Analysis

  • max time kernel
    132s
  • max time network
    148s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240226-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240226-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    07/05/2024, 01:58

General

  • Target

    ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf

  • Size

    103KB

  • MD5

    dfb3b9e8f06911fafd67cd01a02d19e7

  • SHA1

    6d2b48acc8cc55a612167c1ac60925f43a550f66

  • SHA256

    ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270

  • SHA512

    dd1271935dd1bbe240a296013d86162f9e81b6a1a62ee180913f47048956e9da121ef4a995cdd7834ba17f49399b905c212d218a2649ba40723e6da2fec5171b

  • SSDEEP

    3072:aXaoPUZSK1mVKpn7q6WFjcArKRy3OFP9mRJf:Ca/ZdrqjcAilFPUb

Score
7/10

Malware Config

Signatures

  • Deletes journal logs 1 TTPs 2 IoCs

    Deletes systemd journal logs. Likely to evade detection.

  • Modifies PAM framework files 1 IoCs

    Modifies Linux PAM framework files, possibly to intercept credentials.

  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Modifies sudoers policy 1 IoCs

    Adds/ Modifies rule files for sudoers policy, likely to grant additional privileges.

  • Modifies user home skeleton directory 1 IoCs

    Modifies skeleton of initial home directory of newly added system users.

  • Creates/modifies Cron job 1 TTPs 6 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Creates/modifies environment variables 1 TTPs 1 IoCs

    Creating/modifying environment variables is a common persistence mechanism.

  • Deletes log files 1 TTPs 20 IoCs

    Deletes log files on the system.

  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Modifies init.d 1 TTPs 1 IoCs

    Adds/modifies system service, likely for persistence.

  • Modifies rc script 1 TTPs 7 IoCs

    Adding/modifying system rc scripts is a common persistence mechanism.

  • Write file to user bin folder 1 TTPs 4 IoCs
  • Writes file to system bin folder 1 TTPs 3 IoCs
  • Modifies Bash startup script 1 TTPs 1 IoCs
  • Changes its process name 2 IoCs
  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Enumerates kernel/hardware configuration 1 TTPs 11 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to shm directory 1 IoCs

    Malware can drop malicious files in the shm directory which will run directly from RAM.

  • Writes file to tmp directory 21 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf
    /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf
    1⤵
    • Deletes journal logs
    • Modifies PAM framework files
    • Modifies Watchdog functionality
    • Modifies sudoers policy
    • Modifies user home skeleton directory
    • Creates/modifies Cron job
    • Creates/modifies environment variables
    • Deletes log files
    • Enumerates active TCP sockets
    • Modifies init.d
    • Modifies rc script
    • Write file to user bin folder
    • Writes file to system bin folder
    • Modifies Bash startup script
    • Reads system network configuration
    • Enumerates kernel/hardware configuration
    • Reads runtime system information
    • Writes file to shm directory
    • Writes file to tmp directory
    PID:1555

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads