Analysis
max time kernel: 149s
max time network: 151s
platform: ubuntu-20.04_amd64
resource: ubuntu2004-amd64-20240221-en
resource tags: arch:amd64, arch:i386, image:ubuntu2004-amd64-20240221-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
submitted: 09/04/2024, 01:42
Static task: static1
Behavioral task: behavioral1
Sample: adefd6b37ee3dc189916368a6070f1e6cc1480b4564c8ffcbc23d714cfeabc54.elf
Resource: ubuntu2004-amd64-20240221-en
General
Target: adefd6b37ee3dc189916368a6070f1e6cc1480b4564c8ffcbc23d714cfeabc54.elf
Size: 109KB
MD5: 8cc0cdf62fc99a47b520924c39b869ab
SHA1: f822213efb7a389ccff9e24d5120eb9555693c54
SHA256: adefd6b37ee3dc189916368a6070f1e6cc1480b4564c8ffcbc23d714cfeabc54
SHA512: dcbd8fbf8274308555b1806ca496490c9b05d43069e1ae0f0c2ba0a6cb2d9ab2c83f49d6fc5dcc2cb5ca4118fc2b3678613ffd9513a34a3ba8b359575fe3c8f5
SSDEEP: 1536:MDT1HnGuT9ZplJsQd6T1kRezWxNTnMGAZPHIFbsSPrg7x83zR:MDMC9Zj5i1aPxhnMNZfIJg63zR
Malware Config
Signatures

Contacts a large (38144) amount of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Changes its process name (1 IoC)
  description: Changes the process name, possibly in an attempt to hide itself
  pid: 1489
  Process: adefd6b37ee3dc189916368a6070f1e6cc1480b4564c8ffcbc23d714cfeabc54.elf

Deletes itself (1 IoC)
  pid: 1489
  Process: adefd6b37ee3dc189916368a6070f1e6cc1480b4564c8ffcbc23d714cfeabc54.elf

Traces itself (1 IoC)
Traces itself to prevent debugging attempts
  pid: 1489
  Process: adefd6b37ee3dc189916368a6070f1e6cc1480b4564c8ffcbc23d714cfeabc54.elf

Unexpected DNS network traffic destination (6 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description: Destination IP, ioc: 91.217.137.37
  description: Destination IP, ioc: 91.217.137.37
  description: Destination IP, ioc: 178.254.22.166
  description: Destination IP, ioc: 91.217.137.37
  description: Destination IP, ioc: 91.217.137.37
  description: Destination IP, ioc: 91.217.137.37

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information (64 IoCs)
Reads data from /proc virtual filesystem.