Analysis
-
max time kernel
149s -
max time network
129s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20231221-en -
resource tags
-
submitted
20-02-2024 05:39
General
-
Target
5e3ee5b0e30e13c3d3c6c2bef60fc12fbac929948e7b17cc2382ceea158116a5.elf
-
Size
1.8MB
-
MD5
0fec8e69d3f0c2ed1e277862ae11920a
-
SHA1
03ebe706b4db40f162a067faef9ae807a9a47112
-
SHA256
5e3ee5b0e30e13c3d3c6c2bef60fc12fbac929948e7b17cc2382ceea158116a5
-
SHA512
15ff2439683ca1139c47ab3a95dc610ae75777304a1236e2a070da25054ae86ef519f85b8ddf19fc68d1cd52e824c25d8b42442c74034ca5130edb81a54f807c
-
SSDEEP
24576:ae9ufJvk4gQjMNRfktnsIXvZFyD9i+MPCIxyuzNqssZXJj1bdYVVMtIwWz1v:WYMnwRO4ssPVd5Wz1
Malware Config
Signatures
-
Executes dropped EXE 5 IoCs
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Creates/modifies environment variables 1 TTPs 3 IoCs
Creating/modifying environment variables is a common persistence mechanism.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Modifies init.d 1 TTPs 34 IoCs
Adds/modifies system service, likely for persistence.
-
Write file to user bin folder 1 TTPs 4 IoCs
-
Modifies Bash startup script 1 TTPs 3 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 6 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
Processes
-
/tmp/5e3ee5b0e30e13c3d3c6c2bef60fc12fbac929948e7b17cc2382ceea158116a5.elf/tmp/5e3ee5b0e30e13c3d3c6c2bef60fc12fbac929948e7b17cc2382ceea158116a5.elf1⤵
- Enumerates kernel/hardware configuration
-
/tmp/5e3ee5b0e30e13c3d3c6c2bef60fc12fbac929948e7b17cc2382ceea158116a5.elf/tmp/5e3ee5b0e30e13c3d3c6c2bef60fc12fbac929948e7b17cc2382ceea158116a5.elf " "2⤵
- Creates/modifies environment variables
- Modifies init.d
- Write file to user bin folder
- Modifies Bash startup script
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
/bin/sh/bin/sh -c "/etc/32676&"3⤵
-
-
/usr/sbin/serviceservice crond start3⤵
-
/usr/bin/basenamebasename /usr/sbin/service4⤵
-
-
/usr/bin/basenamebasename /usr/sbin/service4⤵
-
-
/bin/systemctlsystemctl --quiet is-active multi-user.target4⤵
- Reads runtime system information
-
-
/bin/systemctlsystemctl -p Triggers show acpid.socket4⤵
- Reads runtime system information
-
-
/bin/systemctlsystemctl -p Triggers show apport-forward.socket4⤵
- Reads runtime system information
-
-
/bin/systemctlsystemctl -p Triggers show avahi-daemon.socket4⤵
- Reads runtime system information
-
-
/bin/systemctlsystemctl -p Triggers show cups.socket4⤵
- Reads runtime system information
-
-
/bin/systemctlsystemctl -p Triggers show dbus.socket4⤵
-
-
/bin/systemctlsystemctl -p Triggers show saned.socket4⤵
-
-
/bin/systemctlsystemctl -p Triggers show snapd.socket4⤵
- Reads runtime system information
-
-
/bin/systemctlsystemctl -p Triggers show ssh.socket4⤵
- Reads runtime system information
-
-
/bin/systemctlsystemctl -p Triggers show syslog.socket4⤵
- Reads runtime system information
-
-
/bin/systemctlsystemctl -p Triggers show systemd-fsckd.socket4⤵
-
-
/bin/systemctlsystemctl -p Triggers show systemd-initctl.socket4⤵
-
-
/bin/systemctlsystemctl -p Triggers show systemd-journald-audit.socket4⤵
-
-
/bin/systemctlsystemctl -p Triggers show systemd-journald-dev-log.socket4⤵
- Reads runtime system information
-
-
/bin/systemctlsystemctl -p Triggers show systemd-journald.socket4⤵
-
-
/bin/systemctlsystemctl -p Triggers show systemd-networkd.socket4⤵
- Reads runtime system information
-
-
/bin/systemctlsystemctl -p Triggers show systemd-rfkill.socket4⤵
-
-
/bin/systemctlsystemctl -p Triggers show systemd-udevd-control.socket4⤵
-
-
/bin/systemctlsystemctl -p Triggers show systemd-udevd-kernel.socket4⤵
- Reads runtime system information
-
-
/bin/systemctlsystemctl -p Triggers show uuidd.socket4⤵
- Reads runtime system information
-
-
-
/usr/local/sbin/systemctlsystemctl start crond.service3⤵
-
-
/usr/local/bin/systemctlsystemctl start crond.service3⤵
-
-
/usr/sbin/systemctlsystemctl start crond.service3⤵
-
-
/usr/bin/systemctlsystemctl start crond.service3⤵
-
-
/sbin/systemctlsystemctl start crond.service3⤵
-
-
/bin/systemctlsystemctl start crond.service3⤵
- Reads runtime system information
-
-
/bin/sh/bin/sh -c "echo \"*/1 * * * * root /.mod \" >> /etc/crontab"3⤵
- Creates/modifies Cron job
-
-
/usr/bin/renicerenice -20 15403⤵
-
-
/bin/mountmount -o bind /tmp/ /proc/15403⤵
-
-
/usr/sbin/serviceservice cron start3⤵
-
/usr/bin/basenamebasename /usr/sbin/service4⤵
-
-
/usr/bin/basenamebasename /usr/sbin/service4⤵
-
-
/bin/systemctlsystemctl --quiet is-active multi-user.target4⤵
-
-
/bin/systemctlsystemctl -p Triggers show acpid.socket4⤵
- Reads runtime system information
-
-
/bin/systemctlsystemctl -p Triggers show apport-forward.socket4⤵
- Reads runtime system information
-
-
/bin/systemctlsystemctl -p Triggers show avahi-daemon.socket4⤵
- Reads runtime system information
-
-
/bin/systemctlsystemctl -p Triggers show cups.socket4⤵
-
-
/bin/systemctlsystemctl -p Triggers show dbus.socket4⤵
-
-
/bin/systemctlsystemctl -p Triggers show saned.socket4⤵
- Reads runtime system information
-
-
/bin/systemctlsystemctl -p Triggers show snapd.socket4⤵
-
-
/bin/systemctlsystemctl -p Triggers show ssh.socket4⤵
-
-
/bin/systemctlsystemctl -p Triggers show syslog.socket4⤵
-
-
/bin/systemctlsystemctl -p Triggers show systemd-fsckd.socket4⤵
- Reads runtime system information
-
-
/bin/systemctlsystemctl -p Triggers show systemd-initctl.socket4⤵
- Reads runtime system information
-
-
/bin/systemctlsystemctl -p Triggers show systemd-journald-audit.socket4⤵
- Reads runtime system information
-
-
/bin/systemctlsystemctl -p Triggers show systemd-journald-dev-log.socket4⤵
-
-
/bin/systemctlsystemctl -p Triggers show systemd-journald.socket4⤵
-
-
/bin/systemctlsystemctl -p Triggers show systemd-networkd.socket4⤵
-
-
/bin/systemctlsystemctl -p Triggers show systemd-rfkill.socket4⤵
- Reads runtime system information
-
-
/bin/systemctlsystemctl -p Triggers show systemd-udevd-control.socket4⤵
- Reads runtime system information
-
-
/bin/systemctlsystemctl -p Triggers show systemd-udevd-kernel.socket4⤵
- Reads runtime system information
-
-
/bin/systemctlsystemctl -p Triggers show uuidd.socket4⤵
- Reads runtime system information
-
-
-
/usr/local/sbin/systemctlsystemctl start cron.service3⤵
-
-
/usr/local/bin/systemctlsystemctl start cron.service3⤵
-
-
/usr/sbin/systemctlsystemctl start cron.service3⤵
-
-
/usr/bin/systemctlsystemctl start cron.service3⤵
-
-
/sbin/systemctlsystemctl start cron.service3⤵
-
-
/bin/systemctlsystemctl start cron.service3⤵
-
-
/bin/systemctlsystemctl start crond.service3⤵
-
-
-
/etc/32676/etc/326761⤵
- Executes dropped EXE
-
/bin/sleepsleep 602⤵
-
-
/etc/opt.services.cfg/etc/opt.services.cfg2⤵
- Executes dropped EXE
- Enumerates kernel/hardware configuration
-
/etc/opt.services.cfg/etc/opt.services.cfg " "3⤵
- Executes dropped EXE
- Enumerates kernel/hardware configuration
-
-
-
/bin/sleepsleep 602⤵
-
-
/etc/opt.services.cfg/etc/opt.services.cfg2⤵
- Executes dropped EXE
- Enumerates kernel/hardware configuration
-
/etc/opt.services.cfg/etc/opt.services.cfg " "3⤵
- Executes dropped EXE
- Enumerates kernel/hardware configuration
-
-
-
/bin/sleepsleep 602⤵
-
-
/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"1⤵
-
/bin/systemctlsystemctl list-unit-files --full "--type=socket"1⤵
- Reads runtime system information
-
/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"1⤵
-
/bin/systemctlsystemctl list-unit-files --full "--type=socket"1⤵
- Reads runtime system information
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
34B
MD5f5a3713282e43c200f30342f5ff5e2ea
SHA12b2ce1a207e2b691a074c6f78f71c4785aae426a
SHA2566ab64e727571458d4884fb2fe82c27c467db0699cb8f648b3f0217c35d2b7511
SHA5125bcb8cd360409147a486755f90e0cdd97183af02ce8de5135b7c6a8a010deb9ef12dcd5ee9a2a8fd2e159347f68e72d6b7fd75e943b4fcd928d7a74b97476013
-
Filesize
49B
MD554e6bd476c47b1a8f717f9fe77672c10
SHA1f6f3cb9c57c5d8c62fada80b3fcf04797de6f45e
SHA2562538d4094a17e503dfe2163a975ac55ca478ccd5e044b22587fd0427a202e1fb
SHA51238f781fd6e9b149c5bb234ab75ea0658a2fa6b1f0cffb3f7c33d453001459828f2f4f17538a4a48120140566b9743ad7449cc1f38982cfc1b1110d8c65a92465
-
Filesize
98B
MD5647a666c51eba93aa3ecb288d199b4d7
SHA14a83202ebb84a0642f4edde33539e249d0bf0e35
SHA256da9273b5f3192c1ebe9e59144db3d5240b938b7fd13176a9a37642eb3f9b52cc
SHA512043d7981cd08552d8c1f835b4a03eb8bc3663efed0972128a2d503f0216e7f105f9b85af757b680151adf16b27bf5847cf20c5cd5876b1c2ec84d119f1d7653d
-
Filesize
61B
MD547684525bfdf26f49fd1cf742b17c015
SHA1c4ab14ba22420ff9acadfc698a38d0cd99e9fbfa
SHA256b7ce294613dd2c237a4a50548bfcd5c14d166107f2d2e965499bc78695300d5b
SHA512948f9c519ae9afe1c821c5d58da2e584e50356dabef597ccd408853a9038560b9fb1c5894900e2725b48977ffd49d18a439436bb4946e2164ac9fcf2a8637621
-
Filesize
1.8MB
MD50fec8e69d3f0c2ed1e277862ae11920a
SHA103ebe706b4db40f162a067faef9ae807a9a47112
SHA2565e3ee5b0e30e13c3d3c6c2bef60fc12fbac929948e7b17cc2382ceea158116a5
SHA51215ff2439683ca1139c47ab3a95dc610ae75777304a1236e2a070da25054ae86ef519f85b8ddf19fc68d1cd52e824c25d8b42442c74034ca5130edb81a54f807c
-
Filesize
1KB
MD5fc5a2d602aa56dc9e63f1b105906f8cb
SHA1b76d0e8a96654203030a36e66c66c668b8b64169
SHA2561bced58d2009f2f570ec9711367c7efd3b9566f93943f211342f7c95c9403555
SHA51208eccde7869be9a444db9e8a7a8d8f04a7fef9440e00b173fed4cf1bfa6916624919e286ce90529adb36c6ca86e9eff715dc7b6bc4b3172e879bd95362c764bf
-
Filesize
232KB
MD5f11b2b59639b1edcb46026472786c747
SHA1a6fe59e11456bc7f19e28b38aa9c1f9c1a13b70d
SHA256189fbf2416c8205430d8eaa85e2947bc15504ca335ad4a77ec668ff3cbf9c84a
SHA5121967f43b4b274e2afbc30e8e1bad314085e488066b22233e6ec033dbae10ae111320296b9d429e94cb3079636a37e433aeac928b4ef23a56dedae1741815416b
-
Filesize
159KB
MD5e093dc78225e2a0a25e3b137c1c1e442
SHA1c29497cfaae729eb576875e4fdfa400640ab16be
SHA2561190f4dbc7be174de8fd4096c9bf7a28eebfac937d308b7cc533be4a1240d26e
SHA512fe1cc7a65327732eaaee89f427c10239ba822430e34177842f4681068d78d404b1830d808a2a71b1efcc5f126c6d8c053512237421173aaa150e215a672da6f0