Analysis
-
max time kernel
155s -
max time network
160s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20231215-en -
resource tags
arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system -
submitted
20-12-2023 15:09
Behavioral task
behavioral1
Sample
d2b09064b486bce8885444c18f48ebdb
Resource
ubuntu1804-amd64-20231215-en
General
-
Target
d2b09064b486bce8885444c18f48ebdb
-
Size
34KB
-
MD5
d2b09064b486bce8885444c18f48ebdb
-
SHA1
45baffd30135757affa73779a1434fc59e5750a4
-
SHA256
3b542dcfe0030dd1e2a9b1dd0499b7cf6c12391af2e09b39bc37d1ba6da30bf4
-
SHA512
21c2acd8b4436e828213157c002a3c49aa4bfd608f66f1c66df0c291ce3285af89066dc381f80ef12f89cf26ca3dd4052cccd7de9f902a62cff26587a6b08ffb
-
SSDEEP
768:kuB0X2VT51qAiEsCRAiSTwE3Hk9+yq3IjYb:9B0X2V11qdiS8aE9+y2Ij
Malware Config
Signatures
-
Contacts a large (53627) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
Processes:
description ioc File opened for modification /dev/watchdog File opened for modification /dev/misc/watchdog -
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
Processes:
description ioc File opened for reading /proc/net/tcp -
Writes file to system bin folder 1 TTPs 2 IoCs
Processes:
description ioc File opened for modification /sbin/watchdog File opened for modification /bin/watchdog -
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
Processes:
description ioc File opened for reading /proc/net/tcp