Analysis
max time kernel: 149s
max time network: 153s
platform: ubuntu-20.04_amd64
resource: ubuntu2004-amd64-20240221-en
resource tags: arch:amd64, arch:i386, image:ubuntu2004-amd64-20240221-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
submitted: 23/02/2024, 12:17
Behavioral task: behavioral1
Sample: x86-20240223-1216.elf
Resource: ubuntu2004-amd64-20240221-en
General
Target: x86-20240223-1216.elf
Size: 54KB
MD5: 1dfaf1138ccf0385dd5fc6a3fabdfe78
SHA1: 069b322a5a9fd3cc518c91de06a8486a574d3e08
SHA256: ee312ebe9f57feb3fd77f00c809313e75ef652e52631569b991d9391d408f469
SHA512: d2f0bf97dd14e48a92e0877f31ccc3ec3c0337306c0e3eacff6381c8b65cfe4c99690aba4f96651b723e435163f9e23ba79dc6c328f7cb19c54b4d4a49fb4bc5
SSDEEP: 1536:lEytfbaM12r8ZBG6X+cHaBuhTT2OoaEDrKQVM:lEytfbaM1zAl5whnN3ESy
Malware Config
Signatures
- Contacts a large (36861) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Changes its process name (1 IoCs)
  description: Changes the process name, possibly in an attempt to hide itself
  ioc: /bin/watchdog
  pid: 1460
  Process: x86-20240223-1216.elf
- Enumerates running processes
  Discovers information about currently running processes on the system
- Reads runtime system information (64 IoCs)
  Reads data from /proc virtual filesystem.
- Writes file to tmp directory (1 IoCs)
  Malware often drops required files in the /tmp directory.
  description: File opened for modification
  ioc: /tmp/bin/watchdog����/�����
  Process: sh
Processes
- /tmp/x86-20240223-1216.elf (command line: /tmp/x86-20240223-1216.elf), PID 1460
  Signature: Changes its process name
  - /bin/sh (command line: sh -c "rm -rf bin/watchdog && mkdir bin; >bin/watchdog����/����� && mv /tmp/x86-20240223-1216.elf bin/watchdog; chmod 777 bin/watchdog"), PID 1461
    Signature: Writes file to tmp directory
    - /usr/bin/rm (command line: rm -rf bin/watchdog), PID 1462
    - /usr/bin/mkdir (command line: mkdir bin), PID 1464
    - /usr/bin/chmod (command line: chmod 777 "bin/watchdog"), PID 1467