Analysis Overview
SHA256
3b7e69fb314ffdeb13c36e9ecf20a9476f34374c30ce437dea4e0db193ceb1d8
Threat Level: Shows suspicious behavior
The file 3b7e69fb314ffdeb13c36e9ecf20a9476f34374c30ce437dea4e0db193ceb1d8.elf was classified as: Shows suspicious behavior.
Malicious Activity Summary
Modifies Watchdog functionality
Deletes itself
Enumerates running processes
Changes its process name
Checks CPU configuration
Reads CPU attributes
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-22 01:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 01:22
Reported
2024-05-22 01:25
Platform
ubuntu1804-amd64-20240508-en
Max time kernel
149s
Max time network
131s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /tmp/3b7e69fb314ffdeb13c36e9ecf20a9476f34374c30ce437dea4e0db193ceb1d8.elf | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /dev/watchdog | /tmp/3b7e69fb314ffdeb13c36e9ecf20a9476f34374c30ce437dea4e0db193ceb1d8.elf | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/3b7e69fb314ffdeb13c36e9ecf20a9476f34374c30ce437dea4e0db193ceb1d8.elf | N/A |
Enumerates running processes
Changes its process name
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Changes the process name, possibly in an attempt to hide itself | telnetd | /tmp/3b7e69fb314ffdeb13c36e9ecf20a9476f34374c30ce437dea4e0db193ceb1d8.elf | N/A |
| Changes the process name, possibly in an attempt to hide itself | telnetd | N/A | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /proc/cpuinfo | /tmp/3b7e69fb314ffdeb13c36e9ecf20a9476f34374c30ce437dea4e0db193ceb1d8.elf | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /sys/devices/system/cpu/online | /bin/ps | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /proc/uptime | /bin/ps | N/A |
| File opened for reading | /proc/10/stat | /bin/ps | N/A |
| File opened for reading | /proc/177/stat | /bin/ps | N/A |
| File opened for reading | /proc/586/status | /bin/ps | N/A |
| File opened for reading | /proc/657/status | /bin/ps | N/A |
| File opened for reading | /proc/167/stat | /bin/ps | N/A |
| File opened for reading | /proc/1107/status | /bin/ps | N/A |
| File opened for reading | /proc/1470/status | /bin/ps | N/A |
| File opened for reading | /proc/1332/stat | /bin/ps | N/A |
| File opened for reading | /proc/30/stat | /bin/ps | N/A |
| File opened for reading | /proc/31/status | /bin/ps | N/A |
| File opened for reading | /proc/130/status | /bin/ps | N/A |
| File opened for reading | /proc/172/status | /bin/ps | N/A |
| File opened for reading | /proc/499/status | /bin/ps | N/A |
| File opened for reading | /proc/1483/stat | /bin/ps | N/A |
| File opened for reading | /proc/11/status | /bin/ps | N/A |
| File opened for reading | /proc/81/stat | /bin/ps | N/A |
| File opened for reading | /proc/441/stat | /bin/ps | N/A |
| File opened for reading | /proc/464/stat | /bin/ps | N/A |
| File opened for reading | /proc/956/status | /bin/ps | N/A |
| File opened for reading | /proc/29/status | /bin/ps | N/A |
| File opened for reading | /proc/701/stat | /bin/ps | N/A |
| File opened for reading | /proc/1163/status | /bin/ps | N/A |
| File opened for reading | /proc/12/status | /bin/ps | N/A |
| File opened for reading | /proc/98/status | /bin/ps | N/A |
| File opened for reading | /proc/484/stat | /bin/ps | N/A |
| File opened for reading | /proc/605/status | /bin/ps | N/A |
| File opened for reading | /proc/707/stat | /bin/ps | N/A |
| File opened for reading | /proc/14/stat | /bin/ps | N/A |
| File opened for reading | /proc/35/status | /bin/ps | N/A |
| File opened for reading | /proc/89/status | /bin/ps | N/A |
| File opened for reading | /proc/170/stat | /bin/ps | N/A |
| File opened for reading | /proc/496/stat | /bin/ps | N/A |
| File opened for reading | /proc/691/stat | /bin/ps | N/A |
| File opened for reading | /proc/1111/status | /bin/ps | N/A |
| File opened for reading | /proc/1481/stat | /bin/ps | N/A |
| File opened for reading | /proc/104/stat | /bin/ps | N/A |
| File opened for reading | /proc/169/status | /bin/ps | N/A |
| File opened for reading | /proc/499/stat | /bin/ps | N/A |
| File opened for reading | /proc/554/status | /bin/ps | N/A |
| File opened for reading | /proc/570/status | /bin/ps | N/A |
| File opened for reading | /proc/1259/status | /bin/ps | N/A |
| File opened for reading | /proc/14/status | /bin/ps | N/A |
| File opened for reading | /proc/80/status | /bin/ps | N/A |
| File opened for reading | /proc/207/status | /bin/ps | N/A |
| File opened for reading | /proc/1025/status | /bin/ps | N/A |
| File opened for reading | /proc/1130/stat | /bin/ps | N/A |
| File opened for reading | /proc/4/status | /bin/ps | N/A |
| File opened for reading | /proc/655/stat | /bin/ps | N/A |
| File opened for reading | /proc/655/status | /bin/ps | N/A |
| File opened for reading | /proc/1/stat | /bin/ps | N/A |
| File opened for reading | /proc/165/stat | /bin/ps | N/A |
| File opened for reading | /proc/tty/drivers | /bin/ps | N/A |
| File opened for reading | /proc/1090/status | /bin/ps | N/A |
| File opened for reading | /proc/1478/stat | /bin/ps | N/A |
| File opened for reading | /proc/586/stat | /bin/ps | N/A |
| File opened for reading | /proc/1244/status | /bin/ps | N/A |
| File opened for reading | /proc/1289/status | /bin/ps | N/A |
| File opened for reading | /proc/6/status | /bin/ps | N/A |
| File opened for reading | /proc/26/status | /bin/ps | N/A |
| File opened for reading | /proc/28/stat | /bin/ps | N/A |
| File opened for reading | /proc/78/stat | /bin/ps | N/A |
| File opened for reading | /proc/567/stat | /bin/ps | N/A |
| File opened for reading | /proc/1483/status | /bin/ps | N/A |
Processes
/tmp/3b7e69fb314ffdeb13c36e9ecf20a9476f34374c30ce437dea4e0db193ceb1d8.elf
[/tmp/3b7e69fb314ffdeb13c36e9ecf20a9476f34374c30ce437dea4e0db193ceb1d8.elf]
/bin/sh
[sh -c ps -eo pid,tty | grep -E 'pts|tty' | awk '{print $1}']
/bin/ps
[ps -eo pid,tty]
/bin/grep
[grep -E pts|tty]
/usr/bin/awk
[awk {print $1}]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 195.181.164.17:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |