6f047154e60b7bb0c18b593fddf51676120ca957552440159b3d4e853be15366

General

Target

7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
Size

97KB
MD5

f3f909238b26928d0587e272fc702866
SHA1

aa2a80dc9db8553ea5e17958130662955ade4e10
SHA256

7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1
SHA512

2b09a7fd4391dd9bc48314eaaa75a40eabe8b7332099da2525193cb5f79a0b8d654de0d668fc35806f8fe45bdfa21095f1411c9fe29cbf85eb605bee6d154085
SSDEEP

1536:8wPBYpO2CUIO2/M+LIjrqr1oNgfR34b7ZZ/myEhmJ:8yBYpO2rI/u2R3C7gcJ

Score

7^/10

evasion

Malware Config

Signatures

Deletes Audit logs 1 TTPs 1 IoCs
Deletes logs related to the Linux Audit framework.
evasion

Indicator Removal
T1070

Processes:

7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf

description ioc process

File deleted /var/log/audit/audit.log 7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
Deletes itself 1 IoCs

Processes:

7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf

pid process

725 7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf

description	ioc	process
File deleted	/var/log/audit/audit.log	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf

pid	process
725	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf

Deletes journal logs 1 TTPs 1 IoCs

Deletes systemd journal logs. Likely to evade detection.

evasion

Indicator Removal

T1070

Processes:

7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf

description	ioc	process
File deleted	/var/log/journal/edeb2f80f756429c9aae366fe5ab23dd/system.journal	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

Processes:

7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf

description	ioc	process
File opened for modification	/dev/watchdog	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for modification	/dev/misc/watchdog	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf

Deletes log files 1 TTPs 1 IoCs
Deletes log files on the system.

Indicator Removal
T1070

Processes:

7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf

description ioc process

File deleted /var/log/wtmp 7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
Enumerates running processes
Discovers information about currently running processes on the system

description	ioc	process
File deleted	/var/log/wtmp	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf

Changes its process name 1 IoCs

Processes:

7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	5jheec3risw7bib2umucrh5g	725	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf

description	ioc	process
File opened for reading	/proc/1137/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1284/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/372/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/774/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1042/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1104/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/793/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/968/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1292/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1161/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1261/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/809/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/965/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1141/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1255/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1324/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/2/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/4/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/930/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/964/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1065/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1207/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1294/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1393/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/5/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/845/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1062/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1069/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1115/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1160/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1313/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/967/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/995/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1077/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1394/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/832/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/877/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1107/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1130/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/736/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/815/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1117/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1170/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1234/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/984/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1004/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/928/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1026/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1081/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1304/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/15/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/896/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/941/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1359/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/920/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/922/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/921/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/942/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1166/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/974/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1218/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1237/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1127/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
File opened for reading	/proc/1203/cmdline	7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf

/tmp/7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
/tmp/7452a8cd6d737917f4d19adcef67e8cc47b643da9d703a37fb2af6644a78edc1.elf
1⤵
- Deletes Audit logs
- Deletes itself
- Deletes journal logs
- Modifies Watchdog functionality
- Deletes log files
- Changes its process name
- Reads runtime system information
PID:725

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

3

T1070

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads