a1e1dca5ae87516c59f114b1ab914ac85b147781db055d795c4d016642d49c4e

General

Target

0cfcc8b1438300100879682b60b9035b.elf
Size

95KB
MD5

0cfcc8b1438300100879682b60b9035b
SHA1

ba09d45381539287aadb51176b0484e787e5d3d6
SHA256

a1e1dca5ae87516c59f114b1ab914ac85b147781db055d795c4d016642d49c4e
SHA512

bf299c27fff04f0f9d8aa890bd1323abc78d542588d2deb16c6db1baac9c1c2d94e9689948b8113cb7cd93a2a94872435a8dfacc345bcce79c7a46a4216d1114
SSDEEP

1536:0Bb1bb/M3kV7DgDqnmX2OjxPqC3tXqmB0gXmxTJmc3Be4ipHQ:61bbU3kVw2ndmPN7B0gQT93YpHQ

Score

7^/10

evasion

Malware Config

Signatures

Deletes Audit logs 1 TTPs 1 IoCs
Deletes logs related to the Linux Audit framework.
evasion

Indicator Removal
T1070

Processes:

0cfcc8b1438300100879682b60b9035b.elf

description ioc process

File deleted /var/log/audit/audit.log 0cfcc8b1438300100879682b60b9035b.elf
Deletes itself 1 IoCs

Processes:

0cfcc8b1438300100879682b60b9035b.elf

pid process

710 0cfcc8b1438300100879682b60b9035b.elf
Deletes system logs 1 TTPs 1 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
evasion

Indicator Removal
T1070

Processes:

0cfcc8b1438300100879682b60b9035b.elf

description ioc process

File deleted /var/log/syslog 0cfcc8b1438300100879682b60b9035b.elf

description	ioc	process
File deleted	/var/log/audit/audit.log	0cfcc8b1438300100879682b60b9035b.elf

pid	process
710	0cfcc8b1438300100879682b60b9035b.elf

description	ioc	process
File deleted	/var/log/syslog	0cfcc8b1438300100879682b60b9035b.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

Processes:

0cfcc8b1438300100879682b60b9035b.elf

description	ioc	process
File opened for modification	/dev/watchdog	0cfcc8b1438300100879682b60b9035b.elf
File opened for modification	/dev/misc/watchdog	0cfcc8b1438300100879682b60b9035b.elf

Deletes log files 1 TTPs 1 IoCs
Deletes log files on the system.

Indicator Removal
T1070

Processes:

0cfcc8b1438300100879682b60b9035b.elf

description ioc process

File deleted /var/log/daemon.log 0cfcc8b1438300100879682b60b9035b.elf
Enumerates running processes
Discovers information about currently running processes on the system

description	ioc	process
File deleted	/var/log/daemon.log	0cfcc8b1438300100879682b60b9035b.elf

Changes its process name 1 IoCs

Processes:

0cfcc8b1438300100879682b60b9035b.elf

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	vhjh8uqimtde44o3rdurh7l7wwpbfa0o	710	0cfcc8b1438300100879682b60b9035b.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

0cfcc8b1438300100879682b60b9035b.elf

description	ioc	process
File opened for reading	/proc/72/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/721/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/37/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/918/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/926/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/109/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/792/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/799/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/839/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/907/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/773/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/755/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/761/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/763/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/834/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/419/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/772/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/832/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/842/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/858/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/888/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/949/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/758/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/745/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/703/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/154/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/15/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/904/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/17/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/856/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/802/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/823/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/824/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/22/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/825/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/855/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/811/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/833/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/866/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/898/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/676/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/906/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/913/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/810/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/730/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/819/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/897/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/258/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/957/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/748/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/757/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/912/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/82/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/841/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/714/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/725/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/816/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/830/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/242/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/828/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/854/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/869/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/887/cmdline	0cfcc8b1438300100879682b60b9035b.elf
File opened for reading	/proc/951/cmdline	0cfcc8b1438300100879682b60b9035b.elf

/tmp/0cfcc8b1438300100879682b60b9035b.elf
/tmp/0cfcc8b1438300100879682b60b9035b.elf
1⤵
- Deletes Audit logs
- Deletes itself
- Deletes system logs
- Modifies Watchdog functionality
- Deletes log files
- Changes its process name
- Reads runtime system information
PID:710

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

3

T1070

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads