Analysis
- max time kernel: 149s
- max time network: 149s
- platform: ubuntu-20.04_amd64
- resource: ubuntu2004-amd64-20240221-en
- resource tags: arch:amd64, arch:i386, image:ubuntu2004-amd64-20240221-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
- submitted: 15-04-2024 10:23
Behavioral task
- behavioral1
- Sample: 20d263bd6e0552cad17ec45eeff1844b.elf
- Resource: ubuntu2004-amd64-20240221-en
General
- Target: 20d263bd6e0552cad17ec45eeff1844b.elf
- Size: 74KB
- MD5: 20d263bd6e0552cad17ec45eeff1844b
- SHA1: 67a23901d5f3276ba4e8c95c21aeb79ca584a36a
- SHA256: 648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b
- SHA512: f721ddcbcb19d22057d8a4b7402fa8d852872b3df3de18a13b8c983407fb29cd06ef7b9c35c4c50a179ac98fd2e70296806487fc59d4a9e291fa248662ac5eef
- SSDEEP: 1536:EUPldq0TJFnqXKvdo7DYZXjs56tbWuhyN/XemIdRI1R+5vY1SLq7wTVVi:9NdDznqoK7D4s5UWxem0I1R+JeSOcTf
Malware Config
Signatures
- Changes its process name (1 IoC)
  Process: 20d263bd6e0552cad17ec45eeff1844b.elf
  description: Changes the process name, possibly in an attempt to hide itself; ioc: brqwqakcp0qq; pid: 1461; process: 20d263bd6e0552cad17ec45eeff1844b.elf
- Deletes itself (1 IoC)
  pid: 1461; process: 20d263bd6e0552cad17ec45eeff1844b.elf
- Deletes system logs (1 TTP, 1 IoC)
  Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
  File deleted: /var/log/journal/4816dd152e8c48ff97e9117d197c13d8/system.journal
- Modifies Watchdog functionality (1 TTP, 2 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  Process: 20d263bd6e0552cad17ec45eeff1844b.elf
  File opened for modification: /dev/watchdog (20d263bd6e0552cad17ec45eeff1844b.elf)
  File opened for modification: /dev/misc/watchdog (20d263bd6e0552cad17ec45eeff1844b.elf)
- Deletes log files (1 TTP, 4 IoCs)
  Deletes log files on the system.
  File deleted: /var/log/kern.log
  File deleted: /var/log/apport.log
  File deleted: /var/log/auth.log
  File deleted: /var/log/ubuntu-advantage.log
- Enumerates running processes
  Discovers information about currently running processes on the system
- Reads CPU attributes (1 TTP, 10 IoCs)
  Process: pkill
  File opened for reading: /sys/devices/system/cpu/online (pkill), 10 identical entries
- Reads runtime system information (64 IoCs)
  Reads data from /proc virtual filesystem.
  Process: pkill
  File opened for reading: /proc/140/status (pkill)
  File opened for reading: /proc/172/cmdline (pkill)
  File opened for reading: /proc/201/status (pkill)
  File opened for reading: /proc/482/cmdline (pkill)
  File opened for reading: /proc/10/cmdline (pkill)
  File opened for reading: /proc/9/status (pkill)
  File opened for reading: /proc/792/cmdline (pkill)
  File opened for reading: /proc/1679/cmdline
  File opened for reading: /proc/17/cmdline (pkill)
  File opened for reading: /proc/452/cmdline (pkill)
  File opened for reading: /proc/118/status (pkill)
  File opened for reading: /proc/1441/status (pkill)
  File opened for reading: /proc/1077/status (pkill)
  File opened for reading: /proc/1596/cmdline
  File opened for reading: /proc/7/cmdline (pkill)
  File opened for reading: /proc/71/cmdline (pkill)
  File opened for reading: /proc/1469/status (pkill)
  File opened for reading: /proc/580/cmdline
  File opened for reading: /proc/15/cmdline (pkill)
  File opened for reading: /proc/932/cmdline (pkill)
  File opened for reading: /proc/1462/cmdline (pkill)
  File opened for reading: /proc/1478/status (pkill)
  File opened for reading: /proc/670/status (pkill)
  File opened for reading: /proc/1406/status (pkill)
  File opened for reading: /proc/71/cmdline (pkill)
  File opened for reading: /proc/392/cmdline
  File opened for reading: /proc/161/status (pkill)
  File opened for reading: /proc/932/status (pkill)
  File opened for reading: /proc/1119/cmdline (pkill)
  File opened for reading: /proc/1381/cmdline (pkill)
  File opened for reading: /proc/1438/cmdline (pkill)
  File opened for reading: /proc/437/status (pkill)
  File opened for reading: /proc/516/cmdline (pkill)
  File opened for reading: /proc/172/cmdline (pkill)
  File opened for reading: /proc/536/status (pkill)
  File opened for reading: /proc/830/cmdline (pkill)
  File opened for reading: /proc/1045/cmdline (pkill)
  File opened for reading: /proc/1079/cmdline (pkill)
  File opened for reading: /proc/1417/status (pkill)
  File opened for reading: /proc/15/status (pkill)
  File opened for reading: /proc/177/cmdline (pkill)
  File opened for reading: /proc/924/cmdline (pkill)
  File opened for reading: /proc/1184/status (pkill)
  File opened for reading: /proc/1466/status (pkill)
  File opened for reading: /proc/1417/cmdline (pkill)
  File opened for reading: /proc/6/status (pkill)
  File opened for reading: /proc/166/status (pkill)
  File opened for reading: /proc/87/status (pkill)
  File opened for reading: /proc/172/status (pkill)
  File opened for reading: /proc/1420/status (pkill)
  File opened for reading: /proc/503/cmdline (pkill)
  File opened for reading: /proc/82/status (pkill)
  File opened for reading: /proc/1471/cmdline (pkill)
  File opened for reading: /proc/924/cmdline (pkill)
  File opened for reading: /proc/1398/status (pkill)
  File opened for reading: /proc/166/cmdline (pkill)
  File opened for reading: /proc/692/status (pkill)
  File opened for reading: /proc/4/status (pkill)
  File opened for reading: /proc/14/cmdline (pkill)
  File opened for reading: /proc/18/status (pkill)
  File opened for reading: /proc/394/cmdline (pkill)
  File opened for reading: /proc/1434/cmdline (pkill)
  File opened for reading: /proc/1082/status (pkill)
  File opened for reading: /proc/1398/cmdline (pkill)
Processes
- /tmp/20d263bd6e0552cad17ec45eeff1844b.elf (command: /tmp/20d263bd6e0552cad17ec45eeff1844b.elf)
  - Changes its process name
  - Deletes itself
  - Modifies Watchdog functionality
- /usr/local/sbin/pkill (command: pkill wireshark)
- /usr/local/bin/pkill (command: pkill wireshark)
- /usr/sbin/pkill (command: pkill wireshark)
- /usr/bin/pkill (command: pkill wireshark)
  - Reads CPU attributes
  - Reads runtime system information
- /usr/local/sbin/pkill (command: pkill tshark)
- /usr/local/bin/pkill (command: pkill tshark)
- /usr/sbin/pkill (command: pkill tshark)
- /usr/bin/pkill (command: pkill tshark)
  - Reads CPU attributes
  - Reads runtime system information
- /usr/local/sbin/pkill (command: pkill dumpcap)
- /usr/local/bin/pkill (command: pkill dumpcap)
- /usr/sbin/pkill (command: pkill dumpcap)
- /usr/bin/pkill (command: pkill dumpcap)
  - Reads CPU attributes
  - Reads runtime system information
- /usr/local/sbin/pkill (command: pkill ettercap)
- /usr/local/sbin/pkill (command: pkill tcpdump)
- /usr/local/bin/pkill (command: pkill ettercap)
- /usr/sbin/pkill (command: pkill ettercap)
- /usr/local/bin/pkill (command: pkill tcpdump)
- /usr/local/sbin/pkill (command: pkill dsniff)
- /usr/bin/pkill (command: pkill ettercap)
  - Reads CPU attributes
  - Reads runtime system information
- /usr/sbin/pkill (command: pkill tcpdump)
- /usr/local/sbin/pkill (command: pkill ngrep)
- /usr/local/sbin/pkill (command: pkill tcpflow)
- /usr/bin/pkill (command: pkill tcpdump)
  - Reads CPU attributes
  - Reads runtime system information
- /usr/local/bin/pkill (command: pkill dsniff)
- /usr/local/bin/pkill (command: pkill ngrep)
- /usr/local/bin/pkill (command: pkill tcpflow)
- /usr/sbin/pkill (command: pkill dsniff)
- /usr/sbin/pkill (command: pkill tcpflow)
- /usr/bin/pkill (command: pkill dsniff)
  - Reads CPU attributes
  - Reads runtime system information
- /usr/sbin/pkill (command: pkill ngrep)
- /usr/bin/pkill (command: pkill tcpflow)
  - Reads CPU attributes
  - Reads runtime system information
- /usr/bin/pkill (command: pkill ngrep)
  - Reads CPU attributes
  - Reads runtime system information
- /usr/local/sbin/pkill (command: pkill windump)
- /usr/local/bin/pkill (command: pkill windump)
- /usr/sbin/pkill (command: pkill windump)
- /usr/bin/pkill (command: pkill windump)
  - Reads CPU attributes
  - Reads runtime system information
- /usr/local/sbin/pkill (command: pkill netsniff-ng)
- /usr/local/bin/pkill (command: pkill netsniff-ng)
- /usr/sbin/pkill (command: pkill netsniff-ng)
- /usr/bin/pkill (command: pkill netsniff-ng)
  - Reads CPU attributes
  - Reads runtime system information
- /usr/local/sbin/rm (command: rm -rf /usr/sbin/ngrep)
- /usr/local/sbin/rm (command: rm -rf /usr/sbin/tcpflow)
- /usr/local/sbin/rm (command: rm -rf /usr/sbin/windump)
- /usr/local/sbin/rm (command: rm -rf /usr/sbin/netsniff-ng)
- /usr/local/sbin/rm (command: rm -rf /usr/bin/tcpdump)
- /usr/local/sbin/rm (command: rm -rf /usr/bin/tshark)
- /usr/local/sbin/rm (command: rm -rf /usr/bin/wireshark)
- /usr/local/sbin/rm (command: rm -rf /usr/bin/dumpcap)
- /usr/local/sbin/rm (command: rm -rf /usr/bin/ettercap)
- /usr/local/sbin/rm (command: rm -rf /usr/bin/dsniff)
- /usr/local/sbin/rm (command: rm -rf /usr/bin/ngrep)
- /usr/local/sbin/rm (command: rm -rf /usr/bin/tcpflow)
- /usr/local/sbin/rm (command: rm -rf /usr/bin/windump)
- /usr/local/sbin/rm (command: rm -rf /usr/bin/netsniff-ng)
- /usr/local/bin/rm (command: rm -rf /usr/bin/netsniff-ng)
- /usr/local/bin/rm (command: rm -rf /usr/bin/tcpflow)
- /usr/local/bin/rm (command: rm -rf /usr/bin/dumpcap)
- /usr/local/bin/rm (command: rm -rf /usr/bin/tcpdump)
- /usr/local/bin/rm (command: rm -rf /usr/sbin/netsniff-ng)
- /usr/local/bin/rm (command: rm -rf /usr/bin/ngrep)
- /usr/local/bin/rm (command: rm -rf /usr/bin/wireshark)
- /usr/local/bin/rm (command: rm -rf /usr/sbin/tcpflow)
- /usr/local/bin/rm (command: rm -rf /usr/bin/windump)
- /usr/local/bin/rm (command: rm -rf /usr/bin/dsniff)
- /usr/local/bin/rm (command: rm -rf /usr/bin/ettercap)
- /usr/local/bin/rm (command: rm -rf /usr/bin/tshark)
- /usr/local/bin/rm (command: rm -rf /usr/sbin/windump)
- /usr/local/bin/rm (command: rm -rf /usr/sbin/ngrep)
- /usr/local/sbin/rm (command: rm -rf /usr/sbin/dsniff)
- /usr/sbin/rm (command: rm -rf /usr/bin/tcpflow)
- /usr/sbin/rm (command: rm -rf /usr/bin/ngrep)
- /usr/sbin/rm (command: rm -rf /usr/sbin/netsniff-ng)
- /usr/sbin/rm (command: rm -rf /usr/bin/dumpcap)
- /usr/sbin/rm (command: rm -rf /usr/bin/tcpdump)
- /usr/sbin/rm (command: rm -rf /usr/bin/windump)
- /usr/sbin/rm (command: rm -rf /usr/bin/wireshark)
- /usr/sbin/rm (command: rm -rf /usr/bin/dsniff)
- /usr/sbin/rm (command: rm -rf /usr/sbin/tcpflow)
- /usr/sbin/rm (command: rm -rf /usr/bin/ettercap)
- /usr/sbin/rm (command: rm -rf /usr/sbin/windump)
- /usr/sbin/rm (command: rm -rf /usr/bin/netsniff-ng)
- /usr/sbin/rm (command: rm -rf /usr/bin/tshark)
- /usr/sbin/rm (command: rm -rf /usr/sbin/ngrep)
- /usr/bin/rm (command: rm -rf /usr/bin/tcpflow)
- /usr/bin/rm (command: rm -rf /usr/bin/ngrep)
- /usr/bin/rm (command: rm -rf /usr/bin/windump)
- /usr/bin/rm (command: rm -rf /usr/bin/wireshark)
- /usr/bin/rm (command: rm -rf /usr/bin/dumpcap)
- /usr/bin/rm (command: rm -rf /usr/bin/tcpdump)
- /usr/bin/rm (command: rm -rf /usr/bin/dsniff)
- /usr/bin/rm (command: rm -rf /usr/sbin/tcpflow)
- /usr/bin/rm (command: rm -rf /usr/bin/netsniff-ng)
- /usr/bin/rm (command: rm -rf /usr/bin/ettercap)
- /usr/bin/rm (command: rm -rf /usr/sbin/windump)
- /usr/bin/rm (command: rm -rf /usr/bin/tshark)
- /usr/local/bin/rm (command: rm -rf /usr/sbin/dsniff)
- /usr/bin/rm (command: rm -rf /usr/sbin/ngrep)
- /usr/bin/rm (command: rm -rf /usr/sbin/netsniff-ng)
- /usr/sbin/rm (command: rm -rf /usr/sbin/dsniff)
- /usr/local/sbin/rm (command: rm -rf /usr/sbin/ettercap)
- /usr/bin/rm (command: rm -rf /usr/sbin/dsniff)
- /usr/local/bin/rm (command: rm -rf /usr/sbin/ettercap)
- /usr/sbin/rm (command: rm -rf /usr/sbin/ettercap)
- /usr/bin/rm (command: rm -rf /usr/sbin/ettercap)
- /usr/local/sbin/rm (command: rm -rf /usr/sbin/dumpcap)
- /usr/local/bin/rm (command: rm -rf /usr/sbin/dumpcap)
- /usr/sbin/rm (command: rm -rf /usr/sbin/dumpcap)
- /usr/bin/rm (command: rm -rf /usr/sbin/dumpcap)
- /usr/local/sbin/rm (command: rm -rf /usr/sbin/wireshark)
- /usr/local/bin/rm (command: rm -rf /usr/sbin/wireshark)
- /usr/sbin/rm (command: rm -rf /usr/sbin/wireshark)
- /usr/bin/rm (command: rm -rf /usr/sbin/wireshark)
- /usr/local/sbin/rm (command: rm -rf /usr/sbin/tshark)
- /usr/local/bin/rm (command: rm -rf /usr/sbin/tshark)
- /usr/sbin/rm (command: rm -rf /usr/sbin/tshark)
- /usr/bin/rm (command: rm -rf /usr/sbin/tshark)
- /usr/local/sbin/rm (command: rm -rf /usr/sbin/tcpdump)
- /usr/local/bin/rm (command: rm -rf /usr/sbin/tcpdump)
- /usr/sbin/rm (command: rm -rf /usr/sbin/tcpdump)
- /usr/bin/rm (command: rm -rf /usr/sbin/tcpdump)