99523964758d7ded3631bf0a2239681f4c408fc66dbe69db264dd9a77a3ce84c

Analysis

max time kernel
149s
max time network
150s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
21-05-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20k.x86
Size

53KB
MD5

72d723a52bced01aad8eb7cdf73e08d7
SHA1

c652b18291acb65483a80d15915d1b42c6c4bc35
SHA256

99523964758d7ded3631bf0a2239681f4c408fc66dbe69db264dd9a77a3ce84c
SHA512

fbdacfa094477a4691e43b0368c52f6d0b71df075e50e13d6276a6ab2b453f8ef531914655a6fc7043932907f158486ae94c9ea2868a3de64126ebe202b32896
SSDEEP

1536:O13kynNjv6czSEZeLmI37KNCgoT9poQzWxS2RAfah5mQ:AUyntv6cuEZ437KAgohpoeiSi1D

Score

9^/10

discovery

Malware Config

Signatures

Contacts a large (118131) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses
T1562

Processes:

20k.x86

description ioc process

File opened for modification /dev/watchdog 20k.x86
File opened for modification /dev/misc/watchdog 20k.x86
Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow
T1574

Processes:

20k.x86

description ioc process

File opened for modification /sbin/watchdog 20k.x86
File opened for modification /bin/watchdog 20k.x86
Changes its process name 1 IoCs

Processes:

20k.x86

description pid process

Changes the process name, possibly in an attempt to hide itself 1493 20k.x86

description	ioc	process
File opened for modification	/dev/watchdog	20k.x86
File opened for modification	/dev/misc/watchdog	20k.x86

description	ioc	process
File opened for modification	/sbin/watchdog	20k.x86
File opened for modification	/bin/watchdog	20k.x86

description	pid	process
Changes the process name, possibly in an attempt to hide itself	1493	20k.x86

/tmp/20k.x86
/tmp/20k.x86
1⤵
- Modifies Watchdog functionality
- Writes file to system bin folder
- Changes its process name
PID:1493

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads