hive | 713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771

General

Target

713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
Size

2.3MB
MD5

171d2a50c6d7e69281d1c3ef98d510f2
SHA1

322db4ca435004a127acd4171cc52be9edaf5338
SHA256

713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771
SHA512

2226d1a5e9c8a2920fa8d327b53e10f135e9b30c8c3d1e7fbb3a59a51df782f106f41f60ad8140a1de4a81ef6b230418126ffb24bd75eab3c3a298ada2f58913
SSDEEP

49152:bC9tUNrb/T7vO90dL3BmAFd4A64nsfJcm9M3YJIpgfDVw0ksgg778GzvyKYUcTD1:bzcM4IyEWyKP

Score

10^/10

hive evasion persistence ransomware

Malware Config

Extracted

Path

/MEag_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note

Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: 5mX2Ja7tXTQd Password: 36VFJGoJ6t4qhgbHLXyJ To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key.ndjmu files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.

URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive
Deletes itself 1 IoCs

Processes:

713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf

pid process

1478 713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
Deletes journal logs 1 TTPs 1 IoCs
Deletes systemd journal logs. Likely to evade detection.
evasion

Indicator Removal
T1070

Processes:

description ioc

File truncated /var/log/journal/4816dd152e8c48ff97e9117d197c13d8/MEag_HOW_TO_DECRYPT.txt
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

description ioc

File opened for modification /var/spool/cron/atjobs/MEag_HOW_TO_DECRYPT.txt

pid	process
1478	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf

description	ioc
File truncated	/var/log/journal/4816dd152e8c48ff97e9117d197c13d8/MEag_HOW_TO_DECRYPT.txt

description	ioc
File opened for modification	/var/spool/cron/atjobs/MEag_HOW_TO_DECRYPT.txt

Deletes log files 1 TTPs 7 IoCs

Deletes log files on the system.

Indicator Removal

T1070

Processes:

description	ioc
File truncated	/var/log/audit/MEag_HOW_TO_DECRYPT.txt
File truncated	/var/log/cups/MEag_HOW_TO_DECRYPT.txt
File truncated	/var/log/installer/cdebconf/MEag_HOW_TO_DECRYPT.txt
File truncated	/var/log/installer/MEag_HOW_TO_DECRYPT.txt
File truncated	/var/log/unattended-upgrades/MEag_HOW_TO_DECRYPT.txt
File truncated	/var/log/MEag_HOW_TO_DECRYPT.txt
File truncated	/var/log/apt/MEag_HOW_TO_DECRYPT.txt

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 15 IoCs

System Information Discovery

T1082

Processes:

713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf

description	ioc	process
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/system/cpu/cpu0/power	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/system/cpu/cpufreq	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/system/cpu/hotplug	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/system/cpu/smt	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/system/cpu/cpu0	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/system/cpu/cpu0/cache	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/system/cpu/cpu0/hotplug	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/system/cpu/cpu0/topology	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/system/cpu/power	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/system/cpu/vulnerabilities	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/system/cpu/cpuidle	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf

Reads hardware information 1 TTPs 1 IoCs
Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery
T1082

Processes:

713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf

description ioc process

File opened for reading /sys/devices/virtual/dmi/id/power 713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/power	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf

Reads network interface configuration 2 TTPs 12 IoCs

Fetches information about one or more active network interfaces.

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Processes:

713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf

description	ioc	process
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/rx-0	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/power	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/virtual/net/lo/power	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/virtual/net/lo/queues	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/virtual/net/lo/queues/rx-0	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/virtual/net/lo/statistics	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/byte_queue_limits	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf

description	ioc	process
File opened for reading	/sys/fs/cgroup/pids/system.slice/ssh.service	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/debug/tracing/events/bridge/br_fdb_external_learn_add	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/debug/tracing/events/filemap/mm_filemap_delete_from_page_cache	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_syncfs	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/security/apparmor/features/signal	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/security/integrity/ima	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/slab/anon_vma/cgroup/anon_vma(1267:polkit.service)	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/debug/tracing/events/xhci-hcd/xhci_dbg_quirks	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/slab/dentry/cgroup/dentry(593:cups-browsed.service)	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/slab/kmalloc-192/cgroup	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_capget	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/debug/tracing/events/vmscan/mm_vmscan_lru_shrink_inactive	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_enter_timer_settime	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/debug/tracing/events/spi/spi_transfer_stop	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_renameat	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_enter_acct	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/module/ehci_hcd/parameters	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/virtio0	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/fs/cgroup/devices/system.slice/anacron.service	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/fs/cgroup/devices/system.slice/apt-daily.service	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/slab/kmalloc-4k/cgroup/kmalloc-4k(767:dbus.service)	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/bus/pci/slots/27	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:04.0/ata3/ata_port	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/debug/tracing/events/clk/clk_set_phase_complete	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/slab/dentry/cgroup/dentry(1117:fwupd-refresh.service)	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/slab/dentry/cgroup/dentry(417:avahi-daemon.service)	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/platform/eisa.0/power	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/fs/cgroup/unified/system.slice/acpid.service	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/slab/kmalloc-2k/cgroup/kmalloc-2k(723:[email protected])	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/slab/kmalloc-512/cgroup/kmalloc-512(1243:rsyslog.service)	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/slab/kmalloc-rcl-64/cgroup/kmalloc-rcl-64(761:session-1.scope)	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/virtual/block/loop1/integrity	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/debug/tracing/events/regulator/regulator_enable_complete	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/debug/tracing/events/xen/xen_mmu_set_pte	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/bus/xen	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/virtual/ppp/ppp	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:04.0/ata5/ata_port	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/slab/dentry/cgroup/dentry(457:dmesg.service)	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_enter_setregid	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/module/ttm	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/debug/tracing/events/skb/skb_copy_datagram_iovec	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_modify_ldt	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/virtual/misc/vfio	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_settimeofday	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/bus/event_source/drivers	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/class/ppp	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/platform/serial8250/tty/ttyS26/power	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/system/memory/memory5	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/debug/bdi/7:3	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_truncate	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/slab/:a-0000104/cgroup/buffer_head(925:tracker-store.service)	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/slab/kmalloc-rcl-512/cgroup	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/slab/skbuff_head_cache	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/tracing/events/intel_iommu/map_single	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:01.1/ata2/link2/dev2.0/ata_device/dev2.0/power	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/debug/tracing/events/intel_iommu/unmap_single	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_getpgrp	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/tracing/events/devlink/devlink_health_recover_aborted	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/module/rcupdate	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/debug/tracing/events/huge_memory/mm_collapse_huge_page_isolate	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_sched_setattr	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/slab/:a-0000104/cgroup/buffer_head(177:swapfile.swap)	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/tracing/events/dma_fence/dma_fence_signaled	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_acct	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf

description	ioc	process
File opened for reading	/proc/1419/task/1419/net/dev_snmp6	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/438/map_files	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/93/task/93/fdinfo	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/1299/task/1300/fd	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/162/net/dev_snmp6	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/162/task/162/attr	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/89/attr/smack	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/1036/task/1038	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/685	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/5/net/netfilter	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/8/net/stat	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/8/ns	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/1028/task/1031/net	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/1415/map_files	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/163/net	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/300/task/300/ns	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/74/net/dev_snmp6	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/91/attr/smack	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/168/task/168/ns	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/173/task/173/attr/apparmor	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/804/task/805/ns	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/1023/task/1024/attr/apparmor	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/1478/net/stat	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/1629/attr	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/3/task/3	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/79/attr/apparmor	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/102/task/102/net/dev_snmp6	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/1416/task/1416/attr/smack	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/1478/task/1478/net/netfilter	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/436/task/436/net/dev_snmp6	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/975/ns	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/1534/attr	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/16/net/netfilter	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/436/fd	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/90/net/netfilter	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/11/attr/smack	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/954/task/955/attr/apparmor	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/102/task/102/net	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/12/task/12/attr/apparmor	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/17/task/17/net	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/90/net/dev_snmp6	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/1049/task/1050/attr	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/166/task/166/fd	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/84/fdinfo	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/88/task/88/attr/smack	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/11/net	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/242/attr	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/242/task/242/fdinfo	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/268/net/netfilter	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/1431	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/391/fdinfo	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/804/task/804/fd	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/943/task/943	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/sys/dev/parport/default	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/11/task	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/1413/fdinfo	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/163/attr	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/163/task/163/attr	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/436/task/436/net/netfilter	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/581/net/netfilter	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/6/task/6/attr/apparmor	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/943/task/944/attr/smack	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/572/attr	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
File opened for reading	/proc/685/task/685/net/stat	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

Processes:

713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf

description	ioc	process
File opened for modification	/tmp/config-err-Zc36cM.9A6ipfZGHZhCEbPmLrCLeKY_eoMoDjPd5ntObuEOtI7_3283fBIRBxo0.ndjmu	713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf

/tmp/713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
/tmp/713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771.elf
1⤵
- Deletes itself
- Reads CPU attributes
- Reads hardware information
- Reads network interface configuration
- Enumerates kernel/hardware configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1478

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Indicator Removal

2

T1070

Credential Access

Discovery

System Information Discovery

3

T1082

System Network Configuration Discovery

1

T1016

System Network Connections Discovery

1

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/9A6ipfZGHZhCEbPmLrCLeKY_eoMoDjPd5ntObuEOtI7_.key.ndjmu

Filesize
1.2MB

MD5
b96ea7e387b7b88daf42435f939e6c2b

SHA1
8bdf7ae7bf1a84ad4589779cfe7826eefe0a3f00

SHA256
f2644bb37b14c54267939f0fa3382c4fc465e89a2a1d567e6f123f7f266480a2

SHA512
9043303955913048a127107a5ed40b6e5b7346a685c5336083ef4cca2f4bda1bb4d7585e4acf58bb21f57018d174cd6120a24293aa6a2c963dd8e88f3e92609a

Download Submit
/MEag_HOW_TO_DECRYPT.txt

Filesize
1KB

MD5
24a4eff548b411e7716858ce77d60240

SHA1
757acc90bccf8dc11a1440015b4d02dcb7962d35

SHA256
9f3cb32b4ea42ee56ba952a09af75c5a180488d33945bb06f97df944183a46a0

SHA512
61abe02146c8a2d29c76f0625170cbcb903e8fc8bbf7f4fd4afcdcff70972f3042dc19a741fa5a3756ca0eb2f0e3dbf4fbb6a192e8897d952607f211177844be

Download Submit
/etc/motd

Filesize
1KB

MD5
af959dd8dd251e49b8ecc2c94ee306d8

SHA1
55a13ec8d00b81ed5a73c2207d0591ca7bb2aa9f

SHA256
af8849418fa17af34ee739120a69e904d2f25fabf248d6ce23b7509037ea8fcd

SHA512
e51ff3da32c9e59904c7e4ebf66f5d42f1cbab74f09f8acb51e55c1c610be1d23cb81f238a6818dd4193dfde5f9e7de0e0c828a659a66d325101f07258242b5f

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads