Analysis
- max time kernel: 149s
- max time network: 145s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20240508-en
- resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240508-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
- submitted: 21-05-2024 10:38
Static task: static1
Behavioral task: behavioral1
- Sample: 1fa6befa83300967bbd31b7aa745f972.elf
- Resource: ubuntu1804-amd64-20240508-en
General
- Target: 1fa6befa83300967bbd31b7aa745f972.elf
- Size: 60KB
- MD5: 1fa6befa83300967bbd31b7aa745f972
- SHA1: 8a09dc37d02796146b40e336c7a9c9c5ebba4e8b
- SHA256: 3b7e69fb314ffdeb13c36e9ecf20a9476f34374c30ce437dea4e0db193ceb1d8
- SHA512: a90fb7b23ae9087db504b1778b1bbbca16b147e5cf68646045f710032a8cf5fb92561525fd8df41b0584de83313bc099711f3f4081d781be713031ef8b6dfb41
- SSDEEP: 1536:W/4vP/fDv1Y7GuNNq4vMSvglokUx3108OFfGPw/62cHBwr:Aa71Y7GuK4vn3+E9HO
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes:
  pid | process
  1512 | 1fa6befa83300967bbd31b7aa745f972.elf
- Modifies Watchdog functionality (1 TTP, 2 IoCs)
  Malware like Mirai modifies the watchdog to prevent it from restarting an infected system.
  Processes:
  description | ioc | process
  File opened for modification | /dev/watchdog | 1fa6befa83300967bbd31b7aa745f972.elf
  File opened for modification | /dev/misc/watchdog | 1fa6befa83300967bbd31b7aa745f972.elf
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Changes its process name (2 IoCs)
  Processes:
  description | ioc | pid | process
  Changes the process name, possibly in an attempt to hide itself | telnetd | 1512 | 1fa6befa83300967bbd31b7aa745f972.elf
  Changes the process name, possibly in an attempt to hide itself | telnetd | 1513 |
- Checks CPU configuration (1 TTP, 1 IoC)
  Checks CPU information, which can indicate whether the system is a virtual machine.
  Processes:
  description | ioc | process
  File opened for reading | /proc/cpuinfo | 1fa6befa83300967bbd31b7aa745f972.elf
- Reads CPU attributes (1 TTP, 1 IoC)
  Processes:
  description | ioc | process
  File opened for reading | /sys/devices/system/cpu/online | ps
- Reads runtime system information (64 IoCs)
  Reads data from the /proc virtual filesystem.
  Processes (all reads by ps):
Processes
- /tmp/1fa6befa83300967bbd31b7aa745f972.elf (cmdline: /tmp/1fa6befa83300967bbd31b7aa745f972.elf)
  - Deletes itself
  - Modifies Watchdog functionality
  - Changes its process name
  - Checks CPU configuration
  - /bin/sh (cmdline: sh -c "ps -eo pid,tty | grep -E 'pts|tty' | awk '{print \$1}'")
    - /usr/bin/awk (cmdline: awk "{print \$1}")
    - /bin/grep (cmdline: grep -E "pts|tty")
    - /bin/ps (cmdline: ps -eo "pid,tty")
      - Reads CPU attributes
      - Reads runtime system information