General

  • Target

    89fe382c8842bddaead4c2d51e82f6dd.bin

  • Size

    1.8MB

  • Sample

    240419-bz3hssea6y

  • MD5

    413df80aabe9823c06776290a345d744

  • SHA1

    5121ae54b5ed8e623e993d2f1d5a67fd6c7670ae

  • SHA256

    bd4274bb0d766ff21372eb9ce674082e468889a030b43a5341a4f6e380fbaa2f

  • SHA512

    811fbe0f58df5b93ca432e125b2d5806e8477b154a8c03e1728dadc7f468e9bebc4ea4fb5450af7b0313096ddda1ea81154fba5b0cc13a92e2ed165c9526b998

  • SSDEEP

    49152:GhNFWtgAVKQBFdpinHAQrt448dCi+JEX74ubs/YZNO4:GLECAIsdpinHAQrcAi+JE8uuGc4

Malware Config

Targets

    • Target

      6abe4b95f1bf4a2bb03468eba8eb72fb7ff3f339cfa1a226dd0ca22e6997b30b.elf

    • Size

      1.8MB

    • MD5

      89fe382c8842bddaead4c2d51e82f6dd

    • SHA1

      6459b07ac70ec643ab4b585170a16914991b8686

    • SHA256

      6abe4b95f1bf4a2bb03468eba8eb72fb7ff3f339cfa1a226dd0ca22e6997b30b

    • SHA512

      f86a4ba581520c5325a66d1934ca4c054a5815850879b47d70d03954c15e588a62445c9bc270e4c6217a784972e518470c59ff5a2f27a56d5fb0dda24a661163

    • SSDEEP

      49152:T/LqKFCQyDi8ee/zmCLa4yyrChkwl+3r6+Mziv2UaPfz:XzWDaeLmvmWYJaiu1fz

    • Contacts a large number (1,318,288) of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Changes its process name

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Checks CPU configuration

      Checks CPU information that indicates whether the system is a virtual machine.

    • Checks hardware identifiers (DMI)

      Checks DMI information that indicates whether the system is a virtual machine.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Enumerates running processes

      Discovers information about the processes currently running on the system.

    • Reads CPU attributes

    • Reads hardware information

      Accesses system information such as serial numbers and manufacturer names.
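The signatures above are behavioural rules evaluated over sandbox telemetry (flows, file accesses, process events). The following is an added example, not the sandbox vendor's own signature code: a miniature rule engine that re-derives the report's network-scan, unexpected-DNS, cron-persistence, VM-fingerprint and process-rename signatures from a constructed event stream. The event schema, the path prefixes, the 50-host threshold and every sample value are assumptions chosen to mirror the report; the real detection logic is not shown on this page.

```python
"""Miniature re-implementation of the behavioural signatures fired in this report.

Added example, not the sandbox vendor's code. The event schema, path prefixes,
the host threshold and the sample telemetry are all assumptions that mirror
the report's signatures; the real sandbox logic is not public on this page.
"""

# Constructed telemetry (not captured from the sample): a scan-style burst
# of TCP connections, one DNS query to the configured resolver and one to a
# foreign resolver, VM-fingerprint file reads, a crontab write and a rename.
CONFIGURED_DNS = {"10.0.0.2"}
SAMPLE_EVENTS = [
    {"type": "flow", "proto": "tcp", "dst": f"198.51.100.{i}", "dport": 23}
    for i in range(1, 60)
] + [
    {"type": "flow", "proto": "udp", "dst": "10.0.0.2", "dport": 53},
    {"type": "flow", "proto": "udp", "dst": "203.0.113.7", "dport": 53},
    {"type": "file_read", "path": "/proc/cpuinfo"},
    {"type": "file_read", "path": "/sys/class/dmi/id/sys_vendor"},
    {"type": "file_write", "path": "/var/spool/cron/crontabs/root"},
    {"type": "process_rename", "new_name": "[kworker/0:1]"},
]

# Path prefixes the rules key on (assumed; conventional Linux locations).
VM_FINGERPRINT_PREFIXES = ("/proc/cpuinfo", "/sys/class/dmi/id/",
                           "/sys/devices/virtual/dmi/id/")
CRON_PREFIXES = ("/etc/cron", "/var/spool/cron/")


def distinct_remote_hosts(events):
    """Distinct destination addresses across all flows (the 'remote hosts' count)."""
    return {e["dst"] for e in events if e["type"] == "flow"}


def foreign_dns_destinations(events, configured_dns):
    """Port-53 traffic to anything other than the sandbox's configured resolvers."""
    return {e["dst"] for e in events
            if e["type"] == "flow" and e["dport"] == 53
            and e["dst"] not in configured_dns}


def vm_fingerprint_reads(events):
    """Reads of CPU or DMI files that can reveal a hypervisor (T1497)."""
    return [e["path"] for e in events if e["type"] == "file_read"
            and e["path"].startswith(VM_FINGERPRINT_PREFIXES)]


def cron_modifications(events):
    """Writes under cron directories, the persistence mechanism flagged here (T1053)."""
    return [e["path"] for e in events if e["type"] == "file_write"
            and e["path"].startswith(CRON_PREFIXES)]


def evaluate(events, configured_dns, host_threshold=50):
    """Return {signature_name: technique_id} for every signature that fires.

    Signatures the report lists without an ATT&CK mapping map to None.
    """
    hits = {}
    if len(distinct_remote_hosts(events)) >= host_threshold:
        hits["contacts_large_number_of_remote_hosts"] = "T1046"
    if foreign_dns_destinations(events, configured_dns):
        hits["unexpected_dns_destination"] = None
    for path in vm_fingerprint_reads(events):
        name = ("checks_cpu_configuration" if path.startswith("/proc/cpuinfo")
                else "checks_hardware_identifiers_dmi")
        hits[name] = "T1497"
    if cron_modifications(events):
        hits["creates_modifies_cron_job"] = "T1053"
    if any(e["type"] == "process_rename" for e in events):
        hits["changes_process_name"] = None
    return hits


if __name__ == "__main__":
    for name, technique in sorted(evaluate(SAMPLE_EVENTS, CONFIGURED_DNS).items()):
        print(f"{name:40s} {technique or '-'}")
```

The host threshold is deliberately low so the constructed stream trips it; the real sample contacted over 1.3 million distinct hosts, which is far beyond anything a benign service does and is the single strongest indicator in this report. When triaging a similar sample, the DNS rule is worth keeping separate from the scan rule: port-53 traffic to an unconfigured resolver is often the first sign of a hard-coded resolver or a DNS-based C2 channel rather than part of the scan itself.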

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                 Technique                         Signatures   ID
  Execution              Scheduled Task/Job                1            T1053
  Persistence            Scheduled Task/Job                1            T1053
  Privilege Escalation   Scheduled Task/Job                1            T1053
  Defense Evasion        Virtualization/Sandbox Evasion    2            T1497
  Discovery              Network Service Discovery         2            T1046
  Discovery              Virtualization/Sandbox Evasion    2            T1497
  Discovery              System Information Discovery      3            T1082

Tasks