6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831

General

Target

6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
Size

77KB
MD5

012993befbbb2c6e67c072e732952520
SHA1

c2cd6a58f489e302c710f58c351f634ee1fac1d3
SHA256

6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831
SHA512

900f0d55519ee3a553cdb84487b6e2aabe49910a1dbe4fca6b9ffe70c30862daa911a7b9aed03b8449d341f1955aad9e96275f8afed0525b923077989604640d
SSDEEP

1536:cnHjqwuX4WS0RZk/VHtP3nOWHZKnVGnfqPC3vcp:cnHxZb3nOWHZKnPacp

Score

7^/10

evasion

Malware Config

Signatures

Deletes Audit logs 1 TTPs 1 IoCs
Deletes logs related to the Linux Audit framework.
evasion

Indicator Removal
T1070

Processes:

6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf

description ioc process

File deleted /var/log/audit/audit.log 6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
Deletes itself 1 IoCs

Processes:

6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf

pid process

655 6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
Deletes system logs 1 TTPs 1 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
evasion

Indicator Removal
T1070

Processes:

6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf

description ioc process

File deleted /var/log/syslog 6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf

description	ioc	process
File deleted	/var/log/audit/audit.log	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf

pid	process
655	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf

description	ioc	process
File deleted	/var/log/syslog	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

Processes:

6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf

description	ioc	process
File opened for modification	/dev/watchdog	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for modification	/dev/misc/watchdog	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf

Deletes log files 1 TTPs 4 IoCs

Deletes log files on the system.

Indicator Removal

T1070

Processes:

6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf

description	ioc	process
File deleted	/var/log/lastlog	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File deleted	/var/log/wtmp	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File deleted	/var/log/auth.log	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File deleted	/var/log/daemon.log	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf

Enumerates running processes
Discovers information about currently running processes on the system

Changes its process name 1 IoCs

Processes:

6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	c02bq37sqcec84mmj3hg1ppcn74h	655	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf

description	ioc	process
File opened for reading	/proc/814/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/896/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/5/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/677/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/12/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/135/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/725/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/820/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/884/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/14/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/690/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/739/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/796/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/825/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/827/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/846/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/165/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/671/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/24/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/786/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/18/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/712/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/743/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/853/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/894/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/4/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/104/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/840/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/847/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/873/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/277/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/659/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/641/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/654/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/698/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/848/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/859/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/11/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/279/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/900/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/738/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/855/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/682/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/817/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/838/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/890/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/913/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/3/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/275/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/26/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/807/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/819/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/821/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/861/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/13/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/106/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/704/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/788/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/833/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/8/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/15/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/719/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/801/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
File opened for reading	/proc/892/cmdline	6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf

/tmp/6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
/tmp/6505817926dec0a60b2615bc0588794775579b3ffbca26096036ad6b9756c831.elf
1⤵
- Deletes Audit logs
- Deletes itself
- Deletes system logs
- Modifies Watchdog functionality
- Deletes log files
- Changes its process name
- Reads runtime system information
PID:655

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

3

T1070

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads