3b7e69fb314ffdeb13c36e9ecf20a9476f34374c30ce437dea4e0db193ceb1d8

Analysis

max time kernel
149s
max time network
145s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
21-05-2024 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fa6befa83300967bbd31b7aa745f972.elf
Size

60KB
MD5

1fa6befa83300967bbd31b7aa745f972
SHA1

8a09dc37d02796146b40e336c7a9c9c5ebba4e8b
SHA256

3b7e69fb314ffdeb13c36e9ecf20a9476f34374c30ce437dea4e0db193ceb1d8
SHA512

a90fb7b23ae9087db504b1778b1bbbca16b147e5cf68646045f710032a8cf5fb92561525fd8df41b0584de83313bc099711f3f4081d781be713031ef8b6dfb41
SSDEEP

1536:W/4vP/fDv1Y7GuNNq4vMSvglokUx3108OFfGPw/62cHBwr:Aa71Y7GuK4vn3+E9HO

Score

7^/10

antivm

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

1fa6befa83300967bbd31b7aa745f972.elf

pid process

1512 1fa6befa83300967bbd31b7aa745f972.elf

pid	process
1512	1fa6befa83300967bbd31b7aa745f972.elf

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

Processes:

1fa6befa83300967bbd31b7aa745f972.elf

description	ioc	process
File opened for modification	/dev/watchdog	1fa6befa83300967bbd31b7aa745f972.elf
File opened for modification	/dev/misc/watchdog	1fa6befa83300967bbd31b7aa745f972.elf

Enumerates running processes
Discovers information about currently running processes on the system

Changes its process name 2 IoCs

Processes:

1fa6befa83300967bbd31b7aa745f972.elf

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	telnetd	1512	1fa6befa83300967bbd31b7aa745f972.elf
Changes the process name, possibly in an attempt to hide itself	telnetd	1513

Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

1fa6befa83300967bbd31b7aa745f972.elf

description ioc process

File opened for reading /proc/cpuinfo 1fa6befa83300967bbd31b7aa745f972.elf
Reads CPU attributes 1 TTPs 1 IoCs

System Information Discovery
T1082

Processes:

ps

description ioc process

File opened for reading /sys/devices/system/cpu/online ps

description	ioc	process
File opened for reading	/proc/cpuinfo	1fa6befa83300967bbd31b7aa745f972.elf

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc	process
File opened for reading	/proc/1292/stat	ps
File opened for reading	/proc/1196/stat	ps
File opened for reading	/proc/1484/stat	ps
File opened for reading	/proc/1516/stat	ps
File opened for reading	/proc/8/status	ps
File opened for reading	/proc/1029/status	ps
File opened for reading	/proc/1128/stat	ps
File opened for reading	/proc/1163/status	ps
File opened for reading	/proc/1095/status	ps
File opened for reading	/proc/1195/stat	ps
File opened for reading	/proc/15/status	ps
File opened for reading	/proc/466/status	ps
File opened for reading	/proc/1054/stat	ps
File opened for reading	/proc/1077/status	ps
File opened for reading	/proc/82/status	ps
File opened for reading	/proc/1177/status	ps
File opened for reading	/proc/491/stat	ps
File opened for reading	/proc/621/stat	ps
File opened for reading	/proc/1136/status	ps
File opened for reading	/proc/35/stat	ps
File opened for reading	/proc/134/stat	ps
File opened for reading	/proc/451/stat	ps
File opened for reading	/proc/458/status	ps
File opened for reading	/proc/1074/stat	ps
File opened for reading	/proc/1484/status	ps
File opened for reading	/proc/1514/stat	ps
File opened for reading	/proc/9/status	ps
File opened for reading	/proc/26/stat	ps
File opened for reading	/proc/164/status	ps
File opened for reading	/proc/521/stat	ps
File opened for reading	/proc/80/stat	ps
File opened for reading	/proc/1071/status	ps
File opened for reading	/proc/1517/stat	ps
File opened for reading	/proc/499/stat	ps
File opened for reading	/proc/559/stat	ps
File opened for reading	/proc/1074/status	ps
File opened for reading	/proc/28/status	ps
File opened for reading	/proc/161/stat	ps
File opened for reading	/proc/161/status	ps
File opened for reading	/proc/458/stat	ps
File opened for reading	/proc/1350/stat	ps
File opened for reading	/proc/80/status	ps
File opened for reading	/proc/160/status	ps
File opened for reading	/proc/1191/status	ps
File opened for reading	/proc/1328/status	ps
File opened for reading	/proc/997/status	ps
File opened for reading	/proc/1195/status	ps
File opened for reading	/proc/7/status	ps
File opened for reading	/proc/30/stat	ps
File opened for reading	/proc/79/stat	ps
File opened for reading	/proc/634/status	ps
File opened for reading	/proc/1140/status	ps
File opened for reading	/proc/1160/stat	ps
File opened for reading	/proc/1267/status	ps
File opened for reading	/proc/21/stat	ps
File opened for reading	/proc/29/status	ps
File opened for reading	/proc/176/stat	ps
File opened for reading	/proc/572/stat	ps
File opened for reading	/proc/89/status	ps
File opened for reading	/proc/115/status	ps
File opened for reading	/proc/1154/stat	ps
File opened for reading	/proc/1508/stat	ps
File opened for reading	/proc/3/status	ps
File opened for reading	/proc/204/status	ps

/tmp/1fa6befa83300967bbd31b7aa745f972.elf
/tmp/1fa6befa83300967bbd31b7aa745f972.elf
1⤵
- Deletes itself
- Modifies Watchdog functionality
- Changes its process name
- Checks CPU configuration
PID:1512

/bin/sh
sh -c "ps -eo pid,tty | grep -E 'pts|tty' | awk '{print \$1}'"
2⤵
PID:1517

/usr/bin/awk
awk "{print \$1}"
3⤵
PID:1520

/bin/grep
grep -E "pts|tty"
3⤵
PID:1519

/bin/ps
ps -eo "pid,tty"
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1518

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads