Overview

overview

10

Static

static

7

96a47e74c4...1a.elf

ubuntu-20.04-amd64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1184bf04877dec9a4bbb24acd30c8d49.bin

  • Size

    3.8MB

  • Sample

    240226-bdc11she2x

  • MD5

    0b4657616265117f3ce8c771d88d3e97

  • SHA1

    083132ac5f6c2a9a656678aa9f25319cde3d4d5e

  • SHA256

    0dadc6709aed7d9a9d03796f919a13095fe4de8e09d5378704e5c0feadd91a6a

  • SHA512

    b2d7987167ae8ec3f43e552fd1366eaf00839b0ffbd87ec3fa5bd192761021f34efc79814596447e6d401ac60de9d0eaeb970dca8682cacdbeb3759f54a54943

  • SSDEEP

    98304:r+o7dOI1kqqIveqFVmQx09XbbMX+6j2pBbTkJ8:r+a4ys4Pw3MXn2r+8

Score
10/10
kaitenantivmbotnetinfostealerlinuxpersistenceupx

Malware Config

Targets

    • Target

      96a47e74c42f7cb2799ef064f413aeaeaf667662a3983b4e66556a827aa2481a.elf

    • Size

      3.8MB

    • MD5

      1184bf04877dec9a4bbb24acd30c8d49

    • SHA1

      e68649a61a173c93775580ec0e975a3a87250e9d

    • SHA256

      96a47e74c42f7cb2799ef064f413aeaeaf667662a3983b4e66556a827aa2481a

    • SHA512

      25917099b31a0bd7b3fab4600c318c3a3acab5bb1c2dc8d7fbccfc22046fb7a551747065ad9016dba26d8de16a0782d4a7279a5b644c7802f4151c4d3184d104

    • SSDEEP

      98304:e6M0JGEyxYXQKOscf3j3/DaNAq//XxsdQDYpexnaG4oDhAJ:i0JZ8yysw3zDuTXqQD+exawDhY

    Score
    10/10
    kaitenantivmbotnetinfostealerpersistenceupx

    • Detects Kaiten/Tsunami Payload

    • Detects Kaiten/Tsunami payload

    • Kaiten/Tsunami

      Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.

      botnetkaiten

    • Executes dropped EXE

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

      infostealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Checks CPU configuration

      Checks CPU information which indicate if the system is a virtual machine.

      antivm

    • Checks hardware identifiers (DMI)

      Checks DMI information which indicate if the system is a virtual machine.

      antivm

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

      persistence

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

      persistence

    • Modifies systemd

      Adds/ modifies systemd service files. Likely to achieve persistence.

      persistence

    • Reads CPU attributes

    • Reads hardware information

      Accesses system info like serial numbers, manufacturer names etc.

    • Writes file to system bin folder

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks