Analysis

max time kernel: 149s
max time network: 150s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240226-en
resource tags: arch:amd64 arch:i386 image:ubuntu1804-amd64-20240226-en kernel:4.15.0-213-generic locale:en-us os:ubuntu-18.04-amd64 system
submitted: 09/04/2024, 01:54
Static task: static1
Behavioral task: behavioral1
Sample: a861f22316198a3d223c9a612b510d5eb2177a6c11d2f081d4e7c8499b0edf26.elf
Resource: ubuntu1804-amd64-20240226-en
General

Target: a861f22316198a3d223c9a612b510d5eb2177a6c11d2f081d4e7c8499b0edf26.elf
Size: 111KB
MD5: 6ce18ef97dc28ad721bcb26d84178aca
SHA1: 9af7348ce37b96cb262e4fc90920778d4af77d68
SHA256: a861f22316198a3d223c9a612b510d5eb2177a6c11d2f081d4e7c8499b0edf26
SHA512: 4d4f926ae71756fbadb34c58cc3990e5f7245620fc6bfd705f19bc85da813d6f165a169fae8af3b6c0458635286eb50984c793be9d2098b5c24464287fa302d9
SSDEEP: 1536:5tyBeAZDJCRBMjvG4FGV94lXkGLy+GB2NccmAx9HSUt2Q7xW3N:nPWDJaKpoQKGNGcNcayuI3N
Malware Config

(none extracted)

Signatures

Contacts a large (37631) amount of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Changes its process name (1 IoC)
Changes the process name, possibly in an attempt to hide itself.
  pid: 1548  process: a861f22316198a3d223c9a612b510d5eb2177a6c11d2f081d4e7c8499b0edf26.elf

Deletes itself (1 IoC)
  pid: 1548  process: a861f22316198a3d223c9a612b510d5eb2177a6c11d2f081d4e7c8499b0edf26.elf

Traces itself (1 IoC)
Traces itself to prevent debugging attempts.
  pid: 1548  process: a861f22316198a3d223c9a612b510d5eb2177a6c11d2f081d4e7c8499b0edf26.elf

Unexpected DNS network traffic destination (19 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Enumerates running processes
Discovers information about currently running processes on the system.

Reads runtime system information (64 IoCs)
Reads data from the /proc virtual filesystem (per-process cmdline files opened for reading).