:

a0feca0dbf4af01c2e2d646017f723aef72b137c7da17b329d6e6886aa073071_JC.elf

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	a- M}!	617	a0feca0dbf4af01c2e2d646017f723aef72b137c7da17b329d6e6886aa073071_JC.elf

Unexpected DNS network traffic destination 13 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	145.40.93.33
Destination IP	145.40.93.33
Destination IP	145.40.93.33
Destination IP	145.40.93.33
Destination IP	145.40.93.33
Destination IP	145.40.93.33
Destination IP	145.40.93.33
Destination IP	145.40.93.33
Destination IP	145.40.93.33
Destination IP	145.40.93.33
Destination IP	145.40.93.33
Destination IP	145.40.93.33
Destination IP	145.40.93.33

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc
File opened for reading	/proc/15/cmdline
File opened for reading	/proc/32/cmdline
File opened for reading	/proc/177/cmdline
File opened for reading	/proc/358/cmdline
File opened for reading	/proc/627/cmdline
File opened for reading	/proc/3/cmdline
File opened for reading	/proc/173/cmdline
File opened for reading	/proc/305/cmdline
File opened for reading	/proc/612/cmdline
File opened for reading	/proc/23/cmdline
File opened for reading	/proc/20/cmdline
File opened for reading	/proc/17/cmdline
File opened for reading	/proc/35/cmdline
File opened for reading	/proc/357/cmdline
File opened for reading	/proc/168/cmdline
File opened for reading	/proc/376/cmdline
File opened for reading	/proc/641/cmdline
File opened for reading	/proc/643/cmdline
File opened for reading	/proc/18/cmdline
File opened for reading	/proc/726/cmdline
File opened for reading	/proc/203/cmdline
File opened for reading	/proc/8/cmdline
File opened for reading	/proc/466/cmdline
File opened for reading	/proc/614/cmdline
File opened for reading	/proc/654/cmdline
File opened for reading	/proc/722/cmdline
File opened for reading	/proc/166/cmdline
File opened for reading	/proc/620/cmdline
File opened for reading	/proc/645/cmdline
File opened for reading	/proc/751/cmdline
File opened for reading	/proc/84/cmdline
File opened for reading	/proc/98/cmdline
File opened for reading	/proc/236/cmdline
File opened for reading	/proc/348/cmdline
File opened for reading	/proc/648/cmdline
File opened for reading	/proc/78/cmdline
File opened for reading	/proc/79/cmdline
File opened for reading	/proc/164/cmdline
File opened for reading	/proc/262/cmdline
File opened for reading	/proc/4/cmdline
File opened for reading	/proc/175/cmdline
File opened for reading	/proc/180/cmdline
File opened for reading	/proc/401/cmdline
File opened for reading	/proc/638/cmdline
File opened for reading	/proc/639/cmdline
File opened for reading	/proc/736/cmdline
File opened for reading	/proc/613/cmdline
File opened for reading	/proc/637/cmdline
File opened for reading	/proc/646/cmdline
File opened for reading	/proc/171/cmdline
File opened for reading	/proc/11/cmdline
File opened for reading	/proc/82/cmdline
File opened for reading	/proc/89/cmdline
File opened for reading	/proc/174/cmdline
File opened for reading	/proc/353/cmdline
File opened for reading	/proc/372/cmdline
File opened for reading	/proc/642/cmdline
File opened for reading	/proc/7/cmdline
File opened for reading	/proc/10/cmdline
File opened for reading	/proc/165/cmdline
File opened for reading	/proc/628/cmdline
File opened for reading	/proc/631/cmdline
File opened for reading	/proc/635/cmdline
File opened for reading	/proc/663/cmdline

/tmp/a0feca0dbf4af01c2e2d646017f723aef72b137c7da17b329d6e6886aa073071_JC.elf
/tmp/a0feca0dbf4af01c2e2d646017f723aef72b137c7da17b329d6e6886aa073071_JC.elf
1⤵
- Changes its process name
PID:617

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads