Malware Analysis Report

2024-10-24 21:46

Sample ID: 240522-brm35sfh27
Target: 3b7e69fb314ffdeb13c36e9ecf20a9476f34374c30ce437dea4e0db193ceb1d8.elf
SHA256: 3b7e69fb314ffdeb13c36e9ecf20a9476f34374c30ce437dea4e0db193ceb1d8
Tags: antivm
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

3b7e69fb314ffdeb13c36e9ecf20a9476f34374c30ce437dea4e0db193ceb1d8

Threat level: shows suspicious behavior (score 7/10).

The file 3b7e69fb314ffdeb13c36e9ecf20a9476f34374c30ce437dea4e0db193ceb1d8.elf exhibited suspicious behavior during detonation. The only tag assigned is antivm; no family-specific signature matched, so the verdict rests on the generic behaviors listed below.

Malicious Activity Summary

antivm

Modifies Watchdog functionality

Deletes itself

Enumerates running processes

Changes its process name

Checks CPU configuration

Reads CPU attributes

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 01:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 01:22

Reported

2024-05-22 01:25

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

149s

Max time network

131s

Command Line

[/tmp/3b7e69fb314ffdeb13c36e9ecf20a9476f34374c30ce437dea4e0db193ceb1d8.elf]

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | /tmp/3b7e69fb314ffdeb13c36e9ecf20a9476f34374c30ce437dea4e0db193ceb1d8.elf | N/A

The sandbox records no indicator for this signature beyond the process. On a live host an unlinked binary that is still running shows up as a /proc/<pid>/exe link whose target ends in " (deleted)"; the mapped file stays executable and can still be copied out of /proc/<pid>/exe for analysis.

Modifies Watchdog functionality

Description | Indicator | Process | Target
File opened for modification | /dev/watchdog | /tmp/3b7e69fb314ffdeb13c36e9ecf20a9476f34374c30ce437dea4e0db193ceb1d8.elf | N/A
File opened for modification | /dev/misc/watchdog | /tmp/3b7e69fb314ffdeb13c36e9ecf20a9476f34374c30ce437dea4e0db193ceb1d8.elf | N/A

Opening the watchdog device is how a process takes control of the hardware watchdog; Linux IoT bots commonly do this to disable it (WDIOC_SETOPTIONS with WDIOS_DISABLECARD) so the device is not rebooted while the bot hogs the CPU. The report records only the open, not the ioctl that followed, and /dev/misc/watchdog is the alternate device node found on older embedded firmware. Both opens here were attempted on an Ubuntu VM, where the node may not exist at all.

Enumerates running processes

Changes its process name

Description | Indicator | Process | Target
Changes the process name, possibly in an attempt to hide itself | telnetd | /tmp/3b7e69fb314ffdeb13c36e9ecf20a9476f34374c30ce437dea4e0db193ceb1d8.elf | N/A
Changes the process name, possibly in an attempt to hide itself | telnetd | N/A | N/A

The report shows only the name the sample presents (telnetd), not which mechanism was used: prctl(PR_SET_NAME) rewrites /proc/<pid>/comm, while overwriting argv[0] rewrites /proc/<pid>/cmdline. Neither changes /proc/<pid>/exe, so on a live host a comm or argv[0] of telnetd whose exe is not the distribution's telnetd binary is the reliable tell.

Checks CPU configuration

Tag: antivm
Description | Indicator | Process | Target
File opened for reading | /proc/cpuinfo | /tmp/3b7e69fb314ffdeb13c36e9ecf20a9476f34374c30ce437dea4e0db193ceb1d8.elf | N/A

/proc/cpuinfo exposes the model name string and the hypervisor CPU flag that virtual machines usually leave visible, which is why the sandbox tags this read antivm. The same read is also the normal way to count cores before sizing worker threads, so on its own it is weak evidence of sandbox evasion.

Reads CPU attributes

Description | Indicator | Process | Target
File opened for reading | /sys/devices/system/cpu/online | /bin/ps | N/A

Reads runtime system information

Description | Indicator | Process | Target
File opened for reading | /proc/uptime | /bin/ps | N/A
File opened for reading | /proc/tty/drivers | /bin/ps | N/A
File opened for reading | /proc/<pid>/stat for pids 1, 10, 14, 28, 30, 78, 81, 104, 165, 167, 170, 177, 441, 464, 484, 496, 499, 567, 586, 655, 691, 701, 707, 1130, 1332, 1478, 1481, 1483 | /bin/ps | N/A
File opened for reading | /proc/<pid>/status for pids 4, 6, 11, 12, 14, 26, 29, 31, 35, 80, 89, 98, 130, 169, 172, 207, 499, 554, 570, 586, 605, 655, 657, 956, 1025, 1090, 1107, 1111, 1163, 1244, 1259, 1289, 1470, 1483 | /bin/ps | N/A

Every read in this group, and the /sys/devices/system/cpu/online read above, is performed by /bin/ps rather than by the sample. They are the ordinary behavior of ps walking /proc to build its table (/proc/tty/drivers is how it maps tty_nr values to device names) and are attributable to the sample only through the sh -c pipeline it spawned, listed under Processes.
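A host-side check for three of the signatures above, as an added example that is not part of the sandbox report or the sample: a running process whose executable has been unlinked ("Deletes itself"), a process calling itself telnetd whose exe is not the distribution's telnetd ("Changes its process name"), and a process holding the watchdog device open ("Modifies Watchdog functionality"). It walks a /proc-style tree, so it runs against the live /proc or against the constructed lookalike tree built by build_sample_tree(). GENUINE_TELNETD and the constructed process entries are assumptions, not values taken from the report.

```python
"""Triage a /proc tree for the deleted-exe, telnetd-masquerade and
open-watchdog indicators. Added example; not code from the report."""
import os
import tempfile

WATCHDOG_DEVICES = {"/dev/watchdog", "/dev/misc/watchdog"}
# Assumed install paths of a genuine telnetd; adjust for the target distro.
GENUINE_TELNETD = {"/usr/sbin/telnetd", "/usr/sbin/in.telnetd"}
DELETED = " (deleted)"


def _readlink(path):
    try:
        return os.readlink(path)
    except OSError:
        return None


def _read(path):
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:
        return b""


def triage_process(proc_root, pid):
    """Return [(finding, detail), ...] for one PID; empty when clean."""
    base = os.path.join(proc_root, str(pid))
    exe = _readlink(os.path.join(base, "exe")) or ""
    comm = _read(os.path.join(base, "comm")).decode(errors="replace").strip()
    argv0 = _read(os.path.join(base, "cmdline")).split(b"\0")[0].decode(errors="replace")
    findings = []
    # Deletes itself: the kernel appends " (deleted)" to the exe link target
    # once the binary has been unlinked; the mapped file keeps running.
    real_exe = exe[:-len(DELETED)] if exe.endswith(DELETED) else exe
    if real_exe != exe:
        findings.append(("deleted_exe", exe))
    # Changes its process name: comm (prctl PR_SET_NAME) and argv[0] are
    # writable by the process itself; /proc/<pid>/exe is not. Compare them.
    claims_telnetd = comm == "telnetd" or os.path.basename(argv0) == "telnetd"
    if claims_telnetd and real_exe not in GENUINE_TELNETD:
        findings.append(("comm_masquerade", f"comm={comm!r} argv0={argv0!r} exe={exe!r}"))
    # Modifies Watchdog functionality: any descriptor open on the watchdog node.
    fd_dir = os.path.join(base, "fd")
    for fd in (sorted(os.listdir(fd_dir)) if os.path.isdir(fd_dir) else []):
        target = _readlink(os.path.join(fd_dir, fd))
        if target in WATCHDOG_DEVICES:
            findings.append(("watchdog_open", target))
    return findings


def triage_all(proc_root="/proc"):
    """pid -> findings for every process with at least one finding."""
    results = {}
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            hits = triage_process(proc_root, int(entry))
            if hits:
                results[int(entry)] = hits
    return results


def build_sample_tree():
    """Constructed /proc lookalike (test data, not captured from a host):
    a bot-like process (1234), a genuine telnetd (41), an unrelated daemon (700)."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    procs = {
        1234: ("telnetd", "/tmp/sample.elf" + DELETED, ["telnetd"], {"3": "/dev/watchdog"}),
        41: ("telnetd", "/usr/sbin/in.telnetd", ["/usr/sbin/in.telnetd"], {"0": "/dev/null"}),
        700: ("sshd", "/usr/sbin/sshd", ["/usr/sbin/sshd", "-D"], {}),
    }
    for pid, (comm, exe, argv, fds) in procs.items():
        base = os.path.join(root, str(pid))
        os.makedirs(os.path.join(base, "fd"))
        with open(os.path.join(base, "comm"), "w") as f:
            f.write(comm + "\n")
        with open(os.path.join(base, "cmdline"), "wb") as f:
            f.write("\0".join(argv).encode() + b"\0")
        os.symlink(exe, os.path.join(base, "exe"))  # dangling links are fine
        for fd, target in fds.items():
            os.symlink(target, os.path.join(base, "fd", fd))
    return root


if __name__ == "__main__":
    for pid, hits in sorted(triage_all().items()):
        for finding, detail in hits:
            print(f"{pid}\t{finding}\t{detail}")
```

Run it as root on the suspect host so /proc/<pid>/exe and /proc/<pid>/fd of other users' processes are readable; unprivileged, those links return EACCES and the process is silently reported clean.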

Processes

/tmp/3b7e69fb314ffdeb13c36e9ecf20a9476f34374c30ce437dea4e0db193ceb1d8.elf

[/tmp/3b7e69fb314ffdeb13c36e9ecf20a9476f34374c30ce437dea4e0db193ceb1d8.elf]

/bin/sh

[sh -c ps -eo pid,tty | grep -E 'pts|tty' | awk '{print $1}']

/bin/ps

[ps -eo pid,tty]

/bin/grep

[grep -E pts|tty]

/usr/bin/awk

[awk {print $1}]

The sample spawns /bin/sh -c to run the pipeline; ps, grep and awk are its three stages (the shell quoting is gone from the grep and awk argv lines because the sandbox prints the arguments as the processes received them). The pipeline prints the PID of every process whose controlling terminal is a pseudo-terminal (pts/N) or console (ttyN), that is, every interactive session on the host. The report does not record what the sample does with that list.
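What the pipeline actually selects, reproduced without shelling out, as an added example that is not part of the report: tty_pids() applies the same filter as grep|awk to ps output, and ctty_from_stat() decodes the tty_nr field of /proc/<pid>/stat, which is the data ps reads for its TT column and the reason the /proc/<pid>/stat reads appear in the Signatures section. The ps output and stat lines below are constructed, not captured from the detonation.

```python
"""Reproduce `ps -eo pid,tty | grep -E 'pts|tty' | awk '{print $1}'`
and show where ps gets the TT column from. Added example, not report code."""
import re

# Constructed `ps -eo pid,tty` output; "?" means no controlling terminal.
SAMPLE_PS_OUTPUT = """\
  PID TT
    1 ?
  586 ?
  657 tty1
 1107 pts/0
 1470 pts/1
 1483 ?
"""

# Constructed /proc/<pid>/stat lines (first eight fields are enough here).
SAMPLE_STAT = {
    1: "1 (systemd) S 0 1 1 0 1 4194560 0",
    586: "586 (cron) S 1 586 586 0 586 0 0",
    657: "657 (login) S 1 657 657 1025 657 0 0",
    1107: "1107 (bash) S 1100 1107 1107 34816 1107 4194560 0",
    1470: "1470 (bash) S 1460 1470 1470 34817 1470 4194560 0",
    1483: "1483 (sleep) S 1 1483 1483 0 1483 0 0",
}


def tty_pids(ps_output):
    """PIDs whose TT column matches /pts|tty/, exactly as grep|awk selects them."""
    pids = []
    for line in ps_output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # header line ("PID TT") or something malformed
        if re.search(r"pts|tty", parts[1]):
            pids.append(int(parts[0]))
    return pids


def ctty_from_stat(stat_line):
    """Decode field 7 (tty_nr) of /proc/<pid>/stat into (driver, index) or None.
    The comm field is parenthesised and may itself contain spaces and ')',
    so split only after the last ')' rather than on whitespace from the start."""
    rest = stat_line[stat_line.rindex(")") + 1:].split()
    tty_nr = int(rest[4])  # rest[0] is field 3 (state), so field 7 is rest[4]
    if tty_nr == 0:
        return None  # no controlling terminal; ps prints "?"
    # tty_nr packs a device number: major in bits 8..15, minor in 0..7 and 20..31.
    major = (tty_nr >> 8) & 0xFF
    minor = (tty_nr & 0xFF) | ((tty_nr >> 12) & 0xFFF00)
    if major == 136:   # Unix98 pty slaves, /dev/pts/N
        return ("pts", minor)
    if major == 4:     # virtual consoles /dev/ttyN (and serial ports above 64)
        return ("tty", minor)
    return ("other", minor)


def tty_pids_from_stat(stat_by_pid):
    """Same selection as tty_pids(), driven by /proc/<pid>/stat instead of ps."""
    return sorted(pid for pid, line in stat_by_pid.items() if ctty_from_stat(line))


if __name__ == "__main__":
    print("via ps output:", tty_pids(SAMPLE_PS_OUTPUT))
    print("via /proc stat:", tty_pids_from_stat(SAMPLE_STAT))
```

The two selections agree on the constructed data, which is the point for detection: a process that forks sh -c ps | grep | awk is the noisy way of doing what a few reads of /proc/<pid>/stat do quietly, so the process-tree event (a non-interactive parent spawning that exact pipeline) is a better alert than the individual /proc reads by ps.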

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 185.125.188.62:443 | N/A | tcp
GB | 185.125.188.62:443 | N/A | tcp
GB | 195.181.164.17:443 | N/A | tcp
US | 151.101.193.91:443 | N/A | tcp

224.0.0.251:5353 is the mDNS multicast address and is background noise from the guest. No domain was resolved for any destination and the table records no originating process, so the four TCP connections to port 443 cannot be attributed to the sample from this report alone; compare them against a clean detonation of the same ubuntu1804-amd64-20240508-en image before treating any of them as command-and-control.

Files

N/A