c0e125c31b9883cf738858419269387bfadbc533abcdbc4188787c5501d62335

Analysis

max time kernel
153s
max time network
158s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
11/01/2024, 17:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c0e125c31b9883cf738858419269387bfadbc533abcdbc4188787c5501d62335elf.elf
Size

62KB
MD5

5774b98696fdd0c2797a2e7ecfcf722e
SHA1

ee6d7be216da462321bcfd7074acdb548937a02c
SHA256

c0e125c31b9883cf738858419269387bfadbc533abcdbc4188787c5501d62335
SHA512

b7aba6499c42a2d9ab5c05dea1f47b329b0730fc4096017c5c906ded6de2a0710431ab489771c3c25cfe82f750c2706dfd71b46fed65ece1d5c4f645e73589b1
SSDEEP

1536:qyA6nhA0hy8ysIZ9TrNMEUHCQNufU4gVlE+HaxmxNtTonSCs:qy/hA0hy8gZ3ME0NUUNE+aWN6s

Score

7^/10

Malware Config

Signatures

Changes its process name 1 IoCs

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	1543	c0e125c31b9883cf738858419269387bfadbc533abcdbc4188787c5501d62335elf.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	c0e125c31b9883cf738858419269387bfadbc533abcdbc4188787c5501d62335elf.elf
File opened for modification	/dev/misc/watchdog	c0e125c31b9883cf738858419269387bfadbc533abcdbc4188787c5501d62335elf.elf

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 1 TTPs 1 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/sbin/watchdog	c0e125c31b9883cf738858419269387bfadbc533abcdbc4188787c5501d62335elf.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc
File opened for reading	/proc/558cmdline
File opened for reading	/proc/709cmdline
File opened for reading	/proc/678/cmdline
File opened for reading	/proc/486cmdline
File opened for reading	/proc/177cmdline
File opened for reading	/proc/83/cmdline
File opened for reading	/proc/172cmdline
File opened for reading	/proc/599cmdline
File opened for reading	/proc/13/stat
File opened for reading	/proc/1259/stat
File opened for reading	/proc/209cmdline
File opened for reading	/proc/1276cmdline
File opened for reading	/proc/78/stat
File opened for reading	/proc/9/cmdline
File opened for reading	/proc/85/cmdline
File opened for reading	/proc/716/cmdline
File opened for reading	/proc/16/stat
File opened for reading	/proc/1201cmdline
File opened for reading	/proc/1260cmdline
File opened for reading	/proc/1358cmdline
File opened for reading	/proc/517/cmdline
File opened for reading	/proc/19cmdline
File opened for reading	/proc/208/stat
File opened for reading	/proc/972/stat
File opened for reading	/proc/1120/stat
File opened for reading	/proc/1532/stat
File opened for reading	/proc/82cmdline
File opened for reading	/proc/469/stat
File opened for reading	/proc/1533/stat
File opened for reading	/proc/1531/cmdline
File opened for reading	/proc/1297cmdline
File opened for reading	/proc/961/stat
File opened for reading	/proc/1201/cmdline
File opened for reading	/proc/901/stat
File opened for reading	/proc/670cmdline
File opened for reading	/proc/183/stat
File opened for reading	/proc/709/stat
File opened for reading	/proc/1031/stat
File opened for reading	/proc/16cmdline
File opened for reading	/proc/17/stat
File opened for reading	/proc/83/stat
File opened for reading	/proc/115/stat
File opened for reading	/proc/164/stat
File opened for reading	/proc/1174/stat
File opened for reading	/proc/1315/cmdline
File opened for reading	/proc/1cmdline
File opened for reading	/proc/1384/stat
File opened for reading	/proc/1120/cmdline
File opened for reading	/proc/517cmdline
File opened for reading	/proc/972cmdline
File opened for reading	/proc/454/stat
File opened for reading	/proc/23/cmdline
File opened for reading	/proc/1133/cmdline
File opened for reading	/proc/1178/cmdline
File opened for reading	/proc/1196/cmdline
File opened for reading	/proc/173cmdline
File opened for reading	/proc/174cmdline
File opened for reading	/proc/1335/stat
File opened for reading	/proc/129/cmdline
File opened for reading	/proc/167cmdline
File opened for reading	/proc/28/stat
File opened for reading	/proc/209/stat
File opened for reading	/proc/173/cmdline
File opened for reading	/proc/1155cmdline

/tmp/c0e125c31b9883cf738858419269387bfadbc533abcdbc4188787c5501d62335elf.elf
/tmp/c0e125c31b9883cf738858419269387bfadbc533abcdbc4188787c5501d62335elf.elf
1⤵
- Changes its process name
- Modifies Watchdog functionality
- Writes file to system bin folder
PID:1543

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads