648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b

General

Target

648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf
Size

74KB
MD5

20d263bd6e0552cad17ec45eeff1844b
SHA1

67a23901d5f3276ba4e8c95c21aeb79ca584a36a
SHA256

648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b
SHA512

f721ddcbcb19d22057d8a4b7402fa8d852872b3df3de18a13b8c983407fb29cd06ef7b9c35c4c50a179ac98fd2e70296806487fc59d4a9e291fa248662ac5eef
SSDEEP

1536:EUPldq0TJFnqXKvdo7DYZXjs56tbWuhyN/XemIdRI1R+5vY1SLq7wTVVi:9NdDznqoK7D4s5UWxem0I1R+JeSOcTf

Score

7^/10

evasion

Malware Config

Signatures

Changes its process name 1 IoCs

Processes:

648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	5awto8gpm0ftqfwr60cwiafpkigt7u5t	1518	648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf

Deletes Audit logs 1 TTPs 1 IoCs
Deletes logs related to the Linux Audit framework.
evasion

Indicator Removal
T1070

Processes:

description ioc

File deleted /var/log/audit/audit.log
Deletes itself 1 IoCs

Processes:

648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf

pid process

1518 648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf
Deletes journal logs 1 TTPs 1 IoCs
Deletes systemd journal logs. Likely to evade detection.
evasion

Indicator Removal
T1070

Processes:

description ioc

File deleted /var/log/journal/11c67417355f45d397f6be11f62e85a6/system.journal
Deletes system logs 1 TTPs 1 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
evasion

Indicator Removal
T1070

Processes:

description ioc

File deleted /var/log/syslog

description	ioc
File deleted	/var/log/audit/audit.log

pid	process
1518	648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf

description	ioc
File deleted	/var/log/journal/11c67417355f45d397f6be11f62e85a6/system.journal

description	ioc
File deleted	/var/log/syslog

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

Processes:

648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf

description	ioc	process
File opened for modification	/dev/watchdog	648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf
File opened for modification	/dev/misc/watchdog	648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 10 IoCs

System Information Discovery

T1082

Processes:

pkillpkillpkillpkillpkillpkillpkillpkillpkillpkill

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pkillpkillpkillpkillpkillpkillpkillpkillpkillpkill

description	ioc	process
File opened for reading	/proc/83/cmdline	pkill
File opened for reading	/proc/466/status	pkill
File opened for reading	/proc/1043/status	pkill
File opened for reading	/proc/1113/cmdline	pkill
File opened for reading	/proc/6/cmdline	pkill
File opened for reading	/proc/408/status	pkill
File opened for reading	/proc/1318/cmdline	pkill
File opened for reading	/proc/13/cmdline	pkill
File opened for reading	/proc/653/status	pkill
File opened for reading	/proc/722/cmdline	pkill
File opened for reading	/proc/155/status	pkill
File opened for reading	/proc/1127/cmdline	pkill
File opened for reading	/proc/1161/status	pkill
File opened for reading	/proc/26/cmdline
File opened for reading	/proc/414/status	pkill
File opened for reading	/proc/13/status	pkill
File opened for reading	/proc/666/status	pkill
File opened for reading	/proc/722/status	pkill
File opened for reading	/proc/19/status	pkill
File opened for reading	/proc/472/cmdline
File opened for reading	/proc/162/status	pkill
File opened for reading	/proc/653/cmdline	pkill
File opened for reading	/proc/1523/status	pkill
File opened for reading	/proc/1567/cmdline
File opened for reading	/proc/547/cmdline	pkill
File opened for reading	/proc/466/cmdline	pkill
File opened for reading	/proc/947/cmdline	pkill
File opened for reading	/proc/1169/cmdline	pkill
File opened for reading	/proc/1191/status	pkill
File opened for reading	/proc/156/status	pkill
File opened for reading	/proc/30/cmdline	pkill
File opened for reading	/proc/411/cmdline	pkill
File opened for reading	/proc/1512/cmdline	pkill
File opened for reading	/proc/1513/cmdline	pkill
File opened for reading	/proc/30/cmdline	pkill
File opened for reading	/proc/1191/status	pkill
File opened for reading	/proc/165/status	pkill
File opened for reading	/proc/248/status	pkill
File opened for reading	/proc/1099/status	pkill
File opened for reading	/proc/1154/cmdline	pkill
File opened for reading	/proc/1182/cmdline	pkill
File opened for reading	/proc/547/cmdline
File opened for reading	/proc/157/status	pkill
File opened for reading	/proc/1115/cmdline	pkill
File opened for reading	/proc/1525/cmdline	pkill
File opened for reading	/proc/78/cmdline	pkill
File opened for reading	/proc/1295/status	pkill
File opened for reading	/proc/1288/cmdline	pkill
File opened for reading	/proc/1512/cmdline	pkill
File opened for reading	/proc/958/cmdline	pkill
File opened for reading	/proc/165/cmdline	pkill
File opened for reading	/proc/268/cmdline	pkill
File opened for reading	/proc/1288/cmdline	pkill
File opened for reading	/proc/161/cmdline	pkill
File opened for reading	/proc/1244/cmdline	pkill
File opened for reading	/proc/1431/cmdline
File opened for reading	/proc/22/cmdline	pkill
File opened for reading	/proc/167/cmdline	pkill
File opened for reading	/proc/509/status	pkill
File opened for reading	/proc/1191/status	pkill
File opened for reading	/proc/1/status	pkill
File opened for reading	/proc/1318/status	pkill
File opened for reading	/proc/248/cmdline	pkill
File opened for reading	/proc/2/cmdline	pkill

/tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf
/tmp/648fcb9bac190539eda0026332834bb94f935c3c2817864d8d26f21bdd35989b.elf
1⤵
- Changes its process name
- Deletes itself
- Modifies Watchdog functionality
PID:1518

/usr/local/sbin/pkill
pkill dumpcap
1⤵
PID:1523

/usr/local/bin/pkill
pkill dumpcap
1⤵
PID:1523

/usr/sbin/pkill
pkill dumpcap
1⤵
PID:1523

/usr/bin/pkill
pkill dumpcap
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1523

/usr/local/sbin/pkill
pkill ettercap
1⤵
PID:1524

/usr/local/bin/pkill
pkill ettercap
1⤵
PID:1524

/usr/sbin/pkill
pkill ettercap
1⤵
PID:1524

/usr/bin/pkill
pkill ettercap
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1524

/usr/local/sbin/pkill
pkill wireshark
1⤵
PID:1522

/usr/local/bin/pkill
pkill wireshark
1⤵
PID:1522

/usr/sbin/pkill
pkill wireshark
1⤵
PID:1522

/usr/bin/pkill
pkill wireshark
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1522

/usr/local/sbin/pkill
pkill dsniff
1⤵
PID:1525

/usr/local/bin/pkill
pkill dsniff
1⤵
PID:1525

/usr/sbin/pkill
pkill dsniff
1⤵
PID:1525

/usr/bin/pkill
pkill dsniff
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1525

/usr/local/sbin/pkill
pkill ngrep
1⤵
PID:1526

/usr/local/bin/pkill
pkill ngrep
1⤵
PID:1526

/usr/sbin/pkill
pkill ngrep
1⤵
PID:1526

/usr/bin/pkill
pkill ngrep
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1526

/usr/local/sbin/pkill
pkill tshark
1⤵
PID:1521

/usr/local/bin/pkill
pkill tshark
1⤵
PID:1521

/usr/sbin/pkill
pkill tshark
1⤵
PID:1521

/usr/bin/pkill
pkill tshark
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1521

/usr/local/sbin/pkill
pkill tcpflow
1⤵
PID:1527

/usr/local/bin/pkill
pkill tcpflow
1⤵
PID:1527

/usr/sbin/pkill
pkill tcpflow
1⤵
PID:1527

/usr/local/sbin/pkill
pkill windump
1⤵
PID:1528

/usr/local/sbin/pkill
pkill netsniff-ng
1⤵
PID:1529

/usr/bin/pkill
pkill tcpflow
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1527

/usr/local/bin/pkill
pkill windump
1⤵
PID:1528

/usr/local/bin/pkill
pkill netsniff-ng
1⤵
PID:1529

/usr/sbin/pkill
pkill windump
1⤵
PID:1528

/usr/sbin/pkill
pkill netsniff-ng
1⤵
PID:1529

/usr/bin/pkill
pkill windump
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1528

/usr/bin/pkill
pkill netsniff-ng
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1529

/usr/local/sbin/pkill
pkill tcpdump
1⤵
PID:1520

/usr/local/bin/pkill
pkill tcpdump
1⤵
PID:1520

/usr/sbin/pkill
pkill tcpdump
1⤵
PID:1520

/usr/bin/pkill
pkill tcpdump
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1520

/usr/local/sbin/rm
rm -rf /usr/bin/ettercap
1⤵
PID:1547

/usr/local/bin/rm
rm -rf /usr/bin/ettercap
1⤵
PID:1547

/usr/sbin/rm
rm -rf /usr/bin/ettercap
1⤵
PID:1547

/usr/bin/rm
rm -rf /usr/bin/ettercap
1⤵
PID:1547

/sbin/rm
rm -rf /usr/bin/ettercap
1⤵
PID:1547

/bin/rm
rm -rf /usr/bin/ettercap
1⤵
PID:1547

/usr/local/sbin/rm
rm -rf /usr/bin/dsniff
1⤵
PID:1548

/usr/local/bin/rm
rm -rf /usr/bin/dsniff
1⤵
PID:1548

/usr/sbin/rm
rm -rf /usr/bin/dsniff
1⤵
PID:1548

/usr/bin/rm
rm -rf /usr/bin/dsniff
1⤵
PID:1548

/sbin/rm
rm -rf /usr/bin/dsniff
1⤵
PID:1548

/bin/rm
rm -rf /usr/bin/dsniff
1⤵
PID:1548

/usr/local/sbin/rm
rm -rf /usr/bin/ngrep
1⤵
PID:1549

/usr/local/bin/rm
rm -rf /usr/bin/ngrep
1⤵
PID:1549

/usr/sbin/rm
rm -rf /usr/bin/ngrep
1⤵
PID:1549

/usr/bin/rm
rm -rf /usr/bin/ngrep
1⤵
PID:1549

/sbin/rm
rm -rf /usr/bin/ngrep
1⤵
PID:1549

/bin/rm
rm -rf /usr/bin/ngrep
1⤵
PID:1549

/usr/local/sbin/rm
rm -rf /usr/bin/tcpflow
1⤵
PID:1550

/usr/local/bin/rm
rm -rf /usr/bin/tcpflow
1⤵
PID:1550

/usr/sbin/rm
rm -rf /usr/bin/tcpflow
1⤵
PID:1550

/usr/bin/rm
rm -rf /usr/bin/tcpflow
1⤵
PID:1550

/sbin/rm
rm -rf /usr/bin/tcpflow
1⤵
PID:1550

/bin/rm
rm -rf /usr/bin/tcpflow
1⤵
PID:1550

/usr/local/sbin/rm
rm -rf /usr/bin/netsniff-ng
1⤵
PID:1552

/usr/local/bin/rm
rm -rf /usr/bin/netsniff-ng
1⤵
PID:1552

/usr/sbin/rm
rm -rf /usr/bin/netsniff-ng
1⤵
PID:1552

/usr/bin/rm
rm -rf /usr/bin/netsniff-ng
1⤵
PID:1552

/sbin/rm
rm -rf /usr/bin/netsniff-ng
1⤵
PID:1552

/bin/rm
rm -rf /usr/bin/netsniff-ng
1⤵
PID:1552

/usr/local/sbin/rm
rm -rf /usr/sbin/ngrep
1⤵
PID:1539

/usr/local/bin/rm
rm -rf /usr/sbin/ngrep
1⤵
PID:1539

/usr/sbin/rm
rm -rf /usr/sbin/ngrep
1⤵
PID:1539

/usr/bin/rm
rm -rf /usr/sbin/ngrep
1⤵
PID:1539

/sbin/rm
rm -rf /usr/sbin/ngrep
1⤵
PID:1539

/bin/rm
rm -rf /usr/sbin/ngrep
1⤵
PID:1539

/usr/local/sbin/rm
rm -rf /usr/sbin/tcpflow
1⤵
PID:1540

/usr/local/bin/rm
rm -rf /usr/sbin/tcpflow
1⤵
PID:1540

/usr/sbin/rm
rm -rf /usr/sbin/tcpflow
1⤵
PID:1540

/usr/bin/rm
rm -rf /usr/sbin/tcpflow
1⤵
PID:1540

/sbin/rm
rm -rf /usr/sbin/tcpflow
1⤵
PID:1540

/bin/rm
rm -rf /usr/sbin/tcpflow
1⤵
PID:1540

/usr/local/sbin/rm
rm -rf /usr/sbin/windump
1⤵
PID:1541

/usr/local/bin/rm
rm -rf /usr/sbin/windump
1⤵
PID:1541

/usr/sbin/rm
rm -rf /usr/sbin/windump
1⤵
PID:1541

/usr/bin/rm
rm -rf /usr/sbin/windump
1⤵
PID:1541

/sbin/rm
rm -rf /usr/sbin/windump
1⤵
PID:1541

/bin/rm
rm -rf /usr/sbin/windump
1⤵
PID:1541

/usr/local/sbin/rm
rm -rf /usr/sbin/netsniff-ng
1⤵
PID:1542

/usr/local/bin/rm
rm -rf /usr/sbin/netsniff-ng
1⤵
PID:1542

/usr/sbin/rm
rm -rf /usr/sbin/netsniff-ng
1⤵
PID:1542

/usr/bin/rm
rm -rf /usr/sbin/netsniff-ng
1⤵
PID:1542

/sbin/rm
rm -rf /usr/sbin/netsniff-ng
1⤵
PID:1542

/bin/rm
rm -rf /usr/sbin/netsniff-ng
1⤵
PID:1542

/usr/local/sbin/rm
rm -rf /usr/bin/tcpdump
1⤵
PID:1543

/usr/local/bin/rm
rm -rf /usr/bin/tcpdump
1⤵
PID:1543

/usr/sbin/rm
rm -rf /usr/bin/tcpdump
1⤵
PID:1543

/usr/bin/rm
rm -rf /usr/bin/tcpdump
1⤵
PID:1543

/sbin/rm
rm -rf /usr/bin/tcpdump
1⤵
PID:1543

/bin/rm
rm -rf /usr/bin/tcpdump
1⤵
PID:1543

/usr/local/sbin/rm
rm -rf /usr/bin/tshark
1⤵
PID:1544

/usr/local/bin/rm
rm -rf /usr/bin/tshark
1⤵
PID:1544

/usr/sbin/rm
rm -rf /usr/bin/tshark
1⤵
PID:1544

/usr/bin/rm
rm -rf /usr/bin/tshark
1⤵
PID:1544

/sbin/rm
rm -rf /usr/bin/tshark
1⤵
PID:1544

/bin/rm
rm -rf /usr/bin/tshark
1⤵
PID:1544

/usr/local/sbin/rm
rm -rf /usr/bin/wireshark
1⤵
PID:1545

/usr/local/bin/rm
rm -rf /usr/bin/wireshark
1⤵
PID:1545

/usr/sbin/rm
rm -rf /usr/bin/wireshark
1⤵
PID:1545

/usr/bin/rm
rm -rf /usr/bin/wireshark
1⤵
PID:1545

/sbin/rm
rm -rf /usr/bin/wireshark
1⤵
PID:1545

/bin/rm
rm -rf /usr/bin/wireshark
1⤵
PID:1545

/usr/local/sbin/rm
rm -rf /usr/bin/dumpcap
1⤵
PID:1546

/usr/local/bin/rm
rm -rf /usr/bin/dumpcap
1⤵
PID:1546

/usr/sbin/rm
rm -rf /usr/bin/dumpcap
1⤵
PID:1546

/usr/bin/rm
rm -rf /usr/bin/dumpcap
1⤵
PID:1546

/sbin/rm
rm -rf /usr/bin/dumpcap
1⤵
PID:1546

/bin/rm
rm -rf /usr/bin/dumpcap
1⤵
PID:1546

/usr/local/sbin/rm
rm -rf /usr/bin/windump
1⤵
PID:1551

/usr/local/bin/rm
rm -rf /usr/bin/windump
1⤵
PID:1551

/usr/sbin/rm
rm -rf /usr/bin/windump
1⤵
PID:1551

/usr/bin/rm
rm -rf /usr/bin/windump
1⤵
PID:1551

/sbin/rm
rm -rf /usr/bin/windump
1⤵
PID:1551

/bin/rm
rm -rf /usr/bin/windump
1⤵
PID:1551

/usr/local/sbin/rm
rm -rf /usr/sbin/dsniff
1⤵
PID:1538

/usr/local/bin/rm
rm -rf /usr/sbin/dsniff
1⤵
PID:1538

/usr/sbin/rm
rm -rf /usr/sbin/dsniff
1⤵
PID:1538

/usr/bin/rm
rm -rf /usr/sbin/dsniff
1⤵
PID:1538

/sbin/rm
rm -rf /usr/sbin/dsniff
1⤵
PID:1538

/bin/rm
rm -rf /usr/sbin/dsniff
1⤵
PID:1538

/usr/local/sbin/rm
rm -rf /usr/sbin/ettercap
1⤵
PID:1537

/usr/local/bin/rm
rm -rf /usr/sbin/ettercap
1⤵
PID:1537

/usr/sbin/rm
rm -rf /usr/sbin/ettercap
1⤵
PID:1537

/usr/bin/rm
rm -rf /usr/sbin/ettercap
1⤵
PID:1537

/sbin/rm
rm -rf /usr/sbin/ettercap
1⤵
PID:1537

/bin/rm
rm -rf /usr/sbin/ettercap
1⤵
PID:1537

/usr/local/sbin/rm
rm -rf /usr/sbin/dumpcap
1⤵
PID:1536

/usr/local/bin/rm
rm -rf /usr/sbin/dumpcap
1⤵
PID:1536

/usr/sbin/rm
rm -rf /usr/sbin/dumpcap
1⤵
PID:1536

/usr/bin/rm
rm -rf /usr/sbin/dumpcap
1⤵
PID:1536

/sbin/rm
rm -rf /usr/sbin/dumpcap
1⤵
PID:1536

/bin/rm
rm -rf /usr/sbin/dumpcap
1⤵
PID:1536

/usr/local/sbin/rm
rm -rf /usr/sbin/wireshark
1⤵
PID:1535

/usr/local/bin/rm
rm -rf /usr/sbin/wireshark
1⤵
PID:1535

/usr/sbin/rm
rm -rf /usr/sbin/wireshark
1⤵
PID:1535

/usr/bin/rm
rm -rf /usr/sbin/wireshark
1⤵
PID:1535

/sbin/rm
rm -rf /usr/sbin/wireshark
1⤵
PID:1535

/bin/rm
rm -rf /usr/sbin/wireshark
1⤵
PID:1535

/usr/local/sbin/rm
rm -rf /usr/sbin/tshark
1⤵
PID:1534

/usr/local/bin/rm
rm -rf /usr/sbin/tshark
1⤵
PID:1534

/usr/sbin/rm
rm -rf /usr/sbin/tshark
1⤵
PID:1534

/usr/bin/rm
rm -rf /usr/sbin/tshark
1⤵
PID:1534

/sbin/rm
rm -rf /usr/sbin/tshark
1⤵
PID:1534

/bin/rm
rm -rf /usr/sbin/tshark
1⤵
PID:1534

/usr/local/sbin/rm
rm -rf /usr/sbin/tcpdump
1⤵
PID:1533

/usr/local/bin/rm
rm -rf /usr/sbin/tcpdump
1⤵
PID:1533

/usr/sbin/rm
rm -rf /usr/sbin/tcpdump
1⤵
PID:1533

/usr/bin/rm
rm -rf /usr/sbin/tcpdump
1⤵
PID:1533

/sbin/rm
rm -rf /usr/sbin/tcpdump
1⤵
PID:1533

/bin/rm
rm -rf /usr/sbin/tcpdump
1⤵
PID:1533

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

3

T1070

Impair Defenses

1

T1562

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads