Malware Analysis Report

2024-10-24 21:46

Sample ID 240521-mpdbpsae4v
Target 1fa6befa83300967bbd31b7aa745f972.elf
SHA256 3b7e69fb314ffdeb13c36e9ecf20a9476f34374c30ce437dea4e0db193ceb1d8
Tags: antivm
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: 3b7e69fb314ffdeb13c36e9ecf20a9476f34374c30ce437dea4e0db193ceb1d8

Threat Level: Shows suspicious behavior

The file 1fa6befa83300967bbd31b7aa745f972.elf was found to show suspicious behavior.

Malicious Activity Summary

antivm

Deletes itself

Modifies Watchdog functionality

Enumerates running processes

Changes its process name

Checks CPU configuration

Reads CPU attributes

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-21 10:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-21 10:38

Reported: 2024-05-21 10:40

Platform: ubuntu1804-amd64-20240508-en

Max time kernel: 149s

Max time network: 145s

Command Line

[/tmp/1fa6befa83300967bbd31b7aa745f972.elf]

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A /tmp/1fa6befa83300967bbd31b7aa745f972.elf N/A

Modifies Watchdog functionality

Description Indicator Process Target
File opened for modification /dev/watchdog /tmp/1fa6befa83300967bbd31b7aa745f972.elf N/A
File opened for modification /dev/misc/watchdog /tmp/1fa6befa83300967bbd31b7aa745f972.elf N/A

Enumerates running processes

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself telnetd /tmp/1fa6befa83300967bbd31b7aa745f972.elf N/A
Changes the process name, possibly in an attempt to hide itself telnetd N/A N/A

Checks CPU configuration

Tags: antivm

Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/1fa6befa83300967bbd31b7aa745f972.elf N/A

Reads CPU attributes

Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /bin/ps N/A

Reads runtime system information

Description Indicator Process Target

Processes

/tmp/1fa6befa83300967bbd31b7aa745f972.elf

[/tmp/1fa6befa83300967bbd31b7aa745f972.elf]

/bin/sh

[sh -c ps -eo pid,tty | grep -E 'pts|tty' | awk '{print $1}']

/usr/bin/awk

[awk {print $1}]

/bin/grep

[grep -E pts|tty]

/bin/ps

[ps -eo pid,tty]

Network

Country Destination Domain Proto
DE 103.161.35.44:5900 tcp
DE 103.161.35.44:5901 tcp
N/A 224.0.0.251:5353 udp
GB 185.125.188.62:443 tcp
GB 185.125.188.61:443 tcp
GB 195.181.164.17:443 tcp
US 151.101.65.91:443 tcp

Files

N/A