Analysis Overview
SHA256
3b7e69fb314ffdeb13c36e9ecf20a9476f34374c30ce437dea4e0db193ceb1d8
Threat Level: Shows suspicious behavior
The file 1fa6befa83300967bbd31b7aa745f972.elf was found to be: Shows suspicious behavior.
Malicious Activity Summary
Deletes itself
Modifies Watchdog functionality
Enumerates running processes
Changes its process name
Checks CPU configuration
Reads CPU attributes
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-21 10:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 10:38
Reported
2024-05-21 10:40
Platform
ubuntu1804-amd64-20240508-en
Max time kernel
149s
Max time network
145s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/1fa6befa83300967bbd31b7aa745f972.elf | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/watchdog | /tmp/1fa6befa83300967bbd31b7aa745f972.elf | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/1fa6befa83300967bbd31b7aa745f972.elf | N/A |
Enumerates running processes
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | telnetd | /tmp/1fa6befa83300967bbd31b7aa745f972.elf | N/A |
| Changes the process name, possibly in an attempt to hide itself | telnetd | N/A | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /tmp/1fa6befa83300967bbd31b7aa745f972.elf | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /bin/ps | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/1292/stat | /bin/ps | N/A |
| File opened for reading | /proc/1196/stat | /bin/ps | N/A |
| File opened for reading | /proc/1484/stat | /bin/ps | N/A |
| File opened for reading | /proc/1516/stat | /bin/ps | N/A |
| File opened for reading | /proc/8/status | /bin/ps | N/A |
| File opened for reading | /proc/1029/status | /bin/ps | N/A |
| File opened for reading | /proc/1128/stat | /bin/ps | N/A |
| File opened for reading | /proc/1163/status | /bin/ps | N/A |
| File opened for reading | /proc/1095/status | /bin/ps | N/A |
| File opened for reading | /proc/1195/stat | /bin/ps | N/A |
| File opened for reading | /proc/15/status | /bin/ps | N/A |
| File opened for reading | /proc/466/status | /bin/ps | N/A |
| File opened for reading | /proc/1054/stat | /bin/ps | N/A |
| File opened for reading | /proc/1077/status | /bin/ps | N/A |
| File opened for reading | /proc/82/status | /bin/ps | N/A |
| File opened for reading | /proc/1177/status | /bin/ps | N/A |
| File opened for reading | /proc/491/stat | /bin/ps | N/A |
| File opened for reading | /proc/621/stat | /bin/ps | N/A |
| File opened for reading | /proc/1136/status | /bin/ps | N/A |
| File opened for reading | /proc/35/stat | /bin/ps | N/A |
| File opened for reading | /proc/134/stat | /bin/ps | N/A |
| File opened for reading | /proc/451/stat | /bin/ps | N/A |
| File opened for reading | /proc/458/status | /bin/ps | N/A |
| File opened for reading | /proc/1074/stat | /bin/ps | N/A |
| File opened for reading | /proc/1484/status | /bin/ps | N/A |
| File opened for reading | /proc/1514/stat | /bin/ps | N/A |
| File opened for reading | /proc/9/status | /bin/ps | N/A |
| File opened for reading | /proc/26/stat | /bin/ps | N/A |
| File opened for reading | /proc/164/status | /bin/ps | N/A |
| File opened for reading | /proc/521/stat | /bin/ps | N/A |
| File opened for reading | /proc/80/stat | /bin/ps | N/A |
| File opened for reading | /proc/1071/status | /bin/ps | N/A |
| File opened for reading | /proc/1517/stat | /bin/ps | N/A |
| File opened for reading | /proc/499/stat | /bin/ps | N/A |
| File opened for reading | /proc/559/stat | /bin/ps | N/A |
| File opened for reading | /proc/1074/status | /bin/ps | N/A |
| File opened for reading | /proc/28/status | /bin/ps | N/A |
| File opened for reading | /proc/161/stat | /bin/ps | N/A |
| File opened for reading | /proc/161/status | /bin/ps | N/A |
| File opened for reading | /proc/458/stat | /bin/ps | N/A |
| File opened for reading | /proc/1350/stat | /bin/ps | N/A |
| File opened for reading | /proc/80/status | /bin/ps | N/A |
| File opened for reading | /proc/160/status | /bin/ps | N/A |
| File opened for reading | /proc/1191/status | /bin/ps | N/A |
| File opened for reading | /proc/1328/status | /bin/ps | N/A |
| File opened for reading | /proc/997/status | /bin/ps | N/A |
| File opened for reading | /proc/1195/status | /bin/ps | N/A |
| File opened for reading | /proc/7/status | /bin/ps | N/A |
| File opened for reading | /proc/30/stat | /bin/ps | N/A |
| File opened for reading | /proc/79/stat | /bin/ps | N/A |
| File opened for reading | /proc/634/status | /bin/ps | N/A |
| File opened for reading | /proc/1140/status | /bin/ps | N/A |
| File opened for reading | /proc/1160/stat | /bin/ps | N/A |
| File opened for reading | /proc/1267/status | /bin/ps | N/A |
| File opened for reading | /proc/21/stat | /bin/ps | N/A |
| File opened for reading | /proc/29/status | /bin/ps | N/A |
| File opened for reading | /proc/176/stat | /bin/ps | N/A |
| File opened for reading | /proc/572/stat | /bin/ps | N/A |
| File opened for reading | /proc/89/status | /bin/ps | N/A |
| File opened for reading | /proc/115/status | /bin/ps | N/A |
| File opened for reading | /proc/1154/stat | /bin/ps | N/A |
| File opened for reading | /proc/1508/stat | /bin/ps | N/A |
| File opened for reading | /proc/3/status | /bin/ps | N/A |
| File opened for reading | /proc/204/status | /bin/ps | N/A |
Processes
/tmp/1fa6befa83300967bbd31b7aa745f972.elf
[/tmp/1fa6befa83300967bbd31b7aa745f972.elf]
/bin/sh
[sh -c ps -eo pid,tty | grep -E 'pts|tty' | awk '{print $1}']
/usr/bin/awk
[awk {print $1}]
/bin/grep
[grep -E pts|tty]
/bin/ps
[ps -eo pid,tty]
Network
| Country | Destination | Domain | Proto |
| DE | 103.161.35.44:5900 | | tcp |
| DE | 103.161.35.44:5901 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| GB | 195.181.164.17:443 | | tcp |
| US | 151.101.65.91:443 | | tcp |