3ba36ff89bf99503099c951409a0f9d0a357629768cb8f801f1336ff5452db11

Analysis

max time kernel
150s
max time network
154s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240221-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240221-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
04/03/2024, 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b26095fe4bf9280184486ad20f28f968
Size

78KB
MD5

b26095fe4bf9280184486ad20f28f968
SHA1

d62e5245e857dfd57fbfb3a40795b41e038990c8
SHA256

3ba36ff89bf99503099c951409a0f9d0a357629768cb8f801f1336ff5452db11
SHA512

e060ddf2e1f6f1acca5d970f3ad706f092137f357c88d2207ac746286ab7bff94e9b13f5dd16af6e33115cfd6d5d9f570288257f6914b7026e8d8401ac110d75
SSDEEP

1536:Bg9bxyWp6hbJd+KzK7h8nh4ftjKUPPOy1u5j3vcy3mY:BMk9JdWpftjKUPGyyj3P

Score

9^/10

discovery

Malware Config

Signatures

Contacts a large (102127) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Flushes firewall rules 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

pid	Process
1484	iptables

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

description	ioc
File opened for modification	/dev/watchdog
File opened for modification	/dev/misc/watchdog

Enumerates running processes
Discovers information about currently running processes on the system

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	bot.whatismyipaddress.com
6	bot.whatismyipaddress.com
2	bot.whatismyipaddress.com
3	bot.whatismyipaddress.com
4	bot.whatismyipaddress.com

Writes file to system bin folder 1 TTPs 1 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/sbin/watchdog

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc
File opened for reading	/proc/1039/fd
File opened for reading	/proc/1047/status
File opened for reading	/proc/1141/status
File opened for reading	/proc/1421/cmdline
File opened for reading	/proc/1422/status
File opened for reading	/proc/1485/exe
File opened for reading	/proc/1478/exe
File opened for reading	/proc/804/status
File opened for reading	/proc/1411/exe
File opened for reading	/proc/1415/cmdline
File opened for reading	/proc/1417/exe
File opened for reading	/proc/1421/exe
File opened for reading	/proc/1422/cmdline
File opened for reading	/proc/1445/exe
File opened for reading	/proc/948/exe
File opened for reading	/proc/979/exe
File opened for reading	/proc/990/exe
File opened for reading	/proc/1006/status
File opened for reading	/proc/1198/fd
File opened for reading	/proc/1414/fd
File opened for reading	/proc/962/cmdline
File opened for reading	/proc/1029/exe
File opened for reading	/proc/1092/cmdline
File opened for reading	/proc/1318/status
File opened for reading	/proc/1412/cmdline
File opened for reading	/proc/974/status
File opened for reading	/proc/1074/fd
File opened for reading	/proc/1103/fd
File opened for reading	/proc/1445/cmdline
File opened for reading	/proc/804/cmdline
File opened for reading	/proc/1412/fd
File opened for reading	/proc/1420/status
File opened for reading	/proc/1478/status
File opened for reading	/proc/1485/cmdline
File opened for reading	/proc/906/fd
File opened for reading	/proc/1198/exe
File opened for reading	/proc/1305/exe
File opened for reading	/proc/1428/cmdline
File opened for reading	/proc/916/cmdline
File opened for reading	/proc/948/status
File opened for reading	/proc/1141/cmdline
File opened for reading	/proc/1413/status
File opened for reading	/proc/911/status
File opened for reading	/proc/1043/status
File opened for reading	/proc/1051/cmdline
File opened for reading	/proc/1103/status
File opened for reading	/proc/1432/exe
File opened for reading	/proc/907/exe
File opened for reading	/proc/968/cmdline
File opened for reading	/proc/1108/cmdline
File opened for reading	/proc/1456/fd
File opened for reading	/proc/1039/status
File opened for reading	/proc/1060/cmdline
File opened for reading	/proc/1424/cmdline
File opened for reading	/proc/1424/exe
File opened for reading	/proc/1432/status
File opened for reading	/proc/906/status
File opened for reading	/proc/990/cmdline
File opened for reading	/proc/1155/cmdline
File opened for reading	/proc/1428/exe
File opened for reading	/proc/908/cmdline
File opened for reading	/proc/911/fd
File opened for reading	/proc/990/fd
File opened for reading	/proc/1134/exe

/tmp/b26095fe4bf9280184486ad20f28f968
/tmp/b26095fe4bf9280184486ad20f28f968
1⤵
PID:1470

/bin/sh
sh -c "iptables -F"
1⤵
PID:1482
- /usr/sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads