Analysis
-
max time kernel
4s -
max time network
149s -
platform
ubuntu-20.04_amd64 -
resource
ubuntu2004-amd64-20240221-en -
resource tags
-
submitted
25/04/2024, 01:27
General
-
Target
54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c.elf
-
Size
274KB
-
MD5
28df757f694fefc6d25939e65348753b
-
SHA1
aa82f4a94ad10b29ac8540a4984032b686fe1632
-
SHA256
54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c
-
SHA512
fdd557b487f2730ac79dd2299bd203493fa40437c3da7b6cf0b6c8eb05535eee78fd5f124549feb65d2b5731bb42cbab2610c7ea879c006510aa8e3422c8ace8
-
SSDEEP
6144:Qt0eKnj/dQW/n3gGgzVHJl/44wrm9NrOIiMf4J+wvWMUxc:QtvUai3SrXdOIFgvuMR
Malware Config
Signatures
-
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
-
Modifies Watchdog functionality 1 TTPs 1 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Reads EFI boot settings 3 IoCs
Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.
-
Unexpected DNS network traffic destination 11 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
-
Modifies systemd 1 TTPs 1 IoCs
Adds/ modifies systemd service files. Likely to achieve persistence.
-
Writes file to system bin folder 1 TTPs 2 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 3 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 23 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c.elf/tmp/54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c.elf1⤵
- Modifies Watchdog functionality
- Modifies init.d
- Modifies systemd
- Writes file to system bin folder
- Reads runtime system information
- Writes file to tmp directory
-
/bin/shsh -c "mount -o bind /tmp/nginx_server /proc/1476/ > /dev/null 2>&1"2⤵
-
/usr/bin/mountmount -o bind /tmp/nginx_server /proc/1476/3⤵
- Reads runtime system information
-
-
-
/bin/cpcp -f /tmp/54bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c.elf /var/tmp/nginx_kel2⤵
- Reads runtime system information
-
-
/bin/shsh -c "mount -o bind /tmp/nginx_server /proc/1482/ > /dev/null 2>&1"2⤵
-
/usr/bin/mountmount -o bind /tmp/nginx_server /proc/1482/3⤵
- Reads runtime system information
-
-
-
/bin/shsh -c "crontab /var/tmp/.recoverys"2⤵
-
/usr/bin/crontabcrontab /var/tmp/.recoverys3⤵
- Creates/modifies Cron job
-
-
-
/bin/shsh -c "ln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig > /dev/null 2>&1"2⤵
-
/usr/bin/lnln -sf /etc/init.d/dnsconfig /etc/rcS.d/S99dnsconfig3⤵
-
-
-
/bin/shsh -c "ln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig > /dev/null 2>&1"2⤵
-
/usr/bin/lnln -sf /etc/init.d/dnsconfig /etc/rc.d/S99dnsconfig3⤵
-
-
-
/bin/shsh -c "ln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig > /dev/null 2>&1"2⤵
-
/usr/bin/lnln -sf /etc/init.d/dnsconfig /etc/rc0.d/S99dnsconfig3⤵
-
-
-
/bin/shsh -c "ln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig > /dev/null 2>&1"2⤵
-
/usr/bin/lnln -sf /etc/init.d/dnsconfig /etc/rc1.d/S99dnsconfig3⤵
-
-
-
/bin/shsh -c "ln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig > /dev/null 2>&1"2⤵
-
/usr/bin/lnln -sf /etc/init.d/dnsconfig /etc/rc2.d/S99dnsconfig3⤵
-
-
-
/bin/shsh -c "systemctl daemon-reload > /dev/null 2>&1"2⤵
-
/usr/bin/systemctlsystemctl daemon-reload3⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/bin/shsh -c "ln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig > /dev/null 2>&1"2⤵
-
/usr/bin/lnln -sf /etc/init.d/dnsconfig /etc/rc3.d/S99dnsconfig3⤵
-
-
-
/bin/shsh -c "ln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig > /dev/null 2>&1"2⤵
-
/usr/bin/lnln -sf /etc/init.d/dnsconfig /etc/rc4.d/S99dnsconfig3⤵
-
-
-
/bin/shsh -c "ln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig > /dev/null 2>&1"2⤵
-
/usr/bin/lnln -sf /etc/init.d/dnsconfig /etc/rc5.d/S99dnsconfig3⤵
-
-
-
/bin/shsh -c "ln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig > /dev/null 2>&1"2⤵
-
/usr/bin/lnln -sf /etc/init.d/dnsconfig /etc/rc6.d/S99dnsconfig3⤵
-
-
-
/bin/shsh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs > /dev/null 2>&1"2⤵
-
/usr/bin/lnln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc.d/S99dnsconfigs3⤵
-
-
-
/bin/shsh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs > /dev/null 2>&1"2⤵
-
/usr/bin/lnln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc0.d/S99dnsconfigs3⤵
-
-
-
/bin/shsh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs > /dev/null 2>&1"2⤵
-
/usr/bin/lnln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc1.d/S99dnsconfigs3⤵
-
-
-
/bin/shsh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs > /dev/null 2>&1"2⤵
-
/usr/bin/lnln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc2.d/S99dnsconfigs3⤵
-
-
-
/bin/shsh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs > /dev/null 2>&1"2⤵
-
/usr/bin/lnln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc3.d/S99dnsconfigs3⤵
-
-
-
/bin/shsh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs > /dev/null 2>&1"2⤵
-
/usr/bin/lnln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc4.d/S99dnsconfigs3⤵
-
-
-
/bin/shsh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs > /dev/null 2>&1"2⤵
-
/usr/bin/lnln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc5.d/S99dnsconfigs3⤵
-
-
-
/bin/shsh -c "ln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs > /dev/null 2>&1"2⤵
-
/usr/bin/lnln -sf /etc/rc.d/init.d/dnsconfigs /etc/rc6.d/S99dnsconfigs3⤵
-
-
-
/bin/shsh -c "systemctl enable dnsconfigs.service > /dev/null 2>&1"2⤵
-
/usr/bin/systemctlsystemctl enable dnsconfigs.service3⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/bin/shsh -c "systemctl start dnsconfigs.service > /dev/null 2>&1"2⤵
-
/usr/bin/systemctlsystemctl start dnsconfigs.service3⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5df56ea52b8cee93884f3872d25a85db0
SHA12fd0c7407ed67253a807d1d01c6ffd3467edaf8e
SHA256a402d683e16519793b06f663163d750b4e82922cf3b18af5a655de41328b9bf5
SHA512e390943755721ba7f0210439f0fc8e5e3daaf98ba1df923464aa547c5a7c6f941240658c8fa59270d6f73539fd8b0a04d7bdc9c407f13d9301588d5cf9aa68da
-
Filesize
174B
MD5900f683b08977636b092fcbfa1ad8a42
SHA16d521f5c3e862f1106d9ac6a3a654e57e6814333
SHA25671d21310d1c7dbb935f3b61311403b0ec0fa32dc73f91720365416a646c2dfb3
SHA51250b5426500d8b5dccb7fd71fe9a448ae1c76770890ba86c37e7decbf2ca1f0e1cd20c50996260f37114ba2bdb16ae927e4afad241a51e3d22112ada8e25604b0
-
Filesize
5B
MD54a620052008b8d131feaf7c39a70cfab
SHA119342b2202266aeda37d494065fdb0ec4ccfce3f
SHA2565a4492b5dad4e66cf7d3cd47da24ab98a0f21b83e202c1bed6350888779e8255
SHA5124e805bf7fd5eddfc80efb0dab2fb3fdb0f54921749018d7fecb32004fd0088a344a8b9e7514264d6fdbbe7cda85be9ba607dbe626ccf2761d87035486ed716f7
-
Filesize
230B
MD5245dcd278b96af6ee3cf51b350f854e1
SHA1e0933fa7d01274f484e5a6eb03935f0196fa4202
SHA25679350d585e23c3acd65100b408ba549996076eab3eebaad87c81b9f4ef5d4198
SHA512f81193d4db19a2774cc13c4e890ad7dd24d77b7b2efdabf269ec7dba7d39f85ed578f0c2dfd6ade553fd1a5de802ddbb008ffcd7364da49176db204582b7751b
-
Filesize
37B
MD5abe9a0e06459d029e0f5183965dbbf3b
SHA17e79e16ea12fed960bcee8eb5a9c6384fa61a2d1
SHA256b2cfe7490d6dd2f81ede3ed9db30c78637f4a1e98ed746eaa00998e95d3de384
SHA512955aece23c24e5b1ce32a90fa014a8a6fac39b68707a13f56cd1bfb07c79dfc59806942732990aaf925db5724f381827e2c35eba21fe95ce9a760760527048cd
-
Filesize
274KB
MD528df757f694fefc6d25939e65348753b
SHA1aa82f4a94ad10b29ac8540a4984032b686fe1632
SHA25654bfe1a78064d443fb977ad79eab1dda0d4588dc7644882d7f16d04ab270745c
SHA512fdd557b487f2730ac79dd2299bd203493fa40437c3da7b6cf0b6c8eb05535eee78fd5f124549feb65d2b5731bb42cbab2610c7ea879c006510aa8e3422c8ace8