General

  • Target

    2b3c4f43c888ccb4d6edf582bbfafa3d.elf

  • Size

    86KB

  • Sample

    240505-cg91labb7w

  • MD5

    2b3c4f43c888ccb4d6edf582bbfafa3d

  • SHA1

    55977ad42ce727dd5099558efec74adf5ce61eb7

  • SHA256

    6851cf3d49c61aca0813e6242eb086b15fa454a6953acafb4dc400f868890315

  • SHA512

    17475686ed01dd4ce48e351ece9c062a8d309d2ba297c9bcb579bee165a0b1f53080026ad78d0210c3b9bee2373331bf233f88e61f10e7fb0a483274f8760629

  • SSDEEP

    1536:N4gz2yjt+uO6XBX+9lRt7iLZ6yy4swKX+lJuMNRkVxNwj:N4gayjt+76XdONgdy41KX+nfgxuj

Malware Config

Targets

    • Target

      2b3c4f43c888ccb4d6edf582bbfafa3d.elf

    • Size

      86KB

    • MD5

      2b3c4f43c888ccb4d6edf582bbfafa3d

    • SHA1

      55977ad42ce727dd5099558efec74adf5ce61eb7

    • SHA256

      6851cf3d49c61aca0813e6242eb086b15fa454a6953acafb4dc400f868890315

    • SHA512

      17475686ed01dd4ce48e351ece9c062a8d309d2ba297c9bcb579bee165a0b1f53080026ad78d0210c3b9bee2373331bf233f88e61f10e7fb0a483274f8760629

    • SSDEEP

      1536:N4gz2yjt+uO6XBX+9lRt7iLZ6yy4swKX+lJuMNRkVxNwj:N4gayjt+76XdONgdy41KX+nfgxuj

    Score
    7/10
    • Deletes journal logs

      Deletes systemd journal logs. Likely to evade detection.

    • Modifies PAM framework files

      Modifies Linux PAM framework files, possibly to intercept credentials.

    • Modifies Watchdog functionality

      Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    • Modifies sudoers policy

      Adds/ Modifies rule files for sudoers policy, likely to grant additional privileges.

    • Modifies user home skeleton directory

      Modifies skeleton of initial home directory of newly added system users.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Creates/modifies environment variables

      Creating/modifying environment variables is a common persistence mechanism.

    • Deletes log files

      Deletes log files on the system.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

    • Write file to user bin folder

    • Writes file to system bin folder

    • Modifies Bash startup script

MITRE ATT&CK Enterprise v15

Tasks