648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b

General

Target

20d263bd6e0552cad17ec45eeff1844b.elf
Size

74KB
MD5

20d263bd6e0552cad17ec45eeff1844b
SHA1

67a23901d5f3276ba4e8c95c21aeb79ca584a36a
SHA256

648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b
SHA512

f721ddcbcb19d22057d8a4b7402fa8d852872b3df3de18a13b8c983407fb29cd06ef7b9c35c4c50a179ac98fd2e70296806487fc59d4a9e291fa248662ac5eef
SSDEEP

1536:EUPldq0TJFnqXKvdo7DYZXjs56tbWuhyN/XemIdRI1R+5vY1SLq7wTVVi:9NdDznqoK7D4s5UWxem0I1R+JeSOcTf

Score

7^/10

evasion

Malware Config

Signatures

Changes its process name 1 IoCs

Processes:

20d263bd6e0552cad17ec45eeff1844b.elf

description ioc pid process

Changes the process name, possibly in an attempt to hide itself brqwqakcp0qq 1461 20d263bd6e0552cad17ec45eeff1844b.elf
Deletes Audit logs 1 TTPs 1 IoCs
Deletes logs related to the Linux Audit framework.
evasion

Indicator Removal
T1070

Processes:

description ioc

File deleted /var/log/audit/audit.log
Deletes itself 1 IoCs

Processes:

20d263bd6e0552cad17ec45eeff1844b.elf

pid process

1461 20d263bd6e0552cad17ec45eeff1844b.elf
Deletes journal logs 1 TTPs 1 IoCs
Deletes systemd journal logs. Likely to evade detection.
evasion

Indicator Removal
T1070

Processes:

description ioc

File deleted /var/log/journal/4816dd152e8c48ff97e9117d197c13d8/system.journal
Deletes system logs 1 TTPs 1 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
evasion

Indicator Removal
T1070

Processes:

description ioc

File deleted /var/log/syslog

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	brqwqakcp0qq	1461	20d263bd6e0552cad17ec45eeff1844b.elf

description	ioc
File deleted	/var/log/audit/audit.log

pid	process
1461	20d263bd6e0552cad17ec45eeff1844b.elf

description	ioc
File deleted	/var/log/journal/4816dd152e8c48ff97e9117d197c13d8/system.journal

description	ioc
File deleted	/var/log/syslog

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

Processes:

20d263bd6e0552cad17ec45eeff1844b.elf

description	ioc	process
File opened for modification	/dev/watchdog	20d263bd6e0552cad17ec45eeff1844b.elf
File opened for modification	/dev/misc/watchdog	20d263bd6e0552cad17ec45eeff1844b.elf

Deletes log files 1 TTPs 4 IoCs
Deletes log files on the system.

Indicator Removal
T1070

Processes:

description ioc

File deleted /var/log/kern.log
File deleted /var/log/apport.log
File deleted /var/log/auth.log
File deleted /var/log/ubuntu-advantage.log
Enumerates running processes
Discovers information about currently running processes on the system

description	ioc
File deleted	/var/log/kern.log
File deleted	/var/log/apport.log
File deleted	/var/log/auth.log
File deleted	/var/log/ubuntu-advantage.log

Reads CPU attributes 1 TTPs 10 IoCs

System Information Discovery

T1082

Processes:

pkillpkillpkillpkillpkillpkillpkillpkillpkillpkill

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pkillpkillpkillpkillpkillpkillpkillpkillpkillpkill

description	ioc	process
File opened for reading	/proc/140/status	pkill
File opened for reading	/proc/172/cmdline	pkill
File opened for reading	/proc/201/status	pkill
File opened for reading	/proc/482/cmdline	pkill
File opened for reading	/proc/10/cmdline	pkill
File opened for reading	/proc/9/status	pkill
File opened for reading	/proc/792/cmdline	pkill
File opened for reading	/proc/1679/cmdline
File opened for reading	/proc/17/cmdline	pkill
File opened for reading	/proc/452/cmdline	pkill
File opened for reading	/proc/118/status	pkill
File opened for reading	/proc/1441/status	pkill
File opened for reading	/proc/1077/status	pkill
File opened for reading	/proc/1596/cmdline
File opened for reading	/proc/7/cmdline	pkill
File opened for reading	/proc/71/cmdline	pkill
File opened for reading	/proc/1469/status	pkill
File opened for reading	/proc/580/cmdline
File opened for reading	/proc/15/cmdline	pkill
File opened for reading	/proc/932/cmdline	pkill
File opened for reading	/proc/1462/cmdline	pkill
File opened for reading	/proc/1478/status	pkill
File opened for reading	/proc/670/status	pkill
File opened for reading	/proc/1406/status	pkill
File opened for reading	/proc/71/cmdline	pkill
File opened for reading	/proc/392/cmdline
File opened for reading	/proc/161/status	pkill
File opened for reading	/proc/932/status	pkill
File opened for reading	/proc/1119/cmdline	pkill
File opened for reading	/proc/1381/cmdline	pkill
File opened for reading	/proc/1438/cmdline	pkill
File opened for reading	/proc/437/status	pkill
File opened for reading	/proc/516/cmdline	pkill
File opened for reading	/proc/172/cmdline	pkill
File opened for reading	/proc/536/status	pkill
File opened for reading	/proc/830/cmdline	pkill
File opened for reading	/proc/1045/cmdline	pkill
File opened for reading	/proc/1079/cmdline	pkill
File opened for reading	/proc/1417/status	pkill
File opened for reading	/proc/15/status	pkill
File opened for reading	/proc/177/cmdline	pkill
File opened for reading	/proc/924/cmdline	pkill
File opened for reading	/proc/1184/status	pkill
File opened for reading	/proc/1466/status	pkill
File opened for reading	/proc/1417/cmdline	pkill
File opened for reading	/proc/6/status	pkill
File opened for reading	/proc/166/status	pkill
File opened for reading	/proc/87/status	pkill
File opened for reading	/proc/172/status	pkill
File opened for reading	/proc/1420/status	pkill
File opened for reading	/proc/503/cmdline	pkill
File opened for reading	/proc/82/status	pkill
File opened for reading	/proc/1471/cmdline	pkill
File opened for reading	/proc/924/cmdline	pkill
File opened for reading	/proc/1398/status	pkill
File opened for reading	/proc/166/cmdline	pkill
File opened for reading	/proc/692/status	pkill
File opened for reading	/proc/4/status	pkill
File opened for reading	/proc/14/cmdline	pkill
File opened for reading	/proc/18/status	pkill
File opened for reading	/proc/394/cmdline	pkill
File opened for reading	/proc/1434/cmdline	pkill
File opened for reading	/proc/1082/status	pkill
File opened for reading	/proc/1398/cmdline	pkill

/tmp/20d263bd6e0552cad17ec45eeff1844b.elf
/tmp/20d263bd6e0552cad17ec45eeff1844b.elf
1⤵
- Changes its process name
- Deletes itself
- Modifies Watchdog functionality
PID:1461

/usr/local/sbin/pkill
pkill wireshark
1⤵
PID:1465

/usr/local/bin/pkill
pkill wireshark
1⤵
PID:1465

/usr/sbin/pkill
pkill wireshark
1⤵
PID:1465

/usr/bin/pkill
pkill wireshark
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1465

/usr/local/sbin/pkill
pkill tshark
1⤵
PID:1464

/usr/local/bin/pkill
pkill tshark
1⤵
PID:1464

/usr/sbin/pkill
pkill tshark
1⤵
PID:1464

/usr/bin/pkill
pkill tshark
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1464

/usr/local/sbin/pkill
pkill dumpcap
1⤵
PID:1466

/usr/local/bin/pkill
pkill dumpcap
1⤵
PID:1466

/usr/sbin/pkill
pkill dumpcap
1⤵
PID:1466

/usr/bin/pkill
pkill dumpcap
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1466

/usr/local/sbin/pkill
pkill ettercap
1⤵
PID:1467

/usr/local/sbin/pkill
pkill tcpdump
1⤵
PID:1463

/usr/local/bin/pkill
pkill ettercap
1⤵
PID:1467

/usr/sbin/pkill
pkill ettercap
1⤵
PID:1467

/usr/local/bin/pkill
pkill tcpdump
1⤵
PID:1463

/usr/local/sbin/pkill
pkill dsniff
1⤵
PID:1468

/usr/bin/pkill
pkill ettercap
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1467

/usr/sbin/pkill
pkill tcpdump
1⤵
PID:1463

/usr/local/sbin/pkill
pkill ngrep
1⤵
PID:1469

/usr/local/sbin/pkill
pkill tcpflow
1⤵
PID:1470

/usr/bin/pkill
pkill tcpdump
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1463

/usr/local/bin/pkill
pkill dsniff
1⤵
PID:1468

/usr/local/bin/pkill
pkill ngrep
1⤵
PID:1469

/usr/local/bin/pkill
pkill tcpflow
1⤵
PID:1470

/usr/sbin/pkill
pkill dsniff
1⤵
PID:1468

/usr/sbin/pkill
pkill tcpflow
1⤵
PID:1470

/usr/bin/pkill
pkill dsniff
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1468

/usr/sbin/pkill
pkill ngrep
1⤵
PID:1469

/usr/bin/pkill
pkill tcpflow
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1470

/usr/bin/pkill
pkill ngrep
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1469

/usr/local/sbin/pkill
pkill windump
1⤵
PID:1471

/usr/local/bin/pkill
pkill windump
1⤵
PID:1471

/usr/sbin/pkill
pkill windump
1⤵
PID:1471

/usr/bin/pkill
pkill windump
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1471

/usr/local/sbin/pkill
pkill netsniff-ng
1⤵
PID:1472

/usr/local/bin/pkill
pkill netsniff-ng
1⤵
PID:1472

/usr/sbin/pkill
pkill netsniff-ng
1⤵
PID:1472

/usr/bin/pkill
pkill netsniff-ng
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1472

/usr/local/sbin/rm
rm -rf /usr/sbin/ngrep
1⤵
PID:1494

/usr/local/sbin/rm
rm -rf /usr/sbin/tcpflow
1⤵
PID:1495

/usr/local/sbin/rm
rm -rf /usr/sbin/windump
1⤵
PID:1496

/usr/local/sbin/rm
rm -rf /usr/sbin/netsniff-ng
1⤵
PID:1497

/usr/local/sbin/rm
rm -rf /usr/bin/tcpdump
1⤵
PID:1498

/usr/local/sbin/rm
rm -rf /usr/bin/tshark
1⤵
PID:1499

/usr/local/sbin/rm
rm -rf /usr/bin/wireshark
1⤵
PID:1500

/usr/local/sbin/rm
rm -rf /usr/bin/dumpcap
1⤵
PID:1501

/usr/local/sbin/rm
rm -rf /usr/bin/ettercap
1⤵
PID:1502

/usr/local/sbin/rm
rm -rf /usr/bin/dsniff
1⤵
PID:1503

/usr/local/sbin/rm
rm -rf /usr/bin/ngrep
1⤵
PID:1504

/usr/local/sbin/rm
rm -rf /usr/bin/tcpflow
1⤵
PID:1505

/usr/local/sbin/rm
rm -rf /usr/bin/windump
1⤵
PID:1506

/usr/local/sbin/rm
rm -rf /usr/bin/netsniff-ng
1⤵
PID:1507

/usr/local/bin/rm
rm -rf /usr/bin/netsniff-ng
1⤵
PID:1507

/usr/local/bin/rm
rm -rf /usr/bin/tcpflow
1⤵
PID:1505

/usr/local/bin/rm
rm -rf /usr/bin/dumpcap
1⤵
PID:1501

/usr/local/bin/rm
rm -rf /usr/bin/tcpdump
1⤵
PID:1498

/usr/local/bin/rm
rm -rf /usr/sbin/netsniff-ng
1⤵
PID:1497

/usr/local/bin/rm
rm -rf /usr/bin/ngrep
1⤵
PID:1504

/usr/local/bin/rm
rm -rf /usr/bin/wireshark
1⤵
PID:1500

/usr/local/bin/rm
rm -rf /usr/sbin/tcpflow
1⤵
PID:1495

/usr/local/bin/rm
rm -rf /usr/bin/windump
1⤵
PID:1506

/usr/local/bin/rm
rm -rf /usr/bin/dsniff
1⤵
PID:1503

/usr/local/bin/rm
rm -rf /usr/bin/ettercap
1⤵
PID:1502

/usr/local/bin/rm
rm -rf /usr/bin/tshark
1⤵
PID:1499

/usr/local/bin/rm
rm -rf /usr/sbin/windump
1⤵
PID:1496

/usr/local/bin/rm
rm -rf /usr/sbin/ngrep
1⤵
PID:1494

/usr/local/sbin/rm
rm -rf /usr/sbin/dsniff
1⤵
PID:1493

/usr/sbin/rm
rm -rf /usr/bin/tcpflow
1⤵
PID:1505

/usr/sbin/rm
rm -rf /usr/bin/ngrep
1⤵
PID:1504

/usr/sbin/rm
rm -rf /usr/sbin/netsniff-ng
1⤵
PID:1497

/usr/sbin/rm
rm -rf /usr/bin/dumpcap
1⤵
PID:1501

/usr/sbin/rm
rm -rf /usr/bin/tcpdump
