1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8

Analysis

max time kernel
149s
max time network
147s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
21/05/2024, 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
Size

170KB
MD5

4efe945f9e1798078778681cec73bc02
SHA1

9b08661e524a6d6e6b7077945f13ac3880700aa1
SHA256

1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8
SHA512

abe8df80d93cc3a11cda83c50d8cf9fb771ea177a3aea59a26559ab6688add7b369dba38932a2ab257ad0a3d01289ceff67232f03d0cf7f1fb5036aa6c11f1fa
SSDEEP

3072:e/eGibq3BRNvmovPKSgch4BqBoJMxhBSr23p+W8jDhmSpmRpByBqm+x:e/eGibq3BRFjvPXh2hJMxhBSgH8jA+mR

Score

7^/10

Malware Config

Signatures

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/misc/watchdog	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for modification	/dev/watchdog	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 1 TTPs 1 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/bin/watchdog	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/670/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/880/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/1078/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/19/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/25/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/9/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/710/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/7/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/161/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/650/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/685/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/5/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/19/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/1194/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/1239/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/1501/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/4/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/578/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/1355/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/269/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/1129/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/443/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/615/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/8/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/1009/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/1078/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/1503/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/17/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/425/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/85/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/1141/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/34/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/578/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/166/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/1137/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/1503/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/1507/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/2/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/13/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/81/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/1088/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/471/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/1071/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/1133/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/8/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/167/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/1068/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/169/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/780/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/691/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/805/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/1071/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/1129/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/1/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/32/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/780/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/921/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/1064/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/1261/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/32/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/204/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/467/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/1151/maps	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
File opened for reading	/proc/204/cmdline	1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf

/tmp/1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
/tmp/1c970c16ed8c614f23761583e1135233b315a4153b52d8c1cffed9aa0abddab8.elf
1⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Reads runtime system information
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads