5dcfac410a8ac5371ec25cbf19002209f1d52c7429ea992e2efd965ff55d4fa9

Resubmissions

23-02-2024 03:45

240223-ea6qpsaf9t 10

23-02-2024 02:03

240223-cg4htahg5x 10

Analysis

max time kernel
151s
max time network
151s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240221-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240221-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
23-02-2024 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

016005310b52d074fae59ca6682bd047ffe909f2849122ea0181c26ad2da41cb.elf
Size

72KB
MD5

ff2986c0ae9f76f395a03eb041d3f736
SHA1

cd72af507c7d47b5765d94028e8b1284010f4a24
SHA256

016005310b52d074fae59ca6682bd047ffe909f2849122ea0181c26ad2da41cb
SHA512

e4bbcc096bc3eccc094f700937844fd0f0d29054368b41c9041841ef7c6255e72b1c5be5c3d67668cdfd965babc2ac56a9cb1e33d0eb9afb2a16bd99dda6fefc
SSDEEP

1536:XNQb3EPdjmfX41gPEe/yWhxwZcJebovZ9AsUmJ:X+EVKfXlp/ynZOebmZ9AsJ

Score

7^/10

Malware Config

Signatures

Changes its process name 1 IoCs

Processes:

016005310b52d074fae59ca6682bd047ffe909f2849122ea0181c26ad2da41cb.elf

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	a	1550	016005310b52d074fae59ca6682bd047ffe909f2849122ea0181c26ad2da41cb.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

description ioc

File opened for modification /dev/watchdog
File opened for modification /dev/misc/watchdog
Enumerates running processes
Discovers information about currently running processes on the system
Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow
T1574

Processes:

description ioc

File opened for modification /sbin/watchdog
File opened for modification /bin/watchdog

description	ioc
File opened for modification	/dev/watchdog
File opened for modification	/dev/misc/watchdog

description	ioc
File opened for modification	/sbin/watchdog
File opened for modification	/bin/watchdog

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc
File opened for reading	/proc/1202/mnt
File opened for reading	/proc/1303/mnt
File opened for reading	/proc/9/mnt
File opened for reading	/proc/22/mnt
File opened for reading	/proc/30/mnt
File opened for reading	/proc/553/mnt
File opened for reading	/proc/664/mnt
File opened for reading	/proc/1159/mnt
File opened for reading	/proc/1547/mnt
File opened for reading	/proc/1548/mnt
File opened for reading	/proc/6/mnt
File opened for reading	/proc/15/mnt
File opened for reading	/proc/441/mnt
File opened for reading	/proc/615/mnt
File opened for reading	/proc/1183/mnt
File opened for reading	/proc/1206/mnt
File opened for reading	/proc/1265/mnt
File opened for reading	/proc/36/mnt
File opened for reading	/proc/135/mnt
File opened for reading	/proc/253/mnt
File opened for reading	/proc/974/mnt
File opened for reading	/proc/1203/mnt
File opened for reading	/proc/1208/mnt
File opened for reading	/proc/78/mnt
File opened for reading	/proc/84/mnt
File opened for reading	/proc/187/mnt
File opened for reading	/proc/4/mnt
File opened for reading	/proc/5/mnt
File opened for reading	/proc/11/mnt
File opened for reading	/proc/177/mnt
File opened for reading	/proc/675/mnt
File opened for reading	/proc/1168/mnt
File opened for reading	/proc/34/mnt
File opened for reading	/proc/89/mnt
File opened for reading	/proc/651/mnt
File opened for reading	/proc/1042/mnt
File opened for reading	/proc/1072/mnt
File opened for reading	/proc/1076/mnt
File opened for reading	/proc/1128/mnt
File opened for reading	/proc/1/mnt
File opened for reading	/proc/2/mnt
File opened for reading	/proc/179/mnt
File opened for reading	/proc/1023/mnt
File opened for reading	/proc/1086/mnt
File opened for reading	/proc/1355/mnt
File opened for reading	/proc/1249/mnt
File opened for reading	/proc/35/mnt
File opened for reading	/proc/85/mnt
File opened for reading	/proc/471/mnt
File opened for reading	/proc/536/mnt
File opened for reading	/proc/740/mnt
File opened for reading	/proc/1149/mnt
File opened for reading	/proc/20/mnt
File opened for reading	/proc/79/mnt
File opened for reading	/proc/27/mnt
File opened for reading	/proc/180/mnt
File opened for reading	/proc/1137/mnt
File opened for reading	/proc/1319/mnt
File opened for reading	/proc/25/mnt
File opened for reading	/proc/484/mnt
File opened for reading	/proc/1546/mnt
File opened for reading	/proc/1163/mnt
File opened for reading	/proc/32/mnt
File opened for reading	/proc/83/mnt

/tmp/016005310b52d074fae59ca6682bd047ffe909f2849122ea0181c26ad2da41cb.elf
/tmp/016005310b52d074fae59ca6682bd047ffe909f2849122ea0181c26ad2da41cb.elf
1⤵
- Changes its process name
PID:1550

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Impair Defenses

T1562

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads