Analysis
-
max time kernel
149s -
max time network
153s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20240226-en -
resource tags
arch:amd64arch:i386image:ubuntu1804-amd64-20240226-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system -
submitted
15/03/2024, 13:32
Behavioral task
behavioral1
Sample
31dd438c323b07e86776ba7c69fb8444.elf
Resource
ubuntu1804-amd64-20240226-en
ubuntu-18.04-amd64
6 signatures
150 seconds
General
-
Target
31dd438c323b07e86776ba7c69fb8444.elf
-
Size
37KB
-
MD5
31dd438c323b07e86776ba7c69fb8444
-
SHA1
94bc81ca8b54fe8c26fcf5de553eac160352e3c8
-
SHA256
0e9029207f1f762275fa9d5bf88a547004ebbe8b430bc0fda325f8f7a88920c7
-
SHA512
e15d5697358691471213b83b976c2bd919a05060cfcabfe3f29a21b0df02eccbf941c149fb33ae9d3c70c733acec1d0a2210033cbdf7a205d22e753840be0cd2
-
SSDEEP
768:6ryDw+2jd+xIPTWri8wklJugN7V3NwXVAaceiV5og:7w+2j02PirrigN7jwXVxceivog
Score
9/10
Malware Config
Signatures
-
Contacts a large (76260) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Changes its process name 1 IoCs
description ioc pid Process Changes the process name, possibly in an attempt to hide itself /var/Sofia 1515 31dd438c323b07e86776ba7c69fb8444.elf -
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description ioc Process File opened for modification /dev/misc/watchdog 31dd438c323b07e86776ba7c69fb8444.elf File opened for modification /dev/watchdog 31dd438c323b07e86776ba7c69fb8444.elf -
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
description ioc File opened for reading /proc/5/cmdline File opened for reading /proc/25/cmdline File opened for reading /proc/154/cmdline File opened for reading /proc/157/cmdline File opened for reading /proc/1152/cmdline File opened for reading /proc/1528/cmdline File opened for reading /proc/8/cmdline File opened for reading /proc/17/cmdline File opened for reading /proc/162/cmdline File opened for reading /proc/667/cmdline File opened for reading /proc/1122/cmdline File opened for reading /proc/1143/cmdline File opened for reading /proc/16/cmdline File opened for reading /proc/161/cmdline File opened for reading /proc/932/cmdline File opened for reading /proc/1070/cmdline File opened for reading /proc/1085/cmdline File opened for reading /proc/79/cmdline File opened for reading /proc/126/cmdline File opened for reading /proc/233/cmdline File opened for reading /proc/640/cmdline File opened for reading /proc/1065/cmdline File opened for reading /proc/1134/cmdline File opened for reading /proc/165/cmdline File opened for reading /proc/1148/cmdline File opened for reading /proc/1287/cmdline File opened for reading /proc/7/cmdline File opened for reading /proc/19/cmdline File opened for reading /proc/588/cmdline File opened for reading /proc/1138/cmdline File opened for reading /proc/1151/cmdline File opened for reading /proc/1301/cmdline File opened for reading /proc/1164/cmdline File opened for reading /proc/1337/cmdline File opened for reading /proc/36/cmdline File opened for reading /proc/153/cmdline File opened for reading /proc/434/cmdline File opened for reading /proc/542/cmdline File opened for reading /proc/955/cmdline File opened for reading /proc/1111/cmdline File opened for reading /proc/35/cmdline File opened for reading /proc/264/cmdline File opened for reading /proc/511/cmdline File opened for reading /proc/963/cmdline File opened for reading /proc/1055/cmdline File opened for reading /proc/1126/cmdline File opened for reading /proc/1171/cmdline File opened for reading /proc/1355/cmdline File opened for reading /proc/26/cmdline File opened for reading /proc/629/cmdline File opened for reading /proc/661/cmdline File opened for reading /proc/876/cmdline File opened for reading /proc/1042/cmdline File opened for reading /proc/1162/cmdline File opened for reading /proc/12/cmdline File opened for reading /proc/545/cmdline File opened for reading /proc/1090/cmdline File opened for reading /proc/1147/cmdline File opened for reading /proc/1154/cmdline File opened for reading /proc/1512/cmdline File opened for reading /proc/15/cmdline File opened for reading /proc/81/cmdline File opened for reading /proc/466/cmdline File opened for reading /proc/1007/cmdline