60de06460220194c61ea0796cf34274334b0c33fd2ad399dd38f03b1c3652284

General

Target

1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
Size

69KB
MD5

1ee487e4bb8d22d8d89e5aec0ac82e7b
SHA1

9c1d38c64e7518dedec41973ebb834b2ff003099
SHA256

60de06460220194c61ea0796cf34274334b0c33fd2ad399dd38f03b1c3652284
SHA512

6684786746236958c8385f96a8eaa747dc3d5d5ec083f1dd0d1767a2442afcb286626084187bca42402c263bdd8875b9ac45ec9dde7208811bb7e9619bf75543
SSDEEP

1536:n5wCO0IEO1ZIvZgfZW4jwDSoBwiegTPUW0aLpXPkbnPtRn:n5wCO/EO1Gv2U4jMSqMKB3LpXPAPT

Score

7^/10

evasion

Malware Config

Signatures

Deletes Audit logs 1 TTPs 1 IoCs
Deletes logs related to the Linux Audit framework.
evasion

Indicator Removal
T1070

Processes:

1ee487e4bb8d22d8d89e5aec0ac82e7b.elf

description ioc process

File deleted /var/log/audit/audit.log 1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
Deletes itself 1 IoCs

Processes:

1ee487e4bb8d22d8d89e5aec0ac82e7b.elf

pid process

1478 1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
Deletes journal logs 1 TTPs 1 IoCs
Deletes systemd journal logs. Likely to evade detection.
evasion

Indicator Removal
T1070

Processes:

1ee487e4bb8d22d8d89e5aec0ac82e7b.elf

description ioc process

File deleted /var/log/journal/4816dd152e8c48ff97e9117d197c13d8/system.journal 1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
Deletes system logs 1 TTPs 1 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
evasion

Indicator Removal
T1070

Processes:

1ee487e4bb8d22d8d89e5aec0ac82e7b.elf

description ioc process

File deleted /var/log/syslog 1ee487e4bb8d22d8d89e5aec0ac82e7b.elf

description	ioc	process
File deleted	/var/log/audit/audit.log	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf

pid	process
1478	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf

description	ioc	process
File deleted	/var/log/journal/4816dd152e8c48ff97e9117d197c13d8/system.journal	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf

description	ioc	process
File deleted	/var/log/syslog	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

Processes:

1ee487e4bb8d22d8d89e5aec0ac82e7b.elf

description	ioc	process
File opened for modification	/dev/watchdog	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for modification	/dev/misc/watchdog	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf

Deletes log files 1 TTPs 2 IoCs

Deletes log files on the system.

Indicator Removal

T1070

Processes:

1ee487e4bb8d22d8d89e5aec0ac82e7b.elf

description	ioc	process
File deleted	/var/log/apport.log	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File deleted	/var/log/kern.log	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf

Enumerates running processes
Discovers information about currently running processes on the system
Changes its process name 1 IoCs

Processes:

1ee487e4bb8d22d8d89e5aec0ac82e7b.elf

description pid process

Changes the process name, possibly in an attempt to hide itself 1478 1ee487e4bb8d22d8d89e5aec0ac82e7b.elf

description	pid	process
Changes the process name, possibly in an attempt to hide itself	1478	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

1ee487e4bb8d22d8d89e5aec0ac82e7b.elf

description	ioc	process
File opened for reading	/proc/17/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/496/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1541/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/162/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/167/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1572/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1573/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1612/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/612/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1621/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1632/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/19/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/982/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1080/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1413/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1689/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/16/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/439/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/455/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/560/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1604/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1683/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1738/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/7/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/75/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1669/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1676/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/585/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1108/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1033/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1419/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1482/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/671/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1119/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1752/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/91/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/92/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1643/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1650/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1742/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/567/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1475/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1631/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/3/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/443/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1045/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1651/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/793/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1558/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/84/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/506/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1580/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1636/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1737/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/163/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1655/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1727/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/169/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1300/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1714/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/642/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1607/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/1666/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
File opened for reading	/proc/440/cmdline	1ee487e4bb8d22d8d89e5aec0ac82e7b.elf

/tmp/1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
/tmp/1ee487e4bb8d22d8d89e5aec0ac82e7b.elf
1⤵
- Deletes Audit logs
- Deletes itself
- Deletes journal logs
- Deletes system logs
- Modifies Watchdog functionality
- Deletes log files
- Changes its process name
- Reads runtime system information
PID:1478

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

4

T1070

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads