bfcc91b38de6b1d3c6c262f7e15fe897d9bc462fae4038c41582c5ee4396e0e9

Analysis

max time kernel
150s
max time network
139s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240221-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240221-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
21-04-2024 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c91de20d8e8d3c37a17814bd0b5477e7.elf
Size

85KB
MD5

c91de20d8e8d3c37a17814bd0b5477e7
SHA1

72a39caf8789e41685b3c4a3778f5d0d1c20e403
SHA256

bfcc91b38de6b1d3c6c262f7e15fe897d9bc462fae4038c41582c5ee4396e0e9
SHA512

941ef9374bce8ca053655d0cb89a4c9afed49e1a574834b0fc54eb3914100dbcbad91399a174a5e088d0dd01890755665e269eb0e4a9c3ac0550ff90ed2a4ede
SSDEEP

1536:vAEnPnW91Z8Ip/1xNeLT7H/5a7RCjwaW:vvnPneZNBDNET7HhaAEaW

Score

7^/10

evasion

Malware Config

Signatures

Deletes Audit logs 1 TTPs 1 IoCs

Deletes logs related to the Linux Audit framework.

evasion

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/audit/audit.log	c91de20d8e8d3c37a17814bd0b5477e7.elf

Deletes itself 1 IoCs

pid	Process
1467	c91de20d8e8d3c37a17814bd0b5477e7.elf

Deletes journal logs 1 TTPs 1 IoCs

Deletes systemd journal logs. Likely to evade detection.

evasion

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/journal/4816dd152e8c48ff97e9117d197c13d8/system.journal	c91de20d8e8d3c37a17814bd0b5477e7.elf

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/syslog	c91de20d8e8d3c37a17814bd0b5477e7.elf

Renames itself 1 IoCs

pid	Process
1467	c91de20d8e8d3c37a17814bd0b5477e7.elf

Deletes log files 1 TTPs 3 IoCs

Deletes log files on the system.

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/cups/access_log	c91de20d8e8d3c37a17814bd0b5477e7.elf
File deleted	/var/log/auth.log	c91de20d8e8d3c37a17814bd0b5477e7.elf
File deleted	/var/log/kern.log	c91de20d8e8d3c37a17814bd0b5477e7.elf

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/proc/net/tcp	c91de20d8e8d3c37a17814bd0b5477e7.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	a	1467	c91de20d8e8d3c37a17814bd0b5477e7.elf

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc	Process
File opened for reading	/proc/net/tcp	c91de20d8e8d3c37a17814bd0b5477e7.elf

/tmp/c91de20d8e8d3c37a17814bd0b5477e7.elf
/tmp/c91de20d8e8d3c37a17814bd0b5477e7.elf
1⤵
- Deletes Audit logs
- Deletes itself
- Deletes journal logs
- Deletes system logs
- Renames itself
- Deletes log files
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
PID:1467

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Credential Access

Discovery

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads