Analysis Overview
SHA256
24a800548a9cc548fc166fd15ca51ef239cce2724308587239ca62e9e097eb6f
Threat Level: Shows suspicious behavior
The file dfb3b9e8f06911fafd67cd01a02d19e7.bin was classified as: Shows suspicious behavior. Note that the behavioral run executes the sample as /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf, a 64-hex-character name that does not match the SHA256 above; the report does not explain the difference, so search on both values when pivoting to other sources.
Malicious Activity Summary
Modifies Watchdog functionality
Modifies PAM framework files
Deletes journal logs
Modifies user home skeleton directory
Modifies sudoers policy
Writes file to system bin folder
Writes file to user bin folder
Modifies init.d
Deletes log files
Modifies rc script
Enumerates running processes
Enumerates active TCP sockets
Creates/modifies Cron job
Creates/modifies environment variables
Modifies Bash startup script
Reads system network configuration
Changes its process name
Writes file to shm directory
Enumerates kernel/hardware configuration
Writes file to tmp directory
Reads runtime system information

Nearly all of the file-system signatures in the behavioral run below fire on one filename, .old_cache, which the sample opens for modification in each listed directory in turn (pam.d, sudoers.d, skel, every cron directory, profile.d, init.d, rc0.d through rc6.d, the bin and sbin directories, /dev/shm, /tmp and its service-private subdirectories); under /var/log/journal the same file is then truncated and deleted. The report records that the paths were opened, not what was written, so signatures such as "Modifies sudoers policy" and "Deletes journal logs" document the sample touching its own file in those directories, a pattern consistent with probing for writable locations, rather than a confirmed change to sudoers or the journal. The indicators that name something other than .old_cache are /sbin/watchdog, /dev/watchdog and /dev/misc/watchdog (opened for modification) and /proc/net/tcp (opened for reading).
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-07 01:58
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-07 01:58
Reported
2024-05-07 02:00
Platform
ubuntu1804-amd64-20240226-en
Max time kernel
132s
Max time network
148s
Command Line
Signatures
Deletes journal logs
| Description | Indicator | Process | Target |
| File truncated | /var/log/journal/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File deleted | /var/log/journal/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
Modifies PAM framework files
| Description | Indicator | Process | Target |
| File opened for modification | /etc/pam.d/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/misc/watchdog | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /dev/watchdog | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
Modifies sudoers policy
| Description | Indicator | Process | Target |
| File opened for modification | /etc/sudoers.d/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
Modifies user home skeleton directory
| Description | Indicator | Process | Target |
| File opened for modification | /etc/skel/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| File opened for modification | /etc/cron.weekly/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /etc/cron.monthly/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /var/spool/cron/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /etc/cron.daily/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /etc/cron.d/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /etc/cron.hourly/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
Creates/modifies environment variables
| Description | Indicator | Process | Target |
| File opened for modification | /etc/profile.d/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
Deletes log files
Enumerates active TCP sockets
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/tcp | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
Enumerates running processes
Modifies init.d
| Description | Indicator | Process | Target |
| File opened for modification | /etc/init.d/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
Modifies rc script
| Description | Indicator | Process | Target |
| File opened for modification | /etc/rc4.d/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /etc/rc6.d/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /etc/rc0.d/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /etc/rc5.d/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /etc/rc2.d/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /etc/rc3.d/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /etc/rc1.d/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
Writes file to user bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /usr/sbin/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /usr/bin/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /usr/local/sbin/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /usr/local/bin/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
Writes file to system bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /sbin/watchdog | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /sbin/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /bin/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
Modifies Bash startup script
| Description | Indicator | Process | Target |
| File opened for modification | /etc/profile.d/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | /bin/bash | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | /bin/bash | N/A | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/tcp | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to shm directory
| Description | Indicator | Process | Target |
| File opened for modification | /dev/shm/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.XIM-unix/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /tmp/ssh-sRVekHHvf0pe/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /tmp/.X11-unix/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /tmp/systemd-private-c63e28dce7ac40ea99359878c8113a6c-systemd-resolved.service-LqmGXc/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /tmp/systemd-private-c63e28dce7ac40ea99359878c8113a6c-ModemManager.service-F3VNGY/tmp/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /tmp/systemd-private-c63e28dce7ac40ea99359878c8113a6c-bolt.service-bVLlJz/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /tmp/.font-unix/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /tmp/systemd-private-c63e28dce7ac40ea99359878c8113a6c-systemd-timedated.service-VgDdmh/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /tmp/systemd-private-c63e28dce7ac40ea99359878c8113a6c-colord.service-9597KE/tmp/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /tmp/systemd-private-c63e28dce7ac40ea99359878c8113a6c-systemd-timedated.service-VgDdmh/tmp/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /tmp/snap-private-tmp/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /tmp/systemd-private-c63e28dce7ac40ea99359878c8113a6c-fwupd.service-Z6jdZC/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /tmp/netplan_259va_85/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /tmp/systemd-private-c63e28dce7ac40ea99359878c8113a6c-bolt.service-bVLlJz/tmp/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /tmp/systemd-private-c63e28dce7ac40ea99359878c8113a6c-systemd-resolved.service-LqmGXc/tmp/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /tmp/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /tmp/.Test-unix/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /tmp/.ICE-unix/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /tmp/systemd-private-c63e28dce7ac40ea99359878c8113a6c-colord.service-9597KE/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /tmp/systemd-private-c63e28dce7ac40ea99359878c8113a6c-fwupd.service-Z6jdZC/tmp/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
| File opened for modification | /tmp/systemd-private-c63e28dce7ac40ea99359878c8113a6c-ModemManager.service-F3VNGY/.old_cache | /tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf | N/A |
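The file indicators above share a single name, .old_cache, dropped into a fixed set of directories. The following script is an added example (not code from the sandbox vendor or from the sample) that looks for that name in the same directories on a host and returns a triage record for each hit. Two assumptions are this script's own: the root parameter, so a mounted image or chroot copy can be scanned instead of the live /, and the recursive walk of /tmp, chosen because the report shows the name inside systemd-private-* and X11/ssh socket directories rather than only at the top level.

```python
"""Hunt for the .old_cache artefacts from the report's Signatures on a host.

Added example, not code from the sandbox vendor or from the sample. It checks
the directories the report lists for the shared indicator name and returns a
triage record (type, mode, owner, size, mtime) for each hit. Assumptions:
'root' is this script's own convention for scanning an offline copy instead
of '/', and /tmp is walked recursively (the report shows .old_cache inside
systemd-private-* and X11/ssh socket directories).
"""
import os
import stat
import sys
from pathlib import Path

INDICATOR_NAME = ".old_cache"

# Directories in which the report shows .old_cache opened for modification.
SHALLOW_DIRS = [
    "var/log/journal", "etc/pam.d", "etc/sudoers.d", "etc/skel",
    "etc/cron.d", "etc/cron.hourly", "etc/cron.daily", "etc/cron.weekly",
    "etc/cron.monthly", "var/spool/cron", "etc/profile.d", "etc/init.d",
    "etc/rc0.d", "etc/rc1.d", "etc/rc2.d", "etc/rc3.d", "etc/rc4.d",
    "etc/rc5.d", "etc/rc6.d", "usr/sbin", "usr/bin", "usr/local/sbin",
    "usr/local/bin", "sbin", "bin", "dev/shm",
]
# Walked recursively (assumption, see module docstring).
RECURSIVE_DIRS = ["tmp"]


def _present(path):
    """True if the path exists as anything, including a dangling symlink."""
    try:
        path.lstat()
        return True
    except OSError:  # ENOENT, or EACCES when not running as root
        return False


def describe(path):
    """Build a triage record; lstat so a planted symlink is reported, not followed."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        kind = "symlink"
    elif stat.S_ISDIR(st.st_mode):
        kind = "dir"
    else:
        kind = "file"
    return {
        "path": str(path),
        "type": kind,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "uid": st.st_uid,
        "size": st.st_size,
        "mtime": int(st.st_mtime),
    }


def hunt(root="/"):
    """Return triage records, sorted by path, for every .old_cache found."""
    root = Path(root)
    hits = []
    for rel in SHALLOW_DIRS:
        candidate = root / rel / INDICATOR_NAME
        if _present(candidate):
            hits.append(describe(candidate))
    for rel in RECURSIVE_DIRS:
        base = root / rel
        if not base.is_dir():
            continue
        # os.walk ignores unreadable subdirectories by default, so a partial
        # scan as an unprivileged user still returns what it could see.
        for dirpath, dirnames, filenames in os.walk(base):
            for name in dirnames + filenames:
                if name == INDICATOR_NAME:
                    hits.append(describe(Path(dirpath) / name))
    return sorted(hits, key=lambda h: h["path"])


if __name__ == "__main__":
    results = hunt(sys.argv[1] if len(sys.argv) > 1 else "/")
    for h in results:
        print(f"{h['type']:7} {h['mode']} uid={h['uid']} size={h['size']} "
              f"mtime={h['mtime']} {h['path']}")
    sys.exit(1 if results else 0)
```

Run it as root on a suspect host, or point it at a mounted image (`python3 hunt.py /mnt/evidence`). A non-zero exit means at least one hit. Remember that the journal copy is truncated and deleted in the sandbox run, so its absence on a live host is expected; the other locations are the ones that would persist.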
Processes
/tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf
[/tmp/ea4809046bdfd7d519f48b965318cf94fe08498bef0d9eeb305f81f6a5234270.elf]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 94.156.67.181:10333 | | tcp |
| US | 151.101.2.49:443 | | tcp |
| NL | 94.156.67.181:10333 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 151.101.194.49:443 | cdn.fwupd.org | tcp |
| GB | 195.181.164.21:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| GB | 89.187.167.5:443 | 1527653184.rsc.cdn77.org | tcp |
| NL | 94.156.67.181:10333 | | tcp |

The mDNS multicast (224.0.0.251:5353), the cdn.fwupd.org and rsc.cdn77.org lookups and the 443/tcp connections to CDN address space are consistent with the Ubuntu 18.04 image's own background services (fwupd metadata and snap refresh traffic) rather than with connections initiated by the sample, and this page does not attribute them to a process. The three 10333/tcp connections to 94.156.67.181 (NL) are the only destinations here without such a benign explanation, so they are the entries to pivot on.
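The sample reads /proc/net/tcp (the "Enumerates active TCP sockets" and "Reads system network configuration" signatures), and the table above shows three connections to 94.156.67.181:10333. The following added example (not from the sandbox vendor or the sample) decodes that file's hex encoding and matches live sockets against that endpoint, which is both what the sample sees when it reads the file and a quick host-side check for the report's network indicator. The SAMPLE excerpt is constructed for the demonstration, not captured from the run, and the address decoding assumes a little-endian host, which is what the amd64 sandbox platform is.

```python
"""Decode /proc/net/tcp and flag sockets connected to a known-bad endpoint.

Added example, not part of the sandbox report. IOC_ENDPOINT is taken from the
report's Network table; SAMPLE is a constructed excerpt in /proc/net/tcp
format. Run with no arguments to check the local host, or pass a saved copy
of /proc/net/tcp as the first argument.
"""
import socket
import struct
import sys

# Kernel TCP state codes as printed in the 'st' column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Endpoint from the report's Network table.
IOC_ENDPOINT = ("94.156.67.181", 10333)

# Constructed excerpt (not captured from the sandbox): a listening sshd socket
# and one established connection from 10.0.2.15 to the IOC endpoint.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18231 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:A3C2 B5439C5E:285D 01 00000000:00000000 00:00000000 00000000  1000        0 27544 1 0000000000000000 20 4 30 10 -1
"""


def decode_endpoint(field):
    """Turn 'B5439C5E:285D' into ('94.156.67.181', 10333).

    The kernel prints the IPv4 address as a 32-bit value in host byte order
    (little-endian on amd64), so the integer is re-packed little-endian to
    recover the network-order bytes; the port is a plain hex number.
    """
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp content into a list of socket records."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        sockets.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),  # map to a PID via /proc/*/fd/* -> socket:[inode]
        })
    return sockets


def find_ioc_connections(text, ioc=IOC_ENDPOINT):
    """Return sockets whose remote endpoint equals the IOC (address, port)."""
    return [s for s in parse_proc_net_tcp(text) if s["remote"] == ioc]


if __name__ == "__main__":
    source = sys.argv[1] if len(sys.argv) > 1 else "/proc/net/tcp"
    with open(source) as fh:
        hits = find_ioc_connections(fh.read())
    for s in hits:
        print(f"{s['state']} {s['local'][0]}:{s['local'][1]} -> "
              f"{s['remote'][0]}:{s['remote'][1]} uid={s['uid']} inode={s['inode']}")
    sys.exit(1 if hits else 0)
```

The inode column is the link back to a process: the owning PID is whichever /proc/PID/fd entry is a symlink to socket:[inode]. IPv6 sockets live in /proc/net/tcp6 with 128-bit addresses and are not covered by this decoder.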