1⤵
PID:1498

/usr/sbin/rm
rm -rf /usr/bin/windump
1⤵
PID:1506

/usr/sbin/rm
rm -rf /usr/bin/wireshark
1⤵
PID:1500

/usr/sbin/rm
rm -rf /usr/bin/dsniff
1⤵
PID:1503

/usr/sbin/rm
rm -rf /usr/sbin/tcpflow
1⤵
PID:1495

/usr/sbin/rm
rm -rf /usr/bin/ettercap
1⤵
PID:1502

/usr/sbin/rm
rm -rf /usr/sbin/windump
1⤵
PID:1496

/usr/sbin/rm
rm -rf /usr/bin/netsniff-ng
1⤵
PID:1507

/usr/sbin/rm
rm -rf /usr/bin/tshark
1⤵
PID:1499

/usr/sbin/rm
rm -rf /usr/sbin/ngrep
1⤵
PID:1494

/usr/bin/rm
rm -rf /usr/bin/tcpflow
1⤵
PID:1505

/usr/bin/rm
rm -rf /usr/bin/ngrep
1⤵
PID:1504

/usr/bin/rm
rm -rf /usr/bin/windump
1⤵
PID:1506

/usr/bin/rm
rm -rf /usr/bin/wireshark
1⤵
PID:1500

/usr/bin/rm
rm -rf /usr/bin/dumpcap
1⤵
PID:1501

/usr/bin/rm
rm -rf /usr/bin/tcpdump
1⤵
PID:1498

/usr/bin/rm
rm -rf /usr/bin/dsniff
1⤵
PID:1503

/usr/bin/rm
rm -rf /usr/sbin/tcpflow
1⤵
PID:1495

/usr/bin/rm
rm -rf /usr/bin/netsniff-ng
1⤵
PID:1507

/usr/bin/rm
rm -rf /usr/bin/ettercap
1⤵
PID:1502

/usr/bin/rm
rm -rf /usr/sbin/windump
1⤵
PID:1496

/usr/bin/rm
rm -rf /usr/bin/tshark
1⤵
PID:1499

/usr/local/bin/rm
rm -rf /usr/sbin/dsniff
1⤵
PID:1493

/usr/bin/rm
rm -rf /usr/sbin/ngrep
1⤵
PID:1494

/usr/bin/rm
rm -rf /usr/sbin/netsniff-ng
1⤵
PID:1497

/usr/sbin/rm
rm -rf /usr/sbin/dsniff
1⤵
PID:1493

/usr/local/sbin/rm
rm -rf /usr/sbin/ettercap
1⤵
PID:1492

/usr/bin/rm
rm -rf /usr/sbin/dsniff
1⤵
PID:1493

/usr/local/bin/rm
rm -rf /usr/sbin/ettercap
1⤵
PID:1492

/usr/sbin/rm
rm -rf /usr/sbin/ettercap
1⤵
PID:1492

/usr/bin/rm
rm -rf /usr/sbin/ettercap
1⤵
PID:1492

/usr/local/sbin/rm
rm -rf /usr/sbin/dumpcap
1⤵
PID:1491

/usr/local/bin/rm
rm -rf /usr/sbin/dumpcap
1⤵
PID:1491

/usr/sbin/rm
rm -rf /usr/sbin/dumpcap
1⤵
PID:1491

/usr/bin/rm
rm -rf /usr/sbin/dumpcap
1⤵
PID:1491

/usr/local/sbin/rm
rm -rf /usr/sbin/wireshark
1⤵
PID:1490

/usr/local/bin/rm
rm -rf /usr/sbin/wireshark
1⤵
PID:1490

/usr/sbin/rm
rm -rf /usr/sbin/wireshark
1⤵
PID:1490

/usr/bin/rm
rm -rf /usr/sbin/wireshark
1⤵
PID:1490

/usr/local/sbin/rm
rm -rf /usr/sbin/tshark
1⤵
PID:1489

/usr/local/bin/rm
rm -rf /usr/sbin/tshark
1⤵
PID:1489

/usr/sbin/rm
rm -rf /usr/sbin/tshark
1⤵
PID:1489

/usr/bin/rm
rm -rf /usr/sbin/tshark
1⤵
PID:1489

/usr/local/sbin/rm
rm -rf /usr/sbin/tcpdump
1⤵
PID:1488

/usr/local/bin/rm
rm -rf /usr/sbin/tcpdump
1⤵
PID:1488

/usr/sbin/rm
rm -rf /usr/sbin/tcpdump
1⤵
PID:1488

/usr/bin/rm
rm -rf /usr/sbin/tcpdump
1⤵
PID:1488

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

4

T1070

Impair Defenses

1

T1562

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads